
$MBR.1 detected by WR; Google links alt


8 replies to this topic

#1 hotagw

Posted 17 February 2012 - 01:40 PM

My Webroot detected $MBR.1 but is unable to remove it, after rebooting. I read that it was a false positive; however, my computer (and Norton Antivirus and Webroot) are acting up. It's been doing this for about a week.

I also noticed that http://asdvd(dot)info/feed(dot)php has been added to my google results so I get redirected to sites if I click the link. If I copy/paste, I do not get redirected.

Additionally, my Norton AV has informed me that Generic Host Process for Win 32 is using unusually high memory. Norton has also blocked Web Attack Malicious ToolKit, Black Hole Toolkit, Oracle Java, Rhino Script, and JRE Trusted Method.

I'm running Windows XP Professional Version 2002 Service Pack 3.

I would appreciate any support or direction one might be able to provide me. Thank you in advance. Also, my roommate and I use the same wireless network, should I advise her to have her Mac checked out?

#2 Tim the Wizard

Posted 17 February 2012 - 02:07 PM

Mac is built on a different file-system so it is unlikely to infect your roommate.

I would go run some checks with some popular free malware removal utilities like Malwarebytes, SuperAntispyware, and Spybot S&D. It isn't usually necessary to run a full scan, so just select quick scan and remove what they find. If you are still having issues, NOD32 by Eset has an online virus scan for free. Of course, if none of this works you can post logs in the LOG analysis area and have the experts walk you through removing a serious infection. Best of luck!

#3 boopme

Posted 17 February 2012 - 02:27 PM

Hello, please tell us your Operating System.

Also post the Malwarebytes log after that scan.

This is possibly a false positive. We should double check it before we take action.

Let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.



Also, to check for and confirm the MBR (Master Boot Record) rootkit:


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

Edited by boopme, 17 February 2012 - 02:28 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 hotagw (Topic Starter)

Posted 17 February 2012 - 11:55 PM

I'm running Windows XP Professional Version 2002 Service Pack 3

I included the Malwarebytes log below. I wasn't sure if I should put everything into one reply or not. Thank you both for your assistance.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.18.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: F983C920B0964F8 [administrator]

2/17/2012 20:40:53
mbam-log-2012-02-17 (20-40-53).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 305062
Time elapsed: 3 hour(s), 8 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#5 hotagw (Topic Starter)

Posted 18 February 2012 - 12:58 AM

MBR Log

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2120BH_PL rev.00000029 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x868072C6
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2120BH_PL rev.00000029 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x868072C6
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2120BH_PL rev.00000029 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x867A82C6
user & kernel MBR OK
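The mbr.exe procedure boopme gives in post #3 appends one block like the above to C:\mbr.log per run. As an added example that is not from this thread or from GMER, here is a small Python parser that splits a pasted mbr.log into runs and lists, per run, the read errors, the entries under "detected hooks:" and whether the "user & kernel MBR OK" verdict was present, so a helper can see at a glance what needs a closer look. The sample input is the first run of the log hotagw posted.

```python
import re

# One run of the mbr.exe (GMER) log exactly as posted in the thread above.
SAMPLE_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2120BH_PL rev.00000029 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x868072C6
user & kernel MBR OK
"""

# A "detected hooks:" entry has the shape: <driver object> <routine> -> <address>
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)\s*$")

def parse_mbr_log(text):
    """Split an mbr.log into runs and record errors, hooks and the verdict of each."""
    runs = []
    run = None
    for line in text.splitlines():
        if line.startswith("Stealth MBR rootkit"):      # tool banner starts a new run
            run = {"errors": [], "hooks": [], "mbr_ok": False}
            runs.append(run)
        elif run is None:
            continue                                     # stray text before the first banner
        elif line.startswith("error:"):
            run["errors"].append(line[len("error:"):].strip())
        elif line.strip() == "user & kernel MBR OK":     # user-mode and kernel MBR reads agree
            run["mbr_ok"] = True
        else:
            m = HOOK_RE.match(line)
            if m:
                run["hooks"].append({"driver": m.group(1), "routine": m.group(2),
                                     "address": m.group(3)})
    return runs

def triage(runs):
    """Lines a helper would want to see; empty means MBR agreed and no hooks were listed."""
    findings = []
    for i, run in enumerate(runs, 1):
        if not run["mbr_ok"]:
            findings.append(f"run {i}: no 'user & kernel MBR OK' verdict, MBR reads disagree or failed")
        for h in run["hooks"]:
            findings.append(f"run {i}: hook in {h['driver']} {h['routine']} at {h['address']}")
    return findings
```

Whether a listed hook is benign or not is for the log analysts to decide; the parser only surfaces it.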

#6 hotagw (Topic Starter)

Posted 18 February 2012 - 01:25 AM

I'm having difficulty locating the $MBR.1 file to upload it. I've done both a manual search of the c:\ directory and had the computer do a search and both came up empty. When the Webroot search detected it, I believe it was during the rootkit portion of the search. Any chance someone could direct me to the appropriate place to start looking? Thank you again for taking the time to answer my questions.

#7 boopme

Posted 18 February 2012 - 07:40 PM

I found a Webroot guide here

http://download.webroot.com/WSAUserGuide_8.0.1.pdf


Section 5, Quarantine: see if you can copy the file if it's there.
To view and manage items in quarantine:
1 Open the main interface (see “Using the main interface” on page 5).
2 Click PC Security, then click the Quarantine tab.
3 Click the View Quarantine button.

#8 hotagw (Topic Starter)

Posted 18 February 2012 - 11:12 PM

> I found a Webroot guide here
>
> http://download.webroot.com/WSAUserGuide_8.0.1.pdf
>
> Section 5, Quarantine: see if you can copy the file if it's there.
> To view and manage items in quarantine:
> 1 Open the main interface (see “Using the main interface” on page 5).
> 2 Click PC Security, then click the Quarantine tab.
> 3 Click the View Quarantine button.


Thank you for the suggestion and the guide. I'm still going through the guide now, but unfortunately the file has not yet been quarantined. It is found during the scan and then the only options are to keep monitoring it, dismiss it, or remove it. If you select remove, you're prompted to restart your computer. Once it restarts, Webroot either starts scanning again (at which point, it says it cannot be removed and prompts you to contact support) or Webroot re-opens with a red screen saying the computer is infected. Unfortunately, at no point does the file enter the quarantine section. I've tried uninstalling Webroot to look for the file, but as of yet, no luck.

#9 boopme

Posted 18 February 2012 - 11:21 PM

Let's remove this safely. Let's get a deeper look and see exactly what is there.

Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run skip it and move on.

Let me know if that went well.