Bootkit/Rootkit; I don't know how to get rid of it.


chooki

Hello everyone,


A few weeks ago I ran what turned out to be a malicious .exe file. Immediately when I ran it, it broke the email protection component of my anti-virus software. Reinstalling that software overcame that problem; however, the a/v browser toolbar hasn't functioned properly since then, even after a system reinstallation. It is unable to rate and warn about webpages anymore.

I had a good idea that something old and nasty survived the reinstallation: 1) because of the already mentioned toolbar, 2) apps crash, mainly Internet Explorer 10, and 3) 1 or 2 programs don't keep their customizations.


Apparently DEP is off according to a Microsoft 'Fix it' app, yet it appears to be on. Also, Windows Defender will not update. Whether WD ran before this trouble in conjunction with my subscription a/v software I don't know, but I do know that it always asked to update signatures and the updates installed with no issues. Attempting to do so now gives an error, each try.

Sometimes Malwarebytes Anti-Exploit works; other times I can't start it, even after killing the mbae process in Task Manager and attempting to re-start it. Often, the mbae shortcut icon changes to a 'broken shortcut' icon and then it comes good again with the proper icon and will run.


I've tried about 50 different antimalware programs; RogueKiller found the ZeroAccess rootkit very early on in my attempts to solve the problem. At one time, a program found a modified/unknown MBR (HP proprietary?) and offered to fix it. Now it's a Win 7/8 MBR.


I've run Bootrec /fixmbr and 2 similar commands, but this hasn't helped. Yesterday, I found a program called 'Bootkit Remover' available from here:

http://www.smartestcomputing.us.com/files/file/11-bootkit-remover/ and when I run it ..... please see attached pic/file:


I've run that program on 2 other PCs and it reports "ok DOS WIN32 code".... I don't think it's a false positive on this PC in view of the above.


It looks like I need to do something in a console window with elevated privileges, which I've tried at C:\Windows\System32>. I'm not sure if I'm headed in the right direction at this point. May I please have some assistance?


Thank you for your time, chooki


Well, that image is no good. So I'll type out exactly what's in it:
Bootkit Remover
© 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 64-bit

System volume is \\.\C:\
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`32100000

Size        Device Name               MBR Status
------------------------------------------------------------
223 GB      \\.\PhysicalDrive0        Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]

Done;
Press any key to quit...


=========================================================================


I tried to run remover.exe in an elevated-permission cmd window, but it's a bad command; I'm going wrong somewhere.

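As an added example that is not part of this thread and not code from the Esage Lab tool: a small Python parser for a 512-byte MBR dump of the kind "remover.exe dump <device_name> [output_file]" writes. It checks the 0x55AA boot signature, reads the disk signature and partition entries, and hashes the 440-byte bootstrap area so the dump can be compared against a known-good MBR image (for example one taken from a clean machine). The sample MBR bytes are constructed here, not taken from the poster's disk.

```python
# Added example: inspect an MBR dump (e.g. from "remover.exe dump"), defender-side only.
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap area precedes the 4-byte disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Return signature validity, disk signature, partition entries and a bootcode hash."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", mbr, BOOTCODE_LEN)[0],
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def bootcode_matches(mbr: bytes, known_good: bytes) -> bool:
    """True when the bootstrap area equals that of a trusted MBR image."""
    return mbr[:BOOTCODE_LEN] == known_good[:BOOTCODE_LEN]


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not from any real disk): stub boot code, one bootable NTFS entry."""
    bootcode = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOTCODE_LEN - 7)
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # signature + reserved word
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 409600)
    table = entry + b"\x00" * 48                               # three empty slots
    return bootcode + disk_sig + table + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    print(parse_mbr(sample))
    print("bootcode matches itself:", bootcode_matches(sample, sample))
```

To use it on a real dump, read the output file produced by the tool (`open(path, "rb").read()`) and compare its bootcode hash against a dump taken from a machine that the same tool reports as clean.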
