rootkit: Avast says it deletes it, but it detects it every time I boot up. How do I get rid of this?


After cleaning up the majority of my malware infestation with Process Explorer and Autoruns I am relying on Avast antivirus to clean up the rest. It continues to find a rootkit described as follows:

File Name: MBR:\.\PHYSICALDRIVE0

Severity: High

Status: Threat: Rootkit: hidden boot-sector

I select delete, let it run its boot-time scan, deleting everything found there, but the same rootkit is still found upon starting Windows and scanning again. Is there some magic bullet that I am missing?

UPDATE:

I have successfully removed the rootkit residing in the master boot record. It was actually as easy as booting with the Win XP CD, selecting "Repair" a Windows installation, and running fixmbr.

Scans with a few antispyware suites, and a complete scan with Microsoft Security Essentials, show a clean system.

Thanks for all of your suggestions. The answer goes to xciter as I didn't realize that repairing the MBR had to be done with the Win XP CD.

For further discussion: Am I right in thinking that most (if not all) antiviruses won't be able to repair an MBR? Microsoft Security Essentials detected the same rootkit that Avast did, but also could not remove it.

jlnorsworthy

Posted 2011-05-24T06:21:34.553

Reputation: 135
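The update above confirms the fix only by re-scanning with antivirus products. A complementary low-level check, added here as an example and not part of the original question or answers, is to read the first sector of \\.\PhysicalDrive0 (the object Avast names in its detection) and compare its boot code against a known-good copy, while also sanity-checking the partition table. The boot code bytes, partition table values, disk signature, disk size and the "known-good" hash below are constructed for the example; on a real machine you would record the hash right after running fixmbr, when the MBR is known clean, and compare later. Only the first 440 bytes are hashed, because bytes 440-445 hold the per-disk NT disk signature and would make hashes differ between identical boot loaders.

```python
"""Parse and sanity-check a 512-byte MBR sector (example code, not from the thread)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 440-443: NT disk signature, 444-445: reserved
PART_TABLE_OFFSET = 446
SIGNATURE_OFFSET = 510
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code hash, used partition entries and signature flag."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("MBR must be at least 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:       # type 0 means the slot is unused
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 4].hex(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, known_good_boot_sha256: str, disk_sectors: int) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != known_good_boot_sha256:
        findings.append("boot code differs from the known-good MBR")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for p in ordered:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


# --- constructed sample data (not captured from a real disk) -------------------
DISK_SECTORS = 20971520  # a 10 GiB disk
# stand-in for clean boot code: a few plausible opcodes followed by NOP padding
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
DISK_SIG = b"\x12\x34\x56\x78\x00\x00"  # constructed NT disk signature + reserved bytes
# one active NTFS (type 0x07) partition starting at sector 63
PART_ENTRY = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20000000)
PART_TABLE = PART_ENTRY + b"\x00" * 48
CLEAN_MBR = CLEAN_BOOT_CODE + DISK_SIG + PART_TABLE + b"\x55\xaa"
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
# bootkit-style tamper: boot code replaced, partition table and signature left intact
TAMPERED_MBR = (b"\xeb\x20" + b"\x00" * 438) + DISK_SIG + PART_TABLE + b"\x55\xaa"


def read_first_sector(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the real MBR on Windows; needs an elevated (administrator) prompt."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    for name, mbr in (("clean sample", CLEAN_MBR), ("tampered sample", TAMPERED_MBR)):
        print(name, "->", check_mbr(mbr, KNOWN_GOOD_SHA256, DISK_SECTORS) or "no findings")
```

The tampered sample reproduces the pattern the thread describes: the partition table is untouched, so the system still boots normally, and only the boot code hash reveals the change. A scanner that reports the detection but cannot write the sector back is why fixmbr from the XP CD, which rewrites the boot code and leaves the partition table alone, was what finally cleared it.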

possible duplicate of Removing a rootkit from the MBR.. without formatting?

– Mehper C. Palavuzlar – 2011-05-24T07:11:13.797

not flagging as a duplicate but I found a question with a couple of suggestions here: Which rootkit cleaner for Window XP do you recommend? which might help.

– Kez – 2011-05-24T07:24:46.023

Thanks for all the help and suggestions everyone - I really appreciate it. I now have plenty of things to try out when I get home. – jlnorsworthy – 2011-05-24T21:15:30.983

Answers


I suggest restarting into safe mode and removing it from there. If that does not work, connect the HDD to another computer. If it breaks the MBR, repair with the Windows CD.

xciter

Posted 2011-05-24T06:21:34.553

Reputation: 524

Will removing it from safe mode that the boot-time scan will not? – jlnorsworthy – 2011-05-25T03:36:57.583

I don't really follow your question, but yes, some malware is very stubborn and can only be removed from safe mode. – xciter – 2011-05-25T12:07:06.307

Doh, I don't understand it either :) Insert "accomplish anything" between "mode" and "that". I was assuming that the boot-time scan (run before windows starts) would be as good as, or better than, trying to clean from safe mode; which by definition is running from within windows. I'm just trying to understand the ins and outs of the whole process. Your answer did lead me to finally cleaning the system - I'll post an update and mark the answer later. Thanks again for your help! – jlnorsworthy – 2011-05-25T16:00:19.473

Glad I can help. – xciter – 2011-05-26T12:30:41.447


Either reinstall Windows or get another anti-virus. I would reinstall for maximum security.

Peltier

Posted 2011-05-24T06:21:34.553

Reputation: 4 834


Download and run Microsoft Security Essentials. I find this much better than Avast. It is free. Another free app I use is Malwarebytes. Good luck.

Xavierjazz

Posted 2011-05-24T06:21:34.553

Reputation: 7 993