Restoring Image to remove suspected rootkit


wiggers
New Member (12 reputation)
Group: Forum Members
Posts: 9, Visits: 11
I think my hard drive has a serious rootkit. I've tried restoring an image from before when things started going wrong, but it still returns. After a while I can't run anything, not even the command prompt.
Is there a way of restoring an image to overwrite whatever is embedded in the disk?


Seekforever
Expert (662 reputation)
Group: Awaiting Activation
Posts: 417, Visits: 3.5K
If you have such a problem, my guess is that the image has the malware in it. Can you go back further in time?
Nasty code lying in un-used sectors that are not referenced by an executable program cannot do anything - code has to execute to perform its task and if no program tries to run the code it just sits there.

AFAIK, the Reflect program doesn't offer anything that would clean the disk. However, to put your mind at ease you can boot up an alternative system and run a disk-wiping program. You may find one that comes in a bootable environment such as Linux, WinPE, ... Windows chkdsk /r since Vista will zero all the unused sectors in a partition when doing its read check, but your problem can reside in the MBR - I have no idea about the other partitions for GPT and UEFI, so the wipe program is a better option, and then you can treat the disk as a brand new disk to restore your image.

Have you done the typical diagnostics on your machine in case it isn't malware? Such as checking the Windows Event Viewer, running chkdsk /r on all partitions and running a RAM test such as Memtest overnight - overnight in case the bad cells, if any, are intermittent. PCs use RAM with blind faith that it is good; there is no checking that the data was stored correctly on typical PCs. The best RAM test is to substitute known good RAM, but that isn't often an option for most people.




Edited 9 March 2017 5:40 PM by Seekforever
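Seekforever's advice above is to wipe the whole disk from a separately booted environment and then treat it as a brand-new disk before restoring the image. The following is an added example, not code from this thread or from Macrium, and it works on a constructed file-backed image rather than a real device: it plants an MBR-style boot signature and a few junk bytes in an otherwise unused sector, zeroes the image with dd, and then verifies that nothing survives, the boot-sector bytes included. The function names and the image layout are my own assumptions; the same two checks are what you would run against the real device from the rescue environment to confirm the wipe actually covered the MBR and the unused sectors.

```shell
#!/bin/sh
# Added example (not part of the forum thread): exercise a full zero-wipe on a
# constructed file-backed image so nothing here touches a real disk.

# Build a 1 MiB sample image (sector-aligned): zeros everywhere, a boot-sector
# signature (0x55 0xAA at bytes 510-511, as on an MBR) and 4 junk bytes in
# sector 1000 standing in for "nasty code in an unused sector".
make_sample_image() {
  dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
  printf 'junk' | dd of="$1" bs=512 seek=1000 conv=notrunc 2>/dev/null
}

# Succeed (exit 0) when bytes 510-511 hold the 55 AA boot signature.
has_boot_signature() {
  sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$sig" = "55aa" ]
}

# Print how many 512-byte sectors still contain any nonzero byte.
# cmp -l lists every byte that differs from /dev/zero (1-based offsets);
# awk buckets those offsets by sector and counts the distinct sectors.
count_nonzero_sectors() {
  cmp -l "$1" /dev/zero 2>/dev/null |
    awk '{ s[int(($1 - 1) / 512)] = 1 } END { n = 0; for (k in s) n++; print n }'
}

# Overwrite every sector of the image with zeros, in place (the image is
# assumed to be a whole number of 512-byte sectors, as a real disk is).
wipe_image() {
  size=$(wc -c < "$1")
  dd if=/dev/zero of="$1" bs=512 count=$((size / 512)) conv=notrunc 2>/dev/null
}

# Demonstration on a throwaway image: dirty before, clean after.
demo() {
  img=$(mktemp)
  make_sample_image "$img"
  printf 'before wipe: boot signature present=%s, dirty sectors=%s\n' \
    "$(has_boot_signature "$img" && echo yes || echo no)" "$(count_nonzero_sectors "$img")"
  wipe_image "$img"
  printf 'after wipe:  boot signature present=%s, dirty sectors=%s\n' \
    "$(has_boot_signature "$img" && echo yes || echo no)" "$(count_nonzero_sectors "$img")"
  rm -f "$img"
}

demo
```

The point of counting dirty sectors rather than just checking the boot signature is the one Seekforever makes: a wipe that only clears the MBR leaves whatever sat in unused sectors untouched, so the second check should read zero before the restore is started.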
wiggers
New Member (12 reputation)
Group: Forum Members
Posts: 9, Visits: 11
Thanks for the suggestions. I have run a single pass of Memtest, not conclusive I know but that was OK. It's actually a friend's PC and the next previous backup is about a year old. :-( That was one of the problems I was trying to fix. Windows backup had stopped working because the SYSTEM RESERVED partition was too small (old system) and Windows Update had also stopped working for the same reason I suspect. I have an Ubuntu installation CD so I'll try a wipe with that. I have booted from an AVG rescue disk and run several different scans, but it found nothing. Interestingly, when I tried to boot from a Windows 10 installation disk it came up with an error (device disconnected) but when I tried again I couldn't boot to the CD, it kept going to the hard drive even after pressing F12 and selecting the CD! Could the BIOS be infected now?

Cheers.


Seekforever
Expert (662 reputation)
Group: Awaiting Activation
Posts: 417, Visits: 3.5K
Yes, it could be a BIOS virus but they really aren't that common. A more likely cause of it being disconnected and then not booting from CD is that the drive or port is bad. If it can't see or read the CD it goes to the next device in the boot order.

I think BIOS viruses are generally rectified by reflashing the BIOS from a fresh one downloaded on a different PC. PCs often have a recovery BIOS to revert to in case the main one goes bad; have a look in the motherboard documentation about this and you might access it but since it is on the motherboard one might assume a clever virus infected it also so a reflash would be a better solution.

I know there are a lot of PC viruses around and people visit risky sites, but OTOH there are a lot of faults attributed to viruses that were really software or hardware issues. The system gets wiped and the software reinstalled and it works, so the assumption is "we got rid of the virus" rather than "we corrected the conflict".
You may well have a virus, but don't let it put blinders on such that you don't consider other, and often simpler, causes.

When you think you have Windows restored after disk cleaning:
Another thing you might want to pursue is Windows System File Checker, but if it finds corrupt files, Windows Update has to be able to run to download new copies of any bad files. There is also a Windows Update Fix tool you can find at Microsoft to fix that (not always).


wiggers
New Member (12 reputation)
Group: Forum Members
Posts: 9, Visits: 11
Thanks again. I took your advice and installed Ubuntu. I then restored the backup again but, as you suspected, it still had the infection. But I was able, this time, to boot from the Windows installation disk and reset the operating system. This seems to have done the trick, fingers crossed!

The main symptoms of the infection were that the control panel for Avast would immediately close after opening and Windows Update would not run, it just returned an error. When I ran AdwCleaner it found 30 suspect registry entries. When I researched them they were indications of infection; a bunch of them were to do with protector.dll. When I deleted those registry entries nothing would run, not even cmd, and even trying to run AdwCleaner from a CD returned an error. The only way to shut down was with the physical power button held for 10s.

Cheers!


Seekforever
Expert (662 reputation)
Group: Awaiting Activation
Posts: 417, Visits: 3.5K
Glad you are running and I hope it keeps running properly!