The
MBR Rootkit is one of the most advanced and malicious type of
rootkit infection that can create an insurmountable threat to the
security of the computer. This
malware is very dangerous as it
replaces the MBR or the Master Boot Record of the system that it infects.
MBR Rootkit also known as
Mebroot, gives privileged access to the computer. MBR
Rootkit and Sinowal, the super Trojan, can steal
confidential details like bank information and important passwords. The system modification is minimum and thus it is very difficult to identify these kind of infection. Proper procedure and expert help can disinfect the system but it is important to change the essential passwords.
Sinowal/Mebroot/MBR Rootkit infection
Intro
This is a
rootkit-type infection.
This malware steals confidential information, particularly passwords and bank details. It will be necessary to change passwords after disinfection and check with your bank that nothing unusual happened.
Method: Gmer
- Download http://www2.gmer.net/mbr/mbr.exe
- Turn off your antivirus and cut the connection
- Double-click mbr.exe.
- A report will be generated: mbr.log
- In cases of infection, the message "MBR rootkit code detected" will appear in the report.
- In the Start Menu > Run, type:
- In mbr.log this line appears: the original MBR restored successfully!
- You can post the report to get some help on the Forum.
Restart mbr.exe to check that the infection is no longer present and the new report should no longer find rootkit.
Example report uninfected:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Under Vista and Seven, do not forget to start mbr.exe by right-clicking and selecting "Run as administrator".
Method: Recovery Console and fixmbr
- You will need the Windows CD
- Boot from the Windows CD
- Start the Recovery Console as explained here
- Once in the Recovery Console, type the following command: fixmbr deviceharddisk0
- Validate by pressing [Enter] key on your keyboard
Method: Combofix
Warning: This method should only be used if you know what you are doing as it could potentially cause further damage to your machine.
- Right click here
- Choose: Save target as
- Choose the Desktop as the destination
- In the "File Name", rename ComboFix.exe to kioskea.exe example, then save
- The renaming stage is mandatory. Failure to do so will cause the process to fail.
- Disconnect from the Internet and close all applications and programs
- Double-click Kioskea.exe to start the fix (Vista and Seven: right-click and choose "Run as administrator")
- Accept the warning message and accept the installation of the Recovery Console (in XP)
- The report will be created under the root: C:Combofix.txt
Example of an infection found by Combofix:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll atapi.sys spzt.sys >>UNKNOWN [0x86F80938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
DriverDisk -> CLASSPNP.SYS @ 0xf7749f28
DriverACPI -> ACPI.sys @ 0xf7422cb8
Driveratapi -> atapi.sys @ 0xf739fb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
DeviceHarddisk0DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetLink (TM) Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf72b5bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72a4a0d
SendHandler -> NDIS.sys @ 0xf72b8b40
user & kernel MBR OK
Or
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x12a14c0 size 0x1ad !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
Sample of disinfection report:
(((((((((((((((((((((((((((((((((( Andere Verwijderingen
Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))
\ \. \ PhysicalDrive0 - bootkit Sinowal WAS found and disinfected
\ \. \ PhysicalDrive0 - bootkit Sinowal WAS found and disinfected
.
(((((((((((((((((((( Bestanden gemaakt van 2010-11-18 to 2010-12-18
Files created between 2010-11-18 and 2010-12-18 ))))))))))))))))))))))))))))))
Method: Bootkit Remover
- Download and unzip Bootkit Remover to the desktop
- Download BTKR_Runbox to the desktop
- Note: You must have the remover.exe and BTKR_Runbox.exe on the desktop for the tool to work correctly
- Start BTKR_Runbox then select option 3
- Confirm by pressing "1" then Enter
- The PC will restart
- After reboot, restart BTKR_Runbox by selecting option 1
- If the procedure worked well, you should see " OK [DOS/Win32 Boot code found] "
Method: MBRCheck
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
- Type the number corresponding to your operating system and confirm with Enter
- Then you will see this message:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:
- You should have this message:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!
- This should be followed by:
"Please reboot your computer to complete the fix."
- Restart your PC and post the report generated on the appropriate forum.
Method: ZhpFix
If you used ZHPDiag and an infection of this type is detected you may see a report similar to the following:
---\\ Search infection Master Boot Record (O80)
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
Run by Sabrina at 28/06/2010 18:29:00
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8410A328]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8410a328
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x05D267C0
malicious code @ sector 0x05D267C3 !
PE file found in sector at 0x05D267D9 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
Use "ZHPFix" command "MBRFix" to clear infection !
- Start ZHPFix from the desktop shortcut (under Vista and 7: Run as administrator mode) or from ZHPDiag, which contains the shortcut to ZhpFix (an icon located at the top)
- Click MBRfix located on the right side of the screen
- Click 'No' to the message that appears on the screen
- Wait for the tool to complete its process
- At the end of treatment, a report will be displayed
- You can post the report on the appropriate forum
- Restart the PC for the modifications to take effect and check with ZHPDiag that the infection has gone
Method: Antiboot from Kaspersky
The whole procedure is described
here.
Other methods
Online Scan
To verify that nothing remains, you may want to do an online scan of your computer:
Original
FAQ by
jlpjlp on CCM!
Published by
jak58 -
Last update on February 13, 2012 09:56 PM by Paul Berentzen
