Help! mbr rootkit detected

Discussion in 'malware problems & news' started by frmarine, Jan 7, 2010.

Thread Status:
Not open for further replies.
  1. frmarine

    frmarine Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    Location:
    Atlanta, Georgia
    On the bleepingcomputer forum last weekend, on a whim I ran the RootRepeal scan & it detected an "MBR ROOTKIT". I ran ComboFix, didn't find anything. Next I downloaded the gmer.net mbr.exe file and it wouldn't run. The command prompt popped up for a second & disappeared. On the gmer.net site he said to rename the file so the rootkit couldn't prevent it from running. I right clicked on it, renamed it, still wouldn't run. I read another blog that said you can boot up from the Windows XP CD and click "fix mbr" and it will repair/delete the old file along with the rootkit & create a new MBR file. I misplaced the XP CD & just ordered a replacement one. Does anyone know if that will work? Any ideas on getting the gmer mbr.exe file to run for me? I read on this forum that Avast has a gmer-like anti-rootkit detection, could that work also? I have McAfee Virus Scan + Firewall installed (free from this site the past 3 yrs.) A scan came up clean. I also saw on this forum that Sophos Anti-Rootkit might work & McAfee has a rootkit detector. I'll try these two also. I'm not in the same ballpark as the regular posters on here so if someone offers any help please describe in detail the steps I need to do in order to remove this MBR rootkit. I have XP-SP3, McAfee virus, MBAM, SAS, GeSWall. I installed GeSWall last week & didn't learn to run Firefox in isolate mode till after I got infected. I don't know how long this rootkit has been on here, could've happened around New Year's Day or the next day. Possibly infected from a porn site (no more, I've learned my lesson) or a freeware download junk file cleaner. THANX FOR YOUR TIME/HELP ANYONE. I won't forget to thank you. ** I also tried to run "mbr -f" from the command prompt but it didn't work. MBAM didn't pick it up either but did catch a couple of trojans which were deleted.
     
  2. Fuzzydice45

    Fuzzydice45 Registered Member

    Joined:
    May 13, 2009
    Posts:
    108
    Location:
    Australia
    I believe Prevx fixes MBR rootkits for free...
    Other than that, I can't help.
    Sorry :doubt:
     
  3. simisg

    simisg Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    412
    Location:
    Greece
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  5. frmarine

    frmarine Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    Location:
    Atlanta, Georgia
    To all that offered help, THANX for reading my looong post. I forgot to mention I tried the free Prevx, didn't find the MBR rootkit. I did see the remove-malware.com post already which is where I got the info about using the XP CD to fix the MBR file. As soon as I get the new XP CD I'll try that if I haven't already gotten rid of it. THANX AGAIN.
     
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Boot from the XP CD and enter the Recovery Console. It will ask you which Windows installation you want to use, you only have one choice unless you're dual-booting. It will ask for an Administrator password. This is the admin account that you only see in safe mode. If you haven't made a password for this account (which you probably haven't) don't type anything and hit enter. Then at the command prompt type fixmbr (no space between fix and mbr). It will ask if you really want to do it, blah blah, just say yes. That should do it.

    If you want to avoid this sort of thing in the future, don't run as admin ;)
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Hitman Pro and Dr.Web CureIt on a USB stick and problem solved
     
  8. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    Dr.Web CureIt is what I was going to advise and it's free, also you can try Panda Anti-Rootkit, and also Sysinternals RootkitRevealer.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    good advice ;)
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Okay just a few things.

    frmarine, I cannot really comment on whether you have something wrong with your mbr as there is no log. The best course of action if you have is to use fix mbr.

    You say you ran mbr.exe and it wouldn't run or opened a command prompt that then disappeared. Gmer's tool is run from the command prompt and you need to open one where the file is located then enter mbr.exe and press return.

    You'll notice from the attachment I opened a cmd prompt window, changed directory to where mbr.exe was and ran it. In this case though you'll also notice access was denied. That is because I have my machine configured so that nothing can write to the mbr unless I allow it. If your mbr is okay you would expect to get :

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK

    and a text file called mbr in the same directory from where mbr.exe was run.

    This ARK is somewhat outdated, suffers from some false positives and shouldn't be used today to find modern rootkits.
     

    Attached Files: mbr.JPG (25.2 KB)
    Last edited: Jan 8, 2010
  11. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    Prevx
     
  12. frmarine

    frmarine Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    Location:
    Atlanta, Georgia
    To the rest of the kind people who took the time to read my post: jmonge, Johnny123, dcrowe0050, Meriadoc & Durad, after I had already posted thanx the first time to the others who responded, I say THANX again & sorry I didn't see your posts because I haven't been back on here since Jan. 7th. I always try to remember to come back & thank people for offering ideas to help. I ended up going back on bleepingcomputer.com & posting the same problem & a person on there advised me to rerun the "RootRepeal" app. & right click on the "MBR rootkit detected" file and it will delete the file & reboot all cleaned up. It deleted it in a second, rebooted, reran RootRepeal, all gone! I didn't do that the first time I ran it because I thought if I deleted it, it might cause the PC to not reboot & or run right without the MBR file. That RootRepeal app. scans so many areas on your computer, it's great at finding these lowlifes hiding in your PC/laptop! If anybody wants to try out the app., just do a search for "RootRepeal" & save it. It's a keeper.
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes, RR is a powerful ARK and one of the first I'd reach for, glad you are sorted now.
     
  14. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    245
    I agree completely about RootRepeal!
    Very effective and, moreover, clear and simple to use.
    On an XP Home EeePC it was the only one to find an MBR rootkit, which neither IceSword, RootkitRevealer nor others could find.
    (I don't use Gmer any longer because it is sometimes difficult to uninstall.) Neither Avira nor SuperAntiSpyware could detect that MBR anomaly and it could have been a FP, but when I gathered some courage and let RR remove the culprit the after effect unequivocally showed it was a real rootkit: IE8 could be opened again and used, whereas it was vanishing after 1 second before removal.
    It saved me from a painful reinstall on that netbook.
    Surely it's a keeper, too bad it's only for XP, I hope they will develop it further.
     