BleepingComputer.com: n.exn, trojan virus

n.exn, trojan virus Do not know how to remove

#31 goodwidp
Posted 23 February 2010 - 03:15 PM

Here is the log from MBR.exe:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x01749DDC1 !

I ran Root Repeal, following all the instructions you listed, but after a few minutes of scanning, an error message would appear stating "Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog." The program would stop responding after this message appeared, so while I wasn't able to scroll down to see all of the results up to that point, there was a message visible that said a rootkit was found in J:. I ran the program twice, but received the same error message both times. I didn't want to adjust any of the disk access level options without speaking with you first.

Also, I have 142 GB free (out of a total of 181 GB) on my C: drive.


#32 fenzodahl512
Posted 24 February 2010 - 07:56 AM

QUOTE
I didn't want to adjust any of the disk access level options without speaking with you first.


Post me the screenshot of all prompts, please.
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#33 goodwidp
Posted 24 February 2010 - 12:50 PM

Here is a screen of the error message, along with the main window from Root Repeal in the background. You can see in the results where it says Rootkit found in J:, but I was unable to scroll down as the program had stopped responding by that point.



#34 fenzodahl512
Posted 25 February 2010 - 08:09 AM

First of all, back up your data from your external drives to the computer first..

Then, go to the "Volume J:\" which says "MBR Rootkit Detected" and right-click on it.. Then choose "Wipe File".. Do the same for each file that says "MBR Rootkit Detected".. Then reboot the computer and scan your external drives again with RootRepeal.. Then tell me how it goes.

#35 goodwidp
Posted 25 February 2010 - 12:41 PM

Thanks for the reply. I have a few questions though before I follow through on your instructions.
1- Is there any risk in transferring the files from my externals onto my C: drive of infecting the C: drive? I'm assuming there isn't, as the malware seems to reside in the MBR of the externals as opposed to any individual files themselves, but I just want to confirm this with you so I don't end up in the same situation I was in a week or two ago.

2- Also, I'm not sure exactly where to find the option "Wipe File". If you mean RootRepeal offers this then I don't think it will work, as the program stalls after that error message pops up and I am unable to interact with it at all. In the picture that I just posted I am able to close the error message window, but the main window of RootRepeal is no longer responding, as I can't click on any of the entries (including the one for J: stating it is infected) nor can I scroll down to see what other drives may be infected with a rootkit. I have to use Task Manager to close the program as I am unable to click the "X" in the upper right corner of the window. Perhaps if I changed the disk access levels in the RootRepeal options then the error wouldn't appear and the program may not hang, but I am wary of messing with options that can have a potentially negative impact without the advice of an expert like yourself. To make things a bit clearer for you I am going to type out the 4 different disk access levels the options menu offers along with the attributes for each level. I think that if I could change this to allow the scan to successfully complete then I could perform the "wipe file" you instructed me to do.

Lowest Level: Only supports SCSI devices. Does not support dynamic disks.
Special Level: Supports all block-based devices. Does not support dynamic disks.
Middle Level: Supports all block-based devices. Does not support dynamic disks.
High Level: Supports all devices. Supports dynamic disks.

Thanks!

#36 fenzodahl512
Posted 25 February 2010 - 08:19 PM

QUOTE
1- Is there any risk in transferring the files from my externals onto my C: drive of infecting the C: drive? I'm assuming there isn't, as the malware seems to reside in the MBR of the externals as opposed to any individual files themselves, but I just want to confirm this with you so I don't end up in the same situation I was in a week or two ago.

There's always risk in everything that we do, but don't worry too much.. The most important thing is that you back up all your data.. We can clean your computer or in the worst case scenario just reformat it, but if you lost your data, it would be very difficult to recover it..

And please use the "High Level" first.. Then if unsuccessful, follow with the Middle >> Special >> Lowest level.. But only do this after backing up all your data.

#37 goodwidp
Posted 27 February 2010 - 06:31 PM

I finally was able to get Root Repeal to finish a successful scan. I set it to the 2nd highest (Middle) level and did not receive any error messages. I am attaching the log of the results with this post. I decided to attach the log rather than "wipe file" as those were your initial instructions. I do have a backup of all the data of the infected external drives, so if it comes to having to format the drives, it won't be too big of a deal. While I couldn't fit all of the data on my C: drive, I purchased a new 1.5TB external drive which has more than enough room for the files from J:, K: and L:. Thanks!

Attached File(s)



#38 fenzodahl512
Posted 02 March 2010 - 05:34 AM

Hi.. Sorry I'm late.. Was outstation for three days...

QUOTE
Path: Volume J:\
Status: MBR Rootkit Detected!

Path: Volume K:\
Status: MBR Rootkit Detected!

Path: Volume L:\
Status: MBR Rootkit Detected!


Let's just "Wipe File" those things and see if it will take care of it..

#39 goodwidp
Posted 05 March 2010 - 04:13 PM

I am having a difficult time performing the "wipe file" instructions you gave me. When I right-click on the three entries that show "MBR Rootkit Detected!" (which are for drives J:, K: and L:), the only options that are available are "Restore and Reboot Immediately", "Restore", and "Dump". The only entries that show "Wipe File" when right-clicked are the first 3 files listed in the window after the scan is complete. These files are on my C: drive and do NOT have a status of "MBR Rootkit Detected!" The first file is c:\hiberfil.sys and its status is "Locked to the Windows API!". The other two files are c:\documents and settings\dave\application data\pctoolsfirewallplus\firewallgui.txt and firewallguisdk.txt. The status for both these files is "Allocation size mismatch (API: 8, Raw: 0)". I'm assuming that these files aren't an issue, as scans by Avira and RootRepeal only show rootkits on J:, K: and L:. The only reason I listed them here is because I get the option of "Wipe File" when I right-click on those, but do not see it for J:, K: and L: when clicked. I've safely backed up all the info on these disks, so I have no problem formatting them; I just want to be sure that whatever method I use to perform the format will also destroy the rootkit as well. Thanks again.

#40 fenzodahl512
Posted 06 March 2010 - 12:46 AM

Ok.. Choose the "Restore and Reboot Immediately" option, but only do that on the entries below.. Don't do anything on your C:\ drive

QUOTE
Path: Volume J:\
Status: MBR Rootkit Detected!

Path: Volume K:\
Status: MBR Rootkit Detected!

Path: Volume L:\
Status: MBR Rootkit Detected!


#41 goodwidp
Posted 06 March 2010 - 10:50 PM

Thanks for the quick reply. I went ahead and performed the "Restore and Reboot Immediately" option on all 3 drives listed with a Rootkit. Right after I make the choice a warning dialog appears saying it will perform the fixmbr command and asks me to confirm the decision. When I click "OK" the PC immediately reboots and Windows loads as usual. However, when I run RootRepeal again and perform another scan, I get the same exact results showing Rootkits on the 3 drives, so it appears that the Restore option is having no effect on the drives whatsoever. As I have said before, I do have backups of all the data on the infected drives on a new external, and that drive is not listed as infected, so perhaps if there is another program that can erase all the data and restore the MBR on those 3 drives, that may be the best option. As always, thanks very much for your continued assistance.

#42 fenzodahl512
Posted 07 March 2010 - 06:49 AM

You already backed up your data somewhere else, right? What happens if you reformat the external drive? Try to format one partition first.. Would it still detect the MBR rootkit via RootRepeal?

#43 goodwidp
Posted 07 March 2010 - 02:29 PM

Yes, I do have all the data from the 3 infected externals backed up onto a new, uninfected external. I followed your advice and did a format of one of my infected drives (K:); however, as soon as the format was finished, Avira popped up with a warning saying that K: still had a boot sector infection. Also, when running RootRepeal after the format, the results are exactly the same. It still shows a rootkit detected on the same drives, including the one I had just formatted. I performed the format using Windows by right-clicking on the drive under My Computer, then choosing Format. Thanks.

#44 fenzodahl512
Posted 08 March 2010 - 07:19 AM

Let's try this one..

Go to the link below and download MBRFix

http://www.sysint.no/en/Download.aspx

Save and unzip them to your Desktop.. Then open the mbrfix folder and copy both mbrfix.exe and mbrfix64.exe to the root of your J, K, and L drives..

Then go to Start >> Run >> copy/paste each line below >> Enter

J:\MbrFix.exe /drive 0 fixmbr /yes
K:\MbrFix.exe /drive 0 fixmbr /yes
L:\MbrFix.exe /drive 0 fixmbr /yes

Reboot your computer and run Avira/RootRepeal (only one) again and tell me how it goes.

This post has been edited by fenzodahl512: 08 March 2010 - 07:20 AM

#45 goodwidp
Posted 08 March 2010 - 12:58 PM

I went ahead and followed your instructions on how to use MBRFix. After I pasted the command line into "Run" and pressed Enter, a small window would appear for a split second (it looked like a DOS command prompt window, but was so fast I couldn't read anything) and then the window would close. I did this for all 3 drives, rebooted, and ran RootRepeal. Unfortunately the scan results in RootRepeal were identical to the ones before this, showing a rootkit in drives J:, K:, and L:. I did not run a scan with Avira, as you stated I should only use one of the 2 programs, though I'm fairly certain it would also show rootkits on those drives as well, as the MBRFix didn't seem to have much effect. As always, I really appreciate your continued aid. I know this thread has been going on for quite some time now and I am very grateful that you are sticking with me until we can find a solution to this lingering issue. Thanks again!
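The two tool outputs this thread turns on, the MBR.exe log in post #31 ("user: MBR read" / "kernel: MBR read" / "PE file found in sector at ...") and the MBRFix step in post #44, both operate on sector 0 of a physical disk rather than on a drive letter. The following is an added example, not code from the thread, from Gmer, RootRepeal or MBRFix, that shows what those checks look like when written out: it parses a DOS-style MBR, compares two reads of the same sector (the user/kernel cross-check), hashes the boot code against a baseline, and scans the sectors that belong to no partition for a PE image. All disk images are constructed in memory; the partition layout, the sector numbers and the "boot code" bytes are made up for the demonstration.

```python
# Added example: a defender-side MBR inspector. Not the thread's or any tool's code.
# Sample disk images are constructed below; nothing here touches a real disk.
import hashlib
import struct

SECTOR = 512


def parse_mbr(mbr: bytes) -> dict:
    """Parse one 512-byte MBR: boot-code hash, 0x55AA signature, partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:  # type 0 is an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                               "start": lba_start, "end": lba_start + count})
    return {"bootcode_sha256": hashlib.sha256(mbr[:440]).hexdigest(),  # bytes 0..439
            "signature_ok": mbr[510:512] == b"\x55\xAA",
            "partitions": partitions}


def mbr_views_match(user_view: bytes, kernel_view: bytes) -> bool:
    """Two reads of sector 0 through different paths (the log's 'user' and 'kernel'
    lines); a rootkit that filters one path returns a clean copy only there."""
    return user_view == kernel_view


def unpartitioned_ranges(partitions: list, disk_sectors: int) -> list:
    """Sector ranges [lo, hi) covered by no partition; sector 0 (the MBR) excluded."""
    gaps, cursor = [], 1
    for p in sorted(partitions, key=lambda e: e["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def find_pe_in_gaps(disk: bytes, gaps: list) -> list:
    """LBAs outside any partition whose sector starts with 'MZ' and whose e_lfanew
    points at a 'PE\\0\\0' signature (the log's 'PE file found in sector' check)."""
    hits = []
    for lo, hi in gaps:
        for lba in range(lo, hi):
            base = lba * SECTOR
            sector = disk[base:base + SECTOR]
            if sector[:2] != b"MZ" or len(sector) < 0x40:
                continue
            e_lfanew = struct.unpack_from("<I", sector, 0x3C)[0]
            if disk[base + e_lfanew:base + e_lfanew + 4] == b"PE\0\0":
                hits.append(lba)
    return hits


def inspect_disk(disk: bytes, kernel_mbr: bytes, baseline_bootcode_sha256: str) -> dict:
    """One report for a whole physical-disk image (disk[:512] is the user-mode read)."""
    info = parse_mbr(disk[:SECTOR])
    gaps = unpartitioned_ranges(info["partitions"], len(disk) // SECTOR)
    return {"signature_ok": info["signature_ok"],
            "bootcode_matches_baseline": info["bootcode_sha256"] == baseline_bootcode_sha256,
            "user_kernel_mbr_match": mbr_views_match(disk[:SECTOR], kernel_mbr),
            "pe_in_unpartitioned_sectors": find_pe_in_gaps(disk, gaps)}


def build_sample_disk(plant_pe: bool = False, patch_bootcode: bool = False) -> bytes:
    """Constructed 64-sector image: one type-7 partition at LBA 2..39, optionally a
    minimal PE stub hidden at sector 50 and/or altered boot code."""
    disk = bytearray(64 * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\x33\xC0\x8E\xD0"  # constructed stand-in for real boot code
    if patch_bootcode:
        mbr[0:2] = b"\xEB\xFE"  # constructed tampering of the first instruction
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2, 38)
    mbr[510:512] = b"\x55\xAA"
    disk[0:SECTOR] = mbr
    if plant_pe:
        stub = bytearray(SECTOR)
        stub[0:2] = b"MZ"
        struct.pack_into("<I", stub, 0x3C, 0x80)  # e_lfanew -> offset 0x80
        stub[0x80:0x84] = b"PE\0\0"
        disk[50 * SECTOR:51 * SECTOR] = stub
    return bytes(disk)


if __name__ == "__main__":
    clean = build_sample_disk()
    baseline = parse_mbr(clean[:SECTOR])["bootcode_sha256"]
    suspect = build_sample_disk(plant_pe=True)
    print(inspect_disk(suspect, suspect[:SECTOR], baseline))
```

On a real Windows machine the `disk` bytes would come from opening `\\.\PhysicalDriveN` with administrator rights and reading from offset 0, and N is a physical disk index, not a drive letter: on a typical PC with one internal disk, physical disk 0 is the disk Windows booted from and USB externals enumerate as disk 1 and up. That distinction also explains the behaviour reported in post #43: a Windows volume format rewrites the filesystem inside a partition, not sector 0 of the physical disk, so a boot-sector check that reads the physical disk still sees the same MBR afterwards. The `bootcode_matches_baseline` field is the cheap way to confirm whether any remediation actually changed that sector.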
