Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

GMER claims rootkit-like behaviour in the MBR


  • Please log in to reply
3 replies to this topic

#1 silvertree

silvertree

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 02 January 2011 - 08:32 PM

Hello, this is a friends computer that was severely messed up.

Windows Vista SP2.

Initially windows refused to boot because of a missing driver component. I resolved that with a repair using the Vista boot disk.

Now that the system runs it is clear that this computer has been infected in some manner.

Naturally, before I got the machine all it had for protection was an expired copy of Norton Security.

Google Chrome fails to function. The program starts but no pages will load.

Internet Explorer functions but more often than not gets redirected.

Windows Update says it “Can't check for updates”.

After a small amount of time and usage all programs begin to fail to launch claiming that “The service cannot accept control messages at this time”.

I have regressed the system back one month using system restore. Probably not far enough and made little difference.

I have already scanned with MS Security Essentials and MBAM. Both found nothing. RootRepeal shows a very long list of files that are hidden and GMER shows possible tampering with the MBR (sector 00(MBR) Rootkit-like behavior; sector 10; sector 63 and sector 234441392(+255)).

I have used the repair console included on the Vista disk and ran BOOTREC /fixmbr and /fixboot and /rebuildbcd. Each time after a normal boot GMER still reports that same problems.

I don't mind re-installing the system to restore proper function but if its got an MBR infection isn't a re-install pointless?

Thanks for your attention.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,600 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:08 AM

Posted 02 January 2011 - 09:36 PM

Try running TDSSKiller which checks the MBR for infection and is often effective repairing it if found.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 silvertree

silvertree
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 02 January 2011 - 10:15 PM

Thank you. GMER shows no complaints now.

Time to really get into fixing this machine. Cheers!

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,600 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:08 AM

Posted 03 January 2011 - 01:15 PM

You're welcome and good luck.

Post back if you need further assistance.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users