Wednesday, December 14, 2011

Get rid of WIN32:MBRootkit, a bootkit that competes with the OS on equal terms

WIN32:MBRootkit (Win32 MB Rootkit) is typically bundled with legitimate free software, usually without the knowledge of the publisher or of the site offering the download. Nothing in its design ties it to that vector, though: the same dropper can arrive by any other route.
Once on the victim machine its integration point is fixed: the rogue writes itself into the Master Boot Record (MBR). Code in the MBR runs when the machine boots, before the Windows loader and kernel, so the bootkit starts before any defence the OS can mount, can interfere with the system as it loads, and is invisible to scanners that only look inside the running OS. In effect it runs a small system of its own beneath the one installed to serve the user.
Removal of WIN32:MBRootkit is mandatory already because of the way it embeds itself. Its payload is unpleasant too: it intercepts incoming and outgoing browser traffic on the infected machine and mines it for credentials such as usernames and passwords.
A removal scan therefore has to cover both the running OS and the MBR; deleting only the in-OS components leaves the rival system in the boot sector intact.

Manual removal directions:
 Delete files:
 Delete registry entries:
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'ah'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%LocalAppData%\.exe" -a "%1" %*
HKEY_CURRENT_USER\Software\Classes\ah "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\ah "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\ah\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\ah\shell\open\command "(Default)" = "%LocalAppData%\.exe" -a "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%LocalAppData%\.exe" -a "%1" %*
HKEY_CLASSES_ROOT\ah\shell\open\command "(Default)" = "%LocalAppData%\.exe" -a "%1" %*
HKEY_CLASSES_ROOT\ah\shell\open\command "IsolatedCommand"

These entries do not touch the MBR; they hijack the .exe file association for the current user. The .exe extension is pointed at a rogue ProgID, ah, whose open command launches the dropper in %LocalAppData% with the program the user actually requested passed along as "%1" %*, so every executable started by that user runs through the malware first while still appearing to work. HKEY_CURRENT_USER\Software\Classes takes precedence over HKEY_LOCAL_MACHINE in the merged HKEY_CLASSES_ROOT view, so the HKEY_CLASSES_ROOT entries above are the same keys seen through that view and disappear once the HKEY_CURRENT_USER keys are deleted. Delete the per-user .exe key first (so that .exe falls back to the machine-wide default at once) and then the ah key, and check afterwards that .exe resolves to the Windows default ProgID exefile with open command "%1" %*, or executables will no longer launch. Because the bootkit lives in the MBR, these steps only remove its in-OS component; the boot sector has to be rewritten separately (bootrec /fixmbr from the Windows Recovery Environment) or cleaned by a tool that scans the MBR.
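As an added example, not code from the original post, the PowerShell below audits the association chain the registry entries above describe (.exe, its ProgID, the shell\open\command of each) in both the user and machine hives, and offers a guarded removal of the per-user override. It assumes the Windows defaults (the .exe extension resolving to the exefile ProgID whose open command is "%1" %*) and the standard HKCU: and HKLM: drives; the function names are my own.

```powershell
# Added example, not from the original post. Audits the .exe file association for
# the per-user hijack listed above and, on request, removes it. Assumptions: the
# clean-system defaults are ProgID 'exefile' with open command '"%1" %*'; the
# function names are the example author's own. Run from an elevated prompt.

function Get-RegistryDefault {
    param([string]$Path)
    # "(Default)" value of a registry key, or $null when the key does not exist.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-ExeAssociationHijack {
    # Walks .exe -> ProgID -> shell\open\command in both hives and returns one
    # object per value that deviates from the clean-system defaults.
    $expectedCommand = '"%1" %*'
    $findings = @()

    foreach ($hive in 'HKCU', 'HKLM') {
        $classes = "${hive}:\Software\Classes"
        $progId  = Get-RegistryDefault "$classes\.exe"

        if ($hive -eq 'HKCU' -and $null -ne $progId) {
            # HKCU\Software\Classes overrides HKLM in the HKEY_CLASSES_ROOT view and
            # carries no .exe class on a clean install: its presence is the fingerprint.
            $findings += [pscustomobject]@{
                Key = "$classes\.exe"; Value = $progId; Reason = 'per-user .exe ProgID override'
            }
        }
        if ($hive -eq 'HKLM' -and $progId -ne 'exefile') {
            $findings += [pscustomobject]@{
                Key = "$classes\.exe"; Value = $progId; Reason = 'machine-wide .exe ProgID is not exefile'
            }
        }
        if ($null -eq $progId) { continue }

        # A hijacked command wraps "%1" in another executable instead of running it directly.
        foreach ($cmdKey in "$classes\.exe\shell\open\command", "$classes\$progId\shell\open\command") {
            $cmd = Get-RegistryDefault $cmdKey
            if ($null -ne $cmd -and $cmd -ne $expectedCommand) {
                $findings += [pscustomobject]@{
                    Key = $cmdKey; Value = $cmd; Reason = 'open command does not run "%1" directly'
                }
            }
        }
    }
    return $findings
}

function Remove-ExeAssociationHijack {
    # Deletes the per-user override (.exe first so launches fall back to the
    # machine-wide default at once, then the rogue ProgID) and re-asserts the
    # machine-wide defaults so .exe files keep working. Honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $userClasses = 'HKCU:\Software\Classes'
    $progId = Get-RegistryDefault "$userClasses\.exe"
    if ($null -ne $progId) {
        foreach ($key in "$userClasses\.exe", "$userClasses\$progId") {
            if ((Test-Path -LiteralPath $key) -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
                Remove-Item -LiteralPath $key -Recurse -Force
            }
        }
    }
    # Assumes the exefile key exists, as it does on any Windows installation.
    if ($PSCmdlet.ShouldProcess('HKLM:\Software\Classes\.exe', 'Restore exefile defaults')) {
        Set-Item -LiteralPath 'HKLM:\Software\Classes\.exe' -Value 'exefile'
        Set-Item -LiteralPath 'HKLM:\Software\Classes\exefile\shell\open\command' -Value '"%1" %*'
    }
}

# Usage: inspect first, then rehearse the removal before committing to it.
Test-ExeAssociationHijack | Format-Table -AutoSize
Remove-ExeAssociationHijack -WhatIf
```

Two caveats when running it on an infected machine. While the hijack is in place every .exe the user starts, powershell.exe included, is launched through the dropper in %LocalAppData%, so run the script from an account that does not carry the HKEY_CURRENT_USER override or after the dropper process has been stopped. And the script only cleans the in-OS persistence; it does not read or rewrite the MBR, which still has to be handled with a boot-sector scan or bootrec /fixmbr from the Windows Recovery Environment.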
