Re: MBR infection protection help

Discussion in 'other anti-malware software' started by taleblou, May 20, 2010.

Thread Status:
Not open for further replies.
  1. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    Hi:

    A few days ago when I by chance scanned with prevx and it showed a MBR rootkit ($mbr.0 rootkit) that all my security softwares from malwarebyte, superantispyware, hitman pro and a-squared, etc.. missed and forced me to wipe everything clean and repartition and refomat and put a clean windows 7 home 32bit on it again. Now since I have windows 7 home 32bit and antirootkit softwares are limited ( no win 7 support for GMER, ICESWORD, COMBOFIX, etc..), are there any MBR capable scanning anti rootkits out there that also removes it beside prevx? Also what should I do to protect from future MBR infection? I currently put SHADOW DEFENDER on my clean window and is it enough to protect against MBR infection? Any help on this matter is welcomed. Thanks in advance.
     
  2. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
  3. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    The free version of Prevx should of gave you the option to remove MBR rootkit for free and it also will remove some adware for free!

    HTH,

    TH
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  5. cgeek

    cgeek Registered Member

    Joined:
    Mar 31, 2010
    Posts:
    328
  6. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    Hi:

    Thanks for replies. Firstly prevx did not offer to clean the mbr and asked for subscription to remove it? I do not know what you mean by free prevx 3 will remove mbr (it did not on mine) forcing me to do a clean pc and format. Also blueridge mbr guard looks and sound great but will it conflict with shadow defender, comodo, etc.? Also cgeek you mean that shadow defender (paid) is effective against mbr infection then? Thanks in advance.

    Also I wanted to stick with linux mint (since tiered of windows infections) but it seems my internet is filtered on some web sites (believe it or not) and the only way to bypass it is using comodo dns server. Also proxies did not work to by pass the issue. I have called Primus about the issue and they can not find the cause of the certain site being blocked. Anyway because of Comodo dns server which is part of their comodo IS had to go back to windows instead of linux mint I had. SO I am stuck with windows for my browsing and comodo DNS server. lol
     
  7. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    most virtualization software removed mbr protection in their features to avoid possible conflicts.

    however Wondershare Timefreeze offers MBR protection aside from its virtualization feature.

    first, you must remove the infection from your mbr and use some of the apps mentioned above to protect your MBR.
     
  8. cgeek

    cgeek Registered Member

    Joined:
    Mar 31, 2010
    Posts:
    328
    No. Shadow Defender does not protect the MBR. Neither does Wondershare as far as I know. It's not listed on their website.
    Virtual desktop systems that I know for a fact that protect the MBR are Returnil and Comodo Time Machine.
    Note: I have not read the help file within WonderShare Time Freeze so forgive me if I am mistaken.

    Also you can try OpenDNS instead of Comodo DNS if you haven't already done so.


    Thanks
    cgeek
     
  9. guest

    guest Guest

  10. cgeek

    cgeek Registered Member

    Joined:
    Mar 31, 2010
    Posts:
    328
    Ah, It sure does. Thank you for pointing this out. I retract my statement about SD not protecting the MBR.
     
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    What security did you have running at the time of the MBR rootkit besides Prevx? I have asked (PrevxHelp) to look at this thread! Any extra info would be appreciated!

    TH
     
    Last edited: May 20, 2010
  12. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    cgeeek

    wondershare time freeze also provide MBR protection. I tried it.
    though not enabled by default. :)
     
  13. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I need to ask this.
    Does Sandboxie protect the MBR?
     
  14. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
  15. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    yes, to a certain degree.
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Prevx should indeed offer free cleanup for MBR rootkits - if you are still experiencing this problem, please write into our tech support inbox at http://info.prevx.com/service.asp to have one of our engineers assist with your cleanup process.

    Thank you and let me know if you have any other questions! :)
     
  17. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    Hi:
    Thanks for all your help guys. Well to answer a few of your questions. Before I use prevx 3 I had 8 antimalwares (hitman pro, a-squared, malwarebyte antimalware, super antispyware, comodo IS, Iobot 360, Clamwin) and they all showed clean system. Been using them for a while and then just by chance decided to use prevx free and scan for the heck of it and to my surprise it detected a $mbr.0 Rootkit also it flegged some hp driver updates I got from hp.ca website support as malwares (lol) and for cleaning it offered the registering key box. It would not allow me to do anything except the reg box key keep poping up. Since I do not have a paid prevx I was forced to do a full wipe of my laptop and repartition and format and install a clean windows 7. It took many hours to get back to where I was with all updates and softwares. The new scan showed clean with prevx and I put shadow defender on for protection and also took "Konata Izumi" advice and installed MBRguard from blueridge ( no popup or anything and I assume its working?).

    By the way I tried linux for a while but when my Primus dsl internet blocking some sites I had to go back to win 7 to use comodo secure DNS server to bypass the problem.
     
  18. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    Hi again:

    Forgot to ask something. Does anyone know how to change the DNS server to use open DNS in Linux Mint 9 please? For protection I rather use linux mint 9 but I do not know how to change the DNS server in there to allow me viewing the blocked web pages. Thanks in advance for all your help.
     
  19. cgeek

    cgeek Registered Member

    Joined:
    Mar 31, 2010
    Posts:
    328
    Right click your network manager icon and select edit connections.
     
    Last edited: May 21, 2010
  20. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I need some help.
    What applications typically are used to modify the MBR? I'm thinking of how a user can protect against MBR modifications?
    I've read that GeSWall’s access control policy stops trojan killdisk by denying low-level write access to the disk. But GeSWall does not enforce restrictions for non-isolated applications. Does Prevx real-time without SafeOnline protect against (block) MBR modifcation, or is it just SafeOnline that does this? Any thoughts appreciated.
     
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Prevx realtime will protect you not the SafeOnline part of it as I know you don't use it! :thumb:

    TH
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    This makes it look like SafeOnline protects against MBR modification and not Prevx real-time.
     

    Attached Files:

  24. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    To back-up your MBR (just in case) I have long used HDHacker (HDH) by Dimio. Dimio is the same fellow who programs the superb DTaskManager. HDH is small -- only 20 KB -- & does NOT install or make any changes to registry etc. If you dislike it, just delete the folder & Poof! -- it's history.

    You can download HDH for FREE if you go to Dimio's site & scroll about three-quarters of the way down the page until you see "HDHacker".
    ~~~~~~~~~~~~~~~~~~~~~~~~

    By the way...
    Online Armor protects MBR . . .

    Per Mike Nash: OA protects against direct disk access (write).

    Per Kees1958: Direct disk access and kernel hooking is the way to get the MBR infected. At this time OA should cover all known intrusions as far as I know.
     
    Last edited: May 21, 2010
  25. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    SafeOnline will stop users from getting infected! Great! :thumb: But look at the protection part of the page also see Rootkits!!

    Capture21-05-2010-6.47.32 PM.jpg

    TH
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.