
I think the MBR on one of my PCs is borked...

  • 26-09-2010 5:52pm


    ...how to fix?

    It's a nasty one, I recently had several variants of Alureon.H come in through what looks to me like a back-door caused by an MBR infection.

    Ran Malwarebytes, SuperAntiSpyware, MS's Malware Util, AVG, all now reporting clean; however, I'm still getting browser redirects on Google searches (hosts file is fine).


Comments

  • bhickey


    You can overwrite the MBR with a clean copy easily enough. What OS are you running, as I think instructions vary slightly?

    If you have the time and patience, I'd be curious to see too how you might get on with either of the antivirus boot CDs mentioned here. In theory, these might be able to detect an MBR infection if there is one.


  • DublinWriter


    bhickey wrote:
    I'd be curious to see too how you might get on with either of the antivirus boot CDs mentioned here. In theory, these might be able to detect an MBR infection if there is one.

    Tried those links and it appears the images are for Linux.

    I've downloaded the Windows equivalents from the respective websites. I'll let you know how I get on.


  • bhickey


    DublinWriter wrote:
    Tried those links and it appears the images are for Linux.

    Yes, they are ISO image files that you use to create boot CDs. You then boot from the CD and scan the hard disks on your machine. Windows is not loaded - that's the whole idea. There is no "Windows" equivalent.


  • DublinWriter


    bhickey wrote:
    Yes, they are ISO image files that you use to create boot CDs. You then boot from the CD and scan the hard disks on your machine. Windows is not loaded - that's the whole idea. There is no "Windows" equivalent.

    Perhaps what I should have said is that they are for Linux installations.

    I tried the Windows equivalent recovery CDs from both companies without any success.

    I rebooted into the Windows Recovery Console and did a FIXMBR manually - it warned me that my MBR looked damaged/non-standard to begin with, so I guess my suspicions were confirmed about it being an MBR-loaded rootkit.

    FIXMBR ran and I rebooted. All seemed fine, however both Firefox and IE go into redirects when I do a Google search.

    Uninstalled Java, things looked OK, both browsers worked as expected, rebooted and now the problem is back.

    Pulling my hair out!
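    The "damaged/non-standard" warning FIXMBR gave above is the kind of thing a quick integrity check of the first sector can surface before anything is overwritten. The script below is an added example, not code from this thread: it parses a 512-byte MBR, verifies the 0x55AA boot signature and the partition table, and compares the bootstrap code against a SHA-256 baseline recorded while the disk was known-good. The sample sectors and the baseline are constructed inline so it runs offline; the device paths in the comment are an assumption about where a real sector would be read from.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440           # bootstrap code occupies bytes 0-439 of the sector
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into signature, boot-code hash and partitions."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for off in range(PART_TABLE_OFF, PART_TABLE_OFF + 64, 16):
        status, _chs_a, ptype, _chs_b, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype != 0:  # type 0 marks an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = sum(1 for p in info["partitions"] if p["bootable"])
    if bootable != 1:
        findings.append(f"{bootable} partitions flagged bootable (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition starting at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x12\x34\x56\x78\x00\x00"  # disk sig + pad
            + entry + b"\x00" * 48 + BOOT_SIGNATURE)


# Constructed stand-ins, not real boot code. On a live system the 512 bytes come from
# open(r"\\.\PhysicalDrive0", "rb").read(512) on Windows or /dev/sda on Linux (admin/root needed).
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()  # recorded while known-good
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90")  # same partition table, different bootstrap code
```

    Running check_mbr(TAMPERED_MBR, BASELINE_SHA256) reports only the changed bootstrap code, which is the pattern an MBR rootkit leaves: partition table intact, boot code replaced.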


  • bhickey


    DublinWriter wrote:
    Perhaps what I should have said is that they are for Linux installations.

    I tried the Windows equivalent recovery CDs from both companies without any success.

    They're NOT for Linux installations, they are simply boot disk images. You burn the images to a CD and then boot from the CD. You then scan the hard disks in your machine.

    I'm not sure what you mean by "Windows equivalent recovery CDs".


  • DublinWriter


    bhickey wrote:
    They're NOT for Linux installations, they are simply boot disk images. You burn the images to a CD and then boot from the CD. You then scan the hard disks in your machine.

    I'm not sure what you mean by "Windows equivalent recovery CDs".

    So what's the difference between:

    http://download.bitdefender.com/rescue_cd/bitdefender-rescue-cd.iso (your original link)

    and

    http://download.bitdefender.com/windows/desktop/repairquar/rescuecd-20100322-3.iso

    ???


  • DublinWriter


    I think I've nailed it now.

    So far, it's eluded:

    - AVG Free 8.5
    - MalwareBytes
    - SuperAntiSpyware
    - Spybot S&D
    - Microsoft Malware Removal Tool
    - GMER
    - HijackThis

    The only util to spot it and try to remove it was one called ComboFix.


  • bhickey



    I have absolutely no idea. I've only ever used the first one. Hang in there, it looks like your persistence may be rewarded.


  • tricky D


    Does anybody read the sticky anymore?? :confused:


  • DublinWriter


    tricky D wrote:
    Does anybody read the sticky anymore?? :confused:

    In fairness, I did all the obvious stuff.

    I finally cracked it yesterday and it turned out to be the new Drooptroop trojan that's been doing the rounds. It went undetected by the seven AV programs I listed previously (including Malwarebytes) and was only detected by COMBOFIX and Hitman.

    Neither util could fix the problem, as the virus infects explorer.exe and winlogon.exe. The only way I could fix it was by rebooting into the Recovery Console and manually using EXPAND to reinstall the infected system files from the original XP SP3 CD-ROM.


  • naughto


    if ya stay away from pron sites it might help:D:D:D:D:D

    Trojan-Dropper.Win32.Drooptroop.cpt is usually spread via dubious porn websites, via file-sharing of multimedia downloads or via spam emails. The Trojan-Dropper.Win32.Drooptroop.cpt is a disruptive Trojan horse threat that can steal confidential information and negatively affect the infiltrated computer's files!

