NOD32 identifies Mebroot.bz but can't clean it

Discussion in 'ESET NOD32 Antivirus' started by dmr316, Oct 31, 2009.

Thread Status:
Not open for further replies.
  1. dmr316

    dmr316 Registered Member

    Joined:
    Oct 31, 2009
    Posts:
    6
    Hi,

    I've got a serious PC problem to do with recovering from a malware attack.

    As far as I can tell, my PC is clean of malware except for the MBR which NOD32 (v4) says is still infected with Mebroot.bz.

    I've read some topics here and used the recovery console in XP to fixmbr but although Windows says the MBR is now "clean", using the mbr.exe tool says the following:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x098A7FEC
    malicious code @ sector 0x098A7FEF !
    PE file found in sector at 0x098A8005 !

    I've tried submitting this to ESET but the software doesn't seem to have an option for this type of virus/malware. Is this because it's new? And is there anything I can do, short of rebuilding my PC from scratch?

    Thanks in advance for any help.
     
  2. BFG

    BFG Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    482
    Location:
    San Diego
    Hello,

    The article on this page explains MBR viruses and what can be done to clean them.

    BFG
     
  3. dmr316

    dmr316 Registered Member

    Joined:
    Oct 31, 2009
    Posts:
    6
    Thanks for the link. I used it to try and rebuild the MBR but am still getting the same messages with (a) NOD32 being able to identify mebroot.bz but not being able to clean it, and (b) using gmer's mbr.exe tool which is still finding malicious code and a pe file in various sectors of the MBR.

    At this point I'm thinking maybe it'd be a good idea to copy what data I can to a usb drive and then format c: and start again. Would you agree? Or should I see if the next NOD32 update might be able to help?
     
  4. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Have you tried using ESET's stand-alone MebRoot remover? It can be downloaded from this page in ESET's Threat Encyclopædia.

    Regards,

    Aryeh Goretsky
     
  5. dmr316

    dmr316 Registered Member

    Joined:
    Oct 31, 2009
    Posts:
    6
    Hi Aryeh, thanks for the link to ESET stand-alone MebRoot remover tool.

    I've used it to try and remove the MBR rootkit but although it "found the Meb's MBR", it identified the rootkit as "no active" [sic] and it was "unable to clean the rootkit".

    So my dilemma is this: because the rootkit is not active, is my PC OK to use even though NOD32 v4 is identifying my MBR as still being infected with the Mebroot.bz trojan? In other words, is this a 'false positive'?

    Or should I try and back up my files a.s.a.p. and reimage my hard disk after a low level format? Or even buy a new hard disk before starting again?

    Thanks for your help (and this would have to happen to me on a weekend... :'( )
     
  6. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Hi dmr,

    From what you've described it certainly appears that your MBR is clean, just some of the malicious code that the infected MBR executed is still on disk. Given that there's no longer anything to execute this code then you've reason to worry about it; as the Mebroot removal tool showed, it's inactive.
     
  7. dmr316

    dmr316 Registered Member

    Joined:
    Oct 31, 2009
    Posts:
    6
    Thanks stackz, that's good to know. It's just worrying that every time I turn my PC on, NOD32 is saying that there's a boot sector threat it can't fix. But you've given me good reason to sleep easy tonight, so thank you for that and hopefully ESET will be able to clean it at some point, otherwise I'll have to buy my xmas present (a new pc) early...
     
  8. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Sorry if the question is meaningless...

    If the malware is inactive then why is it difficult for NOD32 to remove the remaining malicious code....
     
  9. dmr316

    dmr316 Registered Member

    Joined:
    Oct 31, 2009
    Posts:
    6
    It's not a meaningless question at all, I've been wondering that myself.

    I can only surmise that maybe NOD32 either:
    i - doesn't have enough permissions to repair the MBR fully
    ii - isn't able to repair the MBR fully

    As I understand it, Mebroot.bz is an old trojan because I think Mebroot.i is the current version running amok on the internet.

    Hopefully ESET will sort something out soon because I can't be the only one in this situation?
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I keep going back to what an AV product's responsibility is. Detection or cleaning. If both then I want my AV to detect and clean at the same time. Now cleaning means ensuring all remnants are gone and all my files and registry entries are exactly like they are supposed to be.

    To me that is not going to happen with any AV product, or others.

    I am firm in thinking that something like ShadowDefender used with a great product like Eset are as close to perfection as you can get. AV detects, SD reboots any changes. I honestly don't understand why more don't see the logic in this. Maybe it is me.
     
  11. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Provided that the MBR is clean, there are various hex editors that allow you to manually write directly to disk, that is, you could zero out the malicious code remnants.

    I wouldn't recommend this for the inexperienced and having a full disk image to recover to is a must, in case something goes awry.
     
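As an added example (not code from this thread, from Gmer or from ESET), here is a small Python scan over a raw disk image that reports the two things the mbr.exe output earlier in the thread lists, sectors holding a copy of the MBR and sectors holding a PE header, together with a zero-sector routine that does what stackz describes doing with a hex editor, but on a copy of the image so the original stays intact. The image, its sector numbers and the boot-code bytes are constructed; the family-specific "malicious code @ sector" check that mbr.exe performs is not reproduced.

```python
import struct

SECTOR = 512

def find_mbr_copies(img):
    """Sectors whose 512 bytes are identical to sector 0, i.e. a stashed copy of the original MBR."""
    mbr = img[:SECTOR]
    return [i for i in range(1, len(img) // SECTOR) if img[i * SECTOR:(i + 1) * SECTOR] == mbr]

def find_pe_headers(img):
    """Sectors that start with a valid MZ/PE header: an executable parked in raw disk space."""
    hits = []
    for i in range(len(img) // SECTOR):
        sec = img[i * SECTOR:(i + 1) * SECTOR]
        if sec[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", sec, 0x3C)[0]
        if e_lfanew + 4 <= SECTOR and sec[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            hits.append(i)
    return hits

def zero_sectors(img, sectors):
    """Return a copy of the image with the given sectors zeroed; never touches sector 0 (the live MBR)."""
    out = bytearray(img)
    for i in sectors:
        if i == 0:
            raise ValueError("refusing to zero the MBR itself")
        out[i * SECTOR:(i + 1) * SECTOR] = bytes(SECTOR)
    return bytes(out)

def build_sample_image(n_sectors=64):
    """Constructed toy image: an MBR at sector 0, a copy of it at sector 40, a PE stub at sector 50."""
    mbr = bytearray(SECTOR)
    mbr[:6] = b"\x33\xC0\x8E\xD0\xBC\x00"   # constructed boot-code bytes, not a real loader
    mbr[510:512] = b"\x55\xAA"              # boot signature
    pe = bytearray(SECTOR)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)  # e_lfanew points at "PE\0\0" at offset 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    img = bytearray(n_sectors * SECTOR)
    img[0:SECTOR] = mbr
    img[40 * SECTOR:41 * SECTOR] = mbr
    img[50 * SECTOR:51 * SECTOR] = pe
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    print("MBR copies at sectors:", [hex(s) for s in find_mbr_copies(image)])
    print("PE headers at sectors:", [hex(s) for s in find_pe_headers(image)])
```

On a real image, replace build_sample_image() with the bytes read from a full-disk image file taken beforehand, exactly the backup stackz calls a must, and scan that rather than the live disk.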
  12. dmr316

    dmr316 Registered Member

    Joined:
    Oct 31, 2009
    Posts:
    6
    To answer your last point, I think it must be because not many people have heard of ShadowDefender. Having said that, I googled it and have downloaded it to see just how good it is alongside NOD32.

    You're right, I don't feel comfortable doing something like that because I'd have no idea what I'm doing. But I can ask my friend to Acronis my rebuild, just in case.

    So thanks both for the tips! :)
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Some worry about making sure updates are excluded in ShadowDefender, which I have never understood. Everything or file you exclude is a hole and you have to be careful. Eset will update fine in shadow mode and yes when you come out all updates are gone, but you just hit the update button and voilà, you are exactly where you should be again. Seamless to me.
     