NOD32 identifies Mebroot.bz but can't clean it


dmr316
October 31st, 2009, 03:34 PM
Hi,

I've got a serious pc problem to do with recovering from a malware attack.

As far as I can tell, my PC is clean of malware except for the MBR which NOD32 (v4) says is still infected with Mebroot.bz.

I've read some topics here and used the recovery console in XP to fixmbr but although Windows says the MBR is now "clean", using the mbr.exe tool says the following:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x098A7FEC
malicious code @ sector 0x098A7FEF !
PE file found in sector at 0x098A8005 !

I've tried submitting this to ESET but the software doesn't seem to have an option for this type of virus/malware. Is this because it's new? And is there anything I can do, short of rebuilding my PC from scratch?

Thanks in advance for any help.
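The mbr.exe output above reports three things: the live MBR in sector 0 looks fine, a copy of the MBR sits at another sector, and sectors near that copy hold code and a PE header. The following added example (not part of this thread, not gmer's tool, and not ESET's code) shows what such a check does on a raw disk image: it parses the MBR's partition table and boot signature, then walks the sectors that belong to no partition looking for a duplicate of sector 0 and for sectors that start with a PE ("MZ") header. The image, partition layout and sector numbers are constructed for the demo; gmer prints sector numbers in hex (0x098A7FEC), so compare them with hex(lba).

```python
import struct

SECTOR = 512
PART_TABLE_OFF = 446          # the four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"        # last two bytes of a valid MBR

def parse_mbr(mbr: bytes):
    """Return (bootstrap code, partition list) from a 512-byte MBR; raise if the signature is missing."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue                                   # empty slot
        lba_start, n_sectors = struct.unpack_from("<II", entry, 8)
        parts.append({"slot": i, "type": ptype, "start": lba_start, "count": n_sectors})
    return mbr[:PART_TABLE_OFF], parts

def in_partition(lba: int, parts) -> bool:
    return any(p["start"] <= lba < p["start"] + p["count"] for p in parts)

def scan_image(image: bytes) -> dict:
    """Report what a stealth-MBR detector reports: stashed copies of the MBR, and PE images
    lying in sectors that belong to no partition (where a bootkit keeps its payload)."""
    mbr = image[:SECTOR]
    code, parts = parse_mbr(mbr)
    findings = {"mbr_copies": [], "pe_outside_partitions": []}
    for lba in range(1, len(image) // SECTOR):
        if in_partition(lba, parts):
            continue                                   # filesystem data; out of scope here
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[PART_TABLE_OFF:] == mbr[PART_TABLE_OFF:] and sec[:PART_TABLE_OFF] == code:
            findings["mbr_copies"].append(lba)         # same boot code, table and signature as sector 0
        elif sec[:2] == b"MZ":
            findings["pe_outside_partitions"].append(lba)
    return findings

def build_demo_image() -> bytes:
    """Constructed 1200-sector image: one partition at LBA 63 (XP-style layout), an MBR copy at
    sector 1100, a PE header at 1103 in unallocated space, and a PE header at 500 inside the partition."""
    bootstrap = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFF - 5)
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xfe, 0xff, 0xff]) + struct.pack("<II", 63, 1000)
    table = entry + b"\x00" * 48
    mbr = bootstrap + table + BOOT_SIG
    assert len(mbr) == SECTOR
    image = bytearray(1200 * SECTOR)
    image[0:SECTOR] = mbr
    image[1100 * SECTOR:1101 * SECTOR] = mbr
    pe_sector = b"MZ" + b"\x90" * 510                  # constructed stand-in for a stored PE file
    image[1103 * SECTOR:1104 * SECTOR] = pe_sector
    image[500 * SECTOR:501 * SECTOR] = pe_sector       # a PE inside the partition is ordinary file data
    return bytes(image)

if __name__ == "__main__":
    result = scan_image(build_demo_image())
    for name, lbas in result.items():
        print(name, [hex(l) for l in lbas])
```

The PE inside the partition at sector 500 is deliberately ignored: executables are expected in a filesystem, and only those sitting in space no partition owns are suspicious. This matches the situation in the thread, where the MBR itself passes and the only findings are leftovers in unallocated sectors.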

BFG
October 31st, 2009, 03:44 PM
Hello,

The article on this (http://www.itechs-systems.com/articles/a5.htm) page explains mbr viruses and what can be done to clean them.

BFG

dmr316
October 31st, 2009, 06:15 PM
-{ Quote: "Hello,

The article on this (http://www.itechs-systems.com/articles/a5.htm) page explains mbr viruses and what can be done to clean them.

BFG" }-

Thanks for the link. I used it to try and rebuild the MBR but am still getting the same messages with (a) NOD32 being able to identify mebroot.bz but not being able to clean it, and (b) using gmer's mbr.exe tool which is still finding malicious code and a PE file in various sectors of the MBR.

At this point I'm thinking maybe it'd be a good idea to copy what data I can to a USB drive and then format c: and start again. Would you agree? Or should I see if the next NOD32 update might be able to help?

agoretsky
November 1st, 2009, 03:41 AM
Hello,

Have you tried using ESET's stand-alone MebRoot remover? It can be downloaded from this (http://www.eset.eu/encyclopaedia/mebroot_backdoor_sinowal_trojan_mebroot_stealth_mbr_trojan_backdoor_maosboot) page in ESET's Threat Encyclopædia.

Regards,

Aryeh Goretsky

dmr316
November 1st, 2009, 05:18 AM
-{ Quote: "Hello,

Have you tried using ESET's stand-alone MebRoot remover? It can be downloaded from this (http://www.eset.eu/encyclopaedia/mebroot_backdoor_sinowal_trojan_mebroot_stealth_mbr_trojan_backdoor_maosboot) page in ESET's Threat Encyclopædia.

Regards,

Aryeh Goretsky" }-

Hi Aryeh, thanks for the link to ESET stand-alone MebRoot remover tool.

I've used it to try and remove the MBR rootkit but although it "found the Meb's MBR", it identified the rootkit as "no active" [sic] and it was "unable to clean the rootkit".

So my dilemma is this: because the rootkit is not active, is my PC OK to use even though NOD32 v4 is identifying my MBR as still being infected with the Mebroot.bz trojan? In other words, is this a 'false positive'?

Or should I try and backup my files a.s.a.p. and reimage my hard disk after a low level format? Or even buy a new hard disk before starting again?

Thanks for your help (and this would have to happen to me on a weekend... :'( )

stackz
November 2nd, 2009, 04:37 AM
Hi dmr,

From what you've described it certainly appears that your MBR is clean; just some of the malicious code that the infected MBR executed is still on disk. Given that there's no longer anything to execute this code then you've reason to worry about it; as the Mebroot removal tool showed, it's inactive.

dmr316
November 2nd, 2009, 12:39 PM
-{ Quote: "Hi dmr,

From what you've described it certainly appears that your MBR is clean; just some of the malicious code that the infected MBR executed is still on disk. Given that there's no longer anything to execute this code then you've reason to worry about it; as the Mebroot removal tool showed, it's inactive." }-

Thanks stackz, that's good to know. It's just worrying that every time I turn my PC on, NOD32 is saying that there's a boot sector threat it can't fix. But you've given me good reason to sleep easy tonight, so thank you for that and hopefully ESET will be able to clean it at some point, otherwise I'll have to buy my xmas present (a new pc) early...

harsha_mic
November 2nd, 2009, 12:58 PM
Sorry if the question is meaningless...

If the malware is inactive, then why is it difficult for NOD32 to remove the remaining malicious code?

dmr316
November 2nd, 2009, 05:56 PM
-{ Quote: "Sorry if the question is meaningless...

If the malware is inactive, then why is it difficult for NOD32 to remove the remaining malicious code?" }-

It's not a meaningless question at all, I've been wondering that myself.

I can only surmise that maybe NOD32 either:
i - doesn't have enough permissions to repair the MBR fully
ii - isn't able to repair the MBR fully

As I understand it, Mebroot.bz is an old trojan because I think Mebroot.i is the current version running amok on the internet.

Hopefully ESET will sort something out soon because I can't be the only one in this situation?

trjam
November 2nd, 2009, 06:06 PM
I keep going back to what an AV product's responsibility is: detection or cleaning. If both, then I want my AV to detect and clean at the same time. Now cleaning means ensuring all remnants are gone and all my files and registry entries are exactly like they are supposed to be.

To me that is not going to happen with any AV product, or others.

I am firm in thinking that something like ShadowDefender used with a great product like Eset are as close to perfection as you can get. AV detects, SD reboots any changes. I honestly don't understand why more don't see the logic in this. Maybe it is me.

stackz
November 2nd, 2009, 10:43 PM
Provided that the MBR is clean, there are various hex editors that allow you to manually write directly to disk, that is, you could zero out the malicious code remnants.

I wouldn't recommend this for the inexperienced and having a full disk image to recover to is a must, in case something goes awry.
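stackz's two conditions above (a clean MBR, and a full image to fall back on) are the whole safety case for hand-zeroing remnants. The following added example (not from the thread or any tool mentioned in it) shows the discipline in code against a raw disk image file rather than a live drive: it saves the exact sectors it is about to overwrite to a backup file, refuses to touch sector 0, verifies afterwards that the MBR is byte-for-byte unchanged, and can put the saved sectors back. The image contents, sector numbers and backup record format are constructed for the demo.

```python
import os
import tempfile

SECTOR = 512

def zero_sectors_with_backup(image_path: str, sectors, backup_path: str) -> None:
    """Zero the given sectors of a raw disk image, saving their original bytes first.
    Sector 0 (the MBR) is never touched: the premise of this step is that the MBR is already clean."""
    targets = sorted(set(sectors))
    if not targets or targets[0] == 0:
        raise ValueError("refusing to zero sector 0 (the MBR) or an empty sector list")
    with open(image_path, "rb") as f:
        original = f.read()
    if targets[-1] * SECTOR + SECTOR > len(original):
        raise ValueError("sector list extends past the end of the image")
    # Backup record format (constructed for this example): 8-byte little-endian LBA, then the 512-byte sector.
    with open(backup_path, "wb") as b:
        for lba in targets:
            b.write(lba.to_bytes(8, "little"))
            b.write(original[lba * SECTOR:(lba + 1) * SECTOR])
    with open(image_path, "r+b") as f:
        for lba in targets:
            f.seek(lba * SECTOR)
            f.write(b"\x00" * SECTOR)
    # Post-condition: the MBR must be exactly what it was before we started.
    with open(image_path, "rb") as f:
        if f.read(SECTOR) != original[:SECTOR]:
            raise RuntimeError("MBR changed during cleanup; restore from backup")

def restore_sectors(image_path: str, backup_path: str) -> list:
    """Write the saved sectors back into the image. Returns the LBAs restored, in file order."""
    restored = []
    with open(backup_path, "rb") as b, open(image_path, "r+b") as f:
        while True:
            hdr = b.read(8)
            if not hdr:
                break
            lba = int.from_bytes(hdr, "little")
            data = b.read(SECTOR)
            f.seek(lba * SECTOR)
            f.write(data)
            restored.append(lba)
    return restored

def demo() -> dict:
    """Round trip on a constructed 64-sector image: fake MBR at sector 0, one remnant sector at 40."""
    mbr = b"\xfa\x33\xc0" + b"\x90" * 507 + b"\x55\xaa"
    remnant = b"MZ" + b"\xcc" * 510          # constructed stand-in for a leftover PE sector
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = mbr
    image[40 * SECTOR:41 * SECTOR] = remnant
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        bak = os.path.join(d, "sectors.bak")
        with open(img, "wb") as f:
            f.write(image)
        try:
            zero_sectors_with_backup(img, [0], bak)
            refused = False
        except ValueError:
            refused = True                   # the guard against clobbering the MBR fired
        zero_sectors_with_backup(img, [40], bak)
        with open(img, "rb") as f:
            after = f.read()
        zeroed = after[40 * SECTOR:41 * SECTOR] == b"\x00" * SECTOR
        mbr_intact = after[:SECTOR] == mbr
        restored = restore_sectors(img, bak)
        with open(img, "rb") as f:
            back = f.read()
        return {"refused_sector0": refused, "zeroed": zeroed, "mbr_intact": mbr_intact,
                "restored": restored, "roundtrip_ok": back == bytes(image)}

if __name__ == "__main__":
    print(demo())
```

Working on an image file is the point: take the full disk image stackz calls a must, run the cleanup against a copy of it, confirm the MBR post-condition holds, and only then decide whether to apply the same sectors to the real disk.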

dmr316
November 3rd, 2009, 03:26 PM
-{ Quote: "I am firm in thinking that something like ShadowDefender used with a great product like Eset are as close to perfection as you can get. AV detects, SD reboots any changes. I honestly don't understand why more don't see the logic in this. Maybe it is me." }-

To answer your last point, I think it must be because not many people have heard of ShadowDefender. Having said that, I googled it and have downloaded it to see just how good it is alongside NOD32.

-{ Quote: "Provided that the MBR is clean, there are various hex editors that allow you to manually write directly to disk, that is, you could zero out the malicious code remnants.

I wouldn't recommend this for the inexperienced and having a full disk image to recover to is a must, in case something goes awry." }-

You're right, I don't feel comfortable doing something like that because I'd have no idea what I'm doing. But I can ask my friend to Acronis my rebuild, just in case.

So thanks both for the tips! :)

trjam
November 3rd, 2009, 03:29 PM
Some worry about making sure updates are excluded in ShadowDefender, which I have never understood. Everything or file you exclude is a hole and you have to be careful. Eset will update fine in shadow mode and yes, when you come out, all updates are gone, but you just hit the update button and voilà, you are exactly where you should be again. Seamless to me.