
heuristic.possible.mbr rootkit (A)



Gday,

During the deep scan (and no other scans report this) the following was brought to my attention:

Heuristic.Possible.MBR Rootkit (A)

The following could not be removed: \DosDevices\Physical Drive 1-Rootkits can't be removed automatically.

I followed the instructions found here:

http://support.emsisoft.com/topic/9307-heuristicpossiblembrrootkit-a/

The TDSSKiller did not detect the Rootkit - the rest of the instructions seemed tailored to that PC so did not continue.

I have also tried Malwarebytes Anti-Malware scan which also did not turn up any results.

My guess is it is just the eRecovery partition of the Acer Aspire 8950G, however I have experienced one other issue with the PC that makes me think twice.

Internet explorer will not access the internet unless the 64 bit version is run. An error appears (I can't remember the exact error) only on the 32 bit version, while Chrome and IE64bit work as normal.

I have followed the instructions here: http://support.emsisoft.com/index.php?/forum-6/announcement-2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/

The 3 files have been zipped together and are attached.

Cheers for any assistance,

Jordan


Hi and welcome!!

I know you said you already ran it but I would like to see a fresh log on this. :)

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
  • Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct items.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------


Hi,

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.


----------


Hi,

I don't believe there is a rootkit problem. I want to get one more scan to validate this though...

Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please attach the contents of that file.

----------

I see that you have some entries that need to be removed in Google Chrome. The fastest and easiest way to do this is to just uninstall Google Chrome by going to Start >> Control Panel >> Programs and Features and then uninstall Google Chrome.

Once completely uninstalled, you can download and install a fresh copy from here.

----------

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.

----------

Run OTL.exe

  • Copy/paste the following text written inside of the quote box into the Custom Scans/Fixes box located at the bottom of OTL

    :Services
    :OTL
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
    O33 - MountPoints2\{097fcd3f-9562-11e1-a022-60eb69d8488c}\Shell - "" = AutoRun
    O33 - MountPoints2\{097fcd3f-9562-11e1-a022-60eb69d8488c}\Shell\AutoRun\command - "" = "H:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{80db6d15-d624-11e1-9a60-60eb69d8488c}\Shell - "" = AutoRun
    O33 - MountPoints2\{80db6d15-d624-11e1-9a60-60eb69d8488c}\Shell\AutoRun\command - "" = H:\HTC_Sync_Manager_PC.exe
    O33 - MountPoints2\{bbe2fa72-d23a-11e1-9792-60eb69d8488c}\Shell - "" = AutoRun
    O33 - MountPoints2\{bbe2fa72-d23a-11e1-9792-60eb69d8488c}\Shell\AutoRun\command - "" = H:\HTC_Sync_Manager_PC.exe
    O33 - MountPoints2\H\Shell - "" = AutoRun
    O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\HTC_Sync_Manager_PC.exe
    [2012/09/25 12:49:19 | 000,000,000 | ---D | C] -- C:\Users\anna\AppData\Local\Ilivid Player
    [2012/09/25 12:49:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Searchqu Toolbar
    [2012/09/25 12:47:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iLivid
    [2012/09/25 12:49:19 | 000,000,989 | ---- | M] () -- C:\Users\Public\Desktop\iLivid.lnk
    :Files
    ipconfig /flushdns /c
    :Commands
    [emptytemp]
    [resethosts]
    [clearallrestorepoints]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and attach a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

----------

2 weeks later...

Hi,

Let's keep going and check to see if anything else is hiding. :)

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

----------

Please download Malwarebytes Anti-Malware to your desktop.

  • Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan as shown below.
    [screenshot: mbam-1.jpg]
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

The log can also be found here:

Windows 2000 & Windows XP:

C:\Documents and Settings\<USERNAME>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Windows Vista & Win7:

C:\Users\<USERNAME>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs

----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

----------


Hi,

So this rootkit is all that remains of our troubles.
I don't see anywhere a rootkit. :)

----------

Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

----------

Clean up with OTL:

  • Right-click and Run as Administrator OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

If you didn't already have it I would keep Malwarebytes AntiMalware though.

Here are some tips to reduce the potential for spyware infection in the future:

1. Internet Explorer. Even if you don't use it as your main browser it should be kept up-to-date because that is the browser Windows uses for updates.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

2. Firefox. If you use Firefox, I recommend installing the following add-ons to help make your Firefox browser more secure:

NoScript

AdBlock Plus

3. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:

  • Open Internet Explorer
  • Click on Tools > Internet Options
  • Press Security tab
  • Select Internet zone then place check next to Enable Protected Mode if not already done
  • Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
  • Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

4. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

5. Firewall

Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. I would personally only recommend using one of the following two below:

Online Armor Free

Agnitum Outpost Firewall Free

6. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

7. WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8. Finally, I strongly recommend that you read How to Prevent Malware found here and also PC Safety and Security - What Do I Need?.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.


Hey Jeffce,

We've been through your instructions, but doing a "Smart" Emsisoft scan still returns the Possible Rootkit we originally mentioned.

I have attached screenshots of the detection, trying to quarantine (Image002) and delete (Image003)

Do we just ignore this message from here on in?

Cheers,

Jordan


Hey Jeffce,

You have not convinced me that these scans are going to be at all worthwhile, especially considering the fact that we have already run 2 of the 3 programs and not made any alterations to the boot record. I fully understand that we need to be thorough when investigating issues like this however I do not have access to the PC at all times and it is very frustrating having to constantly come back to say "we have another 1,2 or 3 programs to run then hopefully we can get a result" to my friend I am helping. Is there no way to send any scanning programs first, then any program that will fix something can be run then the scanning programs being run again? This piecemeal approach is simply not working for us and has proven so far to be a complete waste of time as we are still where we started.

Can you please either justify why these scans will be different from the first time we ran them, else please escalate this to Emsisoft as it is their Online Armour software that is continually generating a false positive here.

It wasn't always being detected, so the latest definitions from the last 2 weeks of September will contain the change that has resulted in the false positive.

Cheers,

Jordan


Jordan,

There is no piecemeal approach to malware detection & removal. The tools Jeffce is having you run, have slight differences in their abilities. Where one tool may not detect malware, another tool might detect malware.

A heuristic detection on the MBR means that the MBR does not match known good and infected MBRs, which requires further investigation. It is not a False Positive, per se.

With that said you have Memeo Instant Backup installed on that system. Backup & recovery applications often modify the MBR and such modifications will trigger a heuristic detection on the MBR, as the MBR does not match known good or infected MBRs.


Hello Kevin,

Thanks for the quick reply, I appreciate the info but you have not answered my question.

I understand that there is work to be done to determine whether it is a threat or not but how can you justify running those same scanners (aswMBR and also TDSSKiller) twice when the boot record has not been modified yet? I am remotely assisting someone with this issue, and that seems like very liberal use of our time.

My other question was the overall outcome of all of these tests, specifically if we do not find any malicious data will this be passed over to Emsisoft to prevent the heuristic detection? It will have been a change made around the end of September.

Cheers,

Jordan


I would need a copy of the MBR from the system in question. I will forward it to our developers. That way they can take a look at it and create a signature for the MBR.

Please download Emsisoft MBR Master from this link (make sure to save it on your desktop), and follow the instructions below to get me an MBR dump and a log:

  1. Open the Emsisoft MBR Master file that you saved on your desktop (the default file name is mbrmastr).
  2. Click on the Backup MBR button in the lower-right corner.
  3. Save the backup of your MBR on your desktop (you can name it whatever you want).
  4. Close Emsisoft MBR Master, and a log file will be saved on your desktop.
  5. Please right-click on the MBR backup that you saved on your desktop, go to Send to, and select Compressed (zipped) folder in order to zip the file so that it can be attached to a reply. Note that you can use something such as 7-Zip, WinZip, WinRar, etc. if you would prefer.
  6. Please attach both the log and the zipped MBR backup to a reply by using the More Reply Options button to the lower-right of where you type in your reply.


The MBR appears to be OK. As stated earlier that system is using backup/recovery software which has altered the MBR. The nature of the alteration and the methods used to hide it from the OS have triggered a heuristic detection. We use 2 methods to read the MBR and if the results differ then an alert is triggered because it mimics rootkit-like behavior.

You can safely ignore the detection, whether or not a signature will be released for this specific MBR I can not answer.

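An illustration of the two-read heuristic Kevin describes, added here and not Emsisoft's own code: it decodes a 512-byte MBR dump of the kind MBR Master's Backup MBR button produces (signature, bootstrap code hash, partition table), then compares two views of the same sector region by region and reports a mismatch as rootkit-like. How the two views are obtained is out of scope and assumed; they are passed in as bytes, and the sample MBRs are constructed inline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# Byte ranges of the three MBR regions: bootstrap code, partition table, signature.
REGIONS = {"bootstrap_code": (0, 446), "partition_table": (446, 510), "signature": (510, 512)}


def parse_mbr(mbr: bytes) -> dict:
    """Decode a 512-byte MBR dump: signature check, hash of the bootstrap code,
    and the non-empty entries of the four-slot partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"valid_signature": mbr[510:512] == BOOT_SIGNATURE,
            "code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": partitions}


def diff_regions(read_a: bytes, read_b: bytes) -> list:
    """Name the MBR regions where two reads of the same sector disagree."""
    return [name for name, (lo, hi) in REGIONS.items() if read_a[lo:hi] != read_b[lo:hi]]


def assess(read_a: bytes, read_b: bytes) -> str:
    """Mimic the two-read heuristic: a mismatch between the views is rootkit-like
    behaviour (something is filtering what the OS sees) and warrants manual review."""
    if not parse_mbr(read_a)["valid_signature"]:
        return "invalid MBR signature"
    differing = diff_regions(read_a, read_b)
    if differing:
        return "possible MBR rootkit: reads differ in " + ", ".join(differing)
    return "clean"

def build_sample_mbr(code_fill: int) -> bytes:
    """Constructed sample (not taken from the thread): filler bootstrap code, one
    bootable NTFS partition (type 0x07) starting at LBA 2048, valid signature."""
    code = bytes([code_fill]) * 446
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

if __name__ == "__main__":
    clean = build_sample_mbr(0x90)
    filtered = build_sample_mbr(0xCC)   # second read returning different bootstrap code
    print(assess(clean, clean))          # clean
    print(assess(clean, filtered))       # possible MBR rootkit: reads differ in bootstrap_code
```

A backup/recovery hook that presents one view of the sector to the OS and another to a lower-level read lands in the same "reads differ" branch as a real bootkit, which is why the detection is heuristic and needs the manual MBR review the thread goes through.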