Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


PC Crashing after Rootkit.MBR infection

  • Please log in to reply
No replies to this topic

#1 plist


  • Members
  • 1 posts
  • Local time:11:42 AM

Posted 29 December 2009 - 10:30 AM

The users PC was infected last thursday and since then has been crashing completely randomly since, I assume that this is the cause. Though I have done several scans etc, and can't see anymore signs of the virus, I am currently following the thread here http://www.bleepingcomputer.com/forums/t/281368/rootkitmbr-infection/ in an effort to see what I've got.

Initial Mbam log

Malwarebytes' Anti-Malware 1.42
Database version: 3443
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

12/28/2009 10:30:50 AM
mbam-log-2009-12-28 (10-30-50).txt

Scan type: Quick Scan
Objects scanned: 132989
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\jmelick\Local Settings\Temp\DVWK.dll (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\Documents and Settings\jmelick\Local Settings\Temporary Internet Files\Content.IE5\EH6H68P9\eH9dd7896eV0100f070006Rf2e70b05102Td6e418dd201l0409Kcf9b95b3318J0b0006010[1] (Rootkit.MBR) -> Quarantined and deleted successfully.

After finding that I started looking around to see why it was still crashing, assuming I had got it outta there, then I found that thread. Here is my initial mbr.exe log.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK 
copy of MBR has been found in sector 0x094FE9BD 
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

I assumed that it wasn't necessary to run the mbr.exe -f, since it was different than the other guys log, but I did anyway, for good measure. Got the exact same output as the first time, I then rebooted back to normal mode and am currently running ESET online scanner. I will post results when it is done, but I fear that I will not make it through a full scan since that mbr didn't actually fix anything... Anyone advise where to go next? I will continue to follow other thread posting results until I get a response.

Thanks in advance!


It should also be noted that I did run MBAM again, with nothing found.

Edited by plist, 29 December 2009 - 10:38 AM.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users