
Hello,

I scanned a Windows 7 Pro Desktop with Malwarebytes Free version 3.0.5. It found two instances of a threat identified as PUM.Optional.DisableTaskMgr. I quarantined it, rebooted, no problem. I then enabled rootkit scanning in the settings and scanned again. This second scan found one instance of a threat identified as Unknown.Rootkit.MBR. Again, I clicked on Quarantine and was prompted to reboot. Upon rebooting the PC will not come back up and it continuously just beeps loudly. I have to hard shut down the PC. I was able to get to the C drive and grab the scan files for both the first and second scans. I also have screenshots I took of each scan result and the log file for both scans. I am wondering if anyone has come across this and if there is any advice as far as fixing the MBR or getting the PC to boot up normally again. I did some searching afterwards and found that it is not recommended to quarantine instances of Unknown.Rootkit.MBR, but found that too late. Please let me know if you would like any more information from me. Any help would be appreciated.

Capture.PNG

Capture2.PNG


@sbarajas, welcome to the Malwarebytes Forums community!! I have moved your topic to our Malware Removal for Windows area so you can get help from an expert on malware removal and cleanup.

I would also recommend reading up on the following thread to get the ball rolling, so to speak:

 


Hello sbarajas and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

I assume you have access to another PC as you are posting images etc. If you also have a USB flash drive (memory stick), see if you can do the following and post the produced log....

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Ensure you get the correct version for your system, 32 bit or 64 bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

Windows 7: enter System Recovery Options.

To enter System Recovery Options I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version, then press Enter. Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Thank you,

Kevin


Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Re-boot your system, if your system now boots correctly continue:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Kevin....

fixlist.txt


Kevin,

I ran the fixlist.txt with no success in fixing the problem. I attached the Fixlog.txt that was generated. The PC still won't boot up and beeps continuously when I try turning it on, same as before. Where do we go from here? Did the FRST scan file I attached before give you any insight on how to proceed? Please let me know, thank you.

Fixlog.txt


Just ran a fresh scan and attached the results.

The PC is a Lenovo ThinkCentre M78.

So the PC goes through an initial screen with the Lenovo logo. After that it goes to a blank black screen with nothing but a blinking underscore and is unresponsive to any input. Also, I just get continuous beeping until I hard shut off the PC. Pretty sure when I quarantined the Unknown.Rootkit.MBR malware identified by Malwarebytes that messed up the MBR and that is preventing startup. Please let me know your thoughts.

FRST2.txt


Yes, one of the admin guys has suggested an MBR issue, problem is that FRST is not confirming a bad MBR.... You also mention a continuous beep, have a look at the beep codes from Lenovo: https://support.lenovo.com/gb/en/solutions/ht062270

Next,

There is a backup of all registry hives, the following fix will replace all hives. Also the fix will take a dump of the MBR, that will be saved to the USB stick, zip that up and attach to your reply, also attach the fix result...

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Re-boot your system,

fixlist.txt


I have attached the Fixlog and the MBRDUMP files. I also scanned again and attached the scan file. Please let me know what else you need.

 

From the Lenovo site the most likely beep codes are:

Beeps continuously

Connect correctly and check all the plugs of power supply, monitor and graphics and make sure they are well connected.

Repeated short beeps

power issue

 

I am not sure it would be either of those things though. I'll investigate either way.

fix&MBR.zip


I do not believe any of the beep codes will help, the new FRST log shows a problem with Winlogon and Userinit. The registry hives have been replaced, I doubt that FRST would use a corrupt value so have to assume there is a major issue we have not discovered yet...

Quote

HKLM\...\Winlogon: [Userinit] C:\WINDOWS\SYSWOW64\ULAGENTEXE.EXE,

I've just uploaded the MBR dump to VirusTotal, it has come back as clean. I did expect that as FRST has not listed an MBR problem yet...

https://www.virustotal.com/en/file/790ebb22a92542a30a20505016c7bb4f9ea64b8e1689b788ae1c6d6620f377b7/analysis/1486759094/

Old MBR infections did create their own MBR but showed the original to scanners to avoid being found. Usually that would not work in the RE, so I am not exactly sure what is happening....

The attached fix will replace the Winlogon values and rebuild the MBR, let's see what happens after the fix and a reboot...

Next,

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Re-boot your system, any change?

fixlist.txt


Ok, let's try again....

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Re-boot your system, any change?

fixlist.txt


Can you boot to the Recovery Environment command prompt? At the prompt either type or copy/paste the following commands, hit Enter after each one...

BCDedit /export C:\BCD_Backup

C:\

CD boot

Attrib BCD -s -h -r

Ren C:\boot\bcd bcd.old

Bootrec /RebuildBcd

After the last command the system may seem to hang, wait until a response is posted, at that response do the following:

Select Y to confirm adding Windows 7 to the list of bootable operating systems on your computer...

Type exit to close the cmd prompt, re-boot your system...

Any improvement...?


  • Staff

I would hold up a second here. It looks like you are running a commercial product called DriveLock. This uses a custom MBR to boot the disk as the disk is encrypted.

Mbam restored the standard Windows MBR and that is the issue here.

Using Windows utilities to restore the MBR won't work. You may have to contact DriveLock and see if they have a utility to restore the MBR to their custom MBR. Most drive encryption programs have a bootable CD that can fix these. I have not used DriveLock before so I can't be 100% sure.

The customer is being helped by Lisa in support. I would stick with that for now. Doing these Windows commands may cause more issues to be fixed once the custom MBR is repaired.

After this is repaired we would appreciate if you can follow the instructions from lisa so we can prevent this from happening again by getting some whitelisting info.

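The thread turns on one question: is the sector sitting in the MBR dump the standard Windows boot code, or a vendor pre-boot loader (here DriveLock's) that only looks wrong to a scanner? That can be answered from the dump before anything is rewritten. The script below is an added example, not code from this thread, from FRST or from Malwarebytes. It parses a raw 512-byte MBR sector, verifies the 0x55AA boot signature, decodes the four partition-table entries, computes the SHA-256 (the value to compare against a VirusTotal lookup such as the one linked above), and reports whether the boot code carries the three error strings found in the standard Windows 7 MBR. Both sample sectors are constructed inside the script: the disk signature, partition geometry and the "custom loader" bytes are made up, and the string-based classification is a heuristic, not a vendor signature. A sector that parses cleanly but lacks the Windows strings is exactly the case where "restoring" a standard MBR breaks booting, so the verdict for it is to leave the sector alone and consult the encryption vendor's recovery tooling.

```python
import hashlib
import struct
import sys

# Error strings embedded in the boot code of the standard Microsoft MBR (Windows 7 era).
STANDARD_WINDOWS_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)

PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "Extended LBA", 0xEE: "GPT protective",
}

# Partition entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
PARTITION_ENTRY = "<B3sB3sII"


def build_sample_mbr(custom_boot_code: bool = False) -> bytes:
    """Construct a 512-byte MBR for demonstration only (not a real disk image)."""
    mbr = bytearray(512)
    if custom_boot_code:
        # Hypothetical pre-boot loader stub: valid structure, but not Windows boot code.
        stub = b"CONSTRUCTED CUSTOM LOADER"
        mbr[0:len(stub)] = stub
    else:
        # First bytes of the Windows 7 MBR (xor ax,ax / mov ss,ax / mov sp,7C00h ...).
        mbr[0:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e"
        pos = 300
        for s in STANDARD_WINDOWS_STRINGS:
            mbr[pos:pos + len(s)] = s
            pos += len(s) + 1
    struct.pack_into("<I", mbr, 440, 0xDEADBEEF)  # constructed disk signature
    # One active NTFS partition starting at LBA 2048 (constructed geometry).
    struct.pack_into(PARTITION_ENTRY, mbr, 446, 0x80, b"\x20\x21\x00", 0x07,
                     b"\xfe\xff\xff", 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def classify_boot_code(boot_code: bytes, boot_signature_ok: bool) -> str:
    """Heuristic verdict on the 440-byte boot code region."""
    if not boot_signature_ok:
        return "invalid"
    found = sum(1 for s in STANDARD_WINDOWS_STRINGS if s in boot_code)
    if found == len(STANDARD_WINDOWS_STRINGS):
        return "standard-windows"
    if not any(boot_code):
        return "empty"
    return "custom-or-unknown"


def parse_mbr(data: bytes) -> dict:
    """Decode a raw MBR sector dump into a triage report."""
    if len(data) < 512:
        raise ValueError("MBR dump must be at least 512 bytes")
    sector = data[:512]
    boot_code = sector[:440]
    boot_signature_ok = sector[510:512] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, sector, 446 + 16 * i)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start, "sectors": sectors,
        })
    return {
        "sha256": hashlib.sha256(sector).hexdigest(),
        "boot_signature_ok": boot_signature_ok,
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "boot_code": classify_boot_code(boot_code, boot_signature_ok),
    }


def advice(report: dict) -> str:
    """What a responder should do with the dump before touching the disk."""
    verdict = report["boot_code"]
    if verdict == "standard-windows":
        return "Standard Windows boot code; generic MBR repair tools are appropriate."
    if verdict == "custom-or-unknown":
        return ("Non-standard boot code with a valid partition table: likely a vendor "
                "pre-boot loader (disk encryption). Do not overwrite; use vendor recovery media.")
    return f"Boot sector state '{verdict}': inspect the dump by hand before any repair."


if __name__ == "__main__":
    # Usage: python mbr_triage.py [MBRDUMP.bin]; without a file, the constructed samples are used.
    blobs = [open(sys.argv[1], "rb").read()] if len(sys.argv) > 1 else [
        build_sample_mbr(), build_sample_mbr(custom_boot_code=True)]
    for blob in blobs:
        r = parse_mbr(blob)
        print(f"sha256={r['sha256']} verdict={r['boot_code']} "
              f"partitions={[(p['type_name'], p['lba_start']) for p in r['partitions']]}")
        print("  ->", advice(r))
```

Run it against a raw sector dump (for example the MBRDUMP from FRST, if that is a plain 512-byte image) and compare the printed SHA-256 with the hash in the VirusTotal report; a "custom-or-unknown" verdict with an intact partition table is the DriveLock-style case described above, where the correct action is the vendor's recovery tooling rather than Bootrec.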

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
