After cleaning up the majority of my malware infestation with Process Explorer and Autoruns I am relying on Avast antivirus to clean up the rest. It continues to find a rootkit described as follows:

File Name: MBR:\.\PHYSICALDRIVE0

Severity: High

Status: Threat: Rootkit: hidden boot-sector

I select delete, let it run its boot-time scan, deleting everything found there, but the same rootkit is still found upon starting Windows and scanning again. Is there some magic bullet that I am missing?

UPDATE:

I have successfully removed the rootkit residing in the master boot record. It was actually as easy as booting with the Win XP CD, selecting "Repair" for a Windows installation, and running fixmbr.

Scans with a few antispyware suites, and a complete scan with Microsoft Security Essentials, show a clean system.

Thanks for all of your suggestions. The answer goes to xciter as I didn't realize that repairing the MBR had to be done with the Win XP CD.

For further discussion: Am I right in thinking that most (if not all) antiviruses won't be able to repair an MBR? Microsoft Security Essentials detected the same rootkit that Avast did, but also could not remove it.

jlnorsworthy
  • possible duplicate of [Removing a rootkit from the MBR.. without formatting?](http://superuser.com/questions/178001/removing-a-rootkit-from-the-mbr-without-formatting) – Mehper C. Palavuzlar May 24 '11 at 07:11
  • not flagging as a duplicate but I found a question with a couple of suggestions here: [Which rootkit cleaner for Window XP do you recommend?](http://superuser.com/questions/14750/which-rootkit-cleaner-for-window-xp-do-you-recommend) which might help. – Kez May 24 '11 at 07:24
  • Thanks for all the help and suggestions everyone - I really appreciate it. I now have plenty of things to try out when I get home. – jlnorsworthy May 24 '11 at 21:15
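An added example, not from the original post or any of the answers, illustrating why "delete" in a scanner cannot help here while fixmbr can: the bootstrap code and the partition table share the same 512-byte sector, so the repair is to rewrite the first 446 bytes and leave the rest untouched. The sector bytes below are constructed, and the function names are this example's own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code, the part fixmbr rewrites
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):  # four 16-byte entries at bytes 446..509
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature_ok": sector[510:] == BOOT_SIGNATURE}

def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the bootstrap area only, to compare against a known-good baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Model of what fixmbr does: replace the bootstrap code, keep table and signature."""
    return clean_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + sector[BOOT_CODE_LEN:]

def audit_mbr(sector: bytes, known_good: str) -> list:
    """Human-readable findings; an empty list means the MBR matches the baseline."""
    info, findings = parse_mbr(sector), []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_fingerprint(sector) != known_good:
        findings.append("bootstrap code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings

# Constructed sample data, not from a real disk: one bootable NTFS (0x07) partition at LBA 63.
def build_sample_mbr(boot_code: bytes) -> bytes:
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE

CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"  # stand-in bytes for clean bootstrap code
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
KNOWN_GOOD = boot_code_fingerprint(CLEAN_MBR)
# Same partition table, altered bootstrap code: the pattern a boot-sector rootkit leaves.
INFECTED_MBR = build_sample_mbr(b"\x90" * 8 + CLEAN_CODE)
```

Running `audit_mbr(INFECTED_MBR, KNOWN_GOOD)` reports only the bootstrap mismatch, and `audit_mbr(rewrite_boot_code(INFECTED_MBR, CLEAN_CODE), KNOWN_GOOD)` returns an empty list, since the partition table was never the problem.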

3 Answers

I suggest restarting into safe mode and removing it from there. If that does not work, connect the HDD to another computer. If it breaks the MBR, repair it with the Windows CD.

xciter
  • Will removing it from safe mode that the boot-time scan will not? – jlnorsworthy May 25 '11 at 03:36
  • I don't really follow your question, but yes, some malware is very stubborn and can only be removed from safe mode. – xciter May 25 '11 at 12:07
  • Doh, I don't understand it either :) Insert "accomplish anything" between "mode" and "that". I was assuming that the boot-time scan (run before windows starts) would be as good as, or better than, trying to clean from safe mode; which by definition is running from within windows. I'm just trying to understand the ins and outs of the whole process. Your answer did lead me to finally cleaning the system - I'll post an update and mark the answer later. Thanks again for your help! – jlnorsworthy May 25 '11 at 16:00
  • Glad I can help. – xciter May 26 '11 at 12:30
Either reinstall Windows or get another anti-virus. I would reinstall for maximum security.

Peltier
Download and run Microsoft Security Essentials. I find this much better than Avast. It is free. Another free app I use is Malwarebytes. Good luck.

Xavierjazz