
Bootkit/Rootkit; I don't know how to get rid of it.



Hello everyone,


A few weeks ago I ran what turned out to be a malicious .exe file. Immediately when I ran it, it broke the email protection component of my anti-virus software. Reinstalling that software overcame that problem; however, the a/v browser toolbar hasn't functioned properly since then, even after a system reinstallation. It is unable to rate and warn about webpages anymore.

I had a good idea that something old and nasty survived the reinstallation: 1/ because of the already mentioned toolbar, 2/ apps crash, mainly Internet Explorer 10, and 3/ 1 or 2 programs don't keep their customizations.


Apparently DEP is off according to a Microsoft 'Fix it' app, yet it appears to be on. Also, Windows Defender will not update. Whether WD ran before this trouble in conjunction with my subscription a/v software I don't know, but I do know that it always asked to update signatures and the updates installed with no issues. Attempting to do so now gives an error, each try.

Sometimes Malwarebytes Anti-Exploit works; other times I can't start it, even after killing the mbae process in Task Manager and attempting to restart it. Often, the mbae shortcut icon changes to a 'broken shortcut' icon and then it comes good again with the proper icon and will run.


I've tried about 50 different antimalware programs; RogueKiller found the ZeroAccess rootkit very early on in my attempts to solve the problem. At one time, a program found a modified/unknown MBR (HP proprietary?) and offered to fix it. Now it's a Win 7/8 MBR.


I've run Bootrec /fixmbr and 2 similar commands, but this hasn't helped. Yesterday, I found a program called 'Bootkit Remover' available from here:

http://www.smartestcomputing.us.com/files/file/11-bootkit-remover/ and when I run it... please see the attached pic/file:


I've run that program on 2 other PCs and it reports OK DOS WIN32 code. I don't think it's a false positive on this PC in view of the above.


It looks like I need to do something in a console window with elevated privileges, which I've tried at C:\Windows\System32>. I'm not sure if I'm headed in the right direction at this point. May I please have some assistance?


Thank you for your time, chooki





Well, that image is no good. So I'll type out exactly what's in it:


Bootkit Remover
© 2009 Esage Lab

Program version:
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 64-bit

System volume is \\.\C:\
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`32100000

    Size      Device Name           MBR Status
    ------------------------------------------------------
    223 GB    \\.\PhysicalDrive0    Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.

To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]

Press any key to quit...




I tried to run remover.exe in an elevated permission cmd window, but it's a bad command; I'm going wrong somewhere.
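As an added illustration (not part of the original thread and not code from the Bootkit Remover tool): a small Python script that reads a raw 512-byte MBR dump, such as the file `remover.exe dump <device_name> [output_file]` writes, checks the 0x55AA signature, parses the partition table, and hashes the 440-byte boot code so that a dump from this PC can be compared against dumps from the two PCs that reported clean. The sample sectors it builds are constructed stand-ins, not real Windows boot code, and the file names in the usage line are assumptions.

```python
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code; disk signature and partition table follow
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # 0x55 0xAA marks a valid boot sector

def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR into a report: boot-code hash, signature check, partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    report = {
        # Hash only the boot code so two machines with different partition layouts still compare
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        "partitions": [],
    }
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            report["partitions"].append({"index": i, "bootable": status == 0x80, "type": ptype,
                                         "lba_start": lba_start, "size_gb": round(count * 512 / 1e9, 1)})
    return report

def boot_code_matches(sector_a: bytes, sector_b: bytes) -> bool:
    """True when the 440-byte boot code is byte-identical; partition tables are allowed to differ."""
    return sector_a[:BOOT_CODE_LEN] == sector_b[:BOOT_CODE_LEN]

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: the given boot code, one active NTFS (0x07) partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    # 435,544,064 sectors * 512 bytes is about 223 GB, the disk size shown in the tool output above
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 435_544_064)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)

# Constructed stand-ins, NOT real Windows boot code: a "reference" sector and one with altered code
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x00" + b"\x90" * 25)

if __name__ == "__main__":
    # usage (assumed file names): python mbr_check.py this_pc.bin known_clean_pc.bin
    dumps = [open(path, "rb").read() for path in sys.argv[1:3]]
    for path, sector in zip(sys.argv[1:3], dumps):
        print(path, parse_mbr(sector))
    print("boot code identical:", boot_code_matches(*dumps) if len(dumps) == 2 else "n/a")
```

A differing boot-code hash between this PC and a clean one is only a lead for the forum helpers to look at, since OEM recovery setups can legitimately ship non-standard MBR code.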

