Rootkit: hidden boot sector


Rootkit: hidden boot sector

Post by AdkWoody on Wed 11 May 2011, 1:59 pm

First topic message reminder :

Hello all. I have a friend's computer that I'm working on trying to remove this pesky thing. File name is MBR:\\.\PHYSICALDRIVE0 and the Rootkit name is Rootkit: hidden boot sector. Avast has picked it up every time and says it has deleted it every time. I have even done a boot scan, it caught it, said it got rid of it, did another scan after start up and it said nothing found. Not a half hour later, Avast says it found the rootkit again. There is no restore point to go from since my friend never created one and earlier today was the most recent. Malwarebytes comes up clean, and housecall.trendmicro.com comes up clean. There is no boot disk or Windows disk to load to wipe it clean. I do have the application DVD and the drivers and utilities DVD. Is there anything I can do to fix this with what I have?

AdkWoody

Rookie Surfer

Posts: 63
Joined: 2010-08-17
Operating System: Windows 7 Home Premium 64-Bit



Re: Rootkit: hidden boot sector

Post by AdkWoody on Sat 14 May 2011, 4:48 am

I hope I did it right this time! If not, let me know what to do. It did restart while in the middle of it, but ComboFix came right back up and said it was creating the boot log. Not sure if it was intentional on the program's part, or the rootkit trying to protect itself again.

AdkWoody

Rookie Surfer

Posts: 63
Joined: 2010-08-17
Operating System: Windows 7 Home Premium 64-Bit


Re: Rootkit: hidden boot sector

Post by Crush on Sat 14 May 2011, 4:53 am

Yes. Looks good. How are things running?

Crush

Tech Officer

Posts: 3889
Joined: 2010-01-28


Re: Rootkit: hidden boot sector

Post by AdkWoody on Sat 14 May 2011, 5:17 am

About 5 min after I booted back up into normal mode, the rootkit came up again in the grasp of Avast... even though Avast was shut off permanently through this process and I hadn't turned it back on yet. Same thing. I just shut the computer down to await further instructions.

AdkWoody

Rookie Surfer

Posts: 63
Joined: 2010-08-17
Operating System: Windows 7 Home Premium 64-Bit


Re: Rootkit: hidden boot sector

Post by Crush on Sat 14 May 2011, 5:50 am


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.

Crush

Tech Officer

Posts: 3889
Joined: 2010-01-28


Re: Rootkit: hidden boot sector

Post by AdkWoody on Mon 16 May 2011, 1:47 am

2011/05/15 11:44:56.0118 1900 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/15 11:44:56.0149 1900 ================================================================================
2011/05/15 11:44:56.0149 1900 SystemInfo:
2011/05/15 11:44:56.0149 1900
2011/05/15 11:44:56.0149 1900 OS Version: 6.1.7600 ServicePack: 0.0
2011/05/15 11:44:56.0149 1900 Product type: Workstation
2011/05/15 11:44:56.0149 1900 ComputerName: CHRISTINE-PC
2011/05/15 11:44:56.0149 1900 UserName: Christine
2011/05/15 11:44:56.0149 1900 Windows directory: C:\Windows
2011/05/15 11:44:56.0149 1900 System windows directory: C:\Windows
2011/05/15 11:44:56.0149 1900 Running under WOW64
2011/05/15 11:44:56.0149 1900 Processor architecture: Intel x64
2011/05/15 11:44:56.0149 1900 Number of processors: 2
2011/05/15 11:44:56.0149 1900 Page size: 0x1000
2011/05/15 11:44:56.0149 1900 Boot type: Normal boot
2011/05/15 11:44:56.0149 1900 ================================================================================
2011/05/15 11:44:56.0445 1900 Initialize success

AdkWoody

Rookie Surfer

Posts: 63
Joined: 2010-08-17
Operating System: Windows 7 Home Premium 64-Bit


Re: Rootkit: hidden boot sector

Post by AdkWoody on Mon 16 May 2011, 1:52 am

Sorry it took so long. The computer says it had 68 Windows updates that it was configuring on reboot. It was stuck on update 1 for EVER! I turned off the updates for now. Please let me know if there is anything else I should do. I will run a full scan with Avast again to see what it pulls up and let you know. Thanks for all your help Crush. GeekPolice is a life saver for me!

AdkWoody

Rookie Surfer

Posts: 63
Joined: 2010-08-17
Operating System: Windows 7 Home Premium 64-Bit


Re: Rootkit: hidden boot sector

Post by Crush on Mon 16 May 2011, 5:44 am


Crush

Tech Officer

Posts: 3889
Joined: 2010-01-28


Re: Rootkit: hidden boot sector

Post by AdkWoody on Mon 16 May 2011, 10:23 am

Avast picked up a TON more than before when I had it set for high sensitivity and checked all packers. I simply hit Repair then Apply since I couldn't copy and paste that log report and couldn't go to any other window without closing that one first. Once the computer reset, I seemed to have more control over the computer and it seems as though it's back to normal. I then changed all the settings for the full system scan back to normal and that came back clean. I just finished the full round of Windows updates... 73 including the optional security ones. Now I am running another full system scan with the settings back to high and all packers to see what happens. I will let you know if that comes back clean, or if it finds anything.

AdkWoody

Rookie Surfer

Posts: 63
Joined: 2010-08-17
Operating System: Windows 7 Home Premium 64-Bit


Re: Rootkit: hidden boot sector

Post by AdkWoody on Mon 16 May 2011, 12:05 pm

This is what came up on the Avast full system scan with high sensitivity and all packers checked.

File Names Status

C:\...|>_TUProj.dat Error: Archive is password protected
C:\...|>DataSave_Green.ico Error: Archive is password protected
C:\...|>IRIMG1.BMP Error: Archive is password protected
C:\...|>IRIMG1.JPG Error: Archive is password protected
C:\...|>DataSafe_Green.ico Error: Archive is password protected
C:\...|>diff_000001.dif Error: Archive is password protected
C:\...|>diff_000002.dif Error: Archive is password protected
C:\...|>diff_000003.dif Error: Archive is password protected
C:\...|>diff_000004.dif Error: Archive is password protected
C:\...|>diff_000005.dif Error: Archive is password protected
C:\...|>diff_000006.dif Error: Archive is password protected
C:\...|>diff_000007.dif Error: Archive is password protected

I couldn't copy and paste so I had to enter this manually. Under the Status of each one it says "Error: Archive is password protect.." Because I couldn't see it I just filled in the blanks. Before I clicked on the report it said the scan couldn't check all files.

AdkWoody

Rookie Surfer

Posts: 63
Joined: 2010-08-17
Operating System: Windows 7 Home Premium 64-Bit


Re: Rootkit: hidden boot sector

Post by Crush on Tue 17 May 2011, 3:14 am

Those are nothing to worry about. The high sensitivity will produce false positives. The important thing is, is it still picking up the rootkit in the MBR?


Crush

Tech Officer

Posts: 3889
Joined: 2010-01-28


Re: Rootkit: hidden boot sector

Post by AdkWoody on Tue 17 May 2011, 11:01 pm

Awesome! I think it's gone then! What's the MBR? I know that Avast and TDSSKiller both came back clean. Thanks again Crush!

AdkWoody

Rookie Surfer

Posts: 63
Joined: 2010-08-17
Operating System: Windows 7 Home Premium 64-Bit


Re: Rootkit: hidden boot sector

Post by Crush on Wed 18 May 2011, 4:22 am

The Master Boot Record. This infection will produce a detection from Avast similar to what you're stating. Is the detection from the first post gone?

Crush

Tech Officer

Posts: 3889
Joined: 2010-01-28

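For readers who, like AdkWoody, are wondering what Crush means by the Master Boot Record: it is the first 512-byte sector of the disk, holding the bootstrap code, a four-entry partition table and a 0x55AA signature, which is why Avast reports the detection against MBR:\\.\PHYSICALDRIVE0. The Python below is an added example written for this page, not code posted in the thread: it parses those fields and hashes only the bootstrap code, so a drive's current MBR can be compared against a known-good baseline (a bootkit patches the code but leaves the partition table intact). The sample sectors are constructed; `read_physical_mbr` and the `\\.\PhysicalDrive0` path are the only parts that touch a real disk and need administrator rights.

```python
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap code the BIOS jumps into
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE_OFF = 510        # trailing 0x55 0xAA boot signature


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> list:
    """Validate the sector and return its non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4), little-endian
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table is excluded
    because a bootkit patches the code and leaves the table untouched."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def boot_code_changed(sector: bytes, baseline_hash: str) -> bool:
    """True when the bootstrap code no longer matches a trusted baseline."""
    return boot_code_hash(sector) != baseline_hash


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a disk (administrator rights needed on Windows)."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed sample: a trivial bootstrap stub plus one bootable NTFS (0x07) entry.
_entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
CLEAN_MBR = b"\xeb\xfe".ljust(BOOT_CODE_LEN, b"\x00") + _entry + b"\x00" * 48 + b"\x55\xaa"
# Same partition table, but the bootstrap code has been altered, as a bootkit would do.
TAMPERED_MBR = bytes([0x90]) * 16 + CLEAN_MBR[16:]
```

Record `boot_code_hash(read_physical_mbr())` on a known-clean machine and re-run it after a scan: a changed hash with an unchanged partition table is the pattern the Avast detection is describing.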

Re: Rootkit: hidden boot sector

Post by AdkWoody on Thu 19 May 2011, 3:20 am

Yes. All is gone; nothing is being detected. Thank you so much for your help Crush! My friend thanks you too!

AdkWoody

Rookie Surfer

Posts: 63
Joined: 2010-08-17
Operating System: Windows 7 Home Premium 64-Bit


Re: Rootkit: hidden boot sector

Post by Crush on Thu 19 May 2011, 3:55 am

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

====

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Crush

Tech Officer

Posts: 3889
Joined: 2010-01-28


I have a similar issue

Post by Lapps on Sat 02 Feb 2013, 12:18 am

Hey guys,
I made an account specifically for noticing this thread. My problem is that my World of Warcraft account continuously gets hacked, and I have FOUR of those things popping up in my Avast security when I try doing a quick scan. The datasafe_green pops up, along with the following:
|>diff_000001.dif
|>IRIMG1.BMP
|>IRIMG1.JPG

Now I notice you guys have figured these notices are not of issue, however what is it exactly that keeps on gaining access to my WoW account and locking it? Is it a keylogger? And what can I do to get rid of this? It's been happening for several years even when I was not playing on the account.

Any help will be greatly appreciated!!
Lapps

Lapps

Unborn

Posts: 1
Joined: 2013-02-02
Operating System: Windows 7
