Solved

Rootkit found - but what does it mean?

Posted on 2012-03-20
8
935 Views
Last Modified: 2012-03-26
Hello all, an alert from avast! antivirus popped up on a client PC and says "Rootkid Found" but the file name is pointing to MBR: \\.\PHYSICALDRIVE0\PARTITION3 and the action to take is Delete Now or Ignore. I am fairly certain that on my one harddrive, Partition 3 is where the OS resides. So if I choose to "Delete Now" is that going to harm the MBR and not let me load into Windows? And if I choose to Ignore, is this a real root kit somehow on my PC or a false-alarm?

Any help would be appreciated!
0
Comment
Question by:XAnalyzer
8 Comments
 
LVL 16

Expert Comment

by:l33tf0b
ID: 37744593
I'd suggest reading this article first:

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_5124-Stop-the-Bleeding-First-Aid-for-Malware.html

Rootkits are notoriously hard to clean at times and you may need to run scanners such as MBAM and combofix to help troubleshoot / log details.

You'll want to take that machine offline to scan once it's updated with virus definitions
0
 
LVL 7

Expert Comment

by:Todar
ID: 37744595
A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enables continued privileged access to a computer.

http://en.wikipedia.org/wiki/Rootkit

I would back-up the hard drive then allow Avast to delete it.
0
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 37744780
You've gotten some great suggestions so far.  Be careful with rootkits they are a pain.  Check out my article on rootkits.  It explains what they are and reviews a bunch of free software you can use to get rid of them.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 44

Expert Comment

by:Darr247
ID: 37745194
You've yet to reply to the instructions given in Avast's forums yet, either.

http://forum.avast.com/index.php?topic=95887.0

Apparently made about 3 hours after your post here.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 37760094
Just make sure that it is not a legit partition or the one where windows is installed that you are deleting.

Have you first tried TDSSKiller?
TDL4 rootkits creates a hidden partition and modifies the partition table so it point to its malicious partition making it the active partition.
You can see which is the active partition using Gparted and you can change the boot flag there and you also have the option to delete the malicious partition.

The most important thing is to change the boot flag to the correct partition, once you've done that then all is well even if you leave the malicious partition there so long as it doesn't have the boot flag.
If Avast has already changed the boot flag to the correct partition, then the malicious partition is now harmless.


If you have run TDSSKiller and it didn't help, run this new tool below.
Download the yorkyt.exe disinfection tool.

http://www.pandasecurity.com/resources/tools/yorkyt.exe

Doubleclick to run.
A reboot will be requested to install a driver.
Another reboot will be requested to complete the disinfection.
When the disinfection is completed, accept the message that will be displayed.


Avast also has a tool that can also change the boot flag to the correct partition.
http://public.avast.com/~gmerek/aswMBR.htm#fix0
0
 

Author Comment

by:XAnalyzer
ID: 37760781
Ran TDSSKILLEE which identified the root kit (bootkit), once I deleted the infections the computer now loads with the blue screen of death in normal and safe mode of Windows. I get a STOP error ending in 7E...

Time for a format ?
0
 
LVL 44

Expert Comment

by:Darr247
ID: 37761244
That should be a SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

And there should be another file name and offset addresses below that message.
What's the file name?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 37761839
TDSSKiller must've deleted the patched driver or file needed at bootup and it wasn't replaced or deleted a file but the reg value e.g. in the subsystems key wasn't restored, it happens.


"Time for a format ?"

That's really up to you, if you don't have the time to troubleshoot and fix the issue then a reformat and clean install of the OS is an excellent idea.
That's what I would do since I don't need to backup my files. A reformat is a simple and quick fix in some cases.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Malware seems to be getting smarter and smarter. If you are having trouble being able to launch your malware removal tools such as (and recommended): MalwareBytes, HiJackThis, ComboFix, etc. you can try some of the workarounds listed below. 1. Ma…
Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question