Computer Help forum

Question

How best to deal w/ master boot record virus

by dorasm / January 15, 2012 5:05 PM PST

Looks like I've got a master boot record virus. I want to know what my options are.

GMER included this worrisome report in a very long and complex report:

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk2\DR5 sector 00: rootkit-like behavior

McAfee Stinger says:

2 master boot records, possibly infected 0
3 boot sectors possibly infected 0

(Six or seven different antivirus programs and scans have failed to identify any specific rootkit virus.)

Gmer's mbr log reports:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HP______ rev.1.00 -> Harddisk2\DR5 -> \Device\0000007e

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!

Avast's aswMBR reports:

wMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-16 00:09:40
-----------------------------
00:09:40.750 OS Version: Windows 5.1.2600 Service Pack 3
00:09:40.750 Number of processors: 4 586 0x2A07
00:09:40.750 ComputerName: DORA UserName:
00:09:40.968 Initialize success
00:09:41.046 AVAST engine defs: 12011501
00:09:57.203 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
00:09:57.203 Disk 0 Vendor: WDC_WD3200AAKS-00V1A0 05.01D05 Size: 305245MB BusType: 3
00:09:57.203 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS b83d1f26
00:09:57.218 Disk 2 MBR read successfully
00:09:57.218 Disk 2 MBR scan
00:09:57.218 Disk 2 Windows XP default MBR code
00:09:57.218 Disk 2 MBR hidden
00:09:57.218 Disk 2 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
00:09:57.218 Disk 2 Partition - 00 0F Extended LBA 265237 MB offset 81915435
00:09:57.234 Disk 2 Partition 2 00 07 HPFS/NTFS NTFS 265237 MB offset 81915498
00:09:57.250 Disk 2 scanning E:\WINDOWS\system32\drivers
00:10:04.781 Service scanning
00:10:05.156 Service WRkrn E:\WINDOWS\System32\drivers\WRkrn.sys **LOCKED** 32
00:10:05.656 Modules scanning
00:10:12.500 Disk 2 trace - called modules:
00:10:12.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll
00:10:12.515 1 nt!IofCallDriver -> \Device\Harddisk2\DR5[0x8939b2d8]
00:10:12.828 AVAST engine scan E:\WINDOWS
00:10:18.312 AVAST engine scan E:\WINDOWS\system32
00:11:34.109 AVAST engine scan E:\WINDOWS\system32\drivers
00:11:45.734 AVAST engine scan E:\Documents and Settings\Dora Smith
00:14:02.875 AVAST engine scan E:\Documents and Settings\All Users
00:14:50.578 Scan finished successfully
00:17:47.453 Disk 2 MBR has been saved successfully to "E:\MBR.dat"
00:17:47.468 The log file has been saved successfully to "E:\aswMBR.txt"

I didn't continue with the files that were called by the master boot record.

The "Service WRkrn E:\Windows\System32\drivers\WRkrn.sys **LOCKED** 32" line is in yellow. Do I need to do something special about that?

Avast aswMBR has an option to "FixMBR" - I guess by putting standard code. Alternatively apparently one can do the same thing from within AVAST (I currently have AVAST paid version installed after Vipre didn't do anything to protect or fix my computer.)

MBRCheck from geekstogo.com found

298 GB Physical Drive 0 Windows XP MBR code detected (in green)
SHA1 (long string)
74 GB Physical Drive 1 Re: Unknown MBR code

Found nonstandard or infected MBR (restore MBR of a physical disk w standard boot code).

Choose physical disk to fix, usually 0, choose code for system (i.e. XP), confirm change.

Alternatively one can boot into the Repair Console and type fixmbr, which, I guess, creates a NEW master boot record with standard code - which might still work.

-----------------------------------------------------------------------------------------

MY QUESTIONS:

1. I don't suppose that there's any chance that using system restore from early enough would restore the master boot virus? I believe it backs up everything, but I'm not sure what "everything" includes.

2. One part that puzzles me is that sometimes the replaced code/file works and sometimes it doesn't. If the master boot record is an index of everything on the drive, then how would substituted standard code still allow the machine to function?

3. If I run fixmbr in the recovery console to fix it, should I also run fixboot, or not?

4. If I have the recovery console installed on my computer, do I need the Windows CD?

5. The other part I'm having trouble with is whether to replace the code in "Disk 0" or "Disk 2". I seem to have two conflicting versions of which "disk" has the corrupted code. And if I did fix "disk 0" what should I do with the mbr in "disk 2"?

Dora


All Answers

Answer
Some answers
by Jimmy Greystone / January 15, 2012 10:10 PM PST

Some answers:

1: No. System Restore only backs up stuff within the OS, and the MBR is something different

2: The MBR stands for Master Boot Record, so it's not an index of everything on the drive. It's a special section of the drive where the OS bootloader is stored, or at least something pointing to where the bootloader is stored goes. Basically it's a defined area of the drive that the BIOS will look at when trying to find an OS to boot after POST

3: fixmbr SHOULD overwrite the MBR with a clean one, but at the same time, if you haven't removed the source of the infection first, it'll likely just come back

4: The recovery console is only on the Windows CD/DVD

5: Disk 0 is almost always the boot drive. Technically all it really means is that it's the first physical drive found, but unless you set up a dual boot or did something similarly unusual, Disk 0 is pretty much always going to be the boot drive

Also, I noticed that you seem to be under the mistaken impression that merely having an AV program installed absolves you of any responsibility for the security of your system. Nothing could be further from the truth. AV programs are supplementary at best. They will not catch everything because they are reactionary by their very nature. A threat has to be identified, then analyzed, a countermeasure has to be devised, tested, all of which can take a few days to weeks. Then it has to be packaged into an updated definitions file for distribution, which could add a few more days to the whole process before that updated definitions file gets to your particular system. So there could well be a 2-3 week window, commonly referred to as a 0-day threat, where an AV program will have no idea about some threat you may have downloaded. Which is why YOU need to take primary responsibility for your system's security. All the security programs in the world still won't stop you from doing something stupid and infecting your system.
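
An added example, not posted by anyone in this thread: a short Python script showing the MBR layout the answer describes (446 bytes of boot code, a 64-byte partition table, a 2-byte 55AA signature), parsing a constructed sector that reproduces the two partition entries in the aswMBR log above, naming which region differs between two reads of the same sector (the kind of check behind GMER's "user != kernel MBR" line), and showing that rewriting only the code region, as fixmbr does, leaves the partition table intact, which is why the machine can still boot afterwards. The layout constants are the standard MBR format; all sample bytes are constructed here, not taken from the poster's disk.

```python
import struct

MBR_SIZE, CODE_END, TABLE_END = 512, 446, 510   # boot code: bytes 0..445, partition table: 446..509
SIGNATURE = b"\x55\xaa"                          # bytes 510..511
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x0F: "Extended LBA"}

def build_mbr(code, parts):
    """Assemble a 512-byte MBR from a code region and (status, type, start LBA, sector count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n) for s, t, lba, n in parts)
    return code[:CODE_END].ljust(CODE_END, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE

def parse_partition_table(mbr):
    """Return the non-empty partition entries, in roughly the shape aswMBR prints them."""
    if len(mbr) != MBR_SIZE or mbr[TABLE_END:] != SIGNATURE:
        raise ValueError("not an MBR: wrong size or missing 55AA signature")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, CODE_END + 16 * i)
        if ptype:   # type 0x00 marks an unused slot
            entries.append({"status": status, "type": ptype, "name": TYPE_NAMES.get(ptype, "?"),
                            "offset": lba, "mb": count // 2048})   # 2048 sectors of 512 B = 1 MB
    return entries

def compare_mbr(a, b):
    """Name the regions in which two reads of the same sector disagree."""
    regions = {"code": (0, CODE_END), "table": (CODE_END, TABLE_END), "signature": (TABLE_END, MBR_SIZE)}
    return [name for name, (lo, hi) in regions.items() if a[lo:hi] != b[lo:hi]]

def replace_boot_code(mbr, new_code):
    """What fixmbr does: rewrite bytes 0..445 only; the partition table and signature are kept."""
    return new_code[:CODE_END].ljust(CODE_END, b"\x00") + mbr[CODE_END:]

# Constructed sample reproducing the two entries in the aswMBR log
# (39997 MB NTFS, active, at offset 63; 265237 MB extended at offset 81915435).
PARTS = [(0x80, 0x07, 63, 39997 * 2048), (0x00, 0x0F, 81915435, 265237 * 2048)]
STOCK_CODE = bytes([0x90]) * CODE_END             # constructed stand-in for stock XP boot code
KERNEL_READ = build_mbr(STOCK_CODE, PARTS)        # constructed: one read of the sector
USER_READ = build_mbr(b"\xcc" * 32 + STOCK_CODE[32:], PARTS)   # constructed: other read, first 32 code bytes differ

if __name__ == "__main__":
    for e in parse_partition_table(USER_READ):
        print(f"{e['status']:02X} {e['type']:02X} {e['name']} {e['mb']} MB offset {e['offset']}")
    print("reads differ in:", compare_mbr(USER_READ, KERNEL_READ))
    fixed = replace_boot_code(USER_READ, STOCK_CODE)
    print("partition table unchanged after rewriting code:",
          parse_partition_table(fixed) == parse_partition_table(USER_READ))
```

The two reads differ only in the code region, while the partition table parses identically before and after the code is rewritten; a mismatch in the table or signature would be a different problem than the one fixmbr addresses.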

How best to deal with master boot record virus
by dorasm / January 16, 2012 1:33 AM PST
In reply to: Some answers

Thanks for your help.

If I overwrite the first of the two mbr files, how do I get rid of the second one (on the 2nd "disk")?

Also, Avast's master boot record search found the two files with evidence one is infected, but I can't seem to get Avast itself to spot it, and it seems like it needs to spot it before it will remove it. Is there a way to get Avast to recognize and/or overwrite it, or should I just have the master boot record scan fix it?

What I've read is that you should let the AVAST program fix it, because for some reason that's better. Not that it's better because AVAST would find the rest of the virus; AVAST actually thinks my system is clean, except for one piece of low danger adware that could be the anti-spyware program itself. I installed that after I got the virus.

I don't believe I did anything stupid, and neither did my sister who picked up one of these nasties, or the teacher at my nephews' school. I know that I picked up a fake AV infection by searching Google for photos of the Swiss Alps. My sister got one like it on the Blue Mountain greeting card site. I've always been careful of what e-mails I open and what web sites I visit. My tastes don't run to porn or pirated files. I'm into genealogy and history, and biological science. I don't know, maybe there are some who think anyone interested in family history deserves to get a nasty virus. I am reading that rootkits have become a major problem on the Internet; they are no longer something you pick up if you're irresponsible.

But I really appreciate the helpful answer while you were blasting me without good cause. Happy

If you've got an effective way to screen these things as they're installed or spot them before they do harm, I'd really like to hear it.

Yours,
Dora

Not "blasting" and with GOOD cause
by Jimmy Greystone / January 16, 2012 9:30 AM PST

I'm not "blasting" you, and it's with very GOOD cause. After all, you just used a herd mentality argument. If 500 people jump off a cliff to their deaths, does that mean if you're #501 in line that it's any better of an idea? It's something of a blind spot in people's reasoning: Just because something is popular doesn't make it a good idea. It just makes it a POPULAR bad idea.

You appear to have a rather cavalier attitude towards computer security, and it bit you in the **** this time. So, you have a rather simple decision to make. You can either a) take things a bit more seriously and start learning what various security programs do and DON'T do, so you can better formulate a strategy to cover the gaps they leave, or b) you can wait for this issue to inevitably happen again, and again, and again, and again, and again... And did I mention again, because if I didn't, it'll happen again. I'm just trying to point this out to you, but if you want to get all defensive about it and think that I'm "blasting" you for "no good reason" then you can look forward to many future repeat occurrences of problems like the one you have now. Or you can set your needlessly bruised ego aside, recognize the value in what you are being told, even if you don't care for the particular delivery mechanism, and save yourself a lot of hassle going forward.

Answer
A Correction On Number 4...
by Grif Thomas Forum moderator / January 18, 2012 3:44 AM PST

If you've previously installed the Recovery Console on your computer, and it comes up as a selection during the boot process screen, you do NOT have to have the Windows CD/DVD. It shows up as an available operating system at startup. Recovery Console will run by using the up/down arrow at the selection screen, then press "Enter", to select the "Recovery Console" option.

http://support.microsoft.com/kb/307654

Hope this helps.

Grif
