Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Recovery partition also infected by rootkit, att. Deltalima.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Recovery partition also infected by rootkit, att. Deltalima.

Unread postby Ronski » May 19th, 2013, 11:52 pm

This is not a request for help, more as to give some information that it is possible for laptop recovery partition to be infected by rootkit. I was helped previously by Deltalima, see post here;

viewtopic.php?f=11&t=61795

I was always intending to use win 7 disks and do a complete re format of the drive, but first I just did a factory reset, this formated the C: drive and put everything back to factory defaults. Then I ran the DDS and the results were as before with possible rootkit warning.

=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: ST9500420AS rev.0003HPM1 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x83A41000]<< >>UNKNOWN [0x8C630000]<< >>UNKNOWN [0x8D190000]<< >>UNKNOWN [0x8D155000]<< >>UNKNOWN [0x83A0A000]<< >>UNKNOWN [0x8C4CD000]<< >>UNKNOWN [0x8C741000]<< >>UNKNOWN [0x8C5C9000]<< >>UNKNOWN [0x8C7C4000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x83A77BC5] -> \Device\Harddisk0\DR0[0x87812AC8]
\Driver\Disk[0x878637D8] -> IRP_MJ_CREATE -> 0x8C63439F
3 [0x8C63459E] -> ntkrnlpa!IofCallDriver[0x83A77BC5] -> [0x869C1270]
\Driver\hpdskflt[0x878497D8] -> IRP_MJ_CREATE -> 0x8D156FB0
5 [0x8D157090] -> ntkrnlpa!IofCallDriver[0x83A77BC5] -> [0x876BE918]
\Driver\ACPI[0x86927258] -> IRP_MJ_CREATE -> 0x8C4D64CC
7 [0x8C4D63D4] -> ntkrnlpa!IofCallDriver[0x83A77BC5] -> \Device\Ide\IdeDeviceP0T0L0-0[0x8770C030]
\Driver\atapi[0x876DFC88] -> IRP_MJ_CREATE -> 0x8C75B8CC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV ES, AX; MOV DS, AX; MOV SI, SP; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; JMP FAR 0x0:0x660; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !


I then used the win 7 disk and removed the system and recovery partitions and installed Windows from scratch, on the unallocated space of the drive.

This now comes back clean, and everything is ok.

I thought I would post this for information purposes only, to show that the recovery or system partition can be infected.

Thanks again to Deltalima.

Best regards,

Ron.
.
Ronski
Regular Member
 
Posts: 118
Joined: August 5th, 2008, 9:31 pm
Advertisement
Register to Remove

Re: Recovery partition also infected by rootkit, att. Deltal

Unread postby deltalima » May 20th, 2013, 3:06 am

Hi Ronski,

Thanks for the update. Glad to hear all is sorted.

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 27 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware