rdurost

Scan for Rootkits on External Drive


I'm working on a friend's desktop PC running Windows 7 Home x86.

Malwarebytes and ADWcleaner both crash without information during scans.  Something seems to be blocking those and other misc attempts at cleaning up the machine.  I suspect a rootkit.

I have removed the hard disk and used a USB dock to attach it to my own Windows 7 x64 desktop.   CHKDSK and sfc/ scannow both come up clean.  Malwarebytes comes up clean, but it is apparently unable to scan for rootkits on external drives, as is ADWcleaner.

I haven't tried any of the Windows command-line MBR tools yet, hoping that fans of my favorite anti-malware tools will suggest a more systematic approach.

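The opening post mentions the Windows command-line MBR tools without trying any, and the rest of the thread stays inside GUI scanners. As an added example that is not part of this thread and is not Malwarebytes or ESET code, the Python script below performs the offline check a defender would want on a drive sitting in a USB dock: it reads the first sector of a raw device or disk image, verifies the 0x55AA boot signature, parses the four partition-table entries, flags overlapping or multiply-bootable entries, and compares a SHA-256 of the 440-byte boot-code region against a known-good hash recorded from a clean install of the same Windows version. The sample MBR bytes, the device path and the baseline hash are constructed for the example; on Windows the script must run from an elevated prompt to open a physical drive.

```python
"""Offline MBR sanity check for a docked drive (added example, not from the thread)."""
import hashlib
import struct
import sys
from typing import Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439: boot code; 440-443: disk signature; 446-509: partition table
PART_TABLE_OFF = 446
BOOT_SIG_OFF = 510


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature, partitions and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, known_good_boot_hash: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means no MBR anomaly was detected."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature: sector is not a valid MBR")
    if known_good_boot_hash and info["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code hash differs from the known-good baseline")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition is flagged bootable")
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at LBA 0, inside the MBR itself")
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                    for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def read_mbr(path: str) -> bytes:
    """Read sector 0 of a raw device or image, e.g. r'\\\\.\\PhysicalDrive1' on Windows (assumed path; needs admin)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: a few boot-code bytes plus two non-overlapping NTFS partitions."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xeb\x63\x90"                     # constructed, so the boot-code region is not all zeros
    struct.pack_into("<I", sector, 440, 0x1234ABCD)   # constructed disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16, 0x00, 0x07, 206848, 100000)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # usage: python mbr_check.py <device-or-image> [known-good-boot-code-sha256]
    sector = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    baseline = sys.argv[2] if len(sys.argv) > 2 else None
    for line in check_mbr(sector, baseline) or ["no MBR anomalies found"]:
        print(line)
```

The baseline hash is the part that turns this from a format check into a detection: record `boot_code_sha256` from a drive you trust, then any later difference in those 440 bytes is worth a closer look, whereas the partition-table checks only catch gross corruption. A clean MBR does not clear the drive of a rootkit, which may live in the VBR or in a driver instead, so this complements rather than replaces the scanners discussed in the thread.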

Hi :welcome:

Does the USB-dock drive get an assigned drive letter? It should. Look at it via Windows Explorer to determine.

You just need to start a CUSTOM scan in Malwarebytes for Windows. Then, going carefully, drill through the options, select the proper drive AND check the box to select "scan for rootkits".

My one concern is this statement:

> Malwarebytes and ADWcleaner both crash without information during scans.

2 hours ago, Maurice Naggar said:

> Hi :welcome:
> Does the USB-dock drive get an assigned drive letter? It should. Look at it via Windows Explorer to determine.
> You just need to start a CUSTOM scan in Malwarebytes for Windows. Then, going carefully, drill through the options, select the proper drive AND check the box to select "scan for rootkits".
> My one concern is this statement...

------------------------------------

An MB Custom scan allows you to pick a different drive letter (in my case F), but the poorly-worded prompts imply that if you check "rootkit scan" you must select the C:\ drive because that's the only drive that can be scanned for rootkits. I would love to be proven wrong.

By the way, I HATE the new 4.x interface. It offers NOTHING new, but requires one to learn once again where all the settings are to be found.

Very typical for "new" software versions these days--if you have nothing new to offer, please don't require me and my elderly clients to learn a whole new interface.

Even if you DO have something new and more effective to offer, please resist the temptation to turn the interface designers loose to ***** up everything that the huge majority of your ordinary customers have learned at great cost just to parade it.  Grow the ***** up, in other words.

No disrespect to whoever you are, trying to help me--I appreciate that very much.

 


Once at the initial Custom scan window, the check-box for "scan for rootkits" is clear.

[screenshot: Custom scan window with "scan for rootkits" unchecked]

One needs to click on the check box for that, so it is ON. Like this:

[screenshot: Custom scan window with "scan for rootkits" checked]

One needs to pick (check-mark) the drive letter for the drive to be scanned. Such as this:

[screenshot: Custom scan drive-letter selection]


Yes, and when you make the selections as above, when you hit Scan, you get the dialog shown below.

I take this to mean that Malwarebytes only thinks rootkits are to be found on the local system drive, and not on external drives.

[screenshot: Rootkit.jpg, the dialog shown when starting a rootkit scan with an external drive selected]


If I do check the System drive as well as the external one and run the scan, the log report shows nothing to indicate one way or another that the external drive was scanned for rootkits.


Would you kindly locate the scan report and attach a copy of it, so I can review it.

https://support.malwarebytes.com/docs/DOC-3541

Would you then replace the drive back in the host system? I presume that one has Malwarebytes for Windows installed on it.

Then do a new scan on that system & also attach the new report.

In addition, it would be a good idea to scan with a different tool, and then let's see that report.

I would suggest a free scan with the ESET Online Scanner.
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page. Click Scan Now.
It will start a download of "esetonlinescanner_enu.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double-click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for scan type, click on Full scan.
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 


P.S. Malwarebytes has a special tool that you should try, as well.

Please read all of these lines first so that it is all clear to you about our plan. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here and save it to your desktop.

Double-click on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click 'Next' if you agree.
• On the Update Database screen, click on the 'Update' button.
• Once you see 'Success: Database was successfully updated', click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.
  
 


Not good at all, to be honest.  Despite trying too many things to even mention, the machine is still acting very strangely, even when I try to initiate a completely fresh install by booting from Windows 10 DVD, deleting all existing partitions on the hard disk, and going from there.

My next plan is to look into problems with the power supply, since I see that this one is a used one I had used when the OEM one failed a couple of years ago.

Richard

 


Hello. I regret to learn this latest news.

There is a good article at Tenforums on how to do a repair install in place for Windows 10, using the download from Microsoft.

https://www.tenforums.com/tutorials/16397-repair-install-windows-10-place-upgrade.html


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
