Bienvenido! - Willkommen! - Welcome!

Tux&Cía. Technical Blog, Santa Cruz de la Sierra, BO
Main Blog: Tux&Cía.
Advanced Information Blog: Tux&Cía.-Información
May the source be with you!

Saturday, November 19, 2011

MBR infected!

"Missing operating system” error:
http://windows7themes.net/missing-operating-system-windows-7.html
IMPORTANT: If you are on a home network, disconnect the affected machine from the network. 
Do not share a USB/flash drive with this affected machine. 
Do not use the infected machine except to carry out the malware removal instructions.
Use a different machine to check email, sync your phone, etc. if possible. 

Install GRUB and use it as the bootloader for dual boot.
SuperGRUB or EasyBCD (based on an ISO image) are alternatives.
Possible Causes
The Boo/Tdss.D virus writes its code into the MBR.
-----------------------
Whistler Bootkit (Trojan-Clicker.Win32.Cycler)
  1. Double-click MBRCheck.exe (or right-click it and choose "Run as administrator").
  2. Windows will open a security warning. Click "Run".
  3. If there is NO infection, the MBR type or "Unknown MBR code" will be displayed.
Press "N" to exit the program, and open a new thread in the forum if you need more help cleaning your computer.
------------------------
MBR infected by a bootkit
If an infection IS detected, the program will display:
Known-bad MBR code detected (Whistler / Black Internet)!

-----------------------------
1.- Disable System Restore on all drives.
2.- Pay CLOSE attention to the following guide so that you carry out the steps EXACTLY as indicated:
Removing MBR Rootkit/Mebroot/Sinowal (boot-sector malware)
3.- Delete the TDSSKiller executable and empty the Recycle Bin.
  • Download TDSSKiller.zip and extract it to the desktop.
  • Unplug the Internet cable or turn off the modem.
  • Run TDSSKiller as its manual indicates.
  • Send the TDSSKiller report located at C:\TDSSKiller_Fecha_Hora.log (the file name carries the date and time of the scan).

====================================
Source
Name: Whistler Bootkit
Type: Malware with rootkit functionality
Aliases: Whistler Bootkit, Black Internet, MaosBoot, Stoned Bootkit, MBR Rootkit, TrojanDownloader:Win32/Unruy.D (Microsoft), Win32:Unruy-G (avast), Trojan.Siggen1.30114 (DrWeb), Crypt.VUB (AVG), Win32/TrojanDownloader.Unruy (Nod32), TR/Vilsel.aejm (AntiVir), Trojan-Clicker.Win32.Cycler (Kaspersky)
Whistler Bootkit is a new class of malware (a bootkit), described as the evolution of the conventional rootkit, that attacks every version of Windows from 2000 up to the recent Server 2008 and Windows 7 (32 and 64 bit), adding more complex capabilities such as the ability to infect the Master Boot Record.
Whistler Bootkit lodges itself in the MBR (Master Boot Record), which is responsible for telling the system which file to load at the start of the boot process; this lets it start or hide other malware before the operating system itself is loaded.
Once Whistler Bootkit infects a machine it can remain completely hidden and dormant, showing no symptom whatsoever, and so goes unnoticed by antivirus and anti-rootkit programs as well as by the user.
Symptoms for detecting "Whistler Bootkit"
  • The PC volume lowers by itself.
  • The "Wave" slider in the sound mixer lowers by itself.
  • Several iexplorer.exe processes start up and consume resources.
  • Advertising windows (popups) open continuously.
  • The computer starts playing music on its own, without our consent.
To remove
MBRCheck.exe
CCleaner
MalwareBytes Antimalware
Removing Whistler Bootkit:
  1. Run MBRCheck.exe again as indicated above.
  2. When you see "Enter 'Y' and hit ENTER for more options, or 'N' to exit", press 'Y' and then "Enter".
  3. MBRCheck will display three options:
    [1] Dump the MBR of a physical disk to file
    [2] Restore the MBR of a physical disk with a standard boot code
    [3] Exit
  4. At "Enter your choice" press '2' and then "Enter".
  5. MBRCheck will ask "Enter the physical disk number to fix (0-99, -1 to cancel):"; enter the number shown after the word "PhysicalDrive", which in this case would be '0', and press "Enter".
  6. In the next step MBRCheck will show the available MBR codes, followed by a list of operating systems.
  7. Enter the number ----- corresponding to your OS and press "Enter".
  8. You will be asked to confirm before continuing: type "Yes" and press "Enter".
  9. Close the program and restart your computer.
  10. After restarting, run MBRCheck.exe again to confirm that your system is free of bootkits and to see your correct MBR.
  11. Update and run MalwareBytes' Antimalware, removing everything it detects.
  12. Run CCleaner to clean cookies, temporary files and the Registry. Use it according to its manual.

====================================
Source
Often, viruses are very tricky and infect your MBR (Master Boot Record). This is pretty annoying, so let’s find out how to check the MBR for virus infections and how to remove the MBR virus.
How to check MBR for Viruses

The master boot record contains the primary partition table, which makes it a very important disk record. Code in the MBR (Master Boot Record) is executed automatically at boot, which is why the MBR is often the target of viruses. Some viruses will keep coming back unless you remove them from the MBR.
1. Repair Corrupt / Broken MBR
If your MBR is corrupt or broken, you can often fix it easily by running a few Windows commands. See the end of this post.
2. Check MBR for viruses
Geekstogo.com provides a useful tool called MBRCheck, which will scan your MBR for any viruses. You should do this if you think your MBR might be infected.
Download MBRCheck.exe
After downloading MBRCheck.exe, stop all your security programs, run it and confirm all UAC prompts. You can run this while you are logged into Windows or if you can’t log in, do this either via safe-mode with command prompt or system repair tools (boot from Windows 7 DVD, repair, run command prompt).
Check MBR for Viruses
My MBR looks fine: it detected the Windows 7 and Windows XP MBR code that is required to boot the operating system. If MBRCheck.exe finds a virus it will display it and you can proceed with removing the virus. However, if you need further advice, you can post the .log file that will be added to your desktop if MBRCheck.exe finds a virus.
==============================
Cannot run mbrcheck.exe
Source
  • Download TDSSKiller and save it to your Desktop.
  • Unzip the folder (Right Click > Extract to your Desktop).
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.
Then download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • Vista and Windows 7 users right click the icon and choose "Run as administrator".
  • Click the Scan button to start scan.
  • When it finishes, press the Save log button, save the logfile to your desktop and post its contents in your next reply.
-------------------------------------------
Download the program GMER from the link below to the Desktop:
http://www2.gmer.net/download.php
Double-click to run GMER.

  • Wait until the initial scan is complete; if any prompt appears, click No;
  • Click Scan and wait until the scan is complete;
  • Click Save... and save the report to the Desktop (save as Gmer log1);
  • Right-click in the GMER window and choose Options > Only non MS files, then click Scan;
  • After the short scan, click Save... and save the report to the Desktop (save as Gmer log2);
  • Click >>> and choose the Autostart tab;
  • After the short scan, click Copy;
  • Open Notepad, paste the copied text, and save the report to the Desktop (save as Gmer log3).
    Attach all three reports to the message by using the Attach file option.
    ---------------------
    Download AVZ Antiviral Toolkit from the following link:
    http://devbuilds.kaspersky-labs.com/devbuilds/AVZ/avz4.zip
    Extract the archive to a folder.
    • Run AVZ (double-click the icon);
    • In the menu choose File > Standard Scripts;
    • In the window that opens, check script 2 and click Execute Selected Scripts;
    • Click Yes;
    • After the scan you will get a notice: Script Executed;
    • Quit the program.
  Upload the file virusinfo_syscheck.zip from the AVZ\log folder to the forum.
---------------------
After repair, you can remove the tools
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
...............
It is necessary to uninstall the AVZ Antiviral Toolkit  .
  • Run  AVZ  (double click on icon);
  • In the menu choose File> Standard Scripts ;
  • In the window that opens check the 6 and click Execute Selected Scripts;
  • Click Yes ;
  • After the procedure you will receive notification: Script Executed ;
  • Quit the program and delete the folder where the program is extracted.
That's it.
==============================
You may also try to repair your system with the SFC command:
* Locate your Windows XP installation CD
* Go to Start, then to Run, and type in "SFC.EXE /SCANNOW" (without the quotes - and with a space between the SFC.EXE and the /SCANNOW).
* Press Enter.
* The program may (or it may not) ask you for your Windows XP installation CD - please insert it at the prompt. If it doesn't ask you for the CD this means that it wasn't necessary to replace any files.
* In the event that the system asks you for the CD, you must visit Windows Update immediately after the scan is completed (please note that there won't be any confirmation dialog; the program will just exit without telling you anything).
Info:
http://www.updatexp.com/scannow-sfc.html
-------------------
Fixing the MBR
If you decide to fix the MBR, I recommend that you make a backup before you continue.

Run MBRCheck.exe again in safe mode by double-clicking on it.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option 2 (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter 1 and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below:
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:
  • Please select your version of Windows from the list and enter the corresponding number and then press Enter.
    ( Enter 0 for DefaultMBR or 1 for Windows XP MBR )
  • When prompted for confirmation: "Do you want to fix the MBR code?". Type the full word Yes (not Y or the fix will not work) and press Enter.
  • Left-click on the title bar (where program name and path is written).
  • From the menu chose Edit -> Select All.
  • Press the Enter key to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.
.................................................
Important Note: The Master Boot Record contains the Partition Table for the hard disk and a little executable code for the boot start. While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the MBR, which may cause the computer not to boot up or may corrupt a partition.
================
The following are signs of a damaged MBR:
  • Invalid Partition Table
  • Missing Operating System
  • Error loading operating system
If it is the worst case scenario, and your computer cannot boot, please take note of the following:

Please have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the XP Recovery Console before proceeding with the above fix. Then, if any problems occur, the links below explain how to use and repair the MBR:

    How to use the Recovery Console
    How to fix MBR in Windows XP and Vista
    How to repair MBR in Windows 7
    Fix MBR – Operating system not found
    1. Start the PC, insert the Windows 7 DVD and hit a key when asked to. You may have to change your boot order to boot from DVD!
    2. Click on "Repair your computer" (screenshot: Windows 7 Repair your computer).
    3. The installer will scan your PC for previous Windows installations (screenshot: Windows 7 System Recovery Options). Select the operating system.
    4. Click on Command Prompt (screenshot: Windows 7 System Recovery Command Prompt) and run:
    bootrec.exe /fixmbr

    Fix MBR (Operating system found/logged on)
    1. On boot up press F8 and select “Repair your computer”.
    2. Next, Windows 7 will automatically search for errors. Let it check for errors and when it’s done close the window. At the bottom you will see the “Command Prompt” tool. Click on it.
    3. Enter the command
    bootrec.exe /fixmbr
    --------------------------------------------
     bootrec.exe /FixMbr
     bootrec.exe /FixBoot
     bootrec.exe /ScanOs
     bootrec.exe /RebuildBcd 
    Instalaciones de Windows examinadas correctamente. Total de instalaciones de Windows identificadas:0
    La operación se completó correctamente.
    There is one additional set of steps that will be required if bootrec /fixboot fails with the error message "the volume does not contain a recognized file system." In my case, this occurred because no partition was marked as active. The solution was to fire up diskpart from the same command prompt and mark the volume that had my OS as active:
    diskpart
    list volume (to identify the disk and partition that is NTFS formatted and has the OS)
    select disk 0 (the disk with Windows)
    select partition (the partition with Windows)
    active
    exit
    (Then perform the bootrec tasks)
    The /fixboot option apparently works by looking for the active partition for guiding the change that it makes to the boot record. In the case of linux/unix dual boots, the Windows partition is no longer marked active, hence the failure.
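The three facts this page relies on (the MBR carries the partition table, its boot code runs before the OS, and bootrec /fixboot needs an active partition) can be checked offline against a 512-byte MBR image. The script below is an added example, not code from the blog post or from MBRCheck: it verifies the 0x55AA signature, decodes the four primary partition entries, reports the active-flag state that makes /fixboot fail, and compares the 440-byte boot-code region against a set of known-good SHA-256 hashes. The sample images, the boot-code bytes and the baseline hash set are all constructed for the demo; a real baseline must come from a trusted dump of a clean disk.

```python
"""Offline MBR sanity checker (added example, not code from the blog post).

Reads a 512-byte MBR image, verifies the 0x55AA boot signature, decodes the
four primary partition entries, reports which one is marked active, and
compares the 440-byte boot-code region against known-good SHA-256 hashes.
All sample images below are constructed by hand; the baseline hash set is a
demo placeholder that in practice comes from a trusted dump of a clean disk.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code precedes the 4-byte disk signature at 440..443
PART_TABLE_OFFSET = 446        # four 16-byte partition entries at 446..509
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count

PART_TYPES = {0x00: "empty", 0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux"}


def build_sample_mbr(boot_code, entries):
    """Assemble a synthetic MBR from boot code and (status, type, lba, sectors) tuples."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, sectors) in enumerate(entries):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # CHS fields are filled with 0xFF, as LBA-only partitioning tools do
        struct.pack_into(ENTRY_FMT, mbr, off, status, b"\xff" * 3, ptype, b"\xff" * 3, lba, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Decode signature, boot-code hash and the partition table of a 512-byte image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "type_name": PART_TYPES.get(ptype, "0x%02x" % ptype),
                           "lba_start": lba, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == BOOT_SIGNATURE,
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr, known_good_hashes):
    """Return the findings a defender should act on (an empty list means nothing suspicious)."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("signature: 0x55AA boot signature missing, MBR damaged or not an MBR")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code: does not match any known-good baseline, "
                        "compare with a clean image before trusting this disk")
    active = [p for p in info["partitions"] if p["active"]]
    if not active:
        findings.append("partition table: no partition marked active, bootrec /fixboot may "
                        "report 'the volume does not contain a recognized file system'")
    elif len(active) > 1:
        findings.append("partition table: more than one active partition, table is invalid")
    return findings


# --- constructed demo data (placeholder bytes, not real boot code) -------------
CLEAN_BOOT_CODE = b"CONSTRUCTED-CLEAN-BOOT-CODE".ljust(BOOT_CODE_LEN, b"\x00")
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}   # stands in for a trusted baseline

LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)]   # NTFS active + Linux
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, LAYOUT)
# same layout, but the first bytes of the boot code were overwritten
TAMPERED_MBR = build_sample_mbr(b"TAMPERED" + CLEAN_BOOT_CODE[8:], LAYOUT)
# clean boot code, but no partition carries the active flag (the /fixboot failure case)
NO_ACTIVE_MBR = build_sample_mbr(CLEAN_BOOT_CODE,
                                 [(0x00, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)])

if __name__ == "__main__":
    for name, image in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("no-active", NO_ACTIVE_MBR)]:
        print(name, check_mbr(image, KNOWN_GOOD) or ["OK"])
```

To run it against a real disk, read the first 512 bytes of the raw device with administrator or root rights (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux) and pass them to `check_mbr`; the script only reads, it never writes to the disk. The known-good hash set is what lets the check tell a standard Windows loader from an unknown one, so it should be built from a dump taken before any problem appeared, or from a freshly written standard boot code, and kept off the machine being examined.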
    ============================
    Diskpart commands: support.microsoft.com/kb/300415/es.
    Recovering the Windows 7 boot:
    First, boot from the Windows 7 DVD.
    Select the language and click Install.
    On the welcome screen select the Repair option and then Command Prompt.
    In the command console run these 3 commands one at a time; they are explained below:
    bootrec /fixmbr
    bootrec /fixboot
    bootrec /rebuildbcd

    Bootrec is a boot repair tool that can only be run from the recovery console.
    The first command rebuilds the MBR so that it uses the Windows 7 boot manager.
    The second tells the boot sector where to find the BCD boot loader (\bootmgr).
    The last command rebuilds the BCD information from scratch and is very useful for recovering a corrupted Windows 7 partition.
    ===========================
    http://bandaancha.eu/tema/1659506/desesperado-bootmgr-is-missing-w7
    ===========================
    Rescue of Windows XP after installing Ubuntu and formatting a 2nd hard disk.
    Insert a Windows XP installation CD and select booting from the disc.
    Press "R" to repair.
    At the MS-DOS prompt, enter 1, then type:
    fixmbr
    y
    fixboot
    y
    exit (auto restart)
