MBR rootkit help

Discussion in 'malware problems & news' started by Nekromantik, Dec 8, 2010.

Thread Status:
Not open for further replies.
  1. Nekromantik

    Nekromantik Registered Member

    Joined:
    Dec 8, 2010
    Posts:
    107
    Hi
    For the last 2 days KIS2010 kept reporting a trojan found in my internet temp files and it cleaned both. This happened every night at 9pm UK time; usually it says it cleaned it and my PC works fine, but last night after it found those 2 trojans I got an IRQL not equal or less BSOD. I did not install new software or hardware so that was not the cause. So I went into safe mode to install MBAM and reboot, and KIS found an MBR rootkit; I pressed clean and restart, and once I did that the computer screen went blank and the PC restarted. From then on I cannot stay in Windows long: it either BSODs or goes to a black screen and then restarts.

    So I decided to do memtest86 and ran it for 2 hours and 4 passes and got no errors. My PC still freezes and restarts randomly in safe mode, so then I formatted my C drive and installed Win XP (I was on Win 7 before but can't find the disk), which installed fine, but after about 20 mins yet again I got a random restart.

    Could this be because KIS did not remove the MBR rootkit properly?
    If so, how do I remove it, or what else could be the issue?

    thanks
     
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Last edited: Dec 8, 2010
  3. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Prevx will remove the MBR Rootkit and Adware for free http://info.prevx.com/downloadcsi.asp but let's hope that KIS has removed the infector, as if the MBR keeps getting reinfected only a licensed version will remove the MBR Rootkit and the infector! Also if you want a full free version of SafeOnline that will do the same job but keep your browsers secure while banking, download this version! http://www.prevx.com/safebook.asp

    HTH,

    TH
     
  6. Nekromantik

    Nekromantik Registered Member

    Joined:
    Dec 8, 2010
    Posts:
    107
    Thanks for the help.
    I used fixmbr in the recovery console for XP and now so far no crashes, and I ran GMER and it found nothing.
    Is GMER reliable?
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Yes, GMER is great!

    TH
     
  8. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Now, I would run DrWeb CureIt's "Express Scan". A full scan will probably take too long. Feedback from others indicates that DrWeb CureIt is one of the best at detecting/cleaning rootkits. The first thing that DrWeb CureIt scans is all MBRs.

    http://www.freedrweb.com/cureit/?lng=en
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Reinstalling XP will almost certainly write a new MBR unless perhaps you did a "repair install". FIXMBR would also be very effective, as well as being a lot easier to do, although certain types of malware, if they're still active in the system, will just write their redirection code back to the MBR again.

    Even if some orphaned malware code remains on the disk (perhaps in a private encrypted filesystem near the end of the disk, as some will do), it still needs to be executed, otherwise it can do nothing. A fresh MBR and a fresh install should cut off all execution possibilities. If you're really concerned and you want to be absolutely certain then you could use the hard drive manufacturer's diagnostics program to fill the entire drive with zeros before installing the OS.
     
  10. Nekromantik

    Nekromantik Registered Member

    Joined:
    Dec 8, 2010
    Posts:
    107
    Thanks
    Weird thing is, after my XP install it did the same black screen and reboot, so I ran memtest and got no errors, so then did fixmbr and then it seemed fine. Just installed Win 7 now, hopefully nothing happens now. KIS kinda let me down this time. If the XP install overwrites the MBR and it still crashed, does that mean it might not have been a rootkit?
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    You could run MBRCheck for another opinion/check?
     
  12. Nekromantik

    Nekromantik Registered Member

    Joined:
    Dec 8, 2010
    Posts:
    107
    I just ran MBRCheck and here is the output:

     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    MBRCheck will report a suspect MBR as unknown code, so it seems that your MBR is clean.

    As for the .sys files and processes, you will have to rely on a decent AV to pick up anything, as some malware can run as known files.

    No expert here and if you think you may have probs it may be better to post in a dedicated help forum.
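As an added illustration of the check dantz and Franklin describe above (malware rewriting the MBR's code while the partition table stays intact, and an MBRCheck-style tool flagging boot code it does not recognise), here is a small MBR inspector. It is example code written for this thread, not MBRCheck's own logic; the baseline stub, the known-good hash table and the "patched" sector are all constructed for the demo and stand in for no real disk.

```python
import hashlib
import struct

CODE_LEN = 440          # bootstrap code; bytes 440-445 hold the disk signature and padding
PART_TABLE_OFF = 446    # four 16-byte partition entries follow the code
BOOT_SIG = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and boot signature."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {"code": mbr[:CODE_LEN], "partitions": parts, "signature": mbr[510:]}

def check_mbr(mbr: bytes, known_good: dict) -> list:
    """Return findings (empty list = nothing suspicious): hash the code, sanity-check the table."""
    info = parse_mbr(mbr)
    findings = []
    if info["signature"] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(info["code"]).hexdigest()
    if digest not in known_good:
        findings.append("unknown boot code, sha256 " + digest[:16])
    if sum(p["status"] == 0x80 for p in info["partitions"]) > 1:
        findings.append("more than one partition marked active")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("invalid status byte 0x%02x" % p["status"])
    return findings

def build_mbr(code: bytes, part_table: bytes = b"") -> bytes:
    """Assemble a constructed 512-byte MBR for the demo; not an image of any real disk."""
    return code.ljust(PART_TABLE_OFF, b"\x00") + part_table.ljust(64, b"\x00") + BOOT_SIG

# Constructed baseline: stands in for a vendor's bootstrap stub, not real boot code.
GOOD_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
PART = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2048000)
GOOD_MBR = build_mbr(GOOD_CODE, PART)
KNOWN_GOOD = {hashlib.sha256(GOOD_MBR[:CODE_LEN]).hexdigest(): "constructed baseline stub"}
# Same partition table, only the stub's first bytes changed: a table dump looks fine, a code hash does not.
PATCHED_MBR = build_mbr(b"\xeb\x1e" + GOOD_CODE[2:], PART)

if __name__ == "__main__":
    print("baseline:", check_mbr(GOOD_MBR, KNOWN_GOOD) or "clean")
    print("patched: ", check_mbr(PATCHED_MBR, KNOWN_GOOD))
```

On a real machine the 512 bytes would come from reading sector 0 of the physical disk, and the known-good table would hold hashes of the vendor and OS loader stubs you trust; the point of the comparison is that a rewritten MBR is identified by its code hash, not by the partition table, which such malware leaves untouched.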
     