How can your organization benefit from savings just by replacing your legacy backup solutions with Acronis' #CyberProtection? Join Forrester's Joe Branca and Ryan Davis from Acronis live as they explain how you can too.
RootKit ZeroAccess. Hidden partition question.
I Just removed ZeroAccess RootKit from a Dell Dimension using ComboFix.
Some research while CF was doing it's thing disclosed that ZA creates new partitions hidden from the user in which to hid itself. I booted the machine with Partition Commander, and it displayed the disk as follows:
A gray sliver at the top: 7 MB, gray = Free
Most of the cylinder Maroon (= NTFS) 74.47 GB
A Blue sliver at the bottom (= Other, unix etc) 31 MB
Overall size of Drive 0 displayed at 74.5
Since the displayed size is close to 80 I'm asusming it's an 80 GB HDD.
If there is a hidden partition, it it the difference between 80 and 74.5 GB?
What might the Blue (= other) 31 MB sliver be?
Could it be related to Windows Recovery or is it too small to be that?
Should I just remove it?
Is there anything I can do to discern whether there is a new hidden partition that is harboring the RootKit?
Some research while CF was doing it's thing disclosed that ZA creates new partitions hidden from the user in which to hid itself. I booted the machine with Partition Commander, and it displayed the disk as follows:
A gray sliver at the top: 7 MB, gray = Free
Most of the cylinder Maroon (= NTFS) 74.47 GB
A Blue sliver at the bottom (= Other, unix etc) 31 MB
Overall size of Drive 0 displayed at 74.5
Since the displayed size is close to 80 I'm asusming it's an 80 GB HDD.
If there is a hidden partition, it it the difference between 80 and 74.5 GB?
What might the Blue (= other) 31 MB sliver be?
Could it be related to Windows Recovery or is it too small to be that?
Should I just remove it?
Is there anything I can do to discern whether there is a new hidden partition that is harboring the RootKit?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
The drive is actually 74.5 GB rather than 80GB. In HDD manufacturer ratings 1KB = 1000 bytes instead of the actual 1024 bytes. As sizes increase, discrepancy between manufacturer rating and what is reported by the OS increases.
7MB unformatted partition is left over from XP formatting. For some reason, XP always leaves a 7MB unformatted partition. 31MB partition is Dell diagnostics.
Th check that TDLFS file system has been removed, run TDSSKiller, click on Change Parameters, and check Detect TDLFS File System.
7MB unformatted partition is left over from XP formatting. For some reason, XP always leaves a 7MB unformatted partition. 31MB partition is Dell diagnostics.
Th check that TDLFS file system has been removed, run TDSSKiller, click on Change Parameters, and check Detect TDLFS File System.
Are you still having trouble with ZeroAccess? Combofix deletes the Dr0 sector that is written to the bottom of Dr0 harddrive, hidden from the user and restores the mbr (startup method).
Looking for it after the fact is pretty pointless as it wont be missing if CF removed it properly. As Willcomp was saying it is most likely the diagnostic tools(Memtest, Diagnostics, etc; 31 MB ) on a Dell Dimension. They pack a lot of software onto those machines... Restore partitions are usually about 4.4 gig's for the operating system plus more for factory image software.
To explain the 8mb partition that you see. It is actually a backed up sector that allows you to upgrade to a Dynamic Disk.
Looking for it after the fact is pretty pointless as it wont be missing if CF removed it properly. As Willcomp was saying it is most likely the diagnostic tools(Memtest, Diagnostics, etc; 31 MB ) on a Dell Dimension. They pack a lot of software onto those machines... Restore partitions are usually about 4.4 gig's for the operating system plus more for factory image software.
To explain the 8mb partition that you see. It is actually a backed up sector that allows you to upgrade to a Dynamic Disk.
Thanks for explaining what the 8MB partition in XP is for. Have seen it numerous times and knew it was normal but not what the purpose was.
Moderator, please keep this open a bit longer. Been occupied with other things and not through with this yet.
Rgr that. I just gained access to a new malware repository I am going to look for a live sample of this rootkit. This newer rootkit I did not have a sample of so today if I get it I will begin working on taking it apart and seeing what I can add here to help or possibly make a special article to remove it.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial