
"MBR Rootkit Detected!"


This topic is locked
10 replies to this topic

#1 pheap1

  • Members
  • 6 posts

Posted 17 February 2010 - 06:03 PM

This may be a challenge as I have tried for days myself to fix this and to no effect; every program that claims to be able to rewrite the MBR isn't able to run, as with any sort of low level format. DBAN, Killdisk, booting from a CD with the same, all of them cease without running, with an error message (I can post these if they are of any use). The closest I got was with DBAN but it shows that no hard disk is there and so can't be rewritten. I used Malwarebytes Anti-Malware as the main program to detect and remove other infections (see below) and, within the Windows environment, that was fine. It does not pick up this though; in fact, RootRepeal is the only one that does.

I tried a different hard drive, thinking that would do the trick, and straight away the infection was on it, so if it was just the boot sector then how does that happen? Could this be on the BIOS? I've tried any way I can to flash the BIOS but without success, just in case; my knowledge in this area isn't good though. It's an HP computer, by the way, and the backup disks aren't exactly useful.

The initial infection mentioned above installed a number of different viruses which my virus protection blocked or removed; eventually one persistent sys file was removed along with the registry entries linked to it (knabsce.sys, doesn't appear to be a known name). I thought that would be it but running RootRepeal revealed, and still reveals, 'MBR Rootkit Detected!' on all volumes (the main drive, the backup D drive and an attached portable hard drive; this last one is one with all my data backups on and, if nothing else, this is one that I need to have clean so that I can access them). How it got there is probably from a downloaded utility that turned out to be infected. I had AVG running (full version) but it picked up only some of the viruses thrown at it at the time.

All of this has been posted from my laptop as the main computer is not now connected to the internet and pretty much in its factory state.

Anyway, after three days of trying to sort this myself, without success, I thought it was about time I asked someone who knows better what they are doing.

Attached are the files as requested -



#2 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts

Posted 20 February 2010 - 01:21 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- will be opened
    • Extra.txt <-- will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 pheap1
  • Topic Starter
  • Members
  • 6 posts

Posted 20 February 2010 - 04:48 PM

Hi,

thanks for the reply. The problem is that I have an MBR rootkit (as identified by Root Repeal) on all drives. I managed to get rid of a number of other viruses that were installed at the same time but this, stubbornly, remains. The fact that I did a wipe and removed the initial drives before connecting a new one, only for it to be installed on the new drive, leads me to think that this is something in the BIOS.

I have tried to wipe the MBR but the infection is stopping this.

As I have switched to another hard disk and disconnected the one with the initial infection should I connect that one too?




#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts

Posted 20 February 2010 - 05:01 PM

Hi,

it might just be a false positive from RootRepeal. Gmer usually is also able to see the infection, but does not list it in your ark.txt.

Just for a cross check please also run mbr.exe:
Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you did a full format of the entire hard disk (overwriting the partition table), then there is little chance the infection survived.
When possible please don't attach the logs, but paste them into your reply.
regards myrti



#5 pheap1
  • Topic Starter
  • Members
  • 6 posts

Posted 20 February 2010 - 06:12 PM

Here's the log file -

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys klif.sys fltmgr.sys
kernel: MBR read successfully
user & kernel MBR OK

I rechecked the C, D and J (external) drives and they still all say that there is an MBR rootkit on each drive with the subsequent sector mismatches. I plugged the external drive into my laptop as a test and RootRepeal shows the same thing *but*, confusingly, it doesn't give any positive for the laptop's internal hard drive. Has something somehow happened to the disks that were infected in the first place for it to remain a positive on two different machines?

I managed to run both fixboot and fixmbr and still get the same positives.

I've installed Kaspersky on this machine now, will it pick up anything if something starts to be run from a program still lurking there? I just want to be safe rather than sorry!

Thanks once again.
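The "user & kernel MBR OK" line in the mbr.exe log above comes from reading sector 0 through two different paths and comparing the results; the "sector mismatches" RootRepeal reports are the same idea applied per drive. The following Python is an added illustration, not code from the thread or from Gmer's tool: it parses a constructed 512-byte MBR (signature and partition table) and reports which region differs between two reads of the same sector.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Parse a classic 512-byte MBR: boot signature plus the four 16-byte partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 means an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "bootcode": sector[:446], "partitions": entries}


def compare_reads(user_read: bytes, kernel_read: bytes) -> list:
    """Name the MBR regions that differ between two reads of sector 0 (e.g. a user-mode
    read via the volume handle versus a read issued lower in the storage stack).
    A clean disk yields an empty list; a bootkit that hides the real boot code
    typically shows up as a 'bootcode' difference with the partition table intact."""
    diffs = []
    if user_read[:446] != kernel_read[:446]:
        diffs.append("bootcode")
    if user_read[446:510] != kernel_read[446:510]:
        diffs.append("partition_table")
    if user_read[510:] != kernel_read[510:]:
        diffs.append("signature")
    return diffs


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not taken from any real disk): a few bytes of dummy boot
    code padded with NOPs and one bootable NTFS partition (type 0x07) starting at LBA 2048."""
    bootcode = bytes([0x33, 0xC0, 0x8E, 0xD0]).ljust(446, b"\x90")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 409600)
    return bootcode + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr()
    print(parse_mbr(clean)["partitions"])
    # Simulate a hidden-MBR condition: the second read returns altered boot code.
    tampered = bytearray(clean)
    tampered[0:2] = b"\xEB\xFE"
    print("differences:", compare_reads(clean, bytes(tampered)))
```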

#6 pheap1
  • Topic Starter
  • Members
  • 6 posts

Posted 20 February 2010 - 06:13 PM

Double post, whoops!

Edited by pheap1, 20 February 2010 - 06:14 PM.


#7 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts

Posted 21 February 2010 - 04:07 AM

Have you previously run RootRepeal on the machine without getting the MBR detection?

Gmer and mbr.exe don't see the infection if it should be present. In addition, an MBR detection can only do harm on the disk that is booted. Data drives with infected MBRs pose no threat whatsoever.

regards myrti



#8 pheap1
  • Topic Starter
  • Members
  • 6 posts

Posted 21 February 2010 - 09:57 AM

Unfortunately I hadn't run it previously, no.

I went online on that computer last night and a number of trojans were downloaded. Kaspersky picked up some but a few others were only picked up, worryingly, by an anti-malware run.

As I succeeded in removing what I thought was the extent of the threat I'm worried that I left something that is the root of the problem, hence the quick reappearance of trojans.

It's a bit confusing at the moment, I don't know how safe I really am.

I presume that if I connect the data drive to another machine I can copy those files without any fear of passing on a virus then, is that correct?

Edited by pheap1, 21 February 2010 - 09:57 AM.


#9 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts

Posted 21 February 2010 - 12:48 PM

Hi,

If you were still infected by the mbr rootkit, we would see some more obvious signs. These aren't present. Gmer and mbr are also very good at detecting this infection and they show no sign of it.

I don't think you are infected any more. Do you have any other symptoms apart from the MBR infection shown by RootRepeal?

regards myrti



#10 pheap1
  • Topic Starter
  • Members
  • 6 posts

Posted 22 February 2010 - 08:21 PM

Been out all day so not checked the computer today, will do so tomorrow...

Quote (myrti @ Feb 21 2010, 12:48 PM):

    Hi,

    If you were still infected by the mbr rootkit, we would see some more obvious signs. These aren't present. Gmer and mbr are also very good at detecting this infection and they show no sign of it.

    I don't think you are infected any more. Do you have any other symptoms apart from the MBR infection shown by RootRepeal?

    regards myrti



#11 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts

Posted 06 March 2010 - 04:14 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
