Trojan malware nowadays is capable of writing its malicious code to the Master Boot Record (MBR) of a bootable drive. It is another auto-start technique, one that also hides the malware from the user. MBR rootkit malware usually comes with a driver rootkit component that contains all the payloads. The main goal of the MBR rootkit technique is to load the driver rootkit component before Windows starts. Security companies refer to this kind of malware as MBR Rootkit, Mebroot or Sinowal.
How does it work?
The MBR rootkit malware saves a copy of the original Master Boot Record (MBR) in another sector of the hard drive, and then writes its own malicious MBR, which loads the malicious routine and then the original MBR of the hard drive. The driver rootkit component is not dropped as a file; as a stealth mechanism, it is written directly to a portion of the hard drive. Further malicious code is written to other sectors of the hard drive to load the driver rootkit component before Windows loads.
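The layout the rootkit tampers with is the single 512-byte MBR sector: 446 bytes of bootstrap code, a 64-byte partition table and the 0x55AA signature. The added example below is not from the original post or from the mbr.exe tool; it parses that sector, compares a live copy against a saved known-good copy (the same idea the "-f" fix relies on, restoring the backed-up original) and rebuilds a clean sector from the backup while keeping the current partition table. All sample MBR bytes are constructed placeholders, not real boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bootstrap code area that an MBR rootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
BOOT_SIG_OFF = 510       # two-byte boot signature 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR sector into bootstrap code, partitions and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:   # skip empty entries
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa"}

def check_mbr(current: bytes, baseline: bytes) -> list:
    """Compare the live MBR with a known-good backup and return a list of findings."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(cur["boot_code"]).digest() != hashlib.sha256(base["boot_code"]).digest():
        findings.append("bootstrap code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def restore_boot_code(current: bytes, baseline: bytes) -> bytes:
    """Rebuild a clean sector: baseline bootstrap code, current partition table, valid signature."""
    return baseline[:BOOT_CODE_LEN] + current[PART_TABLE_OFF:BOOT_SIG_OFF] + b"\x55\xaa"

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given code bytes padded to 446, one bootable NTFS partition."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + b"\x55\xaa"

CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed placeholder bytes
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c\x90\x90\x90")  # constructed: different loader code

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, CLEAN_MBR))      # []
    print(check_mbr(INFECTED_MBR, CLEAN_MBR))   # ['bootstrap code differs from baseline']
    print(restore_boot_code(INFECTED_MBR, CLEAN_MBR) == CLEAN_MBR)  # True
```

On a real system the 512 bytes would be read from the physical drive with a privileged tool; here the script only returns the rebuilt sector rather than writing it, so a backup copy can be verified before anything touches the disk.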
How to clean it?
There are ways to remove this MBR rootkit malware, but be cautious when following the instructions, because we are dealing with the Master Boot Record of the hard drive; a mistake may damage the MBR and cause loss of data.
Anyway, here are the easiest and safest steps that I know to remove/clean an infected Master Boot Record:
1. Download the MBR rootkit detector tool from the link below:
http://www2.gmer.net/mbr/mbr.exe
-Mirror-
Note: The tool from the mirror link is compressed and password protected (password: novirus). It may not be the latest version, but it is the tool that I use as of this writing.
2. Run “mbr.exe” from the command prompt (cmd.exe) to check whether you are really infected.
3. If you are infected, run mbr.exe again, this time with the parameter “-f” to fix/clean your Master Boot Record; see the command below:
mbr.exe -f
You should see the message “original MBR restored successfully!”
4. Then restart your computer.
As long as you get the MBR OK message, just ignore the other messages. Some malicious code may still exist in other sectors of your hard drive, but rest assured that it will not run anymore because you now have a clean Master Boot Record. ^_^