Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.
Course Of The Month
6 days, left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Rootkit found - but what does it mean?
Posted on 2012-03-20
Hello all, an alert from avast! antivirus popped up on a client PC and says "Rootkid Found" but the file name is pointing to MBR: \\.\PHYSICALDRIVE0\PARTITI
Any help would be appreciated!
Any help would be appreciated!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2
2
- +3
8 Comments
I'd suggest reading this article first:
http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_5124-Stop-the-Bleeding-First-Aid-for-Malware.html
Rootkits are notoriously hard to clean at times and you may need to run scanners such as MBAM and combofix to help troubleshoot / log details.
You'll want to take that machine offline to scan once it's updated with virus definitions
http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_5124-Stop-the-Bleeding-First-Aid-for-Malware.html
Rootkits are notoriously hard to clean at times and you may need to run scanners such as MBAM and combofix to help troubleshoot / log details.
You'll want to take that machine offline to scan once it's updated with virus definitions
A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enables continued privileged access to a computer.
http://en.wikipedia.org/wi
I would back-up the hard drive then allow Avast to delete it.
http://en.wikipedia.org/wi
I would back-up the hard drive then allow Avast to delete it.
Active today
You've gotten some great suggestions so far. Be careful with rootkits they are a pain. Check out my article on rootkits. It explains what they are and reviews a bunch of free software you can use to get rid of them.
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html
Active 3 days ago
You've yet to reply to the instructions given in Avast's forums yet, either.
http://forum.avast.com/index.php?topic=95887.0
Apparently made about 3 hours after your post here.
http://forum.avast.com/index.php?topic=95887.0
Apparently made about 3 hours after your post here.
Just make sure that it is not a legit partition or the one where windows is installed that you are deleting.
Have you first tried TDSSKiller?
TDL4 rootkits creates a hidden partition and modifies the partition table so it point to its malicious partition making it the active partition.
You can see which is the active partition using Gparted and you can change the boot flag there and you also have the option to delete the malicious partition.
The most important thing is to change the boot flag to the correct partition, once you've done that then all is well even if you leave the malicious partition there so long as it doesn't have the boot flag.
If Avast has already changed the boot flag to the correct partition, then the malicious partition is now harmless.
If you have run TDSSKiller and it didn't help, run this new tool below.
Download the yorkyt.exe disinfection tool.
http://www.pandasecurity.com/resources/tools/yorkyt.exe
Doubleclick to run.
A reboot will be requested to install a driver.
Another reboot will be requested to complete the disinfection.
When the disinfection is completed, accept the message that will be displayed.
Avast also has a tool that can also change the boot flag to the correct partition.
http://public.avast.com/~gmerek/aswMBR.htm#fix0
Have you first tried TDSSKiller?
TDL4 rootkits creates a hidden partition and modifies the partition table so it point to its malicious partition making it the active partition.
You can see which is the active partition using Gparted and you can change the boot flag there and you also have the option to delete the malicious partition.
The most important thing is to change the boot flag to the correct partition, once you've done that then all is well even if you leave the malicious partition there so long as it doesn't have the boot flag.
If Avast has already changed the boot flag to the correct partition, then the malicious partition is now harmless.
If you have run TDSSKiller and it didn't help, run this new tool below.
Download the yorkyt.exe disinfection tool.
http://www.pandasecurity.com/resources/tools/yorkyt.exe
Doubleclick to run.
A reboot will be requested to install a driver.
Another reboot will be requested to complete the disinfection.
When the disinfection is completed, accept the message that will be displayed.
Avast also has a tool that can also change the boot flag to the correct partition.
http://public.avast.com/~gmerek/aswMBR.htm#fix0
Ran TDSSKILLEE which identified the root kit (bootkit), once I deleted the infections the computer now loads with the blue screen of death in normal and safe mode of Windows. I get a STOP error ending in 7E...
Time for a format ?
Time for a format ?
Active 3 days ago
That should be a SYSTEM_THREAD_EXCEPTION_NO
And there should be another file name and offset addresses below that message.
What's the file name?
And there should be another file name and offset addresses below that message.
What's the file name?
TDSSKiller must've deleted the patched driver or file needed at bootup and it wasn't replaced or deleted a file but the reg value e.g. in the subsystems key wasn't restored, it happens.
"Time for a format ?"
That's really up to you, if you don't have the time to troubleshoot and fix the issue then a reformat and clean install of the OS is an excellent idea.
That's what I would do since I don't need to backup my files. A reformat is a simple and quick fix in some cases.
"Time for a format ?"
That's really up to you, if you don't have the time to troubleshoot and fix the issue then a reformat and clean install of the OS is an excellent idea.
That's what I would do since I don't need to backup my files. A reformat is a simple and quick fix in some cases.
Featured Post
Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restoreâ„¢. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Operating system developers such as Microsoft (https://www.microsoft.com) and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built in defensive tools such as virus protection and a f…
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
- Anti-Virus Apps
- Ransomware
- The Email Laundry
- Email Servers
- Cybersecurity
- Microsoft Access, *malware
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email
Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses
Course of the Month6 days, left to enroll
705 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.