
mbr rootkit prevents any AV (including mbar) from running



I have a Win7 (x64) system that was badly infected with multiple viruses. Although I was able to manually stop all visible malicious processes and clean out all visible malicious files and registry entries, I could never get a single AV or malware tool to run. Not MBAR, not any of the numerous AVs I tried, not GMER, not TDSSKiller, not RKill, etc. etc. etc. If you clicked on the .exe files, they would just start and immediately close. Renaming the .exe files or changing the extension to .com also didn't work. Oddly, HijackThis would run but indicated nothing. Task Manager and regedit worked as well.


Thinking I had simply missed a rootkit, I decided to nuke the OS. It was a Dell OptiPlex with a recovery partition, so throwing it back to factory was easy. The system was somewhat old and not cost-effective to do a disk reinstall on.


After re-imaging the OS partition to factory, all was going well until I saw that the built-in Windows Defender wouldn't update. I tried loading AVG AV and that wouldn't run. MBAR, nada. Clicking on the .exe files would result in the installer opening and closing instantly, as before the reload.


There must be some sort of MBR or sector-zero rootkit whose purpose is just to prevent any AV or malware tool from running.


Any last-ditch suggestions from you guys? Some sort of boot disk or USB key with MBAR on it? By the way, Kaspersky Rescue Disk and Norton Power Eraser run as boot media detected nothing. I don't believe fixmbr from the Windows recovery media will work because the Dell MBR is not standard (although I am going to try it).


I know I can probably write zeros to the entire HD or low-level format it and reload from disk, but it just wouldn't be cost-effective, as mentioned before. I know there are times when you have to give up, but I hate to admit defeat on this one. I've only had to do it twice before. Sometimes when you put in a lot of effort it becomes personal.


Thanks!


Joe Welna


Hello and welcome:

This sort of infection will require deep work with expert help.

We are not permitted to work on possible malware-related issues here in this particular section of the forum.

So, for expert assistance, I suggest that you please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the suggested, preliminary steps to expedite the process.
A malware analyst will assist you with looking into your issue, to see what can be done.

Thanks,
