mbr and leftovers in a sector from rootkit Mebroot



#1 mbrrootkit


Posted 16 March 2010 - 02:41 PM

When running mbr, the results show:

copy of MBR has been found in sector 0x2542e2b0
malicious code @ sector 0x02542e2b3
PE file found in sector at 0x02542e2c9

I know the infection is gone, but would really like to get rid of this message since Symantec also picks it up, but does nothing. I would like a utility that would clear or delete these leftovers so that someone is not lulled into ignoring antivirus messages. I have already done fixmbr, wiped free space with ccleaner, run combofix and installed the XP recovery console. I guess I could use a sector editor and zero it out. I have seen many people ask the question, but no answers. Surely there is a utility to do this. Mebroot was the original problem. I would rather not reformat the hard drive and restore the image. Details on how to do it would be appreciated.

Thanks

Edited by Orange Blossom, 16 March 2010 - 02:50 PM.
Move to AII. ~ OB


#2 quietman7


Posted 17 March 2010 - 07:55 AM

The presence of malicious code and a PE file in other sectors of the drive indicates that there was an infection but it has been cleaned and the MBR sector has been restored successfully. Mebroot overwrites the MBR of the hard disk and uses rootkit techniques to hide itself. The installer of the rootkit writes the content of a malicious kernel driver to the last sectors of the disk, and then modifies several sectors to include sector 0 (MBR). According to gmer, fixmbr restores only sector 0 (MBR). As such, mbr.exe will always show all sectors where data was written to the drive by Mebroot even after the infection is removed. This leftover data cannot be repaired or restored without knowing what information actually belonged in those sectors and probably would require a disk editor with programmer's knowledge to fix. I'm not aware of any step-by-step instructions for using a disk editor to accomplish this so you will have to read the vendor's documentation if attempting to use one.

#3 mbrrootkit


Posted 18 March 2010 - 08:39 AM

Thanks for the response. That is what I have found so far. I was thinking that if the malicious code is in that sector that either there was nothing there before or whatever was there is ruined so I could zero it out with a sector editor. I wonder how I could find out if something legitimate was using that sector like using the FAT or the old Norton Editor. I saw that mbr (gmer) has a -c option to copy a sector to a file. It would be nice if it had an option to wipe a sector. I want to get rid of the traces. I will keep looking.
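The situation quietman7 describes (fixmbr rewrites only sector 0, so mbr.exe keeps reporting the other sectors Mebroot wrote) and the question in the last post (was that sector in legitimate use?) can be triaged from the MBR partition table before anyone reaches for a sector editor. The Python below is an added example, not code from this thread or from gmer's mbr tool: it pulls the hex LBAs out of report lines shaped like the ones quoted above, parses a constructed sample MBR, says whether each reported LBA lies inside a partition (where a filesystem-level check is still needed) or in the unpartitioned tail of the disk, and checks a constructed sample sector for an MZ/PE header. The disk size and partition layout are assumptions, not the poster's disk.

```python
import re
import struct

# Constructed sample in the shape of the mbr.exe lines quoted in the thread (not a real scan).
MBR_EXE_OUTPUT = """copy of MBR has been found in sector 0x2542e2b0
malicious code @ sector 0x02542e2b3
PE file found in sector at 0x02542e2c9
"""

# Constructed MBR: one NTFS-type (0x07) entry starting at LBA 63, 625,137,282 sectors long, then 55AA.
SAMPLE_MBR = bytes(0x1BE) + struct.pack("<BBHBBHII", 0x80, 0, 0, 0x07, 0, 0, 63, 625_137_282) + bytes(48) + b"\x55\xaa"

# Constructed first sector of a PE image: MZ stub, e_lfanew = 0x80, 'PE\0\0' at offset 0x80.
SAMPLE_PE_SECTOR = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40) + b"PE\0\0" + bytes(512 - 0x84)

def reported_sectors(text):
    """Pull the hexadecimal LBAs out of mbr.exe-style report lines, as integers."""
    return [int(h, 16) for h in re.findall(r"sector(?: at)?\s+(0x[0-9a-fA-F]+)", text)]

def parse_partitions(mbr):
    """Read the four primary partition entries at offset 0x1BE of a 512-byte MBR."""
    if len(mbr) != 512 or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        off = 0x1BE + 16 * i
        ptype = mbr[off + 4]                                  # partition type byte
        start, size = struct.unpack_from("<II", mbr, off + 8)  # LBA start, sector count
        if ptype and size:
            parts.append({"index": i, "type": ptype, "start": start, "end": start + size - 1})
    return parts

def classify_sector(lba, parts, total_sectors):
    """Locate a reported LBA: inside a partition, in a gap, or in the slack after the last one."""
    if lba >= total_sectors:
        return "beyond end of disk"
    for p in parts:
        if p["start"] <= lba <= p["end"]:
            return f"inside partition {p['index']} (type 0x{p['type']:02x})"
    if parts and lba > max(p["end"] for p in parts):
        return "unpartitioned space after the last partition"
    return "unpartitioned gap before or between partitions"

def looks_like_pe(sector):
    """True if the sector holds an MZ stub whose e_lfanew points at a PE signature within it."""
    if len(sector) < 0x40 or sector[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", sector, 0x3C)[0]
    return e_lfanew + 4 <= len(sector) and sector[e_lfanew:e_lfanew + 4] == b"PE\0\0"
```

With the assumed 625,142,448-sector disk, all three reported LBAs fall past the end of the sample partition, matching the "last sectors of the disk" placement quietman7 describes; a sector inside a partition would still have to be checked against the filesystem's allocation map before being treated as free.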
