I was always intending to use the Win 7 disks and do a complete reformat of the drive, but first I just did a factory reset. This formatted the C: drive and put everything back to factory defaults. Then I ran DDS, and the results were as before, with a possible rootkit warning.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: ST9500420AS rev.0003HPM1 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x83A41000]<< >>UNKNOWN [0x8C630000]<< >>UNKNOWN [0x8D190000]<< >>UNKNOWN [0x8D155000]<< >>UNKNOWN [0x83A0A000]<< >>UNKNOWN [0x8C4CD000]<< >>UNKNOWN [0x8C741000]<< >>UNKNOWN [0x8C5C9000]<< >>UNKNOWN [0x8C7C4000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x83A77BC5] -> \Device\Harddisk0\DR0[0x87812AC8]
\Driver\Disk[0x878637D8] -> IRP_MJ_CREATE -> 0x8C63439F
3 [0x8C63459E] -> ntkrnlpa!IofCallDriver[0x83A77BC5] -> [0x869C1270]
\Driver\hpdskflt[0x878497D8] -> IRP_MJ_CREATE -> 0x8D156FB0
5 [0x8D157090] -> ntkrnlpa!IofCallDriver[0x83A77BC5] -> [0x876BE918]
\Driver\ACPI[0x86927258] -> IRP_MJ_CREATE -> 0x8C4D64CC
7 [0x8C4D63D4] -> ntkrnlpa!IofCallDriver[0x83A77BC5] -> \Device\Ide\IdeDeviceP0T0L0-0[0x8770C030]
\Driver\atapi[0x876DFC88] -> IRP_MJ_CREATE -> 0x8C75B8CC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV ES, AX; MOV DS, AX; MOV SI, SP; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; JMP FAR 0x0:0x660; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
I then used the Win 7 disk, removed the system and recovery partitions, and installed Windows from scratch on the unallocated space of the drive.
This now comes back clean, and everything is OK.
I thought I would post this for information purposes only, to show that the recovery or system partition can be infected.
Thanks again to Deltalima.
Best regards,
Ron.