How best to deal w/ master boot record virus

Discussion in 'Anti-Virus' started by villandra, Jan 16, 2012.

  1. villandra

    villandra Guest

    Looks like I've got a master boot record virus. I want to know what
    my options are.

    GMER included this worrisome report in a very long and complex report:

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk2\DR5 sector 00: rootkit-like behavior

    McAfee Stinger says:

    2 master boot records, possibly infected 0
    3 boot sectors possibly infected 0


    Gmer's mbr log reports:

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: HP______ rev.1.00 -> Harddisk2\DR5 -> \Device\0000007e

    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
    user != kernel MBR !!!

    Avast's aswMBR reports:

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-16 00:09:40
    -----------------------------
    00:09:40.750 OS Version: Windows 5.1.2600 Service Pack 3
    00:09:40.750 Number of processors: 4 586 0x2A07
    00:09:40.750 ComputerName: DORA UserName:
    00:09:40.968 Initialize success
    00:09:41.046 AVAST engine defs: 12011501
    00:09:57.203 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    00:09:57.203 Disk 0 Vendor: WDC_WD3200AAKS-00V1A0 05.01D05 Size: 305245MB BusType: 3
    00:09:57.203 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS b83d1f26
    00:09:57.218 Disk 2 MBR read successfully
    00:09:57.218 Disk 2 MBR scan
    00:09:57.218 Disk 2 Windows XP default MBR code
    00:09:57.218 Disk 2 MBR hidden
    00:09:57.218 Disk 2 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
    00:09:57.218 Disk 2 Partition - 00 0F Extended LBA 265237 MB offset 81915435
    00:09:57.234 Disk 2 Partition 2 00 07 HPFS/NTFS NTFS 265237 MB offset 81915498
    00:09:57.250 Disk 2 scanning E:\WINDOWS\system32\drivers
    00:10:04.781 Service scanning
    00:10:05.156 Service WRkrn E:\WINDOWS\System32\drivers\WRkrn.sys **LOCKED** 32
    00:10:05.656 Modules scanning
    00:10:12.500 Disk 2 trace - called modules:
    00:10:12.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll
    00:10:12.515 1 nt!IofCallDriver -> \Device\Harddisk2\DR5[0x8939b2d8]
    00:10:12.828 AVAST engine scan E:\WINDOWS
    00:10:18.312 AVAST engine scan E:\WINDOWS\system32
    00:11:34.109 AVAST engine scan E:\WINDOWS\system32\drivers
    00:11:45.734 AVAST engine scan E:\Documents and Settings\Dora Smith
    00:14:02.875 AVAST engine scan E:\Documents and Settings\All Users
    00:14:50.578 Scan finished successfully
    00:17:47.453 Disk 2 MBR has been saved successfully to "E:\MBR.dat"
    00:17:47.468 The log file has been saved successfully to "E:\aswMBR.txt"

    I didn't continue with the files that were called by the master boot
    record.

    The "Service WRkrn E:\Windows\System32\drivers\WRkrn.sys **LOCKED** 32"
    line is in yellow. Do I need to do something special about that?

    Avast aswMBR has an option to "FixMBR" - I guess by putting standard
    code. Alternatively apparently one can do the same thing from within
    AVAST (I currently have AVAST paid version installed after Vipre
    didn't do anything to protect or fix my computer.)

    MBRCheck from geekstogo.com found

    298 GB Physical Drive 0 Windows XP MBR code detected (in green)
    SHA1 (long string)
    74 GB Physical Drive 1 Re: Unknown MBR code

    Found nonstandard or infected MBR (restore MBR of a physical disk w
    standard boot code).

    Choose physical disk to fix, usually 0, choose code for system (i.e. XP),
    confirm change.


    Alternatively one can boot into the Repair Console and type fixmbr,
    which, I guess, creates a NEW master boot record with standard code -
    which might still work.

    -----------------------------------------------------------------------------------------

    MY QUESTIONS:


    1. I don't suppose that there's any chance that using system restore
    from early enough would restore the master boot virus? I believe it
    backs up everything, but I'm not sure what "everything" includes.


    2. One part that puzzles me is that sometimes the replaced code/ file
    works and sometimes it doesn't. If the master boot record is an index
    of everything on the drive, then how would substituted standard code
    still allow the machine to function?


    3. If I run fixmbr in the recovery console to fix it, should I also
    run fixboot, or not?


    4. If I have the recovery console installed on my computer, do I need
    the Windows CD?


    5. The other part I'm having trouble with is whether to replace the
    code in "Disk 0" or "Disk 2". I seem to have two conflicting versions
    of which "disk" has the corrupted code. And if I did fix "disk 0"
    what should I do with the mbr in "disk 2"?


    Dora
     
    villandra, Jan 16, 2012
    #1

  2. A RootKit in the MBR is not a virus.

    Download TDSSKiller - http://support.kaspersky.com/viruses/solutions?qid=208280684

    Choose "Change Parameters"
    Check "Detect TDLFS file system"
    Hit OK

    Start Scan
     
    David H. Lipman, Jan 16, 2012
    #2

  3. villandra

    villandra Guest

    I did exactly as you said. It didn't find anything. Just like the
    last time I ran it without checking detect the tdlfs file system.

    The scans I reported above reported abnormal code, and something root-
    kit like. Maybe it wasn't written with the TDLFS file system.

    Dora
     
    villandra, Jan 16, 2012
    #3
  4. Dustin

    Dustin Guest

    I don't see that based on the logs you've provided...
    complex? :)
    That's normal so far...
    Looks like your computer actually knows who you are. I bet it has
    financial records and gobs of other actual personal information too...
    Here's what a quick Google did:
    http://systemexplorer.net/db/wrkrn.sys.html

    Seems it probably belongs to a webroot product. Do you have webroot
    software installed and running?

    THAT'S NOT A ROOTKIT! That's your hidden factory restore partition.
    /sarcasm Go ahead, **** with it. /sarcasm (I wouldn't really **** with
    it, if you screw it up, bye bye factory restore ability).
    DO NOT DO THIS. You will be sorry.
    On drive 0 for a perfectly good reason.
    I've seen no virus. No evidence of a virus. What makes you think you
    have a virus or something else wrong?
    The MBR is NOT an index of anything on the drive. It's a boot sector. It
    contains executable code, not a file system.
    You are really looking to **** your machine up, eh? Just say that's what
    you want to do and we'll do it right in proper!
    Yes...To eventually reload windows. Which you will be, at this rate.
    What are the specs? How many HD's are on it? what software do you have
    up and running? what's the make and model?

    Smith, right? :)
     
    Dustin, Jan 17, 2012
    #4
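The distinction Dustin draws (an MBR is executable boot code plus a partition table, not an index of the drive) and villandra's question 2 are easier to see in code. The following Python is an added example, not code from any poster or tool in this thread. It parses a 512-byte MBR sector, builds one whose two partition entries are constructed from the figures in the aswMBR log above (offsets 63 and 81915435, 39997 MB and 265237 MB; the sector counts are chosen to reproduce those sizes), and shows that rewriting only the 446 boot-code bytes, which is what fixmbr and aswMBR's FixMBR do, leaves the partition table untouched. `compare_views` mirrors the idea behind GMER's "user != kernel MBR" line: the same sector read two ways should match byte for byte. The boot-code byte strings are placeholders, not real Windows or bootkit code.

```python
"""Added example (not from any poster in this thread): what an MBR sector holds,
and why overwriting only its boot code (what fixmbr / aswMBR "FixMBR" do) keeps
the partition table intact.  The sample sector is constructed from the partition
figures visible in the aswMBR log; the boot-code bytes are placeholders."""
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445: executable boot code
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
SIGNATURE = b"\x55\xaa"       # bytes 510..511


@dataclass
class Partition:
    status: int
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def size_mb(self) -> int:
        return self.sector_count * SECTOR // (1024 * 1024)


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the partition table; the boot code in front of it is opaque bytes."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * 16)
        if type_id != 0:  # type 0x00 marks an unused slot
            parts.append(Partition(status, type_id, lba, count))
    return parts


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a sector from boot code (zero-padded to 446 bytes) and up to four entries."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    for i, p in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFF + i * 16,
                         p.status, p.type_id, p.lba_start, p.sector_count)
    buf[510:512] = SIGNATURE
    return bytes(buf)


def replace_boot_code(mbr: bytes, new_code: bytes) -> bytes:
    """What fixmbr does: rewrite bytes 0..445 only; partition table and signature stay."""
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def compare_views(user_view: bytes, kernel_view: bytes) -> Dict[str, bool]:
    """The check behind GMER's 'user != kernel MBR' line: one sector read through two
    paths should be identical; a driver hiding the real boot code makes them differ."""
    return {
        "boot_code_differs": user_view[:BOOT_CODE_LEN] != kernel_view[:BOOT_CODE_LEN],
        "partition_table_differs": user_view[PART_TABLE_OFF:510] != kernel_view[PART_TABLE_OFF:510],
    }


# Constructed sample: the two entries aswMBR printed for Disk 2 (offsets 63 and
# 81915435; sector counts chosen to give the logged 39997 MB and 265237 MB).
SAMPLE_PARTITIONS = [
    Partition(status=0x80, type_id=0x07, lba_start=63, sector_count=81915372),
    Partition(status=0x00, type_id=0x0F, lba_start=81915435, sector_count=543205376),
]
CLEAN_BOOT_CODE = b"\xeb\xfe" + b"standard boot code placeholder"     # placeholder, not real Windows code
HIJACKED_BOOT_CODE = b"\xeb\xfe" + b"hijacked boot code placeholder"  # placeholder, not a real bootkit
HIJACKED_MBR = build_mbr(HIJACKED_BOOT_CODE, SAMPLE_PARTITIONS)


def demo() -> Dict[str, bool]:
    """Partition table survives a boot-code rewrite; only the code region changes."""
    fixed = replace_boot_code(HIJACKED_MBR, CLEAN_BOOT_CODE)
    same_table = parse_partitions(fixed) == parse_partitions(HIJACKED_MBR)
    return {"partition_table_preserved": same_table, **compare_views(fixed, HIJACKED_MBR)}


if __name__ == "__main__":
    for p in parse_partitions(HIJACKED_MBR):
        print(f"type 0x{p.type_id:02X} bootable={p.bootable} start={p.lba_start} size={p.size_mb} MB")
    print(demo())
```

The point for the thread's question 5 follows from the same layout: the fix only makes sense on the disk whose boot code is actually wrong, and on that disk it rewrites 446 bytes and nothing else, so the partitions (and a factory-restore partition in the table) are unaffected by the rewrite itself. Reading the sector twice, through different paths, and diffing is the cheap way to tell whether something between you and the disk is lying about its contents.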
