
Trojan in master boot record, please help

How do I make a bootable flash drive so I can clean the boot record, something the computer will run before it reads the hard drive? I really don't want to reformat and reinstall Windows to deal with this. zonedogg@verizon.net

  • Hi,

    Just for interest, what's the host OS that's infected?

    Matt

  • Apart from that - what exactly has been found? Most analyses refer you to Disinfecting master boot record viruses that store the boot sector and disinfection might be possible using SAV32CLI.EXE.

    Christian

  • You're ahead of me Christian,

    Was thinking also that maybe a fixmbr (XP) or Windows Vista/7 boot fix could easily clear up the MBR (replacing rather than fixing), but need to be sure the infection won't just return.

    Matt

  • How does one tell if they have a trojan in the MBR?

    I recently got the "Security Tools" virus. I stopped the random-number processes via Task Manager, deleted all the random-number folders, etc., I could find, searched the registry, and tried to run Sophos.

    Sophos only ran to 2% and always stopped on D:\System Volume Information\...\*., despite leaving it running for 36 hours. I ran "Spybot" and got rid of everything it detected, uninstalled Sophos, restarted the computer, downloaded a fresh copy of Sophos, did a clean install, and scanned again. Still only running to 2% and still hanging up around the same location.

    Sophos insists that I talk to the UC tech support people, who say either reinstall the OS (which I really, really, really don't want to go through) or pay them $75 an hour.

    Any advice would be greatly appreciated!

    P.S. Thinking of trying the 'fixmbr' command, but how do I find the device name? "map" is not recognized in a command prompt.

  • Hi weschrist,

    Are you able to slave the HD in another system and scan the drive from a known clean machine?

    Matt

  • At this point, I'm not sure. The only way I know how to do that would be to get hold of an external HD case, remove the HD from my laptop, and plug it into my parents' machine. I suppose I will look around for an external case today... good suggestion.

    Does it matter that D: and C: are partitions on the same drive?  C: holds the OS and most programs, D: holds the data.

  • Hi,

    No, partitions just become additional drives on the new machine. I'd suggest using a USB adapter rather than a case since it'll be cheaper and more useful in future for checking any other units. They usually only cost around £10-£15 and are readily available from e.g. Amazon. Not sure what country you're in, so it's difficult to suggest where to buy.

    Alternatively, I use a second AV product for sub-scanning. Spybot to me is too verbose and wastes too much time involving itself in unnecessary areas. A better tool I would suggest is the free version of Prevx, www.prevx.com. Download it (it's tiny!), install and run it. The free version won't fix much, but will give you an in-depth analysis of what's found and where it found it very quickly. Using a DOS prompt, you can rename running DLL or SYS files and then reboot and delete them. Once done, you may be able to then run a full Sophos sweep. I'd still advise slaving the drive and running a full Sophos scan anyway when you've the ability to do so, but Prevx might get you out of a hole quickly.

    Matt

  • Thanks for the advice. Unfortunately, Sophos won't even work with a right-click scan on the Prevx download.

    I ran Prevx anyway... against my better judgement... and it says my system is clean.

  • OK, the issue here may just be that the Sophos install is damaged rather than anything more sinister. Have you tried uninstalling Sophos completely, running a Sophos cleanup (remsav) and then reinstalling?

    Matt

  • I don't have remsav, but I do have AVremove.exe and AVremoveW.exe in the Sophos/crt folder...
