Tag Archives | mbr rootkit

Remove-Malware News and Notes 8.17.11

Infected with a rootkit? I wouldn't waste your time with rootkit removal tools (IMO). I had a client who was getting redirected to malvertising sites on almost every search. In case you didn't know, getting redirected to another site when you search means that you have a rootkit (TDSS). Anyway, I connected to the client remotely and tried:

  • TDSSKiller. Wouldn't load.
  • Norton's TDSS remover. Loaded but didn't find anything.
  • BitDefender's TDSS remover. Loaded but didn't find anything.
  • Hitman Pro. Loaded but didn't find anything.
  • ComboFix. Found some stuff, but didn't detect the rootkit.
  • GMER. Detected an MBR modification.
After the GMER scan detected a possible MBR rootkit I told the client I'd run over to her house, pick up the PC and return it the next day. As soon as I got it home I ran a scan with my Kaspersky Rescue Disk. KAVRD found an MBR rootkit and removed it. 🙁 Still waiting for a real rootkit removal tool.
Here's the pic: [image: rootkit removal kaspersky]

Removing MBR Rootkits The Easy Way

This week I've had 3 clients with MBR rootkits on their PCs. Before I tell you what I used to get rid of the MBR rootkits I want to tell you what didn't work:

  1. GMER – Great for detecting rootkits in System32\drivers, not so much for detecting MBR rootkits.
  2. TDSSKiller – I just started using this. It failed to detect MBR rootkits (at least the 3 from this week).
  3. Hitman Pro – Same as GMER.


What did work for me was the Kaspersky Rescue Disk. The Kaspersky Rescue Disk is awesome for detecting and disinfecting rootkits. If you do what I do, then this free bootable disc is an absolute must in your toolkit.


Getting Rid of MBR Rootkits (Bootkits)

Yo everyone, for the past 2 months I've been seeing a major increase in MBR (sector 0) rootkits, a.k.a. bootkits. While these may sound scary (something on sector zero of your hard drive... oh no's), they're really pretty easy to get rid of.

Method 1 – Boot your computer from a Dr. Web Live CD and scan C: (or all your partitions). The instant the scanner starts it will find the MBR rootkit. Choose Yes to write a new signature. That effectively destroys the MBR rootkit.

Method 2 (Windows XP) – Boot your computer from the Windows XP disc and choose to enter the Recovery Console. Once you're inside the Recovery Console, issue the following command and press Enter:

FIXMBR

...then reboot.

Method 2 (Windows 7 or Vista) – Boot your computer from the Windows 7 or Vista disc. Choose to repair your computer. Choose the Command Prompt option (near the bottom). Enter the following command and press Enter:

Bootrec /FIXMBR

...then reboot.

At this point your MBR rootkit should be toast.
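As an added illustration (not code from the original post, nor from any of the tools named above), here is a Python script that parses a 512-byte sector 0 the way the bootkit discussion above describes it: 446 bytes of boot code, four 16-byte partition entries, and the 0x55AA signature. It hashes the boot code and compares it against a known-good baseline, which is the kind of "MBR modified" check a scanner like GMER reports. The sample sectors, the boot-code bytes and the baseline hash are all constructed inline for the demo; nothing here is a real disk image.

```python
import hashlib
import struct

# MBR layout (sector 0 of a disk): 446 bytes of boot code, a 64-byte table of
# four 16-byte partition entries, and the 2-byte 0x55AA signature.
SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 510
# status, CHS start, type, CHS end, LBA start, sector count (all little-endian)
PART_ENTRY_FMT = "<B3sB3sII"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:PART_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "valid_signature": sector[BOOT_SIG_OFFSET:] == b"\x55\xAA",
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means sector 0 matches the clean baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    for p in info["partitions"]:
        if p["type"] != 0 and p["lba_start"] == 0:
            findings.append(f"partition type 0x{p['type']:02x} starts at LBA 0 (overlaps the MBR)")
    return findings


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Construct a sector for the demo; entries are (status, type, lba_start, sectors) tuples."""
    boot = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(struct.pack(PART_ENTRY_FMT, s, b"\x00" * 3, t, b"\x00" * 3, lba, n)
                     for s, t, lba, n in entries)
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return boot + table + b"\x55\xAA"


# Constructed sample data: a few bytes of typical x86 boot-code prologue followed by
# NOP padding (not a working loader), plus one bootable NTFS partition (type 0x07)
# starting at LBA 2048.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 16
PARTITIONS = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, PARTITIONS)
# The baseline would normally be captured from the machine while it is known clean.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Simulated modification: the first four boot-code bytes have been changed, which is
# what the baseline comparison is meant to catch.
TAMPERED_BOOT_CODE = bytes(b ^ 0xFF for b in CLEAN_BOOT_CODE[:4]) + CLEAN_BOOT_CODE[4:]
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE, PARTITIONS)


def demo() -> dict:
    """Run the check over the clean and the tampered sample sectors."""
    return {"clean": check_mbr(CLEAN_MBR, BASELINE_SHA256),
            "tampered": check_mbr(TAMPERED_MBR, BASELINE_SHA256)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "no findings")
```

To check a real disk on Windows, read sector 0 as Administrator with `open(r"\\.\PhysicalDrive0", "rb").read(512)` and pass it to `check_mbr` with a baseline hash captured while the machine was known clean. Do the read from a boot disc rather than from inside the installed Windows wherever possible: a bootkit that hooks the disk driver can hand an in-OS reader a clean-looking copy of sector 0, which fits the pattern above of in-Windows tools missing what the rescue-disc scans found. After `FIXMBR` or `bootrec /fixmbr`, only the 446 bytes of boot code are rewritten and the partition table is left alone, so a hash of the standard Windows boot code taken from a clean install of the same Windows version makes a sensible post-fix baseline; bear in mind that a third-party boot manager installed in the MBR (GRUB, for example) is overwritten by the same command.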

Reboot your computer and run a scan with an updated Malwarebytes and whatever antivirus you use (I suggest Kaspersky Internet Security); quarantine and then remove whatever they find.

Lastly, here are 2 good articles from Microsoft concerning the Recovery Console and bootrec:

http://support.microsoft.com/kb/927392 – Windows 7 and Vista Bootrec.exe Documentation

http://support.microsoft.com/kb/314058 – Windows XP Recovery Console Documentation
