Author Topic: MBR rootkit ? (Read 17761 times)

Dave Kimble · « **Reply #15 on:** June 22, 2012, 11:19:55 PM »

Yes, I have that menu entry.
It freezes.

In fact I have tried every menu entry, and the only ones that don't freeze are Safe Mode and Safe Mode with Command Prompt.

essexboy · « **Reply #16 on:** June 22, 2012, 11:59:21 PM »

OK that scotches the idea of the video driver

Do you have a restore point set prior to the onset of this ?

Dave Kimble · « **Reply #17 on:** June 23, 2012, 12:11:26 AM »

I don't have any System Restore points left that I have any confidence in.
The SATA drive which we are currently testing, is already a restored system image, and that got re-infected at the next reboot, so I don't hold much hope for a System Restore.
If something was hiding in the MBR, is anything we have done aimed at trying to clear it out ?

essexboy · « **Reply #18 on:** June 23, 2012, 12:18:53 AM »

I have checked the MBR and it is reporting clean along with the rest of the scans .. I feel it is a windows system problem

Have you run sfc /scannow from an elevated command prompt ?

Dave Kimble · « **Reply #19 on:** June 23, 2012, 01:54:39 AM »

Yes, it was clean.
CHKDSK C: /f didn't work, the mirror has a bitmap error, but the repair needs a restart and it freezes before it can run the repair.

essexboy · « **Reply #20 on:** June 23, 2012, 01:25:27 PM »

Quote

CHKDSK C: /f didn't work, the mirror has a bitmap error, but the repair needs a restart and it freezes before it can run the repair.

Are you running a raid ? If so then there is a drive problem that does need to be repaired

Dave Kimble · « **Reply #21 on:** June 24, 2012, 04:03:41 AM »

In my last post I meant the mirrored MFT on C: ,
these tests have been with only one drive attached, the SATA drive.

However, yes, under normal circumstances, when I have SATA, SSD and USB drives attached,
I do run with RAID-1 (software) MirrorFolder.
The idea is that if my SSD dies (which it has done in the past) the SATA drive will take over on reboot.

I have just booted into Normal Mode with the old pATA drive OK,
then booted again with pATA (C:) and SSD (H:),
formatted H:, mirrored C: to H:, rebooted (which updates the registry at start-up),
and then disconnected the pATA drive and rebooted from SSD (as C:).
This works more or less OK.

There are some wrinkles though -
1. the hard drive light is permanently on dimly, and brightly when disc activity is happening
2. a hidden partition of 100 MB has appeared on SSD, I have made it visible as V:, it doesn't have anything in it apart from System Volume Information. Was it always there ?
3. Windows Update gets stuck on 4 updates to .NET Framework 4
4. X-lite, which I think uses .NET 4, won't run or uninstall.

If this makes more sense to you than it does to me, let me know, otherwise I am still working on it.

essexboy · « **Reply #22 on:** June 24, 2012, 12:48:42 PM »

OK the 100Mb partition is the Vista/7 version of the recovery console, this will allow repairs and analysis without using the CD
Screenshot attached

Dot net has always been a problem, when one update gets stuck then the whole thing crumbles

http://support.microsoft.com/kb/306160

Do you feel it is a problem with the SSD drive ?

Dave Kimble · « **Reply #23 on:** June 24, 2012, 04:55:18 PM »

The SSD was doing exactly the same thing as SATA, so its unlikely to be anything wrong hardware-wise.

I have several boot disks with Linux on them, and none of them get very far, even in non-install mode - they load for 30 seconds or so and then freeze, and the CD-drive then doesn't eject until after reset.

Win 7 on SSD plus USB is running usably with the hard drive light on dimly. Resmon can't detect anything weird happening.
A number of things don't uninstall properly, and Office 2007 only installs on C: and doesn't give the option of installing elsewhere.

Out of curiosity, how do you write something that finds rootkits ? And why can't something like that be built into Windows ?

essexboy · « **Reply #24 on:** June 24, 2012, 05:26:54 PM »

Quote

how do you write something that finds rootkits ?

For that you would need to ask the programmers, I just use their tools

Quote

And why can't something like that be built into Windows ?

MS is continually working to make it more difficult for rootkits to install, but as they need to allow software writers to use the OS they must allow some leeway... Otherwise you will get to the state of Apple, where software is only released for a Mac after apple have looked at it (increasing the price on the way)

Quote

I have several boot disks with Linux on them, and none of them get very far, even in non-install mode - they load for 30 seconds or so and then freeze, and the CD-drive then doesn't eject until after reset

. Is there a Linux version designed to work on SSD

As it stands at the moment I can see no malware on the system

Dave Kimble · « **Reply #25 on:** June 25, 2012, 06:30:58 AM »

I just solved the dim HDD light.
To disconnect the old pATA drive, I only removed the power cord. On removing the pATA cable the light went out.

X-lite now uninstalls too.

CHKDSK C: now says the MFT is clean.

.NET 4 updates install OK.

I feel that everything is working properly now on SSD.
I'll add SATA drive next and mirror to that.

Dave Kimble · « **Reply #26 on:** June 25, 2012, 09:18:04 AM »

That went OK, so MirrorFolder is mirroring C: on SSD to S: on SATA in RAID-1 mode OK.
I then set up MirrorFolder to mirror C: to K: on USB every 24 hours.
It does its first synchronisation straight away,
and at what I assume was the end of the task, it dies with a BSOD,
"A thread tried to release a resource it did not own"
STOP 0x000000E3 (0x... , 0x... , 0x... , 0x... )
and it did it again when I restarted and retried it.
Switched off mirroring C: to K: .
Event Viewer shows 69 Errors in the last hour, 2,728 in the last 24 hours.

I despair of Windows.

essexboy · « **Reply #27 on:** June 25, 2012, 07:22:59 PM »

The stop code indicates either an NTFS failure on the drive in question which a chkdsk should cure it or it is related to Microsoft update KB971486

The more probable cause is the NTFS failure

Dave Kimble · « **Reply #28 on:** June 26, 2012, 12:42:01 AM »

CHKDSK reports everything is OK on both C: on SSD and K: on USB,
although none of the reported statistics agree, which they should if the mirroring had completed ok (shouldn't they ?).
http://support.microsoft.com/kb/971486 says that fix is not applicable to Win 7.

I tried to get into Windows Update to see if I could see anything like that,
but clicking the shortcut in Start > All Programs > Windows Update it says "C:\windows\system32\wupdmgr.exe is missing" .
It worked OK yesterday.
Windows Explorer confirms this, although looking at my other machines, there is no such file there either.

The shortcut targets "%SystemRoot%\system32\wupdmgr.exe"
whereas on the other machines it points to "%windir%\system32\wuapp.exe startmenu"
From a Command prompt "C:\windows\system32\wuapp.exe startmenu" brings up the dialog.
Looking at Update History, there is no sign of KB971486.

Dave Kimble · « **Reply #29 on:** June 26, 2012, 03:51:29 AM »

Duh - the error was on S: on SATA.
chkdsk S: /f output attached

Author Topic: MBR rootkit ? (Read 17761 times)

Dave Kimble

Re: MBR rootkit ?

essexboy

Re: MBR rootkit ?

Dave Kimble

Re: MBR rootkit ?

essexboy

Re: MBR rootkit ?

Dave Kimble

Re: MBR rootkit ?

essexboy

Re: MBR rootkit ?

Dave Kimble

Re: MBR rootkit ?

essexboy

Re: MBR rootkit ?

Dave Kimble

Re: MBR rootkit ?

essexboy

Re: MBR rootkit ?

Dave Kimble

Re: MBR rootkit ?

Dave Kimble

Re: MBR rootkit ?

essexboy

Re: MBR rootkit ?

Dave Kimble

Re: MBR rootkit ?

Dave Kimble

Re: MBR rootkit ?