Getting Rid of MBR Rootkits (Bootkits)

Yo everyone, for the past 2 months I’ve been seeing a major increase in MBR (sector 0) rootkits, a.k.a. bootkits.  While these may sound scary (something on sector zero of your hard drive… oh no’s), they’re really pretty easy to get rid of.  The bootkit hooks the bootstrap code in the first sector of the disk so it runs before Windows does, but that hook is just a few hundred bytes of boot code, and any tool that writes a clean MBR replaces it.

Method 1 – Boot your computer from a Dr.Web LiveCD and scan C: (or all your partitions).  The scanner flags the MBR rootkit as soon as it starts.  Choose Yes when it asks to write a new signature; that replaces the infected boot code and effectively destroys the MBR rootkit’s hook.

Method 2 (Windows XP) – Boot your computer from the Windows XP CD and choose to enter the Recovery Console (it will ask which Windows installation to log on to and for the Administrator password).  Once you’re inside the Recovery Console, issue the following command and press Enter:

FIXMBR

…then Reboot.

Method 2 (Windows 7 or Vista) – Boot your computer from the Windows 7 or Vista disc.  Choose Repair your computer.  In the System Recovery Options list, choose Command Prompt (near the bottom).  Enter the following command and press Enter:

Bootrec /FIXMBR

…then Reboot.

At this point your MBR rootkit’s hook should be toast.  Both FIXMBR and Bootrec /FixMbr rewrite only the bootstrap code in sector 0 and leave the partition table alone, so you don’t lose your partitions.  Two caveats: if you run a third-party boot loader or a disk-encryption pre-boot screen, it lives in that same boot code and gets overwritten too, so have its recovery media handy; and neither command touches the partition boot sector (VBR), which is what Bootrec /FixBoot rewrites if the infection turns out to be there instead.
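To make concrete what the two FIXMBR variants above actually rewrite (and what they leave alone), here is an added Python example; it is not code from the original post, nor from Microsoft or Dr.Web.  It builds a constructed 512-byte sector 0 in memory with made-up boot code and one partition entry, runs the checks a scanner makes (boot signature, boot-code hash against a known-good copy, partition table), and then performs the repair the way FIXMBR / Bootrec /FixMbr do: only the first 440 bytes of bootstrap code are replaced, and the disk signature and partition table are carried over.  All byte strings in it are constructed stand-ins, not real Windows or bootkit code.

```python
"""Sector-0 layout and what a FIXMBR-style repair actually rewrites.

Added example for this post; not code from the original page. Everything
here works on a constructed 512-byte MBR held in memory, so it runs
without touching a real disk. Offsets are the classic MBR layout:
    0..439    bootstrap code   (what FIXMBR / Bootrec /FixMbr replace)
    440..443  Windows disk signature, 444..445 reserved
    446..509  four 16-byte partition entries (left alone by the repair)
    510..511  0x55 0xAA boot signature
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
BOOT_SIG_OFF = 510

# Constructed stand-in for known-good boot code (NOT the real Windows MBR):
# a few plausible opening bytes, zero-padded to fill the 440-byte region.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")

# Constructed stand-in for an infected sector 0: a short jump over a marker,
# then NOP filler. Illustrative only, not any real bootkit's code.
HOOKED_BOOT_CODE = (b"\xEB\x10" + b"BOOTKIT-HOOK-DEMO").ljust(BOOT_CODE_LEN, b"\x90")


def build_mbr(boot_code, disk_signature, partitions):
    """Assemble a 512-byte MBR from its parts.

    partitions: up to four (bootable, type, lba_start, num_sectors) tuples.
    CHS fields are written as zeros; LBA is what matters here.
    """
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly %d bytes" % BOOT_CODE_LEN)
    if len(partitions) > 4:
        raise ValueError("MBR holds at most four primary partition entries")
    table = b""
    for bootable, ptype, lba_start, num_sectors in partitions:
        status = 0x80 if bootable else 0x00
        table += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype,
                             b"\x00" * 3, lba_start, num_sectors)
    table = table.ljust(64, b"\x00")
    return boot_code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + b"\x55\xAA"


def parse_partition_table(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "num_sectors": num_sectors})
    return entries


def check_mbr(mbr, known_good_boot_code):
    """The checks a scanner makes on sector 0: boot signature present,
    boot code identical to a trusted copy, partition table readable."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    boot_code = mbr[:BOOT_CODE_LEN]
    return {
        "valid_signature": mbr[BOOT_SIG_OFF:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "boot_code_is_known_good": boot_code == known_good_boot_code,
        "partitions": parse_partition_table(mbr),
    }


def fixmbr(mbr, clean_boot_code):
    """Model of FIXMBR / Bootrec /FixMbr: rewrite bytes 0..439 only.

    The disk signature and partition table are carried over unchanged, which
    is why the repair does not lose partitions. Nothing outside sector 0 is
    touched, so whatever the malware stored elsewhere on disk is still there;
    that is what the follow-up antivirus scan is for.
    """
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly %d bytes" % BOOT_CODE_LEN)
    return clean_boot_code + mbr[BOOT_CODE_LEN:]


def infected_sample():
    """Constructed sector 0: hooked boot code plus one bootable NTFS (0x07)
    partition starting at LBA 2048. Disk signature is a made-up value."""
    return build_mbr(HOOKED_BOOT_CODE, 0x1234ABCD, [(True, 0x07, 2048, 204800)])


if __name__ == "__main__":
    before = check_mbr(infected_sample(), CLEAN_BOOT_CODE)
    after = check_mbr(fixmbr(infected_sample(), CLEAN_BOOT_CODE), CLEAN_BOOT_CODE)
    print("before repair: known-good code =", before["boot_code_is_known_good"], before["partitions"])
    print("after repair:  known-good code =", after["boot_code_is_known_good"], after["partitions"])
```

Run it as a script to see the before/after.  Against a real machine the same checks apply to the first 512 bytes of \\.\PhysicalDrive0 (read as Administrator), compared with a copy of that disk’s MBR you trust; keeping such a copy around is also what makes a restore possible, as Eric’s comment below illustrates.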

Reboot into Windows and run a full scan with an updated Malwarebytes and your antivirus (I suggest Kaspersky Internet Security); quarantine and then remove whatever they find.  The MBR fix only removes the hook in sector 0; anything the bootkit dropped elsewhere on the disk is still there until this scan cleans it up.

Lastly, here are two good Microsoft articles on the Recovery Console and Bootrec:

http://support.microsoft.com/kb/927392 – Windows 7 and Vista Bootrec.exe Documentation

http://support.microsoft.com/kb/314058 – Windows XP Recovery Console Documentation


4 Responses to Getting Rid of MBR Rootkits (Bootkits)

  1. Adam November 23, 2010 at 2:36 pm #

    Another good tool for scanning the MBR, as well as for TDSS rootkits, is TDSSKiller. It can also cure it if it finds it, and can also be run from a PE environment.

    http://support.kaspersky.com/viruses/solutions?qid=208280684

  2. Sheen November 24, 2010 at 7:44 am #

    Nice info Matt. Thank you.

  3. Eric November 30, 2010 at 6:49 am #

    Does anyone know whether being in a “limited user account” (Windows XP) prevents one of these malware titles from rewriting the master boot record? I believe we had some contaminated PDFs with exe payloads fail to install an MBR successfully. The person surfing the web (he was in the Administrators group) said a warning popped up, then the PC blue-screened, and when we tried to bring it back up there was a blinking black cursor, nothing more. Dr.Web said there was no MBR virus. Fortunately we had another Dell D630 with the exact same hard drive, so we saved the MBR with MBRWizard from that PC and restored it onto the other PC. The second PC, a desktop OptiPlex, wasn’t so lucky. I had to rebuild it. I think the malware tried to insert itself into the MBR but something stopped it; virus scanners found nothing because it didn’t get completely written onto the hard drive.

Trackbacks/Pingbacks

  1. Free IT security tools (Outils gratuits de sécurité informatique) | Data Security Breach - July 15, 2012

    […] Kill  bootkits […]
