#1  xacked  11-26-2010, 04:05 AM
How to Remove an MBR Virus

The following information is the result of much research and experience from my In-House lab, note that by following anything in this guide I'm not responsible for your actions or any damages that may arise.

The Master Boot Record is 512 bytes at the beginning of the hard drive that, following the BIOS, contains the partition table. In essence, it points to the first line of the kernel, most importantly the boot partition. The first 440 bytes are blank, therefore it's a great place for malware to hide itself. Most AV products won't scan the MBR or catch the fact that it's infected because they look at the filesystem but omit the first 512 bytes on the hard drive. After what many techs will consider a successful cleaning, they'll restart the computer, only to discover the virus has come back in full force. The infected MBR has reinfected the system.

Removal Strategy: Remove viruses on the system that may have initially caused the MBR infection, check the MBR, clean the MBR, reboot, recheck the MBR.

Step 1: Disinfect as much of the system as you can. I recommend running Malwarebytes in Safe Mode and doing a full scan, then removing everything found. This step is important because it will most likely find the malware that can reinfect the MBR.

Step 2: Scan for the MBR virus with Bootkit Remover (don't forget to "Run as Admin" if you are not in Safe Mode).

If it says "Rootkit Activity Detected" it's self-explanatory

Step 3: You have three options, one safe route and two risky routes:

Option A:

WinXP: Boot into the Recovery Console (or install it with the XP disk) and type "fixmbr" and the MBR should be wiped.

Win Vista/7: Use the Recovery Disk or the installation disk for Windows Vista/7, boot into it, select the language, and instead of pressing Install Now select "Repair Your Computer" and click Command Prompt. In it, type bootsect /nt60 X: /mbr (please replace X with your systemroot drive; it is most commonly the C or D drive, however you should know the config), then reboot the system and run the Bootkit Remover tool again. If this doesn't work, you may have multiple partitions or hard drives, with their MBR possibly infected.

Option B:
Run TDSSKiller. Be prepared for this to break the OS; we've seen this happen in some instances. Usually Option A and a chkdsk /r will fix it, however it's still risky.

Option C:
Run Combofix, which will both remove any malware and may remove the MBR infection as well.

Step 4: After any of the above methods are completed, restart the OS and use Bootkit Remover (http://www.esagelab.com/resources.php?s=bootkit_remover) again to scan the MBR. If it's gone, congrats! If it's not, then backup and format!

If your OS does break, back up the data (be sure to run the backup files through an AV and MBAM) and reformat the computer's hard drive with something like GParted, wiping the whole drive and blowing out any partitions. This may be a point of contention: some people may opt for "Startup Repair", which may or may not fix the broken OS; we've seen it more often as a futile attempt. Other people may try the computer's "Factory Restore" option. Right off the bat I'll tell you it's not worth your time. We've tried this in the lab with several HP machines using a clean wipe of the hard drive, and the MBR virus is still there. This makes sense, since the partition structure is still in place for the recovery partition to still function, thus the MBR hasn't been altered.

*edit*
Quote:
Another option would be to download a small program called mbrfix which is command line driven and can be directed towards a specific drive. This means it can be run on a slave drive, or from a PE environment. It also gives backup and restore options for the mbr as well as a host of other options.
-Thanks ATTech!

**edit2**
The guide has been updated, since Combofix now supports 64-bit it has mbrfix built into it.

Last edited by xacked; 01-08-2011 at 01:51 AM.
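A defender-side way to do the "check the MBR, reboot, recheck the MBR" step from the strategy above, added here as an example; it is not code from xacked's post or from any tool named in this thread. It parses a raw 512-byte sector-0 image using the standard MBR layout (boot code, 4-byte disk signature at offset 440, four 16-byte partition entries at offset 446, 0x55AA at offset 510) and diffs a fresh read against a backup taken while the drive was known clean. The two images below are constructed stand-ins; a real one would be read from the drive offline (from a PE environment or with the drive slaved, as described for mbrfix later in the post) so the installed OS is not involved in the read.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440     # bootstrap code area; disk signature (4) + reserved (2) follow
PART_TABLE_OFF = 446    # four 16-byte partition entries
SIGNATURE_OFF = 510     # 0x55 0xAA boot signature closes the sector


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector-0 image into a boot-code hash, disk signature and partition list."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """List what differs between a known-good MBR backup and a fresh read of sector 0."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        findings.append("boot code modified")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table modified")
    return findings


def build_sample_mbr(boot_code: bytes, lba_start: int = 2048) -> bytes:
    """Constructed 512-byte MBR with one bootable NTFS-type (0x07) partition; the boot code is a placeholder."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<IH", 0x1234ABCD, 0)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", lba_start, 204800)
    return code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"


CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0")   # constructed "known clean" backup image
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")        # same partition table, different boot code
# compare_mbr(CLEAN_MBR, TAMPERED_MBR) -> ['boot code modified']
```

Run compare_mbr on the backup and on the image read back after the reboot in Step 4; an empty list means neither the boot code nor the partition table changed since the baseline.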
#2  iisjman07  11-26-2010, 02:37 PM

Nice, informative post. Thanks for contributing to Technibble
#3  MobileTechie  11-26-2010, 03:00 PM

It's worth noting that running fixmbr on a system with custom MBR code, like Dells and other branded computers, removes some of their boot functionality, including the ability to boot into rescue partitions and other recovery features.

There is a tool, mbr.exe from the gmer site, which will detect and fix infected MBRs. Whether it fixes them by rewriting the entire MBR (thus doing the same damage as fixmbr) I don't know.
#4  iisjman07  11-26-2010, 03:06 PM

Quote:
There is a tool: mbr.exe from the gmer site which will detect and fix infected mbr's. Whether it fixes them by re-writing the entire MBR (thus doing the same damage as fixmbr) I don't know.
I didn't know mbr.exe fixed the problems; I thought it only told you about them.
#5  MobileTechie  11-26-2010, 03:40 PM

It's got a few switches including -f which fixes.

Others are:

Usage: mbr.exe [options]
-f - fix mbr
-c start_sector size_in_sectors filename - copy selected sectors to file
-t - trace called modules
-u - unload driver

I've contacted the authors to find out what the fix actually does.

Update: heard back and apparently it restores the original mbr that the rootkit saves thus making it safe to use on Dell systems. I wasn't aware a RK would bother to back up the mbr.

Last edited by MobileTechie; 11-26-2010 at 03:45 PM.
#6  xacked  11-26-2010, 08:44 PM

Quote:
Originally Posted by MobileTechie
It's worth noting that running fixmbr on system with custom MBR code, like Dells and other branded computers removes some of their boot functionality including the ability to boot into rescue partitions and other recovery features.

There is a tool: mbr.exe from the gmer site which will detect and fix infected mbr's. Whether it fixes them by re-writing the entire MBR (thus doing the same damage as fixmbr) I don't know.
Good point! Usually Bootkit Remover will flag these as "Unknown boot code". However if the MBR isn't cleanable there's no point in having those partitions around, they may be infected and cause a reinfection.

We have OEM disks in the office and we use their COA sticker licences to activate the respective version of Windows. However, if they are under warranty we usually encourage them to have the manufacturer ship them a copy of the recovery disk, in case they ever need to restore the system now that the recovery partition is gone and they fall outside of our support criteria.

I haven't gotten around to trying out mbr.exe fully; the two times I tried it, it seemed to not have any effect. There's also EasyBCD, which can rewrite the MBR, however it doesn't seem to be able to remove the bootkit virus. I'm quite curious what your results with mbr.exe have been and if it's safer than TDSSKiller.

Last edited by xacked; 11-26-2010 at 08:46 PM.
#7  ZenTree  11-26-2010, 08:51 PM

Quote:
Originally Posted by MobileTechie
Update: heard back and apparently it restores the original mbr that the rootkit saves thus making it safe to use on Dell systems. I wasn't aware a RK would bother to back up the mbr.
Some of them do, as when a program tries to scan the infected MBR, it can divert the call to the stored original. Not too common at the moment, but I have read a few articles on the netherweb about it.
#8  MobileTechie  11-30-2010, 08:48 PM

Quote:
Originally Posted by xacked
I haven't gotten around to trying out mbr.exe fully, the two times I tried it seemed to not have any effect. There's also EasyBCD that can rewrite the MBR, however it doesn't seem to be able to remove the bootkit virus. I'm quite curious what your results with mbr.exe have been and if its safer than TDSS killer
I've used it a few times with success. It finds the Alureon rootkit I've been messing with on a VM recently and, as part of other removal methods, sorts out the MBR. However it doesn't cure it on its own like TDSSKiller does. Just cleaning the MBR results in it being reinfected if the RK has been unhooked and its infected driver file replaced.
#9  iladelf  11-30-2010, 10:10 PM

Very informative post among fellow techs; this is what I'm here for. Thanks to all!
#10  ATTech  12-01-2010, 01:49 AM

Just some clarification: the MBR contains partition information and points to the first line of the kernel, rather than pointing to the "rest of the hard drive".

Another option would be to download a small program called mbrfix which is command line driven and can be directed towards a specific drive. This means it can be run on a slave drive, or from a PE environment. It also gives backup and restore options for the mbr as well as a host of other options.
All times are GMT.


Powered by vBulletin®
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Technibble.com is based out of MELBOURNE, AUSTRALIA.