
Unknown.Rootkit.VBR detected by Malwarebytes Full scan



I just did a full scan of my other laptop with Malwarebytes Anti-malware and got the following detection "Unknown.Rootkit.VBR" "Physical Sector" "Master Boot Sector on Volume #0" As per the image below.





The laptop is an HP Compaq running Windows 7 Professional (x64). It is fully updated with MS patches except for those related to the Windows 10 Upgrade & the associated telemetry updates. In addition I have used the group policy editor to stop the Windows 10 upgrade via Windows update as it had downloaded &  tried several times to install Windows 10 even though I had not even reserved it with the GWX tool. These are all gone now as well as the 6GB Win 10 download. The default browser is Firefox, which is the latest version as are all plugins such as Java and Flash fully updated. The system is actively protected with a fully updated version of Kaspersky Internet Security 2015. The scan with Malwarebytes was a full scan resulting in a detection of:

Physical Sectors: 1Unknown.Rootkit.VBR, Master Boot Record on Drive #0, , [6a2e3c5d9d1d5d40f76f1e803d65c7d7],
(as per the attached scan result mb result.txt)

A couple of weeks ago I was using the laptop watching a movie. It overheated and then shut down automatically. I then stripped it down to check the fan and the heatsink to make sure the cooling system was ok. After reassembling the system and restarting I got a SMART warning of HDD failure. I removed the HDD and backed up all data to an external drive and made images of the partitions with Acronis True Image. I replaced the HDD with a new 500GB drive and re-imaged the system. On restarting on the new drive I got a similar warning, then a warning about a corrupted boot sector. After running check disk and checking the active system partition and boot files, and then correcting the BCD file with BOOTICE so that it directed to the Windows partition, the system then booted ok once I had re-hidden the active boot system partition. Incidentally I then also did the same for the original HDD and that also then booted ok. Upon testing with HP tools at boot both drives showed no fault or error. I decided to continue using the new HDD, which is where the rootkit has been detected by Malwarebytes. Both Kaspersky & TDSSKiller scans come up as clean.

The partition layout is as per the attached picture below. The active partition is labelled SYSTEM and is an HP factory primary partition (NTFS) containing the boot files and BCD file that directs to the Windows partition. The other primary partitions are the Recovery partition (NTFS) and the HP Tools Partition, which is FAT32. The C- Windows partition and the Files partition are part of a logical drive, both NTFS.

 


 

BOOTICE has the following info regarding the drive structure:

 


 

When I ran TestDisk, as per the picture below, it has something about "Bad sector count":

 


 

This is the testdisk log (ignore the 2TB attached external drive):


Tue Sep  8 23:10:28 2015
Command line: TestDisk

TestDisk 7.0, Data Recovery Utility, April 2015

OS: Windows 7 (7601) SP1
Compiler: GCC 4.8, Cygwin 1007.34
Compilation date: 2015-04-18T13:01:55
ext2fs lib: 1.42.8, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20120504, curses lib: ncurses 5.9
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sda)=500107862016
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sdb)=2000398934016
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=500107862016
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=2000398934016
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=102164856832
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\D:)=2000396746752
filewin32_getfilesize(\\.\E:) GetFileSize err Incorrect function.

filewin32_setfilepointer(\\.\E:) SetFilePointer err Incorrect function.

Warning: can't get size for \\.\E:
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\F:)=375809638400
Hard disk list
Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63, sector size=512
Disk /dev/sdb - 2000 GB / 1863 GiB - CHS 243201 255 63, sector size=512
Drive C: - 102 GB / 95 GiB - CHS 12420 255 63, sector size=512
Drive D: - 2000 GB / 1863 GiB - CHS 243201 255 63, sector size=512
Drive F: - 375 GB / 350 GiB - CHS 45689 255 63, sector size=512

Partition table type (auto): Intel
Disk /dev/sda - 500 GB / 465 GiB
Partition table type: Intel

Analyse Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63
Geometry from i386 MBR: head=255 sector=63
NTFS at 0/32/33
Info: size boot_sector 407545, partition 407552
NTFS at 58136/44/21
FAT32 at 60787/106/56
Info: size boot_sector 210944, partition 210944
FAT1 : 32-849
FAT2 : 850-1667
start_rootdir : 1668 root cluster : 2
Data : 1668-210943
sectors : 210944
cluster_size : 2
no_of_cluster : 104638 (2 - 104639)
fat_length 818 calculated 818
NTFS at 25/159/7
Info: size boot_sector 199540729, partition 199540736
NTFS at 12446/149/56
Current partition structure:
 1 * hid. HPFS/NTFS           0  32 33    25 126 37     407552

Bad sector count.
 2 E extended                25 126 38 58136  44 20  933548032
 3 P HPFS - NTFS          58136  44 21 60787 106 55   42592256
 4 P FAT32 LBA            60787 106 56 60800 140 12     210944 [HP_TOOLS]
 5 L HPFS - NTFS             25 159  7 12446 117 23  199540736
   X extended             12446 117 24 58136  44 20  734005248
 6 L HPFS - NTFS          12446 149 56 58136  44 20  734003200
 

 

#1441750659 Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63
 1 : start=     2048, size=   407552, Id=17, *
 2 : start=   409600, size=933548032, Id=05, E
 5 : start=   411648, size=199540736, Id=07, L
 6 : start=199952384, size=734005248, Id=05, X
 6 : start=199954432, size=734003200, Id=07, L
 3 : start=933957632, size= 42592256, Id=07, P
 4 : start=976549888, size=   210944, Id=0C, P

 

 

I have attached both logs from Farbar Recovery Scan Tool, but have yet to use Malwarebytes to remove the detected possible rootkit. Please can you help me determine if this is a real rootkit infection, or maybe a false positive, or is it some corruption of the boot sector?
 

If I use malwarebytes to remove this I'm worried the system might not be bootable at restart?
I've used BOOTICE to make a backup of the MBR and PBRs for the partitions.
I'm just a bit stuck as to whether this bad sector count is maybe caused by the rootkit or the detection is a false positive as a result of some corruption in the boot sector or partition table.

Any help here would be appreciated.
 

FRST.txt

Addition.txt

mb result.txt

  • Staff

Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

 

     

    

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Note that we may live in totally different time zones, what may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

 

 


Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on the TDSSKiller icon and select Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automatically. Click on Change parameters and click OK.
  • Click the Start Scan button and wait patiently.
  • If anything is found, follow these guidelines:
    • If a suspicious object is detected, the default action will be Skip, click on Continue.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

      If Cure is not available, please choose Skip instead.

    • Do not choose Delete unless instructed!
    A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.

Many thanks for your swift reply TwinHeadedEagle.
Please find attached the TDSSKiller log, carried out exactly as per instruction. The scan was clean and found nothing. I did this earlier today before I had seen your reply as I was already familiar with the tool, having used Kaspersky and some of their tools previously.

 

TDSSKiller.3.1.0.5_09.09.2015_12.54.14_log.txt

 

After my original posting and before your reply I had found another couple of posts in another section of the forum, false positives I think, whereby another member posted about a similar detection Unknown.Rootkit.VBR. The problem seemed to be related to the fact that the active partition was hidden, as was mine. And after effecting a repair with Malwarebytes another user reported that the whole of their partition had disappeared and it required a TestDisk deep scan to retrieve, while another user was lucky to have a backup image made. So I was fortunate to not have acted straight away to let MB fix the detection.

 

I thus used BOOTICE to unhide the active system partition and remove the drive letter. I also changed the partition ID to 12 as this was listed as Compaq diagnostics. I checked with my backup info from how it was set up when purchased as new direct from HP, and then it had also been set to hidden. The drive structure then looked like this just before the scan with Kaspersky's tool.

 


 


 

The system rebooted and did the scan with TDSSKiller (which was clean). I then did another full scan with Malwarebytes (including rootkits). This time the scan showed as clean (as per attached text log).

 


mb result new.txt

 

Having now logged in and seen your reply I decided to check the partitions and drive structure again. It seems that it has changed, but without my intervention. Possibly caused by the reboot following running TDSSKiller or the scan with Malwarebytes. The active SYSTEM partition is now set as being hidden again, though the partition ID remains at 12 as I had set it.

 


 


 

I think it wise, now I have noticed that the partition is hidden again, to do another full scan with Malwarebytes (which will take another 2-3 hours) and see if it still comes back as clean, or if the detection has returned, then report back.

 

Having now read your instructions I realise it is a tad out of protocol from your post, but I would not want to be wasting your time on untold other scans and investigations if it is likely a false positive caused by some anomaly caused by an error with the drive structure or mislabelling of the partitions. If you have any other suggestions or observations in the meantime I would be grateful to read them.

 


Sorry about the late reply, the forum has been down or I am unable to connect at all from my ISP Virgin Media in the UK. Just spoken to their tech support and they couldn't connect to your site either; I'm thinking they have DNS problems as earlier I had no upload at all, only download. Now connecting via mobile tethering. I have 4G at about 60Mbps but the forums are taking a long time to load, like it is dial up ;-) even when tethering, though at least I can connect, unlike with the cable broadband where the forums are totally offline.

I did another full scan with MBAM as I said and it completed as being totally clean with no detections. So I am thinking that this was a false positive relating to the partition structure somehow. Not exactly sure how as yet but I'll try to look into it further. As others have had the same thing with hidden active partitions, the correct partition ID may be crucial. Nothing changed with MBAM as the definitions were the same for all the scans, as I immediately cut off the internet the moment I had the detection.

Thank you again for your assistance with this and I hope it stays clear. I do regular scans with MBAM so if it reoccurs I'll post back.
Thanks again :-)

  • Staff

Hello,

 

Sorry for my delay - I had a power outage. I was asked to look in on this topic because of a possible false positive.

I see though that you are no longer having the detection. 

 

If it comes back again, please let us know & post a new topic in this forum:
https://forums.malwarebytes.org/index.php?/forum/42-file-detections/

I'll need to gather some additional logs from you in order to further troubleshoot the issue.

 

Thanks!
 



Thanks Tammy

 

When the 199MB OEM SYSTEM partition had an ID of 17 (as a standard hidden NTFS partition) the detection occurred on this, the active partition. When I changed the ID to 12 and also set it as unhidden but with no drive letter, the system re-hid the partition upon a restart. Then a scan had no detection.

If, as has been discussed on other topics, MBAM is set to detect unknown rootkits on hidden active partitions, this could be related to the generic nature of the partition ID, as it didn't occur on ID number 12. The machine was purchased as new by me from HP and I had backups and screenshots of the structure, so when I re-imaged the system a few weeks ago I replicated the original structure and ID of these key partitions.

My thinking is that HP themselves have cocked this up. When I got the laptop I had originally ordered a higher spec version which didn't arrive (they never bothered to tell me either, though took full payment). On querying them they said they no longer had the stock, so I ended up with a lower spec version. Upon examination it appears that the system, though sold as new, had actually been a refurbished model, as the logs showed it had been sysprepped a few times and re-activated. There had been several hardware changes including the CPU as well as changing the version of Windows shipped with the PC.

HP were of no use whatsoever when asking about this and never called or emailed back as promised when queried. My feeling is they were playing a fast one with many machines selling as new when they weren't. It wouldn't surprise me if this still went on.

My point being that I think that the partition ID they had set up when re-imaging these machines must have been set up wrongly at 17 instead of 12, which is Compaq diagnostics, which in turn on restarting and hiding the partition then correctly labels it as an OEM partition where there is no detection.

As these machines are generally imaged and deployed en masse it wouldn't surprise me to hear that other HPs on Windows 7 ended up with the same issue or detection due to an incorrect partition ID on a hidden active partition.

Hope this info at least helps if this crops up with other similar HP machines.
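The partition-type point made in the post above can be checked directly from the MBR. The following Python script is an added example, not code from the thread, from HP, or from Malwarebytes' detection logic: it builds a constructed MBR from the primary entries TestDisk listed earlier in the thread, parses it, and reports when the active partition carries a hidden type id such as 0x17. The hidden-type list, the function names and the layout table are my own assumptions.

```python
import struct

# Standard MBR partition-type ids for "hidden" variants of FAT/NTFS partitions (assumed list).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
COMPAQ_DIAG = 0x12  # Compaq diagnostics / OEM partition id, the value the poster switched to
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type id, CHS end, LBA start, LBA size

# Constructed primary-partition table copied from the TestDisk listing in the thread
# (active flag, type id, LBA start, LBA size); logical partitions live in the EBR chain.
THREAD_LAYOUT = [
    (True, 0x17, 2048, 407552),          # hidden NTFS, active "SYSTEM" partition
    (False, 0x05, 409600, 933548032),    # extended container
    (False, 0x07, 933957632, 42592256),  # NTFS recovery partition
    (False, 0x0C, 976549888, 210944),    # FAT32 LBA HP_TOOLS partition
]

def build_mbr(layout):
    """Build a 512-byte MBR with up to four primary entries (CHS fields set to the LBA marker)."""
    mbr = bytearray(512)
    for i, (active, ptype, start, size) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         0x80 if active else 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", start, size)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def parse_mbr(mbr):
    """Return the non-empty primary entries as dicts; reject sectors without the 0x55AA signature."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    entries = []
    for i in range(4):
        boot, _, ptype, _, start, size = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0x00:
            continue  # unused slot
        entries.append({"slot": i + 1, "active": boot == 0x80,
                        "type": ptype, "start": start, "size": size})
    return entries

def check_active_partition(entries):
    """Flag the condition discussed in the thread: an active partition with a hidden type id."""
    findings = []
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for e in active:
        if e["type"] in HIDDEN_TYPES:
            findings.append(f"slot {e['slot']}: active partition has hidden type id 0x{e['type']:02X}")
    return findings
```

Running the check on a real disk means reading the first 512 bytes of the physical drive with an administrative handle and passing them to parse_mbr; the example deliberately works on the constructed sector only.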

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
