BleepingComputer.com: MBR Boot Kit Trojan


MBR Boot Kit Trojan

#1 seether (Member; Posts: 46; Joined: 07-December 11; Location: South Dakota)
Posted 06 January 2012 - 10:04 PM

Hello,

I suspect I have a problem with a boot kit trojan.

BCD Store looks like this:


Windows Boot Manager
--------------------------
identifier {bootmgr}
device unknown
description Windows Boot Manager
locale in-US
inherit {globalsettings}
default {current}
resumeobject {9b133800-38df-11e1-919c-cfb3aaf7c08d}
displayorder {current}
toolsdisplayorder {memdiag}
timeout {30}

Windows Boot Manager
-------------------------------
identifier {current}
device partition=C:
path \Windows\system32\sinload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
default {current}
recoverysequence {9b133800-38df-11e1-919c-cfb3aaf7c08d}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {9b133800-38df-11e1-919c-cfb3aaf7c08d}
nx OptIn

This post has been edited by seether: 06 January 2012 - 10:05 PM
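The kind of check a helper would run over a listing like the one above, as an added example that is not part of the original post and not code from any BleepingComputer tool. The dump inside the script is a constructed sample modelled on the listing (bcdedit labels the OS entry "Windows Boot Loader", which is what the parser keys on), and the winload.exe path is an assumed baseline for a stock Windows 7 install:

```python
"""Flag suspicious entries in a `bcdedit /enum` listing.

Added example; SAMPLE_BCD is a constructed dump modelled on the listing in
the post, and EXPECTED_LOADER_PATH is an assumed baseline for a stock
Windows 7 install rather than a value taken from any tool."""
from typing import Dict, List, Optional, Tuple

# Assumption: stock Windows Vista/7 boots through winload.exe at this path.
EXPECTED_LOADER_PATH = r"\windows\system32\winload.exe"

# Constructed sample input in bcdedit /enum layout; the loader entry
# carries the odd path from the post.
SAMPLE_BCD = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  unknown
description             Windows Boot Manager
locale                  en-US
default                 {current}
displayorder            {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\sinload.exe
description             Windows 7
locale                  en-US
osdevice                partition=C:
systemroot              \Windows
nx                      OptIn
"""

Entry = Dict[str, str]


def _is_rule(line: str) -> bool:
    """A line made only of dashes underlines the section title above it."""
    return bool(line) and set(line) == {"-"}


def parse_bcd(text: str) -> List[Entry]:
    """Split bcdedit output into entries: '_type' holds the section title
    ('Windows Boot Manager', 'Windows Boot Loader', ...); the remaining keys
    are the listed properties, lower-cased."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for i, line in enumerate(lines):
        if not line or _is_rule(line):
            continue
        if i + 1 < len(lines) and _is_rule(lines[i + 1]):
            current = {"_type": line}          # section title
            entries.append(current)
            continue
        if current is None:
            continue                           # text before the first section
        key, _, value = line.partition(" ")
        current[key.lower()] = value.strip()
    return entries


def audit_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (identifier, reason) pairs for entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        ident = e.get("identifier", "?")
        if e["_type"] == "Windows Boot Loader":
            path = e.get("path", "")
            if path.lower() != EXPECTED_LOADER_PATH:
                findings.append((ident, f"loader path {path!r} is not the expected winload.exe"))
            if e.get("device") != e.get("osdevice"):
                findings.append((ident, "device and osdevice point at different volumes"))
        elif e["_type"] == "Windows Boot Manager" and e.get("device", "").lower() == "unknown":
            # 'unknown' also appears on odd but legitimate layouts, so this is a
            # lead to corroborate with an MBR check, not a verdict on its own.
            findings.append((ident, "boot manager device is 'unknown'"))
    return findings


if __name__ == "__main__":
    # On a live system, replace SAMPLE_BCD with the output of `bcdedit /enum`
    # run from an elevated prompt.
    for ident, reason in audit_entries(parse_bcd(SAMPLE_BCD)):
        print(f"{ident}: {reason}")
```

Both hits the script raises on the sample (the loader path and the boot manager's `unknown` device) are leads rather than proof of infection; the file on disk and the MBR itself still need to be checked, which is what the reply below asks for.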


#2 boopme (Global Moderator; Posts: 48,794; Joined: 10-September 04; Location: NJ USA)
Posted 06 January 2012 - 11:25 PM

Hello seether
To confirm this bootkit, do the following:

In case you don't have an archive extractor installed already:
Please download 7zip and install the program on your computer (we need this program in order to be able to unzip the tool that can delete Bootkit Whistler).

When 7zip is successfully installed, please download bootkit_remover.rar and save the file to your desktop.

Right click on the file and select "extract/unzip here".

This will create two readme files and remover.exe on your desktop.
Double click on remover.exe; a command window will open. Please copy/paste the text under "MBR Status" and post that in your next reply.
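What an "MBR Status" check of the kind the reply asks for has to do, as an added example that is not the remover.exe tool from the post and not BleepingComputer's code: parse the first 512 bytes of the disk, validate the boot signature and partition table, and compare the bootstrap code against a set of known-good hashes. The two images are constructed inline (the clean one seeds the allowlist; on a real system the hashes come from known-clean installs), the Windows MBR prologue bytes are the only real-world detail, and read_physical_mbr assumes Windows's \\.\PhysicalDrive0 device path and an elevated prompt:

```python
"""Structural and hash-based check of a 512-byte MBR image.

Added example; this is not the remover.exe tool from the post. The two
images below are constructed: the 'clean' one seeds the known-good hash set
(on a real system that set comes from hashes taken off known-clean
installs), and the 'infected' one simulates patched bootstrap code."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple

MBR_SIZE = 512
BOOTCODE_SIZE = 446          # bootstrap code occupies offsets 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xAA"       # offsets 510..511
PART_FMT = "<B3xB3xII"       # status, CHS start, type, CHS end, LBA start, sector count

# Windows MBRs open with xor ax,ax / mov ss,ax / mov sp,0x7c00; everything
# after that prologue in these images is constructed filler.
WIN_PROLOGUE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
CLEAN_BOOTCODE = WIN_PROLOGUE + b"\x90" * 32
INFECTED_BOOTCODE = WIN_PROLOGUE + b"\xEB\x20" + b"\xCC" * 30   # simulated patch: jump away
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 204_800), (False, 0x07, 206_848, 1_000_000)]


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def build_mbr(bootcode: bytes, partitions: Sequence[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and up to four entries."""
    code = bootcode.ljust(BOOTCODE_SIZE, b"\x00")[:BOOTCODE_SIZE]
    table = b"".join(struct.pack(PART_FMT, 0x80 if b else 0, t, lba, n)
                     for b, t, lba, n in partitions).ljust(64, b"\x00")
    return code + table + BOOT_SIG


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition slots, skipping empty ones."""
    parts: List[Partition] = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id == 0 and count == 0:
            continue
        parts.append(Partition(status == 0x80, type_id, lba, count))
    return parts


def bootcode_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTCODE_SIZE]).hexdigest()


# Allowlist seeded from the constructed clean image (stand-in for real hashes).
KNOWN_GOOD_BOOTCODE: Set[str] = {bootcode_sha256(build_mbr(CLEAN_BOOTCODE, SAMPLE_PARTITIONS))}


def mbr_status(mbr: bytes) -> Tuple[str, List[str]]:
    """Return ('clean' | 'suspicious' | 'invalid', notes) for one MBR image."""
    if len(mbr) != MBR_SIZE:
        return "invalid", [f"expected {MBR_SIZE} bytes, got {len(mbr)}"]
    if mbr[510:512] != BOOT_SIG:
        return "invalid", ["missing 0x55AA boot signature"]
    notes: List[str] = []
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) != 1:
        notes.append("partition table does not have exactly one bootable entry")
    by_start = sorted(parts, key=lambda p: p.lba_start)
    for prev, nxt in zip(by_start, by_start[1:]):
        if nxt.lba_start < prev.lba_start + prev.sectors:
            notes.append(f"partitions at LBA {prev.lba_start} and {nxt.lba_start} overlap")
    digest = bootcode_sha256(mbr)
    if digest not in KNOWN_GOOD_BOOTCODE:
        notes.append(f"bootstrap code sha256 {digest[:16]}... is not in the known-good set")
    return ("suspicious" if notes else "clean"), notes


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (Windows device path; needs an
    elevated prompt)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    for label, image in (("clean", build_mbr(CLEAN_BOOTCODE, SAMPLE_PARTITIONS)),
                         ("infected", build_mbr(INFECTED_BOOTCODE, SAMPLE_PARTITIONS))):
        status, notes = mbr_status(image)
        print(f"{label}: MBR Status = {status}", *notes, sep="\n  ")
```

A hash mismatch alone only says the bootstrap code is not one you have seen before (OEM and third-party boot managers also write their own), so the verdict should rest on the hash together with the partition-table checks and the BCD anomalies from the first post. Note that a bootkit which hooks disk I/O can also feed a clean sector back to a read made from inside the running system; reading the disk from boot media sidesteps that.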
