-
MBR.EXE Shows Clean, but RootRepeal Shows MBR RootKit Detected on E:
Hello all I am new to this forum and to rootkits. Pesky sobs.
I have been reading the forum before posting and trying everything
everyone else has tried. I just want to be sure, before formatting everything, that
I am infected and that there is no way to fix it.
MBR.EXE
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, no urls but gmer
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00B3A0 rev.01.03A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
RootRepeal
This seems too long to post here, but the top reads:
Volume E:\ MBR Rootkit Detected!
Is this normal? Am I infected? What do you need from me
to continue forward in my fight against rootkits (if any)?
I then downloaded Prevx and it detected "THREAT gnserv.dat-vir in c:\windows\temp\". I bought a one-year license to remove it, but after removal, restart and rescan the threat still shows up.
Damn the people who make this malicious crap.
Last edited by DiscoverySound; 08-29-2011 at 03:05 PM.
Reason: Adding info
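The mbr.exe log above reads the first sector twice, once through the normal user-mode path and once through the kernel disk driver, and reports "user & kernel MBR OK" when the two copies agree. As an added example (not part of the original post and not GMER's code), the Python below does the same kind of check offline: it parses a 512-byte MBR, hashes the boot-code region so it can be compared against a known-good copy, and diffs two reads of the sector. Both sample sectors are constructed inside the script; `read_mbr_from_device` uses the real Windows path `\\.\PhysicalDrive0`, which needs administrator rights, and is never called automatically.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic x86 boot code occupies bytes 0..439
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510..511


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Validate the boot signature and return the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code region; compare it with a hash taken from a known-clean MBR."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def compare_reads(user_view: bytes, kernel_view: bytes) -> List[int]:
    """Offsets where two reads of the same sector differ.

    An empty list is the "user & kernel MBR OK" case; a bootkit that hooks the
    user-visible read path shows up here as a non-empty list of offsets.
    """
    return [i for i, (a, b) in enumerate(zip(user_view, kernel_view)) if a != b]


def read_mbr_from_device(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR on Windows (administrator rights required). Not called below."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET,
                     0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed data: a "clean" sector and a copy whose first three boot-code bytes
# were overwritten with a jump (the partition table is left untouched, which is
# why a partition listing alone would not reveal the change).
CLEAN = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20)
_tampered = bytearray(CLEAN)
_tampered[0:3] = b"\xe9\x00\x01"
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    print("partitions:", parse_mbr(CLEAN))
    print("clean boot-code digest:", boot_code_digest(CLEAN))
    print("same read twice, differing offsets:", compare_reads(CLEAN, CLEAN))
    print("clean vs tampered, differing offsets:", compare_reads(CLEAN, TAMPERED))
```

Note that the tampered sector still parses to exactly the same partition table as the clean one; only the digest and the byte-level diff reveal the modification, which is why the tools in this thread compare whole-sector reads rather than just listing partitions.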
-
You are infected. As it is not easy to get rid of rootkits, the question now is how much time and effort you are prepared to spend trying to get rid of the infection.
I refuse to tip toe through life only to arrive safely at death
-
Originally Posted by Odie:
You are infected. As it is not easy to get rid of rootkits, the question now is how much time and effort you are prepared to spend trying to get rid of the infection.
Well, if it will save me the time of moving everything to a safe place and reinstalling everything, I would like to give it a shot.
-
In order not to duplicate what you might have done already, could you please tell us which actions, if any, you have taken?
We might just be lucky and get rid of it with one of the following scanners:
RootkitBuster (Trendmicro)
AntiRootkit (Panda)
Sophos Anti Rootkit (Sophos)
-
Verified Member
I would suggest you use the malware removal tool ComboFix.
ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.
Here is the step-by-step guide on installing and using ComboFix:
Link : http://www.bleepingcomputer.com/combofix/how-to-use-combofix
-
Verified Member
Don't reinstall yet. There are a lot of ways to remove the infection from your PC. Try Malwarebytes and SUPERAntiSpyware.
-
Moderator
Try these free MBR rootkit removal tools; do not forget to read the instructions:
http://www.eset.eu/encyclopaedia/mebroot_backdoor_sinowal_trojan_mebroot_stealth_mbr_trojan_backdoor_maosboot?lng=en
http://www.symantec.com/security_response/writeup.jsp?docid=2008-020817-4716-99
http://support.kaspersky.com/faq/?qid=208280684
http://www.malwarecity.com/blog/free-removal-tool-for-tdl4-available-now-1106.html
You may also try to use
NoVirusThanks Anti-Rootkit Free
I hope it helps
-
DiscoverySound,
My advice, for what it's worth, is to seek help from a trained analyst on one of the many malware removal forums.
Some worth mentioning:
SpywareHammer
hxxp://spywarehammer.com/simplemachinesforum/index.php?PHPSESSID=tfueabhrg52e60kjpfes0ssa14&board=10.0
Malware Removal
hxxp://www.malwareremoval.com/forum/viewforum.php?f=11&sid=86b269a45cfa3b95bf33950c55349b5e
Aumha Malware Removal
hxxp://aumha.net/viewforum.php?f=30
Geeks to Go Virus, Spyware, Malware Removal
hxxp://www.geekstogo.com/forum/forum/37-virus-spyware-malware-removal/
================================
Sorry about the links, I had to mung them due to posting restrictions for new members. Just replace hxxp with http at the beginning of each link.
-
Experienced User
Rootkit scans are also often false positives. If you're unsure, do not delete anything. The MBR is not all bad; it could be part of the antivirus or something else. If everything runs normally without any problems on your computer, ignore it temporarily, until you are sure.
Last edited by solin; 08-31-2011 at 12:45 PM.