xacked
New Member
- Reaction score
- 0
The following information is the result of much research and experience from my In-House lab, note that by following anything in this guide I'm not responsible for your actions or any damages that may arise.
Master Boot Record is 512 bytes at the beginning of the hard drive that, following BIOS, contains the partition table. In essence, points to the first line of the kernel, most importantly the boot partition. The first 440 bytes are blank, therefore it's a great place for malware to hide itself. Most AV products won't scan the MBR or catch the fact its infected because they look at the filesystem, but omit the first 512bytes on the hard drive. After what many techs will consider a successful cleaning, they'll restart the computer, only to discover the virus has come back in full force. The infected MBR has reinfected the system.
Removal Strategy: Remove viruses on the system that may have initially caused the MBR infection, check the MBR, clean the MBR, reboot, recheck the MBR.
Step 1: Disinfect as much of the system as you can. I recommend running Malwarebytes in Safe Mode and doing a full scan, then removing everything found. This step is important because it will most likely find the malware that can reinfect the MBR.
Step 2: Scan for the MBR virus with Bootkit Remover (don't forget to "Run as Admin" if you are not in Safe Mode).
If it says "Rootkit Activity Detected" it's self-explanatory
Step 3: You have three options, one safe route and two risky routes:
Option A:
WinXP: Boot into the Recovery Console (or install it with the XP disk) and type "fixmbr" and the MBR should be wiped.
Win Vista/7: Use the Recovery Disk or the installation disk for Windows Vista/7, boot into it, select the language, and instead of pressing Install Now select "Repair Your Computer" and click the Command Prompt. In it, type bootsect /nt60 :X /fixmbr (please replace X with your systemroot drive, it most commonly is C or D drive however you should know the config) then reboot the system and run the Bootkit Remover Tool again. If this doesn't work, you may have multiple partitions or hard drives, with their MBR possibly infected.
Option B:
Run TDSS Killer . Be prepared for this to break the OS, we've seen this happen in some instances, usually Option A and a chkdsk /r will fix it, however it's still risky.
Option C:
Run Combofix, which will both remove any malware and may remove the MBR infection as well.
Step 4 After any of the above methods are completed, restart the OS and use URL="http://www.esagelab.com/resources.php?s=bootkit_remover"] Bootkit Remover[/URL] again to scan the MBR. If it's gone, congrats! If it's not, then backup and format!
If your OS does break, backup the data (Be sure to run the backup files through an AV and MBAM and reformat the computer's hard drive with something like GParted, by wiping the whole drive and blowing out any partitions. This may be a point of contention, some people may opt for "Startup Repair" which may or may not fix the broken OS, we've seen it more often as a futile attempt. Other people may try the computer's "Factory Restore" option. Right off the bat I'll tell you it's not worth your time. We've tried this in the lab with several HP machines using a clean wipe of the hard drive, and the MBR virus is still there. This makes sense since the partition structure is still in place for the recovery partition to still function, thus the MBR hasn't been altered
*edit*
**edit2**
The guide has been updated, since Combofix now supports 64-bit it has mbrfix built into it.
Master Boot Record is 512 bytes at the beginning of the hard drive that, following BIOS, contains the partition table. In essence, points to the first line of the kernel, most importantly the boot partition. The first 440 bytes are blank, therefore it's a great place for malware to hide itself. Most AV products won't scan the MBR or catch the fact its infected because they look at the filesystem, but omit the first 512bytes on the hard drive. After what many techs will consider a successful cleaning, they'll restart the computer, only to discover the virus has come back in full force. The infected MBR has reinfected the system.
Removal Strategy: Remove viruses on the system that may have initially caused the MBR infection, check the MBR, clean the MBR, reboot, recheck the MBR.
Step 1: Disinfect as much of the system as you can. I recommend running Malwarebytes in Safe Mode and doing a full scan, then removing everything found. This step is important because it will most likely find the malware that can reinfect the MBR.
Step 2: Scan for the MBR virus with Bootkit Remover (don't forget to "Run as Admin" if you are not in Safe Mode).
If it says "Rootkit Activity Detected" it's self-explanatory
Step 3: You have three options, one safe route and two risky routes:
Option A:
WinXP: Boot into the Recovery Console (or install it with the XP disk) and type "fixmbr" and the MBR should be wiped.
Win Vista/7: Use the Recovery Disk or the installation disk for Windows Vista/7, boot into it, select the language, and instead of pressing Install Now select "Repair Your Computer" and click the Command Prompt. In it, type bootsect /nt60 :X /fixmbr (please replace X with your systemroot drive, it most commonly is C or D drive however you should know the config) then reboot the system and run the Bootkit Remover Tool again. If this doesn't work, you may have multiple partitions or hard drives, with their MBR possibly infected.
Option B:
Run TDSS Killer . Be prepared for this to break the OS, we've seen this happen in some instances, usually Option A and a chkdsk /r will fix it, however it's still risky.
Option C:
Run Combofix, which will both remove any malware and may remove the MBR infection as well.
Step 4 After any of the above methods are completed, restart the OS and use URL="http://www.esagelab.com/resources.php?s=bootkit_remover"] Bootkit Remover[/URL] again to scan the MBR. If it's gone, congrats! If it's not, then backup and format!
If your OS does break, backup the data (Be sure to run the backup files through an AV and MBAM and reformat the computer's hard drive with something like GParted, by wiping the whole drive and blowing out any partitions. This may be a point of contention, some people may opt for "Startup Repair" which may or may not fix the broken OS, we've seen it more often as a futile attempt. Other people may try the computer's "Factory Restore" option. Right off the bat I'll tell you it's not worth your time. We've tried this in the lab with several HP machines using a clean wipe of the hard drive, and the MBR virus is still there. This makes sense since the partition structure is still in place for the recovery partition to still function, thus the MBR hasn't been altered
*edit*
-Thanks ATTech!
**edit2**
The guide has been updated, since Combofix now supports 64-bit it has mbrfix built into it.
Last edited:
