

Rootkit in Windows 7 that I cannot work out how to remove


17 replies to this topic

#1 aaandy

  • Members
  • 35 posts

Posted 11 August 2014 - 09:46 PM

Hi folks,
 
I've used the site a lot to look up common fixes in the past but this is my first time posting. Hoping someone can help me!
 
My computer, on the surface, seems to be working fine. It's not slow, no weird pop-ups or anything. I've always been OCD about my computer security - running constant checks and not going on any 'fishy' websites.
 
Then, after my wife did some browsing I found a virus and some rootkits on there. I deleted using AVG and they don't seem to have returned. But I decided to do some digging to make sure that everything was OK. I used AVG in safe mode and got this result:
 
AVG 2014 AntiVirus command line scanner
Copyright © 1992 - 2013 AVG Technologies
Program version 2014.0.4716, engine 2014.0.4007
Virus Database: Version 4007/8019 2014-08-11
@Scan_BootSectorName|%name%=C:\| Found Bootkit.61030040.F987090C is OK.
@Scan_BootSectorName|%name%=D:\| Found Bootkit.61030040.F987090C is OK.

C:\Boot\BCD Locked file. Not scanned. is OK.
C:\Boot\BCD.LOG Locked file. Not scanned. is OK.
C:\Documents and Settings\ Locked file. Not scanned. is OK.
C:\hiberfil.sys Locked file. Not scanned. is OK.
C:\pagefile.sys Locked file. Not scanned. is OK.
 
And so on until
 
------------------------------------------------------------
Objects scanned     : 151166
Found infections    :   88
Found high severity :    0
Found med severity  :    0
Found info severity :   90
Fixed high severity :    0
Fixed med severity  :    0
Fixed info severity :    0
------------------------------------------------------------
 
It is the text in bold that has me worrying. How do I remove this bootkit?!
 
I used TDSSKiller, MalwareBytes and AVG in normal computer mode and came up with nothing. Likewise in safe mode, MalwareBytes and TDSSKiller find nothing, just AVG.
 
I have also done a full system recovery on the laptop (Samsung), and I went to the Samsung Service Centre to ask what else could be done - and they said the full recovery was the most comprehensive 'wipe' they could do... I thought you could do more, but I'm not really an expert.
 
It should be noted that this result also comes up on my work computer, as well as my laptop. In fact, the above result is my work computer, but to all intents and purposes the results are the same (my laptop has a hidden boot sector as well, but I have heard that is OK).
 
I live and work in Korea if that makes any difference - I know that Korean websites are filled with pop-ups which may explain how my wife managed to infect the machine in the first place.
 
Thank you!!!!
 
Andrew

Edit: Moved topic from Windows 7 to the more appropriate forum.~ Animal

#2 aaandy

  • Topic Starter
  • Members
  • 35 posts

Posted 11 August 2014 - 09:48 PM

By the way, apologies for the spelling mistake in the title - can't figure out how to edit it, only the main body.

Fixed - Hamluis.


Edited by hamluis, 12 August 2014 - 05:37 AM.


#3 Ste2ph

  • Members
  • 66 posts
  • Gender:Not Telling

Posted 12 August 2014 - 02:02 AM

I mean it looks good to me. But if you really want to be sure use Hitman Pro to run a virus scan. Sometimes it picks up stuff Malwarebytes doesn't. http://www.surfright.nl/en/hitmanpro . It uses multiple A/V databases I believe to scan your PC for viruses. It's very good, I use it all the time. PC Magazine gave it a 4/5 stars http://www.pcmag.com/article2/0,2817,2413295,00.asp It doesn't cost money to use if you're using it for personal use.


Edited by Ste2ph, 12 August 2014 - 02:03 AM.


#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 August 2014 - 09:06 PM

Also run

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 aaandy

  • Topic Starter
  • Members
  • 35 posts

Posted 13 August 2014 - 04:25 AM

Hi,

 

I ran the Hitman Pro scanner - it found some tracking cookies that might have been the result of my reinstalling Chrome and forgetting to adjust the cookie settings. There were a few websites (yahoo, for example) that had cookies, but I had NOT visited those websites - is this a cause for concern?

 

Other than those cookies, the Hitman Pro scan found nothing of any importance. Is it worth also running it in safe mode?

 

here is the aswMBR log:

 

aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-08-13 18:17:34
-----------------------------
18:17:34.497    OS Version: Windows x64 6.1.7601 Service Pack 1
18:17:34.497    Number of processors: 4 586 0x2A07
18:17:34.498    ComputerName: ANDREW-PC  UserName: Andrew
18:17:35.237    Initialize success
18:17:35.373    VM: initialized successfully
18:17:35.377    VM: Intel CPU supported 
18:17:37.439    VM: supported disk I/O iaStor.sys
18:18:19.795    AVAST engine defs: 14081203
18:19:01.693    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:19:01.699    Disk 0 Vendor: ST500LM0 2AR1 Size: 476940MB BusType: 3
18:19:01.897    VM: Disk 0 MBR read successfully
18:19:01.905    Disk 0 MBR scan
18:19:01.918    Disk 0 unknown MBR code
18:19:01.937    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
18:19:01.942    Disk 0 default boot code
18:19:01.962    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       207872 MB offset 206848
18:19:01.970    Disk 0 Partition - 00     0F Extended LBA            249532 MB offset 425928704
18:19:02.005    Disk 0 Partition 3 00     27 Hidden NTFS WinRE NTFS        19435 MB offset 936970240
18:19:02.049    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       249531 MB offset 425930752
18:19:02.232    Disk 0 scanning C:\windows\system32\drivers
18:19:12.127    Service scanning
18:19:33.042    Modules scanning
18:19:33.054    Disk 0 trace - called modules:
18:19:33.077    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
18:19:33.081    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800908f060]
18:19:33.085    3 CLASSPNP.SYS[fffff880013ba43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80071ee050]
18:19:33.599    AVAST engine scan C:\windows
18:19:36.016    AVAST engine scan C:\windows\system32
18:22:06.730    AVAST engine scan C:\windows\system32\drivers
18:22:17.356    AVAST engine scan C:\Users\Andrew
18:22:33.817    AVAST engine scan C:\ProgramData
18:24:25.694    Scan finished successfully
18:24:43.195    Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
18:24:43.199    The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR.txt"
 
Is this good, or bad?
 
Thanks!
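The aswMBR log above lists the disk size and every partition entry with its type byte, MB size and LBA offset. A reader can sanity-check that table by hand (each partition should end where the next begins, the logical partition should sit inside the extended container, nothing should run past the end of the disk), and the following script does the same mechanically. This is an added example, not code from aswMBR or from anyone in this thread; it assumes 512-byte sectors and the line format shown in the posted log, and the sample input is the partition lines copied from that log.

```python
import re
from collections import namedtuple
SECTORS_PER_MB = 2048  # aswMBR prints sizes in whole MB; 512-byte sectors assumed
# Constructed sample: the disk-size and partition lines from the aswMBR log posted above.
SAMPLE_LOG = """\
18:19:01.699    Disk 0 Vendor: ST500LM0 2AR1 Size: 476940MB BusType: 3
18:19:01.937    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
18:19:01.962    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       207872 MB offset 206848
18:19:01.970    Disk 0 Partition - 00     0F Extended LBA            249532 MB offset 425928704
18:19:02.005    Disk 0 Partition 3 00     27 Hidden NTFS WinRE NTFS        19435 MB offset 936970240
18:19:02.049    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       249531 MB offset 425930752
"""
# label: "1".."4" or "-" (extended container); bootable: 0x80 flag, shown as "(A)";
# type_id: MBR type byte; start/sectors: LBA offset and length in sectors
Part = namedtuple("Part", "label bootable type_id start sectors")
PART_RE = re.compile(r"Partition (?P<label>\S+) (?P<flag>[0-9A-F]{2})(?: \(A\))? +"
                     r"(?P<type>[0-9A-F]{2}) .*? (?P<mb>\d+) MB offset (?P<off>\d+)$")
SIZE_RE = re.compile(r"Size: (?P<mb>\d+)MB")

def parse_log(text):
    """Return (disk size in sectors or None, [Part, ...]) from aswMBR log text."""
    disk, parts = None, []
    for line in text.splitlines():
        if m := SIZE_RE.search(line):
            disk = int(m["mb"]) * SECTORS_PER_MB
        elif m := PART_RE.search(line):
            parts.append(Part(m["label"], m["flag"] == "80", int(m["type"], 16),
                              int(m["off"]), int(m["mb"]) * SECTORS_PER_MB))
    return disk, parts

def classify(parts):
    """Split into (primaries incl. the extended container, logicals inside a container)."""
    ext = [p for p in parts if p.type_id in (0x05, 0x0F)]
    inside = lambda p, c: c.start <= p.start and p.start + p.sectors <= c.start + c.sectors
    logicals = [p for p in parts if p not in ext and any(inside(p, c) for c in ext)]
    return [p for p in parts if p not in logicals], logicals

def check_layout(disk, parts):
    """Geometry sanity checks on the table; an empty list means it is self-consistent."""
    slack = SECTORS_PER_MB  # sizes are rounded to whole MB, so tolerate 1 MB of rounding
    primaries, _ = classify(parts)
    findings = []
    if len(primaries) > 4:
        findings.append("more than 4 primary entries: not a valid MBR table")
    if sum(p.bootable for p in primaries) != 1:
        findings.append("expected exactly one active (0x80) partition")
    findings += [f"partition {p.label} extends past the end of the disk"
                 for p in parts if disk is not None and p.start + p.sectors > disk + slack]
    ordered = sorted(primaries, key=lambda p: p.start)
    findings += [f"partitions {a.label} and {b.label} overlap"
                 for a, b in zip(ordered, ordered[1:]) if a.start + a.sectors > b.start + slack]
    return findings
```

On the posted log this returns no findings: the four primary entries tile the disk exactly and partition 4 is the single logical volume inside the extended container. A clean geometry does not by itself clear the boot code (aswMBR's "unknown MBR code" line still needs a human or a second scanner to judge), but an overlapping or out-of-range entry would be a concrete reason to look harder.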


#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 August 2014 - 04:46 PM

Hello I am suspecting a False Positive from AVG..
Let's see if any rootkits show here as there were none above.

Download Malwarebytes Anti-Rootkit to your desktop.
  • Double click on downloaded file. OK self extracting prompt.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"
>>>>

Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.


#7 maggot7

  • Members
  • 91 posts
  • Gender:Male

Posted 13 August 2014 - 05:02 PM

Is this just my not being familiar with AVG or does "Found Bootkit.61030040.F987090C is OK." not sound like it found anything malicious? Why would AVG list an active, discovered bootkit as "is OK"?



#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 August 2014 - 05:09 PM

It does sound like it. That is why I am running other Tools to find it. They are showing clean so I suspect a false positive.

If this scan comes clean we will report those to AVG.

#9 aaandy

  • Topic Starter
  • Members
  • 35 posts

Posted 13 August 2014 - 07:00 PM

Hi,

 

I have run Malwarebytes already - it found nothing. I will run Rkill tonight when I get home.

 

In response to why AVG would list something as OK if it was a rootkit, I will be honest and say that it is probably more my lack of know-how in this case. I'm not a complete novice with computers but I am very, very far from being an expert. I just saw the word 'bootkit', Googled it and then got worried. Hence, I came to people like yourselves who know a lot more than I.

 

I will let you know what Rkill comes up with.

 

Thank you!



#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 August 2014 - 07:07 PM

This was MBAM's antiRootkit tool

#11 aaandy

  • Topic Starter
  • Members
  • 35 posts

Posted 13 August 2014 - 07:44 PM

I think I ran that one too, but I'll double check tonight and make sure it is the anti-rootkit tool I'm running. Thanks again!



#12 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 August 2014 - 07:57 PM

OK, if it was or it is clean.. Submit the file to AVG... L@@K



#13 aaandy

  • Topic Starter
  • Members
  • 35 posts

Posted 14 August 2014 - 09:26 AM

Hi,

 

Just ran the MalwareBytes anti-rootkit - it found nothing. 

 

Rkill file runs as follows:

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 08/14/2014 11:25:18 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 08/14/2014 11:26:26 PM
Execution time: 0 hours(s), 1 minute(s), and 8 seconds(s)


#14 aaandy

  • Topic Starter
  • Members
  • 35 posts

Posted 14 August 2014 - 10:34 AM

In the meantime, I've re-run MalwareBytes, MalwareBytes Anti Rootkit, AVG, Kaspersky TDSSKiller, and Hitman Pro - all got nothing on their radar.

 

I did another aswMBR scan and the results were precisely identical to those I posted before. AVG did detect it as a piece of malware, but the notification disappeared before I could have a good look at it. Still, I definitely saw aswMBR in the filename. So, I ran AVG again and it found nothing. I have heard that this can happen sometimes (two antivirus programs not liking each other...right?)

 

What's the verdict? More work needed? False positive? Or still an issue?

 

By the way, thanks to all who responded - this has been a huge help to me. 



#15 maggot7

  • Members
  • 91 posts
  • Gender:Male

Posted 14 August 2014 - 10:39 AM

TDSS Killer and HitmanPro are fantastic programs and I would trust their results. Unless boopme has another idea, I would say you're just fine.





