Win32:MBRoot

Hi, I’ve got a message from avast saying that it has detected a rootkit with a heuristic method, saying “\.\physicaldrive0 MBR:Win32:MBRoot”.

The delete option doesn’t seem to work, nor does the boot time scan. I’ve also ran a Malwarebytes’ anti-malware, which didn’t find anything relevant (I attached the log anyway).

So I ran the OTL tool from this thread. I’ve attached the log. I had to run it more than once, because the first time I realised my comps date setting was wrong, and the extras file said it couldn’t access several databases, but now I have no extras file. I hope that’s not essential, don’t know why it’s stopped appearing.

Thanks in advance.

Essexboy is notified…

you find him here tomorrow at 8:00pm - 11:59pm UK time
http://www.timeanddate.com/worldclock/

OK lets go for it :smiley:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.jpg

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2.png

Click the “Fix” in case of infection

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR3.png

Save the aswMBR.log to the desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR4.png

THEN

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Well, I’ve rebooted and the message hasn’t popped up, so it seems to have been cleared. Thanks very much! I assume changing all my passwords now would be a good idea.

Reports attached.

Excellent ASWMbr killed it first.

Do you have any other problems ?

And yes it would be prudent to change passwords

Nope, that’s me sorted.
Thanks again essexboy!

OK just delete both files from your desktop and enjoy ;D

hi guys,

I just installed Commodo Time Machine and my Avast is reporting it like Win32:MBRroot u think is a false positive message? I deleted with ur instructions but i really want to keep that program in my system.
More interesting is that on my laptop Avast is not notofing me about this MBRoot and i have same aplication installed there !!!

What shel i do? ???

Thanks

Lucian

Open a new topic for your problem. :wink:
Thanks,
asyn