Got a rootkit infection, does Avast kill & remove it?

I’m not really an expert regarding computers, but got an Avast warning Sign of “Rootkit: hidden file” has been found in "MBR:\.\PHYSICALDRIVE 0. That did scare me! :o Told Avast to get rid of it, and Avast instructed me to restart my system. So I did a restart and Avast did a bootscan, found no infections. I thought everything was ok, but a few minutes later the same Avast rootkit warning popped up again! Told Avast to get rid of it, restarted with bootscan found no infections, and now my system seems to be working normally again. Scanned completely with Avast a third time and nothing was found.

Tried to do some homework on MBR rootkits, additionally scanned my pc with Ad-Aware, rootkit detectors GMER, Blacklight, and Sophos Anti-Rootkit.

Nothing found. Still, I’m very worried some nasty Rootkit thingie is still on my MBR and I’m not sure what to do! ??? Any advice is greatly appreciated, I’m really dependent on my computer so I need to make sure it is a healthy machine!

Help-help please! :-*

Hoi Eric,

Probeer eerst te scannen met DrWeb CureIt, hier te downloaden:
http://freedrweb.com/cureit/

http://www.oiepoie.nl/2007/08/04/caught-a-virus-trinity-to-the-rescue/
is een handige bootable cdrom met meerdere (4!)
virusscanners. Als ClamAV, F-Prot, AVG en BitDefender geen
van alle iets vinden om je harddisk kan je er redelijk zeker
van zijn dan je schoon ben.
De virusscanners updaten zichzelf eerst via het netwerk
(mits de computer is aangesloten op Internet).
Wat ook een goede optie is, is om Ultimate Boot CD te gebruiken.
Kost niets, en je kunt er gewoon vanaf cd mee scannen.
http://www.ubcd4win.com/

Ja daar hebben wij dus al meer dan 2 jaar last van MBR virus
initDiskillegal partition table *
drive 00 sector 0
illegal partition table * drive 00 sector 0
illegal partition table * drive 00 sector 0
illegal partition table * drive 00 sector 0
Je krijgt het dus niet weg met Testdisk 6.9B en Doctor
partition table,Windows FIXMBR .Low format Unallocated h80.
enz .enz Krijg het weg maar als je gaat Formateren zit het
er weerin. En dit hebben heel veel mensen en weten niet dat
het erin zit maar hebben wel onverklaarbare problemen met
hun PC.Page not found 401.Scanner doet het niet goed virus
scanner wordt gedeactiveert.Firewall gaat uit.enz.enz.Je
vindt het met het programma http://www.killdisk.com/ als je
hiermee low format. Dan zie je dat bij het Rebooten.

Succes,

polonus

i have the same problem boot scan does not clear it i have tried 4 times still it comes back any suggestions

Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been[b] completely compromised[/b], the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.

You cannot get more compromised that catching a rookit (complete control over your machine, basically). Now, you can spend a couple of days with the other guys here trying to deal with the infection, knowing that you will be unable to trust that machine anyway, or you can use the same time to reinstall a clean system and do a known clean image for restore purposes after that.

Your choice.

i have the same problem boot scan does not clear it i have tried 4 times still it comes back any suggestions
You should have started a new topic when asking for help, and not inside one from 2008

Within a corporate IT system I would agree with the reformat … But how many users have an image of their system ? or even a backup come to that. Do they have the discs for the computer or are they lost ?

There is always the option to reformat, but the only time I recommend it is for a file infector.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

[size=10pt][size=10pt][size=10pt][size=10pt][size=10pt][size=10pt][size=10pt][size=10pt]sinowal@MBR[rtk]: Gone in a matter of seconds with aswMBR[/size][/size][/size][/size][/size][/size][/size][/size]

Hello everybody! I’m here to share my experience about my pc infection by a rootkit virus “sinowal@MBR[rtk]” just 3 days ago.

First of all, I’d like to thank especially to essexboy and Pondus and to several other individuals in this forum. Without their dedicated posts, I couldn’t have solved the problem.

So here is the story…

With McAfee and Kaspersky installed on my office pc, I had previously thought that surfing the Internet was safe. How wrong I was. My Kaspersky’s virus database had been obsolete when the pc got infected by a series of viruses completely unknown to me.

I didn’t panic as I’d had such an experience before. I began to download popular antivirus software…Kaspersky Antivirus 2011, Kaspersky Internet Security, Avira AntiVir Personal, AVG and Spybot Search & Rescue. I did it one after another…installing a piece of software and uninstalling it to try the next one. Nothing helped. Apparently, the viruses seemed to prevent each piece of the software from running a successful installation. There was no way I could remove all the threats. I spent countless hours on the pc, trying to repeat the installation, restarted it, scanned it with the existing antivirus software again and again but to no avail. At first there were no immediate effects from the infection. Except from the pc froze during installation of most of the antivirus software, I could use it as usual, open my files, listen to the music, watch YouTube videos and browse the Internet. No problem at all. However, as I kept trying to install new antivirus software, it suddenly began to exhibit some kind of strange behavior I hadn’t had for more than a year. There were repeated losses in my Internet connection which I overcame by restarting the pc.

By 6 pm yesterday, some of the viruses found were successfully deleted. However, I knew there were hidden objects doing suspicious activities. So, I installed Avast which detected 3 other different threats on my pc. One of them, known as sinowal@mbr[rtk] couldn’t be removed. According to Wikipedia, it is a rootkit virus and can do severe harm to infected pcs and their users. That’s when I started to worry. I Google searched to learn more about the virus before stumbling across this forum. After reading several related posts, I installed and ran the Malwarebyte’s Anti-Malware. Two other infections were found and fixed. Then, came one of the most astonishing moments in my life as a pc user after I installed aswMBR on my pc. Not only was its installation very fast, but as soon as I ran it, the culprit was quickly recognized. In a matter of seconds, it was successfully removed from my system and my pc turned healthy again.

[color=purple]This post is sent to help others decide what they can do to solve the problem similar to mine. I do not mean to imply that all other antivirus software I mentioned in this post are of no good. Certainly, one software is better than the others under different circumstances
[/color]

At the moment Avast is one of the very few AV’s that will actually pinpoint an MBR infection. Glad you found a resolution

Hello essexboy

Just getting a ride on this post.

On April 11th got the blocking sites/malware problem. After reading this forum I found the false positive issue.
I´ve updated and scan again

Now its giving me rootkit-hidden files found

The aswMBR log is:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-12 21:50:00

21:50:00.316 OS Version: Windows 6.0.6002 Service Pack 2
21:50:00.316 Number of processors: 2 586 0x1706
21:50:00.318 ComputerName: PATICH UserName: Bruno
21:50:05.888 Initialize success
21:50:11.652 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
21:50:11.654 Disk 0 Vendor: Hitachi_ BKFO Size: 476940MB BusType: 3
21:50:11.676 Disk 0 MBR read successfully
21:50:11.678 Disk 0 MBR scan
21:50:11.684 Disk 0 scanning sectors +976773120
21:50:11.966 Disk 0 scanning C:\Windows\system32\drivers
21:50:19.033 Service scanning
21:50:20.352 Disk 0 trace - called modules:
21:50:20.385 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
21:50:20.388 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86dc7838]
21:50:20.391 3 CLASSPNP.SYS[8b1a58b3] → nt!IofCallDriver → [0x85dd0f08]
21:50:20.393 5 acpi.sys[806996bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x85d4e028]
21:50:20.396 Scan finished successfully

Can you help
Thx

Your MBR is OK what files are reported as a rootkit ?

Essexboy, thank you for your reply.

There were 61 files, infortunatly I didn´t copy the log.

But this was bugging me so much, that yesterday I spent most of the night awake. but anyways…

After I read almost all posts about the false positive-thing I looked carefully into the Chest. All the files I had there were transfered in 11-04-2011. So, I´ve restored them all.

Today, there were no rootkit alert, only a couple of infected files I moved to the chest.

Right now, I´m running another full-sistem scan.

I´ll post the results
Regards

Update:
The full scan resulted in “no threat”
So, for now, I´m OK

Thank you for your atention

Ah right - I had some files quarantined with that but as they were html I suspected an FP but couldn’t get on to the forum