Anti-Spyware Forums



How best to deal w/ master boot record virus

 
 
villandra
16-01-2012, 08:05 AM
Looks like I've got a master boot record virus. I want to know what
my options are.

GMER included this worrisome report in a very long and complex report:

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk2\DR5 sector 00: rootkit-like behavior

McAfee Stinger says:

2 master boot records, possibly infected 0
3 boot sectors possibly infected 0


Gmer's mbr log reports:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HP______ rev.1.00 -> Harddisk2\DR5 -> \Device\0000007e

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!

Avast's aswMBR reports:

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-16 00:09:40
-----------------------------
00:09:40.750 OS Version: Windows 5.1.2600 Service Pack 3
00:09:40.750 Number of processors: 4 586 0x2A07
00:09:40.750 ComputerName: DORA UserName:
00:09:40.968 Initialize success
00:09:41.046 AVAST engine defs: 12011501
00:09:57.203 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
00:09:57.203 Disk 0 Vendor: WDC_WD3200AAKS-00V1A0 05.01D05 Size: 305245MB BusType: 3
00:09:57.203 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS b83d1f26
00:09:57.218 Disk 2 MBR read successfully
00:09:57.218 Disk 2 MBR scan
00:09:57.218 Disk 2 Windows XP default MBR code
00:09:57.218 Disk 2 MBR hidden
00:09:57.218 Disk 2 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
00:09:57.218 Disk 2 Partition - 00 0F Extended LBA 265237 MB offset 81915435
00:09:57.234 Disk 2 Partition 2 00 07 HPFS/NTFS NTFS 265237 MB offset 81915498
00:09:57.250 Disk 2 scanning E:\WINDOWS\system32\drivers
00:10:04.781 Service scanning
00:10:05.156 Service WRkrn E:\WINDOWS\System32\drivers\WRkrn.sys **LOCKED** 32
00:10:05.656 Modules scanning
00:10:12.500 Disk 2 trace - called modules:
00:10:12.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll
00:10:12.515 1 nt!IofCallDriver -> \Device\Harddisk2\DR5[0x8939b2d8]
00:10:12.828 AVAST engine scan E:\WINDOWS
00:10:18.312 AVAST engine scan E:\WINDOWS\system32
00:11:34.109 AVAST engine scan E:\WINDOWS\system32\drivers
00:11:45.734 AVAST engine scan E:\Documents and Settings\Dora Smith
00:14:02.875 AVAST engine scan E:\Documents and Settings\All Users
00:14:50.578 Scan finished successfully
00:17:47.453 Disk 2 MBR has been saved successfully to "E:\MBR.dat"
00:17:47.468 The log file has been saved successfully to "E:\aswMBR.txt"

I didn't continue with the files that were called by the master boot
record.

The "Service WRkrn E:\Windows\System32\drivers\WRkrn.sys **LOCKED** 32"
line is in yellow. Do I need to do something special about that?

Avast aswMBR has an option to "FixMBR" - I guess by putting standard
code. Alternatively apparently one can do the same thing from within
AVAST (I currently have AVAST paid version installed after Vipre
didn't do anything to protect or fix my computer.)

MBRCheck from geekstogo.com found

298 GB Physical Drive 0 Windows XP MBR code detected (in green)
SHA1 (long string)
74 GB Physical Drive 1 Re: Unknown MBR code

Found nonstandard or infected MBR (restore MBR of a physical disk with
standard boot code).

Choose physical disk to fix, usually 0, choose code for system (i.e. XP),
confirm change.


Alternatively one can boot into the Repair Console and type fixmbr,
which, I guess, creates a NEW master boot record with standard code -
which might still work.

-----------------------------------------------------------------------------------------

MY QUESTIONS:


1. I don't suppose that there's any chance that using system restore
from early enough would restore the master boot virus? I believe it
backs up everything, but I'm not sure what "everything" includes.


2. One part that puzzles me is that sometimes the replaced code/file
works and sometimes it doesn't. If the master boot record is an index
of everything on the drive, then how would substituted standard code
still allow the machine to function?


3. If I run fixmbr in the recovery console to fix it, should I also
run fixboot, or not?


4. If I have the recovery console installed on my computer, do I need
the Windows CD?


5. The other part I'm having trouble with is whether to replace the
code in "Disk 0" or "Disk 2". I seem to have two conflicting versions
of which "disk" has the corrupted code. And if I did fix "disk 0"
what should I do with the mbr in "disk 2"?


Dora


 
David H. Lipman
16-01-2012, 01:01 PM
From: "villandra" <(E-Mail Removed)>



A RootKit in the MBR is not a virus.

Download TDSSKiller - http://support.kaspersky.com/viruses...?qid=208280684

Choose "Change Parameters"
Check "Detect TDLFS file system"
Hit OK

Start Scan



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


 
villandra
16-01-2012, 08:33 PM
On Jan 16, 7:01 am, "David H. Lipman" <DLipman~(E-Mail Removed)> wrote:
>
> A RootKit in the MBR is not a virus.
>
> Download TDSSKiller - http://support.kaspersky.com/viruses/solutions?qid=208280684
>
> Choose "Change Parameters"
> Check "Detect TDLFS file system"
> Hit OK
>
> Start Scan
>
> --
> Dave
> Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
> http://www.pctipp.ch/downloads/dl/35905.asp


I did exactly as you said. It didn't find anything, just like the
last time I ran it without checking "Detect TDLFS file system".

The scans I reported above reported abnormal code, and something
rootkit-like. Maybe it wasn't written with the TDLFS file system.

Dora
 
Dustin
17-01-2012, 09:44 PM
villandra <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> Looks like I've got a master boot record virus. I want to know what
> my options are.


I don't see that based on the logs you've provided...

> GMER included this worrisome report in a very long and complex
> report:


complex?

> device: opened successfully
> user: error reading MBR
> kernel: MBR read successfully
> user != kernel MBR !!!


That's normal so far...

> 00:11:34.109 AVAST engine scan E:\WINDOWS\system32\drivers
> 00:11:45.734 AVAST engine scan E:\Documents and Settings\Dora Smith
> 00:14:02.875 AVAST engine scan E:\Documents and Settings\All Users


Looks like your computer actually knows who you are. I bet it has
financial records and gobs of other actual personal information too...

> The "Service WRkrn E:\Windows\System32\drivers\WRkrn.sys ***LOCKED**
> 32 line is in yellow. Do I need to do something special about
> that?


Here's what a quick Google did:
http://systemexplorer.net/db/wrkrn.sys.html

Seems it probably belongs to a webroot product. Do you have webroot
software installed and running?


> Avast aswMBR has an option to "FixMBR" - I guess by putting standard
> code. Alternatively apparently one can do the same thing from
> within AVAST (I currently have AVAST paid version installed after
> Vipre didn't do anything to protect or fix my computer.)
>
> MBRCheck from geekstogo.com found
>
> 298 GB Physical Drive 0 Windows XP MBR code detected (in green)
> SHAI (long string)
> 74 GB Physical Drive 1 Re: Unknown MBR code


THAT'S NOT A ROOTKIT! That's your hidden factory restore partition.
/sarcasm Go ahead, **** with it. /sarcasm (I wouldn't really **** with
it, if you screw it up, bye bye factory restore ability).

> Choose physical disk to fix, usualy 0, choose code for system (ie
> XP), confirm change.


DO NOT DO THIS. You will be sorry.

>
> Alternatively one can boot into the Repair Console and type fixmbr,
> which, I guess, creates a NEW master boot record with standard code -
> which might still work.


On drive 0 for a perfectly good reason.

> MY QUESTIONS:
>
>
> 1. I don't suppose that there's any chance that using system restore
> from early enough would restore the master boot virus? I believe it
> backs up everything, but I'm not sure what "everything" includes.


I've seen no virus. No evidence of a virus. What makes you think you
have a virus or something else wrong?

>
> 2. One part that puzzles me is that sometimes the replaced code/
> file works and sometimes it doesn't. If the master boot record is an
> index of everything on the drive, then how would substituted standard
> code still allow the machine to function?


The MBR is NOT an index of anything on the drive. It's a boot sector. It
contains executable code, not a file system.

> 3. If I run fixmbr in the recovery console to fix it, should I also
> run fixboot, or not?


You are really looking to **** your machine up, eh? Just say that's what
you want to do and we'll do it right in proper!

> 4. If I have the recovery console installed on my computer, do I
> need the Windows CD?


Yes... to eventually reload Windows. Which you will be, at this rate.

>
> 5. The other part I'm having trouble with is whether to replace the
> code in "Disk 0" or "Disk 2". I seem to have two conflicting
> versions of which "disk" has the corrupted code. And if I did fix
> "disk 0" what should I do with the mbr in "disk 2"?


What are the specs? How many HDs are on it? What software do you have
up and running? What's the make and model?


> Dora


Smith, right?

--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts
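An added example, not from this thread and not code from any of the tools mentioned, that illustrates Dustin's point about the MBR and Dora's questions 2 and 5: a classic MBR is 446 bytes of boot code followed by a 64-byte partition table and a 2-byte signature, so a fixmbr/"FixMBR"-style repair rewrites only the code bytes and the partitions stay where they were. The partition entries are constructed to mirror the aswMBR log above (NTFS at offset 63, extended at 81915435); the boot code bytes and the hash comparison are placeholders for illustration, not real Windows XP MBR code.

```python
# Constructed example: layout of a classic 512-byte MBR and what a boot-code
# repair touches.  Not from the thread or from aswMBR/MBRCheck/TDSSKiller.
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445: executable boot code (what an MBR rootkit replaces)
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xAA"  # bytes 510..511: boot signature


def make_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte partition entry; CHS fields are filled with 0xFF, LBA fields are used."""
    return struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR: placeholder boot code plus partitions modelled on the thread's aswMBR log."""
    boot_code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2)   # 'jmp $' then NOP padding (placeholder)
    table = (make_entry(0x80, 0x07, 63, 81915372)             # bootable NTFS, ~39997 MB at LBA 63
             + make_entry(0x00, 0x0F, 81915435, 543205376)    # extended LBA, 265237 MB
             + make_entry(0, 0, 0, 0) + make_entry(0, 0, 0, 0))
    return boot_code + table + SIGNATURE


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts, sizes in MB the way aswMBR prints them."""
    if len(mbr) != SECTOR or mbr[510:] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "size_mb": count * SECTOR // (1024 * 1024)})
    return parts


def boot_code_sha1(mbr):
    """Hash only the code region; comparing this against known-good code is the MBRCheck idea."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()


def rewrite_boot_code(mbr, standard_code):
    """What a fixmbr-style repair does: replace the 446 code bytes, keep partition table and signature."""
    if len(standard_code) != BOOT_CODE_LEN:
        raise ValueError("standard boot code must be exactly 446 bytes")
    return standard_code + mbr[PART_TABLE_OFF:]


if __name__ == "__main__":
    sample = build_sample_mbr()
    for p in parse_partitions(sample):
        print(p)
    repaired = rewrite_boot_code(sample, b"\xCC" * BOOT_CODE_LEN)  # placeholder "standard" code
    print("partitions unchanged:", parse_partitions(repaired) == parse_partitions(sample))
```

The partition table is why the machine still boots after the code is replaced: the new code reads the same table to find the active partition, and only the code region, which is what the hash comparison covers, changes.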
 