Bootkit Remover version 1.1
Copyright 2009-2010 eSage Lab
http://www.esagelab.com
support@esagelab.com

This is an antivirus tool providing generic detection and disinfection of
so-called bootkits (such as Sinowal/Mebroot/MaosBoot, Stoned Bootkit, Black
Internet etc.)

A bootkit is a program that alters the Master Boot Record (MBR) to ensure
persistent execution of malicious code. In some cases a bootkit will also try
to avoid detection by hiding its own code in the MBR. Bootkit Remover is
capable of detecting malicious boot code (both explicit and hidden) installed
by all kinds and modifications of bootkits. Infected boot code can then be
fixed and/or dumped.

*** ATTENTION!

While fixing the MBR is generally safe, there is a small risk of damaging the
system. Use the tool at your own risk! In case of any damage caused to the
system, boot from your Microsoft Windows installation CD, go to the Recovery
Console, and run the fixmbr command.

About the Recovery Console:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/bootcons_fixmbr.mspx?mfr=true

About the fixmbr command:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/bootcons_fixmbr.mspx?mfr=true

*** FEATURES

1. Easy detection and cleaning of all MBR-infecting malware seen in the wild,
   including all versions of the Sinowal trojan, as well as of yet unknown
   bootkits.
2. Supported OS: x86 and 64-bit editions of Microsoft Windows XP, Server 2003,
   Vista, Server 2008, Windows 7 (RC1, RTM). Windows 2000 is not supported by
   design.
3. User mode only. No drivers or undocumented system features.
4. Requires Administrator privileges to run.

*** USAGE

The tool should be run from a command line with Administrator privileges.

1. To verify that the system root drive MBR is clean:

   > remover.exe

   Scanning should complete in a couple of milliseconds. Possible verdicts:

   OK (DOS/Win32 Boot code found) - MBR boot code is clean.
   Unknown boot code - MBR boot code is modified. In practice this
     corresponds to either an active bootkit infection or a custom boot
     manager installed (such as GRUB).
   Controlled by rootkit! - a bootkit with self-hiding capabilities is
     detected.

2. To check a custom drive:

   > remover.exe check

   ... where the argument following 'check' is the target physical drive
   name (ex. \\.\PhysicalDrive0).

3. To restore the original boot code:

   > remover.exe fix

   ... where the argument following 'fix' is the target physical drive name
   (ex. \\.\PhysicalDrive0).

4. To dump the MBR boot code to the console or to a file:

   > remover.exe dump [output_file]

   ... where [output_file] is an optional file name to save the dump to.

*** VERSION HISTORY

22.07.2010: version 1.1
  - Now only the system root drive is checked by default
  - Added option 'check' to analyze custom volumes
  - Added logfile "bootkit_remover_debug_log.txt"

03.10.2009: version 1.0.0.3
  - Initial release
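The three verdicts listed under USAGE, illustrated by an added Python example that is not Bootkit Remover's own code: sector 0 is split into boot code, partition table and boot signature, the boot code digest is compared against an allowlist of known-clean loaders, and a second, independent read of the same sector is used as a cross-view check for a bootkit that hides its code. The clean boot code bytes, the digest set and the sample MBRs are constructed stand-ins.

```python
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512                  # sector 0 of the physical drive
BOOT_CODE_LEN = 446             # bytes 0..445 hold the executable boot code
PART_TABLE_OFF = 446            # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR

# Constructed stand-in for the stock Windows boot code (a generic relocation stub
# padded with zeros); a real tool ships digests of the genuine DOS/Win32 loaders.
CLEAN_BOOT_CODE = bytes.fromhex(
    "33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4").ljust(BOOT_CODE_LEN, b"\x00")
KNOWN_CLEAN_DIGESTS = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}

def build_mbr(boot_code: bytes, partitions=()) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) entries."""
    table = b"".join(struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, n)
                     for status, ptype, lba, n in partitions)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + table.ljust(64, b"\x00") + BOOT_SIGNATURE)

def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into boot code, non-empty partition entries and boot signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):   # status(1) CHS(3) type(1) CHS(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature": sector[MBR_SIZE - 2:]}

def classify(visible: bytes, raw: Optional[bytes] = None) -> str:
    """Verdict for sector 0 as the OS shows it; `raw` is an optional second, independent
    read of the same sector, so a disagreement exposes a bootkit hiding its code."""
    mbr = parse_mbr(visible)
    if raw is not None and raw[:BOOT_CODE_LEN] != mbr["boot_code"]:
        return "Controlled by rootkit!"
    if mbr["signature"] != BOOT_SIGNATURE:
        return "Unknown boot code"       # not even a valid MBR signature
    if hashlib.sha256(mbr["boot_code"]).hexdigest() in KNOWN_CLEAN_DIGESTS:
        return "OK (DOS/Win32 Boot code found)"
    return "Unknown boot code"           # modified loader: bootkit or custom boot manager
```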