mbr.exe rootkit



#1 jonesm.d.
Posted 15 February 2011 - 12:16 PM

A client machine (Dell Inspiron) running Windows XP was infected. Ran rkill.exe, didn't find anything. Ran tdsskill.exe, didn't find anything. Ran Malwarebytes and Computer Associates Antivirus, found nothing. I downloaded, installed and ran Hitman Pro 3.5, which identified mbr.exe as a rootkit. I know there is an mbr.exe killer out there but I don't know where; I thought it was on this site. Any assistance? Computer Associates Antivirus software's "Real Time" scanner keeps popping up a virus alert, but does not provide the full path. Trying to knock out this mbr.exe so we can proceed with the virus removal.

#2 boopme (Global Moderator)

Posted 15 February 2011 - 12:26 PM

To check for and confirm the MBR (Master Boot Record) rootkit, use the standalone mbr.exe tool by Gmer.

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press OK.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic: a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

#3 jonesm.d. (Topic Starter)

Posted 15 February 2011 - 12:49 PM

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75FRA0 rev.77.07W77 -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: error reading MBR
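Post #2 has the tool read the MBR and post #3 shows what that read returned: the user-mode read succeeded while the kernel read failed. The Python below is an added example, not part of this thread and not Gmer's code. It parses a raw 512-byte MBR (boot code, disk signature, four partition entries, 0x55AA signature) and compares the sector as seen through two read paths, which is the idea behind this class of detector: a bootkit hooks the disk driver so the hooked path returns a clean-looking sector while the sector actually on disk carries its loader. A failed read, as in post #3, is reported as its own finding because the tool then cannot tell clean from infected. The sector bytes, the partition layout and the function names (parse_mbr, compare_reads, build_sector) are all constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # classic MBR: 440 bytes boot code, 4-byte disk signature, 2 reserved
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3xB3xII"   # status, (CHS start skipped), type, (CHS end skipped), LBA start, count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of every valid MBR


@dataclass
class Partition:
    status: int       # 0x80 = active (bootable), 0x00 = inactive
    ptype: int        # partition type byte, e.g. 0x07 = NTFS
    lba_start: int
    sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80


@dataclass
class Mbr:
    boot_code: bytes
    disk_signature: int
    partitions: List[Partition]


def parse_mbr(sector: bytes) -> Mbr:
    """Parse one raw 512-byte sector as an MBR; raise ValueError if it is not one."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0]
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte 0x{status:02x}")
        parts.append(Partition(status, ptype, lba, count))
    return Mbr(bytes(sector[:BOOT_CODE_LEN]), disk_sig, parts)


def is_valid_mbr(sector: bytes) -> bool:
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


KERNEL_READ_FAILED = "kernel read failed; the MBR could not be verified"


def compare_reads(user_read: bytes, kernel_read: Optional[bytes]) -> List[str]:
    """Compare the MBR as seen through two read paths and list every difference.

    An empty list means both views agree. A hooked disk driver makes the user
    path return a clean-looking sector; the path that bypasses the hook shows
    the real one. A failed read (None) is itself a finding."""
    if kernel_read is None:
        return [KERNEL_READ_FAILED]
    findings = []
    seen, real = parse_mbr(user_read), parse_mbr(kernel_read)
    if seen.boot_code != real.boot_code:
        findings.append("boot code differs between reads: MBR modified and hidden by a hooked disk read")
    if seen.disk_signature != real.disk_signature:
        findings.append("disk signature differs between reads")
    for i, (p, q) in enumerate(zip(seen.partitions, real.partitions)):
        if p != q:
            findings.append(f"partition entry {i} differs (LBA start {p.lba_start} vs {q.lba_start})")
    return findings


def build_sector(boot_code: bytes, partitions: List[Partition], disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a 512-byte MBR from its parts (used here only to build test data)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    struct.pack_into("<I", sec, BOOT_CODE_LEN, disk_sig)
    for i, p in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, sec, PART_TABLE_OFF + 16 * i, p.status, p.ptype, p.lba_start, p.sectors)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


# Constructed test data (not a dump from a real disk): one active NTFS partition at
# LBA 63, a placeholder boot loader, and an "infected" copy of the same MBR whose
# boot code has been swapped for a stand-in bootkit loader.
NTFS = Partition(status=0x80, ptype=0x07, lba_start=63, sectors=78_000_000)
CLEAN_BOOT = bytes.fromhex("33c08ed0bc007c8ec08ed8be007c") + b"\x00" * 400
ROOTKIT_BOOT = b"\xeb\x4c" + b"\x90" * 64 + b"\x00" * 300
CLEAN_MBR = build_sector(CLEAN_BOOT, [NTFS])
INFECTED_MBR = build_sector(ROOTKIT_BOOT, [NTFS])

if __name__ == "__main__":
    print("clean vs clean:   ", compare_reads(CLEAN_MBR, CLEAN_MBR))
    print("clean vs infected:", compare_reads(CLEAN_MBR, INFECTED_MBR))
    print("kernel read error:", compare_reads(CLEAN_MBR, None))
```

On a real machine the two inputs would be the sector read through the normal device path and a second read taken by a route the rootkit does not hook (or a known-good copy of the MBR saved before the infection); the comparison logic is the same. The partition-entry check matters for bootkits that keep the original boot code but point an entry at a hidden area of the disk.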

#4 boopme (Global Moderator)

Posted 15 February 2011 - 03:10 PM

Hello. To remove the infection, run the command mbr.exe -f (note the space between the e and -f) from a command prompt. Have the user reboot the machine, otherwise the next report may still show (false) infection. Then run mbr.exe again to confirm the removal.

Open Windows Explorer and rename the C:\mbr.log to C:\mbr.old
Go to Start > Run and type: cmd
press OK.
At the command prompt, type: cd \
press Enter.
At the command prompt, type: mbr.exe -f
(make sure there is a space between the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

It will produce a new report at C:\mbr.log. Please copy/paste the results in your next reply.