paulonuvem

Heuristic.Possible.MBR.Rootkit!E1


Hello

I made a complete scan with Emsisoft Anti-Malware and it finds «only» Heuristic.Possible.MBR.Rootkit!E1 (on \\.\PhysicalDrive0 - Rootkits)... There was an alert to view these support forums and I've read the following post: http://support.emsisoft.com/topic/6645-heuristicpossiblembrrootkite1-manual-removal/page__hl__heuristic.possible.mbr.rootkit%26%2333%3Be1__fromsearch__1

So I downloaded TDSSKiller, saved it to my Desktop and double-clicked on TDSSKiller.exe to run the application; it found four threats and now I send the report as an attached file...

What more can I do to clean my PC?

Thanks

Paulo


I was able to run the Emsisoft Emergency Kit scan, but the OTL scan stays stuck/frozen at «Scanning Firefox settings»... I tried 3 times; each time some problem occurred, I shut down Windows and switched Windows on again, and the same problem happened...


Download ComboFix from one of these locations:

Save it as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I did what you said and it took about one hour to complete the task... Afterwards some programs didn't start up (for instance the antivirus). I rebooted the PC and more programs started up, but even so Ashampoo Magical Defrag and Kaspersky Internet Security didn't start well. After I shut the PC down completely and switched it on again everything was OK. But now I have 12 .RIT files (from VPART000.RIT to VPART011.RIT) on drive C: of about 2 gigabytes each, and I want to know if I can delete them. Can I?

The problem is that I've run a smart scan with Emsisoft Anti-Malware again and the problem (Heuristic.Possible.MBR.Rootkit!E1) still remains. Is it dangerous, or can I trust that my PC will run normally without problems in the coming days?


Do the following:

  1. Click on the Start button and then choose Control Panel.
  2. Click on the System and Security link.
    Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4.
  3. In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
  4. In the Administrative Tools window, double-click on the Computer Management icon.
  5. When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.
    After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.
    Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.

Take a screenshot of the Disk Management window and attach the screenshot to your reply.


So...

But you've said nothing about: «But now I have 12 .RIT files (from VPART000.RIT to VPART011.RIT) on drive C: of about 2 gigabytes each, and I want to know if I can delete them. Can I?»

Were those files made by the restore mechanism of ComboFix?

Now I send you the screenshot from Disk Management...

But you've said nothing about: «But now I have 12 .RIT files (from VPART000.RIT to VPART011.RIT) on drive C: of about 2 gigabytes each, and I want to know if I can delete them. Can I?»

ComboFix did not create those files; they were created by your drive backup software.

Your system does not appear to be infected. Drive backup/cloning software often alters the MBR.


From what I discovered on the Net, files with the file extension .RIT are part of «Farstone» programs... And I have Farstone Restore It (http://www.farstone.com/software/restore-it.php) installed on my PC. Also I've read on the Net that «Farstone» programs change the MBR... so I can, perhaps, draw the conclusion that Heuristic.Possible.MBR.Rootkit!E1, the only thing «found» by the Emsisoft Anti-Malware complete scan, was a false rootkit... What do you think about it?


Yes, that is correct.

Download to the System32 folder:

- Stealth MBR rootkit detector by Gmer

Do the following:

Start -> All Programs -> Accessories -> Right click "Command Prompt" -> "Run as administrator"

Click "OK" on any alerts.

The Command Console will open.

Enter the following command at the Command Prompt. The quotes are required.

Press the Enter key after each command.

mbr.exe -c 0 1 c:\copy_of_sector_00 (there is a space between the .exe and -c)

Wait for the above command to finish, then type:

exit

The Command Console will close.

Now ZIP c:\copy_of_sector_00 and attach the zip archive to your reply. An Emsisoft developer will examine the MBR and add it to the known good MBR whitelist.


The Heuristic.Possible.MBR.Rootkit detection is a purely behavioral detection. What happens is that the MBR is read twice, once using the Windows API and a second time using direct access. If the two readings differ, it triggers a heuristic MBR rootkit detection.

This happens because some rollback solutions use bootkit-like technology to protect their custom MBR. At this time there is no way to whitelist false positive MBR detections.
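As an added example, not code from this thread or from Emsisoft's scanner: a Python script that parses a raw sector-0 dump such as the copy_of_sector_00 file the mbr.exe command above writes, and reproduces the two-readings comparison the developer describes on constructed sample MBRs. The names load_sector, parse_mbr and compare_reads are hypothetical, and the sample bytes are made up; a rollback tool's protected custom MBR and a bootkit would both show up the same way here, as a boot-code mismatch rather than a partition-table change.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446      # bytes 0..445: boot code (the part a bootkit or rollback tool replaces)
PART_TABLE_END = 510     # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511: boot signature

def load_sector(path: str) -> bytes:
    """Read a raw sector-0 dump such as the copy_of_sector_00 file mbr.exe writes."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, used partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:  # type 0 means the slot is unused
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_END], "partitions": entries,
            "valid_signature": sector[PART_TABLE_END:] == SIGNATURE}

def compare_reads(api_read: bytes, direct_read: bytes) -> dict:
    """The heuristic in miniature: diff the API view of sector 0 against the direct-access view."""
    a, d = parse_mbr(api_read), parse_mbr(direct_read)
    diffs = [i for i in range(SECTOR_SIZE) if api_read[i] != direct_read[i]]
    return {"suspicious": bool(diffs),
            "boot_code_differs": a["boot_code"] != d["boot_code"],
            "partition_table_differs": a["partitions"] != d["partitions"],
            "first_diff_offset": diffs[0] if diffs else None,
            "direct_signature_ok": d["valid_signature"]}

def build_sample(boot_code: bytes) -> bytes:
    # Constructed sample MBR: given boot code, one bootable NTFS-type partition, valid signature.
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + entry + b"\x00" * 48 + SIGNATURE

# Constructed scenario (not real disk data): the direct read shows a different boot
# loader than the Windows API view, as a rollback tool's protected custom MBR would.
API_VIEW = build_sample(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
DIRECT_VIEW = build_sample(b"\xeb\x3c\x90CUSTOM-MBR-LOADER")
```

Run compare_reads(load_sector(path_a), load_sector(path_b)) on two real dumps to see which region differs; an identical pair returns suspicious=False.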

This topic is now closed to further replies.