FSIS11 Rootkit.MBR.Whistler.A

FSIS11 is identifying my computer as having two hard drives with rootkit issues. I tried using the Rescue CD and it would identify my two drives with the issue, but it wouldn't actually fix anything on them. How do I get this resolved? Is this just a recently created false positive?

The two drives in question don't even have Windows on them from what I could tell based on partition size. My C: is 500GB and the two drives that the Rescue CD said had MBR malware were 1000TB drives which are my data drives. How do I get them cleaned? Thanks.

Comments

  • MJ-perComp Posts: 1,098 Superuser

    Hi,

    So if these drives do not have Windows on them, why do you scan them with a Windows AV?

    What DO they have on them?

    What are they formatted with: NTFS, Ext2, FAT?


  • cvax Posts: 20

    Hi,

    It is NTFS and just pure data. No Windows OS, but just stuff in there like MP3s, videos, photos, etc.

  • MJ-perComp Posts: 1,098 Superuser

    So why do you think it is infected?

    Do you have a report?

    What options did you use to scan?

  • cvax Posts: 20

    I didn't run any scan. In fact, all scans I run don't pick up anything.

    How I know is that when I turn on my computer and it is sitting on the logon screen for Windows 7, F-Secure just pops up a message saying:

    Malicious code found in Master Boot Record of disk MBR (0x82)

    Infection: Rootkit.MBR.Whistler.A (Boot image)


    It will give me two popups, one each for 0x82 and 0x80. I suspect those are my physical drive #s 0 and 2. Running MBRCheck confirms those two drive #s with Whistler in the boot record, but neither F-Secure nor MBRCheck is capable of cleaning it.

    When I ran the Rescue CD for F-Secure it scanned and confirmed the same hard drives with these messages:

    MasterBootRecord of sdc is infected with MBR malware

    MasterBootRecord of sdb is infected with MBR malware


    Since then someone has recommended I give Hiren's BootCD a try and repair the MBR records of the drives with that. I originally tried to rebuild with Windows 7 Recovery console commands of bootrec /fixmbr but that doesn't work because it doesn't let me choose a target hard drive.

  • Kimmo Posts: 6 Former F-Secure Employee

    MBR-infecting malware typically enumerates all hard drives and external devices and then writes the malicious MBR code to the first sector of each drive it finds. This explains why your other drives are also infected.

    Does FSIS11 report any Rootkit.MBR.Whistler.A detections from your primary hard disk which runs your Operating System? We will get back to you soon with more information on how to proceed.
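Kimmo's point that MBR malware writes the same code to sector 0 of every drive it can reach suggests a simple cross-drive check. The Python below is an added example (not F-Secure's or the forum's code): it parses sector 0 of each disk into boot code, partition table and 0x55AA signature, then reports boot code that is absent from a known-good baseline and shared by two or more disks. The disk images and both boot-code byte strings are constructed placeholders, and the baseline set is assumed to come from a trusted installation.

```python
import hashlib
import struct

MBR_SIZE, BOOT_CODE_LEN, PART_TABLE_OFF = 512, 446, 446

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector 0 into boot code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 means the slot is unused
            parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:] == b"\x55\xaa",
    }

def shared_unknown_boot_code(mbrs: dict, known_good: set) -> dict:
    """Group disks by boot-code hash and return the groups whose code is not in the
    known-good baseline and appears on two or more disks (the write-to-every-drive pattern)."""
    groups = {}
    for dev, sector in mbrs.items():
        groups.setdefault(parse_mbr(sector)["boot_code_sha256"], []).append(dev)
    return {h: sorted(devs) for h, devs in groups.items() if h not in known_good and len(devs) > 1}

def build_mbr(boot_code: bytes, entries=()) -> bytes:
    """Constructed helper: assemble a test MBR from boot code and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + b"\x55\xaa"

# Constructed samples, not real boot code: GOOD stands in for the stock loader, EVIL for replaced code.
GOOD = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
EVIL = b"\xfa\x31\xc0\x8e\xd8" + b"\xcc" * 40
SAMPLE_DISKS = {
    "sda": build_mbr(GOOD, [(0x80, 0x07, 2048, 1024000)]),  # OS disk, bootable NTFS, stock code
    "sdb": build_mbr(EVIL, [(0x00, 0x07, 2048, 2048000)]),  # data disk, boot code replaced
    "sdc": build_mbr(EVIL, [(0x00, 0x07, 2048, 2048000)]),  # data disk, same replaced code
    "sdd": build_mbr(GOOD, [(0x00, 0x07, 2048, 2048000)]),  # data disk, stock code
}
BASELINE = {hashlib.sha256(GOOD.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()}  # assumed trusted hashes

if __name__ == "__main__":
    for h, devs in shared_unknown_boot_code(SAMPLE_DISKS, BASELINE).items():
        print(f"boot code {h[:16]}... shared by {devs}: not in baseline, inspect before rewriting")
```

On a real system the 512-byte sectors would be read from a clean boot environment (as Kimmo suggests, a Linux live CD/USB), since a running rootkit can hide its own MBR from the infected OS.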

  • cvax Posts: 20

    Hi Kimmo,

    I have 4 physical hard drives. The MBR was detected on two of my drives, but not all 4. The one with the OS is not detected as infected.


    Please note that my OS drive is not the first physical hard drive of my computer. Not sure if that makes a difference. The OS is on drive 1 instead of drive 0. The 0x80 and 0x82 identify my drives impacted. 0 and 2 are infected while 1 and 4 are not detected as infected.


    Since then I have tried some DOS tools to wipe MBR and rewrite a new MBR on it. It seems to have worked, but nothing from Windows seemed to work.

  • cvax Posts: 20

    I am just not sure how FSIS11 did not detect what would have caused this MBR virus to begin with.

  • Kimmo Posts: 6 Former F-Secure Employee

    If the operating system is infected with MBR malware it is typically not possible to see the malicious MBR because the rootkit is protecting it. It seems that in your case the existence of the rootkit was revealed because it did not protect your external hard drives.

    Currently IS2011 is not able to detect or remove the most advanced MBR rootkits. The good news is that we have a solution ready and we are doing final tests before we release it to the update channels. When the update is ready, all IS2011 users will automatically get the new solution.

    If you want confirmation that you are no longer infected with the Whistler rootkit, we need to get some raw sectors from your system by using a bootable Linux CD/USB. If you wish, we can provide detailed instructions on how to proceed.

  • cvax Posts: 20

    Hi Kimmo,

    I am indeed willing. Thanks.

  • Is there an update for IS2011 yet?

  • Geraldine Posts: 1 Former F-Secure Employee

    Hi Cvax,

    Can you kindly create a support case so that we can work on this further?

    http://www.f-secure.com/en/web/business_global/support/contact/request


    You should receive an auto-reply with a 'SR-ID', just let us know the id once you have it.

    Thanks,

    Geraldine

  • cvax Posts: 20

    Sorry for the delay.

    SR ID:1-480698223
