antigen, sickboy, mbr rootkit detection


  • This topic is locked
4 replies to this topic

#1 Charlie Tounah

  • Members
  • 5 posts

Posted 21 October 2010 - 12:28 PM

Hi,

Apologies in advance for not waiting for permission to run Combofix, but I have had good success with it in the past and it has worked where nothing else did.

Anyway, I have a computer that was slow, ran Combofix on it, and it found and deleted a number of files among which were antigen.exe and sickboy.exe. In the combofix log, the following appeared:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xBA3B8000]<< >>UNKNOWN [0xBA108000]<< >>UNKNOWN [0xBA0F8000]<< >>UNKNOWN [0xB9F50000]<< >>UNKNOWN [0x806E4000]<< >>UNKNOWN [0xB9EE2000]<< >>UNKNOWN [0xBA671000]<< >>UNKNOWN [0xBA328000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xba10cf28
\Driver\ACPI -> 0xb9f56cb8
\Driver\atapi -> 0xb9ee8852
IoDeviceObjectType -> ParseProcedure -> 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> 0x805827e8
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> 0xb9df4bb0
PacketIndicateHandler -> 0xb9e01b21
SendHandler -> 0xb9ddf87b
user & kernel MBR OK

Obviously there's some MBR rootkit activity going on here, but my question is, did the scan take care of it, or just detect it?

Thanks for your help,

Charlie T.
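The question in the post is whether the log above records a detection or a cleanup. The detector section has two separate signals: the list under "detected MBR rootkit hooks:" (kernel objects whose dispatch routines now point somewhere the tool does not recognise) and the "user & kernel MBR OK" line (the two reads of the MBR, as the log labels them, agreed). The following is an added example, not code from GMER, ComboFix or this thread: a small triage parser for exactly this log format that separates those two signals. SAMPLE_LOG is the post's own log, with the "called modules" line shortened to three entries; the classification of \Driver\Disk, \Driver\atapi and \Device\Harddisk* as "storage stack" targets is this example's choice.

```python
"""Triage parser for the 'Stealth MBR rootkit' detector section of a GMER/ComboFix log.

Added example (not GMER, ComboFix or thread code).  It reads the sections visible
in the quoted log and reports, separately, the hooks the detector listed and the
user-vs-kernel MBR comparison result.  SAMPLE_LOG is constructed from the post.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the detector section as quoted in the post
# ("called modules" shortened to three entries).
SAMPLE_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xBA3B8000]<< >>UNKNOWN [0xBA108000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xba10cf28
\Driver\ACPI -> 0xb9f56cb8
\Driver\atapi -> 0xb9ee8852
IoDeviceObjectType -> ParseProcedure -> 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> 0x805827e8
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> 0xb9df4bb0
PacketIndicateHandler -> 0xb9e01b21
SendHandler -> 0xb9ddf87b
user & kernel MBR OK
"""


@dataclass
class Hook:
    target: str    # hooked driver object, device object or NDIS adapter
    handler: str   # hooked routine/field name ("" when the log gives only an address)
    address: int   # address the hook now points to


@dataclass
class MbrReport:
    user_mbr_read: bool = False
    kernel_mbr_read: bool = False
    user_kernel_mbr_match: bool = False   # the "user & kernel MBR OK" line
    hooks: list = field(default_factory=list)
    unknown_modules: list = field(default_factory=list)   # addresses of >>UNKNOWN [...]<< modules


HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?:(?P<handler>\w+) -> )?(?P<addr>0x[0-9a-fA-F]+)$")
MODULE_RE = re.compile(r">>(?P<name>.+?) \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
STORAGE_TARGETS = ("\\driver\\disk", "\\driver\\atapi")   # this example's grouping


def parse_report(text: str) -> MbrReport:
    rep = MbrReport()
    in_hooks = False
    last_target = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "user: MBR read successfully":
            rep.user_mbr_read = True
        elif line == "kernel: MBR read successfully":
            rep.kernel_mbr_read = True
        elif line == "user & kernel MBR OK":
            rep.user_kernel_mbr_match = True
            in_hooks = False
        elif line.startswith("called modules:"):
            rep.unknown_modules = [int(m.group("addr"), 16) for m in MODULE_RE.finditer(line)
                                   if m.group("name") == "UNKNOWN"]
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif in_hooks:
            m = HOOK_RE.match(line)
            if not m:
                continue
            target, handler = m.group("target"), m.group("handler") or ""
            # A bare "Name -> 0x..." line with no backslash path and no "NDIS:" prefix
            # continues the previous NDIS entry (another handler of the same adapter),
            # so the captured name belongs in the handler slot.
            if not handler and "\\" not in target and not target.startswith("NDIS:") and last_target:
                target, handler = last_target, target
            rep.hooks.append(Hook(target, handler, int(m.group("addr"), 16)))
            last_target = target
    return rep


def triage(rep: MbrReport) -> dict:
    """Summarise the report for the 'detected or cleaned?' question."""
    storage_hooks = [h for h in rep.hooks
                     if h.target.lower() in STORAGE_TARGETS or h.target.startswith("\\Device\\Harddisk")]
    return {
        "hook_count": len(rep.hooks),
        "storage_stack_hooked": bool(storage_hooks),
        "network_stack_hooked": any(h.target.startswith("NDIS:") for h in rep.hooks),
        "unknown_kernel_modules": len(rep.unknown_modules),
        # "OK" means the user-mode and kernel-mode reads agreed, not that the MBR is clean.
        "mbr_reads_agree": rep.user_kernel_mbr_match,
        "verdict": ("kernel hooks present; this section only reports them and shows no removal step"
                    if rep.hooks else "no hooks reported"),
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the quoted log, the parser returns eight hooks (three on the NDIS adapter), three UNKNOWN modules, a hooked storage stack and an "OK" MBR comparison, which together say "detected, not removed": nothing in the detector section is a cleanup action.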


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 October 2010 - 11:47 AM

Hi Charlie,

Are you still needing help with this? I would need to see the complete log to be able to tell you for sure. But if there are still problems then we need to run another tool to take it out. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Charlie Tounah

  • Topic Starter
  • Members
  • 5 posts

Posted 01 November 2010 - 08:45 AM

Hi,

I think we're good now -- I booted from a live CD, and used TestDisk (cgsecurity.org - great program) to check the partition structure, and in fact there was a discrepancy between the MBR and the actual sector count/location; so it appeared that Combofix detected, but did not fix, the MBR issue. TestDisk was able to write a new copy of an MBR and everything seems to be in good shape now.

Thanks for the reply.

Charlie T.
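The fix in the post came from checking the partition table in the MBR against the disk's real geometry and finding that the two disagreed. The following is an added example, not TestDisk's code and not from this thread, of that kind of consistency check on a 512-byte MBR image: it parses the four 16-byte partition entries, verifies the 0x55AA boot signature, and reports entries that run past the disk's sector count, overlap each other, start inside the MBR, or carry an invalid status byte. The MBR images and the 2,000,000-sector disk size are constructed test data. Note the scope: this inspects the partition table only; the 446 bytes of boot code, which is where an MBR rootkit lives, are not examined here.

```python
"""Consistency check of an MBR partition table against the disk's sector count.

Added example (not TestDisk code, not from the thread).  It performs the sort of
check the post describes on a 512-byte MBR image: does the partition table agree
with the disk's size and with itself?  Images built by build_mbr() are test data.
Only the partition table is checked; the boot code is not inspected.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries follow the boot code
SIGNATURE_OFFSET = 510
MBR_SIGNATURE = 0xAA55      # bytes 55 AA at offset 510, read as little-endian u16


def build_mbr(entries, boot_code: bytes = b"\x00" * TABLE_OFFSET) -> bytes:
    """Construct a test MBR from (status, type, lba_start, sector_count) tuples."""
    table = b"".join(
        # CHS fields left zero; the LBA fields are what modern tools rely on
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in entries)
    return boot_code + table.ljust(64, b"\x00") + struct.pack("<H", MBR_SIGNATURE)


def parse_partition_table(mbr: bytes):
    """Return (signature, entries); each entry is a dict of the LBA-relevant fields."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("MBR image shorter than one sector")
    (signature,) = struct.unpack_from("<H", mbr, SIGNATURE_OFFSET)
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype, "lba": lba, "sectors": count})
    return signature, entries


def check_partition_table(mbr: bytes, disk_sectors: int) -> list:
    """Return human-readable findings; an empty list means nothing inconsistent was seen."""
    findings = []
    signature, entries = parse_partition_table(mbr)
    if signature != MBR_SIGNATURE:
        findings.append(f"boot signature is 0x{signature:04x}, expected 0x{MBR_SIGNATURE:04x}")
    placed = []   # (index, start, end) of entries already examined
    for e in entries:
        if e["type"] == 0 and e["sectors"] == 0:
            continue  # unused slot
        i, start, end = e["index"], e["lba"], e["lba"] + e["sectors"]
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if start == 0:
            findings.append(f"entry {i}: starts at LBA 0, inside the MBR itself")
        if e["sectors"] == 0:
            findings.append(f"entry {i}: zero-length partition of type 0x{e['type']:02x}")
        if end > disk_sectors:
            findings.append(f"entry {i}: ends at sector {end} but disk has {disk_sectors} sectors")
        for j, s, t in placed:
            if start < t and s < end:
                findings.append(f"entry {i}: overlaps entry {j}")
        placed.append((i, start, end))
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        findings.append("more than one partition is flagged active (0x80)")
    return findings


# Constructed demonstration data: a 2,000,000-sector disk (about 1 GB at 512 bytes/sector)
DISK_SECTORS = 2_000_000
CONSISTENT_MBR = build_mbr([(0x80, 0x07, 63, DISK_SECTORS - 63)])
INCONSISTENT_MBR = build_mbr([(0x80, 0x07, 63, 2_100_000),        # runs past the end of the disk
                              (0x00, 0x83, 1_000_000, 500_000)])  # sits inside the first entry

if __name__ == "__main__":
    for name, image in (("consistent", CONSISTENT_MBR), ("inconsistent", INCONSISTENT_MBR)):
        print(name, check_partition_table(image, DISK_SECTORS) or ["no findings"])
```

On a real disk the 512 bytes would come from the first sector of the device read under a live CD, as in the post, and disk_sectors from the device's reported size; a non-empty result is a reason to look closer, not proof of tampering, since a partition tool that miswrote the table produces the same finding.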

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 November 2010 - 12:17 PM

Hi Charlie,

Thank you so much for letting me know. :thumbup2:

I'll leave this open for a couple of days, just in case. :)

tea

#5 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 November 2010 - 12:08 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
