
MBR Infected by Rootkit.

  • 09-02-2011 9:40pm
    #1
    Registered Users, Registered Users 2 Posts: 15,065 ✭✭✭✭


    Avast tells me there is a rootkit on the MBR
    MBR: \\.\PHYSICALDRIVE0 Threat: Rootkit: Hidden boot sector
    but when I try to move it to chest it tells me "Error: The request is not supported (50)"
    The nearest explanation I can find for that error message is from here but that doesn't seem quite right.

    I assume choosing the delete action from the Avast log would be dangerous (ie delete the MBR) so I haven't tried that.
    If I select Repair it tells me "Action postponed until next reboot" but if I reboot, nothing happens.

    I've tried the same actions in safe mode and that hasn't helped.

    Unfortunately I'm still getting the blue screens of death but they seem to come at different times so unless things suddenly get a lot worse I can probably backup the important files and reinstall the operating system but I'm sure there's a better fix!


Comments

  • Registered Users, Registered Users 2 Posts: 9,520 ✭✭✭irishgeo


    Malice wrote: »
    Avast tells me there is a rootkit on the MBR

    but when I try to move it to chest it tells me "Error: The request is not supported (50)"
    The nearest explanation I can find for that error message is from here but that doesn't seem quite right.

    I assume choosing the delete action from the Avast log would be dangerous (ie delete the MBR) so I haven't tried that.
    If I select Repair it tells me "Action postponed until next reboot" but if I reboot, nothing happens.

    I've tried the same actions in safe mode and that hasn't helped.

    Unfortunately I'm still getting the blue screens of death but they seem to come at different times so unless things suddenly get a lot worse I can probably backup the important files and reinstall the operating system but I'm sure there's a better fix!

    try a scan with Bitdefender Boot CD anti-virus and see if it detects anything.

    Don't remove anything just yet, just see if it detects anything.

    download link http://download.bitdefender.com/rescue_cd/


  • Registered Users, Registered Users 2 Posts: 15,065 ✭✭✭✭Malice


    irishgeo wrote: »
    try a scan with Bitdefender Boot CD anti-virus and see if it detects anything.

    Don't remove anything just yet, just see if it detects anything.

    download link http://download.bitdefender.com/rescue_cd/
    :eek: 362Mb! Unfortunately I was out all evening and I've an early start in the morning so I won't be able to try this until tomorrow evening. Interestingly enough, the laptop was left on for the last 3 hours and hasn't blue-screened in that time. I wonder if there is a particular user action or actions that triggers it?


  • Registered Users, Registered Users 2 Posts: 9,520 ✭✭✭irishgeo


    Malice wrote: »
    :eek: 362Mb! Unfortunately I was out all evening and I've an early start in the morning so I won't be able to try this until tomorrow evening. Interestingly enough, the laptop was left on for the last 3 hours and hasn't blue-screened in that time. I wonder if there is a particular user action or actions that triggers it?

    Can you download a utility called BlueScreenView? This allows you to view the bluescreens you have had.

    http://www.nirsoft.net/utils/blue_screen_view.html

    Post up the stop errors you see. Make sure you go to Options Menu > Lower Pane Mode > Blue Screen in XP Style in order to see the bluescreen.

    Random blue screens could be a RAM problem. I suggest you test your RAM with Memtest86+

    http://www.memtest.org/


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    If you have the Operating System CD you can boot from it and write a clean MBR to the disk (Google for instructions for your operating system). That normally reaches the spot that other programs sometimes can't.
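To make the "write a clean MBR" advice above concrete from the checking side, here is an added example (not code from this thread, from Avast, or from any of the tools mentioned) that parses a 512-byte MBR the way a rescue-CD scanner would: it validates the 0x55AA signature, extracts the partition table, hashes the 446 bytes of boot code against a known-good baseline, and reports the unpartitioned gap after sector 0, which is where a bootkit typically stores its payload or the original MBR. The sample sector, the baseline hash and the `reads_differ` comparison of an in-OS read against an offline read are constructed for illustration.

```python
# Added example, not vendor code. Layout used is the standard MBR format:
# 446 bytes boot code, four 16-byte partition entries, 2-byte 0x55AA signature.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY_FMT = "<B3sB3sII"
PART_ENTRY_LEN = struct.calcsize(PART_ENTRY_FMT)  # 16
BOOT_SIG = b"\x55\xaa"


def build_sample_mbr(boot_code_fill: bytes = b"\x90") -> bytes:
    """Constructed sample: filler boot code, one active NTFS partition at LBA 2048."""
    boot_code = (boot_code_fill * BOOT_CODE_LEN)[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + entry + empty + BOOT_SIG


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into boot code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:  # unused slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    # Sectors between the MBR (sector 0) and the first partition are unpartitioned;
    # bootkits commonly hide code or a copy of the original MBR there, so an
    # analyst imaging the disk should include them.
    gap = min((p["lba_start"] for p in partitions), default=1) - 1
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "gap_sectors": gap,
    }


def boot_code_hash(sector: bytes) -> str:
    """Hash of the boot code only; record this from a known-clean disk as the baseline."""
    return parse_mbr(sector)["boot_code_sha256"]


def check_mbr(sector: bytes, known_good_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    return findings


def reads_differ(online_view: bytes, offline_view: bytes) -> bool:
    """A rootkit that filters disk I/O can show the running OS a clean sector while
    the disk holds the modified one. A rescue-CD read bypasses that filter, so any
    difference between the two views is itself a strong signal (and explains why
    in-OS tools may fail with errors like 'request not supported')."""
    return online_view != offline_view


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = boot_code_hash(clean)
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(build_sample_mbr(b"\xeb"), baseline))
```

On a real machine the baseline hash should be taken from the same disk while it is known clean (or from the OS installer's MBR code) and the sector fed to `check_mbr` should be read from a boot CD, not through the possibly hooked running OS.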


  • Registered Users, Registered Users 2 Posts: 15,065 ✭✭✭✭Malice


    Unfortunately the laptop has restarted twice while I was attempting to download the BitDefender ISO. I'll see if I can get it downloaded on another machine.
    irishgeo wrote: »
    Can you download a utility called BlueScreenView? This allows you to view the bluescreens you have had.

    http://www.nirsoft.net/utils/blue_screen_view.html

    Post up the stop errors you see. Make sure you go to Options Menu > Lower Pane Mode > Blue Screen in XP Style in order to see the bluescreen.

    Random blue screens could be a RAM problem. I suggest you test your RAM with Memtest86+

    http://www.memtest.org/
    I'll try the memtest utility next but I've downloaded the blue screen utility. What part of the output do you need? The 3 most recent dumps all contain this:
    The problem seems to be caused by the following file: ntoskrnl.exe
    IRQL_NOT_LESS_OR_EQUAL
    although one of them reads
    The problem seems to be caused by the following file: ntoskrnl.exe
    SYSTEM_SERVICE_EXCEPTION
    bhickey wrote: »
    If you have the Operating System CD you can boot from it and write a clean MBR to the disk (Google for instructions for your operating system). That normally reaches the spot that other programs sometimes can't.
    I've moved house four times since I got the laptop, unfortunately the only OS-related CD I can find is the Windows 7 upgrade disc. Would that work do you think?

    Lastly does anyone know whether or not selecting Delete Now in the Avast action menu when it detects the rootkit will actually screw up the MBR? I daren't do it if it will render the machine unbootable.

    I forgot to say I also tried Malware Bytes and it will find some infections and remove them but they re-appear on a reboot (presumably as a consequence of the rootkit).


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    You can download a Windows 7 recovery disc image here. Burn the image to a CD/DVD, boot from it and off you go.


  • Registered Users, Registered Users 2 Posts: 15,065 ✭✭✭✭Malice


    Happily I think I have it sorted. The fix turned out to be pretty simple in the end. I came across this thread on the Avast forum and downloaded the referenced utility. It found the rootkit and zapped it. I ran scans with Malware Bytes and Avast and they came up clean and I haven't had a blue screen since.

    Thanks to everyone for your help anyway!


  • Registered Users, Registered Users 2 Posts: 9,239 ✭✭✭MrVestek


    The following is a fantastic tool for removing most known types of rootkit infections:
    http://www.gmer.net/

