Help - Rootkit MBR Found - Now What?

Hello all and thanks in advance for your time reading my thread. Yesterday I came home from work and woke my desktop from hibernation. When doing so, I see “A Rootkit was Found” dialog box from Avast on the screen. I am running XP Media Center with SP2. Avast is 4.8 with the latest detections file loaded.

I told Avast to delete the file and shortly thereafter, another dialog box pops up stating that a boot scan is recommended because there is a virus and a hidden file was found. The file name was MBR: \\.\PHYSICALDRIVE0. And as I recall it was a pretty serious tone in the dialog text, just do not remember it all.

The bootup scan ran for quite some time. Found a file or two that had the win32: VB-GMR [trG] problem and told it to delete them. However, the problem did not go away. The boot finished and the process started all over again. I have tried the above sequence a few times with the same results.

Have been doing some reading about this problem these past few hours and it looks like I got a big problem on my hands. There does not seem to be a way to correct this problem if the operating system starts before any corrective measures that I can throw at it. Thus the reason for the lack of success of removing it from my machine - I think.

I also downloaded other rootkit identifying tools from Panda, GMER, and AVG. I have run these but they do not find any rootkits on my system. Also ran Spybot and Adaware just to make sure there were not other problems. They both came back negative. Am I seeing a false positive from Avast? If not, what are the steps to get rid of this? Any help is greatly appreciated.

Steve

Download the avast beta; it has improved the rootkit MBR disinfection. Also disable the System Restore of WinXP before you make the scan.

Where do you find the latest beta version? Went here - http://www.avast.com/eng/beta_products.html and there were none listed.

Thanks,
Steve

Check out this Topic and instructions, http://forum.avast.com/index.php?topic=34612.0.

Thank you for the link to the beta and advice. Installed the beta and it cleared all my problems up.

Thanks again,
Steve

No problem, glad your problem is resolved and I could help.

Welcome to the forums.