How best to deal w/ master boot record virus


villandra

Looks like I've got a master boot record virus. I want to know what
my options are.

GMER included this worrisome report in a very long and complex report:

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk2\DR5 sector 00: rootkit-like behavior

McAfee Stinger says:

2 master boot records, possibly infected 0
3 boot sectors possibly infected 0


Gmer's mbr log reports:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HP______ rev.1.00 -> Harddisk2\DR5 -> \Device\0000007e

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!

Avast's aswMBR reports:

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-16 00:09:40
-----------------------------
00:09:40.750 OS Version: Windows 5.1.2600 Service Pack 3
00:09:40.750 Number of processors: 4 586 0x2A07
00:09:40.750 ComputerName: DORA UserName:
00:09:40.968 Initialize success
00:09:41.046 AVAST engine defs: 12011501
00:09:57.203 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
00:09:57.203 Disk 0 Vendor: WDC_WD3200AAKS-00V1A0 05.01D05 Size: 305245MB BusType: 3
00:09:57.203 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS b83d1f26
00:09:57.218 Disk 2 MBR read successfully
00:09:57.218 Disk 2 MBR scan
00:09:57.218 Disk 2 Windows XP default MBR code
00:09:57.218 Disk 2 MBR hidden
00:09:57.218 Disk 2 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
00:09:57.218 Disk 2 Partition - 00 0F Extended LBA 265237 MB offset 81915435
00:09:57.234 Disk 2 Partition 2 00 07 HPFS/NTFS NTFS 265237 MB offset 81915498
00:09:57.250 Disk 2 scanning E:\WINDOWS\system32\drivers
00:10:04.781 Service scanning
00:10:05.156 Service WRkrn E:\WINDOWS\System32\drivers\WRkrn.sys **LOCKED** 32
00:10:05.656 Modules scanning
00:10:12.500 Disk 2 trace - called modules:
00:10:12.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll
00:10:12.515 1 nt!IofCallDriver -> \Device\Harddisk2\DR5[0x8939b2d8]
00:10:12.828 AVAST engine scan E:\WINDOWS
00:10:18.312 AVAST engine scan E:\WINDOWS\system32
00:11:34.109 AVAST engine scan E:\WINDOWS\system32\drivers
00:11:45.734 AVAST engine scan E:\Documents and Settings\Dora Smith
00:14:02.875 AVAST engine scan E:\Documents and Settings\All Users
00:14:50.578 Scan finished successfully
00:17:47.453 Disk 2 MBR has been saved successfully to "E:\MBR.dat"
00:17:47.468 The log file has been saved successfully to "E:\aswMBR.txt"

I didn't continue with the files that were called by the master boot
record.

The "Service WRkrn E:\Windows\System32\drivers\WRkrn.sys **LOCKED**
32" line is in yellow. Do I need to do something special about
that?

Avast aswMBR has an option to "FixMBR" - I guess by putting standard
code. Alternatively apparently one can do the same thing from within
AVAST (I currently have AVAST paid version installed after Vipre
didn't do anything to protect or fix my computer.)

MBRCheck from geekstogo.com found

298 GB Physical Drive 0 Windows XP MBR code detected (in green)
SHA1 (long string)
74 GB Physical Drive 1 Re: Unknown MBR code

Found nonstandard or infected MBR (restore MBR of a physical disk with
standard boot code).

Choose physical disk to fix, usually 0, choose code for system (i.e. XP),
confirm change.


Alternatively one can boot into the Repair Console and type fixmbr,
which, I guess, creates a NEW master boot record with standard code -
which might still work.

-----------------------------------------------------------------------------------------

MY QUESTIONS:


1. I don't suppose that there's any chance that using system restore
from early enough would restore the master boot virus? I believe it
backs up everything, but I'm not sure what "everything" includes.


2. One part that puzzles me is that sometimes the replaced code/ file
works and sometimes it doesn't. If the master boot record is an index
of everything on the drive, then how would substituted standard code
still allow the machine to function?


3. If I run fixmbr in the recovery console to fix it, should I also
run fixboot, or not?


4. If I have the recovery console installed on my computer, do I need
the Windows CD?


5. The other part I'm having trouble with is whether to replace the
code in "Disk 0" or "Disk 2". I seem to have two conflicting versions
of which "disk" has the corrupted code. And if I did fix "disk 0"
what should I do with the mbr in "disk 2"?

Yours,
Dora Smith
 

David H. Lipman

villandra said:
Looks like I've got a master boot record virus. I want to know what
my options are.

< snip >

Please don't Multi-Post.
Please do Cross-Post to pertinent, On Topic, news groups.

Your post about an MBR RootKit has already been answered.
 

jim

Looks like I've got a master boot record virus. I want to know what
my options are.

GMER included this worrisome report in a very long and complex report:

Have you looked at your boot.ini to see if anything has changed -- such as a
new option being added on the execute line?

jim
 

villandra

Have you looked at your boot.ini to see if anything has changed -- such as a
new option being added on the execute line?

jim

Here's the entire content of boot.ini .

[boot loader]
timeout=1
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


I just installed the Windows Recovery Console.

Dora
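jim's suggestion, to look for switches that were never there before, can be done mechanically rather than by eye. The following Python is an added example and not code from this thread or from any of the tools named in it. It parses the boot.ini posted above (reproduced inline as its sample input), lists each entry's switches, and flags any switch that is not one of the documented ntldr switches; it also flags /kernel and /hal, which are legitimate but make ntldr load a kernel or HAL other than the default file. The extra switches in the tampered variant are made up to exercise the check.

```python
"""Audit an XP boot.ini for boot switches that should not be there (added example)."""
import re

# Switches documented for ntldr's boot.ini.  Anything else gets flagged.
KNOWN_SWITCHES = {
    "/fastdetect", "/noexecute", "/cmdcons", "/safeboot", "/sos", "/bootlog",
    "/basevideo", "/noguiboot", "/pae", "/nopae", "/3gb", "/userva",
    "/debug", "/debugport", "/baudrate", "/numproc", "/maxmem", "/burnmemory",
    "/kernel", "/hal",
}
# Documented, but they make ntldr load a kernel or HAL other than the default file,
# so they deserve a look even though the switch name itself is legitimate.
REVIEW_SWITCHES = {"/kernel", "/hal"}

# The boot.ini posted above, reproduced as sample input.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=1
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Constructed variant with two made-up additions on the XP line (hypothetical, not from the thread).
TAMPERED_BOOT_INI = SAMPLE_BOOT_INI.replace(
    "/fastdetect", "/fastdetect /hypothetical /kernel=ntoskrnl-alt.exe")


def parse_boot_ini(text):
    """Return timeout, default ARC path and one dict per [operating systems] entry."""
    cfg = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")   # first '=' ends the path; switches may contain '='
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout" and value.isdigit():
                cfg["timeout"] = int(value)
            elif key.lower() == "default":
                cfg["default"] = value
        elif section == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)$', value)
            description, rest = (m.group(1), m.group(2)) if m else (value, "")
            cfg["entries"].append({"path": key, "description": description,
                                   "switches": [t for t in rest.split() if t.startswith("/")]})
    return cfg


def audit_boot_ini(text):
    """List findings: a default that points nowhere, unknown switches, kernel/HAL overrides."""
    cfg = parse_boot_ini(text)
    findings = []
    paths = {e["path"].lower() for e in cfg["entries"]}
    if cfg["default"] and cfg["default"].lower() not in paths:
        findings.append(f"default={cfg['default']} has no matching [operating systems] entry")
    for e in cfg["entries"]:
        for sw in e["switches"]:
            name = sw.split("=", 1)[0].lower()
            if name not in KNOWN_SWITCHES:
                findings.append(f"{e['path']}: unknown switch {sw}")
            elif name in REVIEW_SWITCHES:
                findings.append(f"{e['path']}: {sw} overrides the default kernel/HAL; verify that file")
    return findings


if __name__ == "__main__":
    for label, text in (("posted boot.ini", SAMPLE_BOOT_INI), ("tampered variant", TAMPERED_BOOT_INI)):
        cfg = parse_boot_ini(text)
        print(f"{label}: timeout={cfg['timeout']} default={cfg['default']}")
        for e in cfg["entries"]:
            print(f"  {e['path']} -> {e['description']!r} {' '.join(e['switches'])}")
        for finding in audit_boot_ini(text) or ["no findings"]:
            print("  *", finding)
```

Run against the posted file it reports nothing; the switch allowlist is the place to add anything a particular build legitimately uses before trusting a clean result.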
 

000-222-000

villandra said:
Have you looked at your boot.ini to see if anything has changed -- such as a
new option being added on the execute line?

jim

Here's the entire content of boot.ini .

[boot loader]
timeout=1
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


I just installed the Windows Recovery Console.


Make the timeout=30

so you will have time to use it...

Remember to uncheck Read-Only in the boot.ini Properties
before saving.
 

Six Underground

1. I don't suppose that there's any chance that using system restore
from early enough would restore the master boot virus? I believe it
backs up everything, but I'm not sure what "everything" includes.

AIUI, System Restore has nothing to do with MBR code. System Restore
deals mainly with certain types of files, and also the registry. Info
regarding this is available online.

2. One part that puzzles me is that sometimes the replaced code/ file
works and sometimes it doesn't. If the master boot record is an index
of everything on the drive, then how would substituted standard code
still allow the machine to function?

AIUI, the Master Boot Record contains the disk's partition table, boot
code, and signatures. It is not an index of everything on the disk.
You may be thinking of the MFT.

3. If I run fixmbr in the recovery console to fix it, should I also
run fixboot, or not?

Run only what is necessary to effect the necessary repairs; nothing
more.

If you do opt to use fixmbr, heed Microsoft's warning from their
web site:

"Warning This command can damage your partition tables if a virus is
present or if a hardware problem exists. If you use this command, you
may create inaccessible partitions. We recommend that you run
antivirus software before you use this command."

4. If I have the recovery console installed on my computer, do I need
the Windows CD?

No.

Good luck!

6U
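Six Underground's point that the MBR holds boot code, a partition table and signatures rather than an index of the disk, and villandra's question 2 about why fixmbr leaves the machine bootable, both follow from the layout of the sector itself. The following Python is an added example, not code from this thread or from any of the tools named in it. The boot-code bytes and disk signature are constructed placeholders; only the partition start offsets and sizes are taken from the aswMBR log earlier in the thread. It parses a 512-byte image such as the MBR.dat that aswMBR saved, shows what a fixmbr-style repair touches and what it leaves alone, and performs the comparison GMER's "user != kernel MBR" line is about: the same sector read by two routes, reported region by region. It never writes to a disk.

```python
"""Parse, compare and repair a 512-byte MBR image (added example, not from the thread)."""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_END = 440     # bytes 0..439: boot code, the only region a fixmbr-style repair rewrites
DISK_SIG_OFF = 440      # bytes 440..443: NT disk signature, 444..445 reserved
PART_TABLE_OFF = 446    # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510     # bytes 510..511: 0x55 0xAA boot signature

# Constructed stand-ins for boot code: NOT real Windows XP or rootkit bytes.
GOOD_CODE = b"CONSTRUCTED-CLEAN-BOOT-CODE".ljust(BOOT_CODE_END, b"\x90")
HOOKED_CODE = b"CONSTRUCTED-HOOKED-BOOT-CODE".ljust(BOOT_CODE_END, b"\x90")

# Primary table from the aswMBR log in the thread: start LBAs are the log's offsets, sector
# counts are chosen so the MB figures match.  The logical NTFS partition at offset 81915498
# lives in the extended boot record, not in this sector.  The disk signature is made up.
SAMPLE_PARTS = [
    (0x80, 0x07, 63, 81915372),          # Partition 1: active, NTFS, 39997 MB
    (0x00, 0x0F, 81915435, 543205376),   # Extended LBA container, 265237 MB
]
SAMPLE_DISK_SIG = 0x1234ABCD


def build_mbr(boot_code, parts, disk_sig):
    """Assemble a 512-byte MBR from its pieces (test fixture standing in for a disk read)."""
    table = b""
    for status, ptype, start, count in parts:
        # CHS fields are ignored on LBA disks; 0xFE 0xFF 0xFF is the usual filler.
        table += struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    sector = (boot_code[:BOOT_CODE_END].ljust(BOOT_CODE_END, b"\x00")
              + struct.pack("<IH", disk_sig, 0)
              + table.ljust(64, b"\x00")
              + b"\x55\xaa")
    assert len(sector) == SECTOR
    return sector


def parse_mbr(sector):
    """Decode the three things an MBR holds: boot code (hashed), disk signature, partition table."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR image is exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("0x55AA boot signature missing")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue                        # empty slot
        partitions.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                           "start": start, "sectors": count,
                           "size_mb": count * SECTOR // (1024 * 1024)})
    return {"boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_END]).hexdigest(),
            "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
            "partitions": partitions}


def compare_views(user_view, kernel_view):
    """GMER's 'user != kernel MBR' check: same sector read two ways; which regions disagree?"""
    regions = {"boot_code": (0, BOOT_CODE_END),
               "disk_signature": (DISK_SIG_OFF, PART_TABLE_OFF),
               "partition_table": (PART_TABLE_OFF, SIGNATURE_OFF),
               "signature": (SIGNATURE_OFF, SECTOR)}
    return {name: user_view[a:b] != kernel_view[a:b] for name, (a, b) in regions.items()}


def rewrite_boot_code(sector, new_code):
    """A fixmbr-style repair: replace only the code region; signature and partition table survive."""
    if len(new_code) > BOOT_CODE_END:
        raise ValueError("boot code must fit in 440 bytes")
    return new_code.ljust(BOOT_CODE_END, b"\x00") + sector[BOOT_CODE_END:]


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # inspect a real dump, e.g. MBR.dat
        with open(sys.argv[1], "rb") as f:
            image = f.read(SECTOR)
    else:                                       # otherwise use the constructed sample
        image = build_mbr(GOOD_CODE, SAMPLE_PARTS, SAMPLE_DISK_SIG)
    info = parse_mbr(image)
    print("boot code SHA1:", info["boot_code_sha1"], " disk signature: 0x%08X" % info["disk_signature"])
    for p in info["partitions"]:
        print(f"  entry {p['index']}: type 0x{p['type']:02X} active={p['active']} "
              f"start={p['start']} sectors={p['sectors']} ({p['size_mb']} MB)")
    if len(sys.argv) == 1:
        # Simulate the rootkit case: the second read returns hooked code, the table is untouched.
        hooked = build_mbr(HOOKED_CODE, SAMPLE_PARTS, SAMPLE_DISK_SIG)
        print("regions differing between views:",
              [k for k, v in compare_views(image, hooked).items() if v])
        repaired = rewrite_boot_code(hooked, GOOD_CODE)
        print("repair keeps partitions:", parse_mbr(repaired)["partitions"] == info["partitions"])
```

The repair step is where Microsoft's warning bites: it keeps the partition table bytes as they are, so if the infection or a hardware fault has already corrupted that region, a fresh boot sector still points at the wrong places. Comparing the decoded partition list against what the running system reports, before writing anything, is the check to do first.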
 
