
Trojan in master boot record, please help

How do I make a bootable flash drive so I can clean the boot record, something the computer will run before it reads the hard drive? I really don't want to reformat and re-install Windows to deal with this. zonedogg@verizon.net

  • Hi,

    Remsav is a utility (actually just a script) that Support provides to clean up any remnants of SAV (registry, temp folders etc.) before reinstalling. I'm sure there's a link on the site somewhere in a KB but can't recall myself which one. QC, any ideas? AVRemove is a tool Sophos provides to remove other brands of AV.

    Matt
  • Hello weschrist and Matt,

    So C: is the OS partition. If D: contains only data, Sophos shouldn't choke on D:\System Volume Information\...\*.

    But one step at a time. So Sophos Anti-Virus is up to date. You should run SAV32CLI (from the Sophos Anti-Virus directory) with the following settings:

    sav32cli.exe -mbr -bs=C,D -all C:\ -p=sav32cli-C.log

    This will run quite some time and should detect a threat if there is one. Or you could run a full scan:

    sav32cli.exe -mbr -bs=C,D -f -all C:\ -p=sav32cli-C.log

    This will take even longer and is usually not necessary. Note that in both cases the scan is restricted to C:.

    If it hangs at this point, try without the -mbr and -bs options. If it works then, this indicates a problem scanning the boot record. Unlikely, but who knows.

    If you are happy with the results scan your D: drive.

    sav32cli.exe -ns -f -all D:\ -p=sav32cli-D.log

    If it stops progressing, make a note of the last file scanned and stop it using CTRL-C (if it stops, the logs should also list where it has been when it was stopped). Maybe this gives a hint where it "hangs" or seems to hang.

    Re: remsav. It is not available for download; you get it from Support, and then only if you have made your case. Doesn't look like a flawed install to me, and as long as the above checks haven't been done I don't see its benefit. Anyway, it is no longer the "big gun" like some previous versions, as it says:

    Note: This script will attempt to perform a REGULAR uninstall ...

    and indeed all it does is call MSIEXEC /x {ProductCode}.

    Christian
  • Thanks Christian,

    The only problem I see with this is that if the machine is infected and has 'modified' Sophos, like a certain rootkit I can think of does, sav32cli will not find or detect it during this scan (even in the MBR). The best option, if the user is convinced there's something more on the machine, has to be to scan the HD on a known clean and working system, my original thought. Utilising a different vendor's software on a system known to be infected also helps to 'double' check if an external scan is not available, hence Prevx (almost unknown and extremely small/fast), but pretty reasonable for standalone.

    Hadn't realised remsav wasn't available to download. My copy also deletes some registry entries and files/folders as well as running the MSI. Perhaps it's customised by support for individuals?

    Matt
  • Hello Matt,

    remsav usually has a version number. Last I saw was 3.0.x I think.

    Right, a rootkit might prevent a successful scan, but I wouldn't bet that an "alternate" scanner might not also get subverted. So it's probably better to either slave the disk or use a LiveCD.

    Christian