Sector 0 Rootkit Removed installed programs and data


2 replies to this topic

#1 mrchip3

Posted 08 October 2015 - 09:05 PM

I did a HitmanPro scan and had a result for a sector 0 MBR infection and had it delete it. It then had me reboot the system.

 

When I rebooted there were only 2 old users. I logged into each of them; neither of which had any files, and most (not all) programs are gone. By "gone" I literally mean they are gone. For instance, Mozilla Thunderbird was installed before the virus reboot. There is no data file, it is not listed in "Add/Remove Programs", there isn't even a directory under Program Files (x86), and that goes for a lot of other programs that were installed. It's crazy... I don't even get a result for HitmanPro when searching the computer, nor is it in \Program Files or Add/Remove Programs, and it was the one that asked me to reboot, so I know for sure it was there before the reboot. Not sure if HitmanPro has a portable app, but I did the download from BleepingComputer and installed it, so I know it's not just a "missing" file; it was actually installed.

 

I checked C:\Users\ and went through all the users' desktop folders, and they are all empty. It is like it did a system restore and removed personal data files as well... like a rollback. However, the reboot didn't take long at all. It was like a regular reboot, not like a rollback or system restore, which can take a while, especially for all the programs that have been removed.

 

There isn't another Windows partition or a \Windows.old that it's booting from either. It's so weird.

 

Also, Windows needed to be reactivated. Not sure if it's important, but I thought it best not to leave that out. Any ideas on what happened?




#2 mrchip3 (Topic Starter)

Posted 08 October 2015 - 09:34 PM

Update: I just did a scan on a 2nd system and have the same infection. I have not cleaned it, and here are some of the details:

 
*********************
Master Boot Record (sector 0) - Bootkit
 
Windows disk signature: 8B6AC2E5
 
Partition  Type  LBA         Number of sectors
0          07    2048        40960000
1*         07    40962048    447432704
2          00    0           0
3          00    0           0
***********************
Following that is a bunch of hexadecimal in 2 separate tables: one showing the info currently in the sector and the other table showing the info that will replace it.
 
I did have a thought. I noticed another partition called Recovery. Inside is a tool called RollBack by Horizon DataSys. Is it possible HitmanPro has confused the sector 0 virus for something from the RollBack program, and when it replaced sector 0 it effectively undid anything after RollBack was installed? This might explain why some programs are still on the system, like Adobe Reader and Flash Player, yet others are completely gone. Trying to figure it out, and any help would be appreciated.
 
Thanks... I would like to undo what was done.
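The partition table quoted in the post above can be checked mechanically rather than by eye. The following is an added example, not code from the post, from HitmanPro or from Horizon DataSys: it parses a 512-byte sector 0, reads the Windows disk signature and the four partition entries, flags overlapping or multiply-active entries, and reports which bytes of the 440-byte bootstrap area differ between two copies of the sector (the "current" and "replacement" hex tables a scanner shows are exactly such a pair). The sample MBR is constructed here to match the layout in the post; its bootstrap bytes are placeholders, and the "patched" copy is invented purely to illustrate the diff. A bootkit that only modifies boot code leaves the partition table and disk signature untouched, which is what the last two checks in the block demonstrate.

```python
"""Parse a 512-byte MBR (sector 0) and sanity-check its partition table.

Added example with constructed sample data; not HitmanPro's output or code.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440           # bytes 0x000-0x1B7: boot code, the part a bootkit patches
DISK_SIG_OFFSET = 0x1B8       # 4-byte Windows disk signature, little-endian
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG_OFFSET = 0x1FE       # 0x55 0xAA


@dataclass
class PartitionEntry:
    index: int
    bootable: bool      # status byte 0x80 (shown as "*" in the post's table)
    type_id: int        # 0x07 = NTFS/exFAT-style "installable file system"
    lba_start: int
    num_sectors: int

    @property
    def lba_end(self) -> int:
        """Last sector used (inclusive); 0 for an empty entry."""
        return self.lba_start + self.num_sectors - 1 if self.num_sectors else 0


@dataclass
class Mbr:
    disk_signature: int
    partitions: List[PartitionEntry]
    bootstrap_sha256: str   # hash of the boot code only, for comparison with a known-good copy


def parse_mbr(sector0: bytes) -> Mbr:
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector0[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector0, DISK_SIG_OFFSET)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * struct.calcsize(PART_ENTRY_FMT)
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector0, off)
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02X}")
        parts.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return Mbr(disk_sig, parts, hashlib.sha256(sector0[:BOOTSTRAP_LEN]).hexdigest())


def check_layout(mbr: Mbr) -> List[str]:
    """Return human-readable problems with the partition table (empty list = looks sane)."""
    problems = []
    used = [p for p in mbr.partitions if p.num_sectors]
    if sum(p.bootable for p in used) > 1:
        problems.append("more than one partition flagged active")
    for a in used:
        for b in used:
            if a.index < b.index and a.lba_start <= b.lba_end and b.lba_start <= a.lba_end:
                problems.append(f"partitions {a.index} and {b.index} overlap")
    return problems


def bootstrap_diff(current: bytes, replacement: bytes) -> List[int]:
    """Offsets inside the 440-byte bootstrap area where two copies of sector 0 differ."""
    return [i for i in range(BOOTSTRAP_LEN) if current[i] != replacement[i]]


def build_mbr(disk_sig: int, entries: List[Tuple[int, int, int, int]], bootstrap: bytes = b"") -> bytes:
    """Constructed MBR: (status, type, lba_start, num_sectors) per entry, CHS fields left zero."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(bootstrap[:BOOTSTRAP_LEN])] = bootstrap[:BOOTSTRAP_LEN]
    struct.pack_into("<I", mbr, DISK_SIG_OFFSET, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * 16,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[BOOT_SIG_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample mirroring the layout quoted in the post (signature 8B6AC2E5, two type-07 entries).
SAMPLE_LAYOUT = [(0x00, 0x07, 2048, 40960000), (0x80, 0x07, 40962048, 447432704), (0, 0, 0, 0), (0, 0, 0, 0)]
SAMPLE_MBR = build_mbr(0x8B6AC2E5, SAMPLE_LAYOUT, bootstrap=b"\xEB\x3C\x90" + b"\x00" * 437)
# Same table with four invented bytes changed in the boot code: the partition table is untouched.
PATCHED_MBR = build_mbr(0x8B6AC2E5, SAMPLE_LAYOUT,
                        bootstrap=b"\xEB\x3C\x90" + b"\x00" * 100 + b"\xCC" * 4 + b"\x00" * 333)


def format_table(mbr: Mbr) -> str:
    lines = [f"Windows disk signature: {mbr.disk_signature:08X}", "Partition  Type  LBA         Sectors"]
    for p in mbr.partitions:
        flag = "*" if p.bootable else " "
        lines.append(f"{p.index}{flag}         {p.type_id:02X}    {p.lba_start:<11d} {p.num_sectors}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = parse_mbr(SAMPLE_MBR)
    print(format_table(m))
    print("layout problems:", check_layout(m) or "none")
    print("bootstrap bytes changed:", bootstrap_diff(SAMPLE_MBR, PATCHED_MBR))
```

Run against a real disk, `sector0` would be the first 512 bytes read from `\\.\PhysicalDrive0` (or `/dev/sda`) with administrator rights; comparing `bootstrap_sha256` against the hash taken from a clean machine with the same Windows version is the quickest way to tell "boot code was replaced" from "partition table was rewritten", which are very different things to recover from.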


#3 RolandJS

Posted 08 October 2015 - 09:40 PM

Do you have restorable backups of your OS partition? I ask because I had a similar wipeout [for a different reason/cause, unbeknownst to me] of numerous folders and their files, and the only thing I could reliably do was a restore from a recent backup image and then add back things that were not part of that earlier image.


Edited by RolandJS, 08 October 2015 - 09:51 PM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)
