cancel
Showing results for 
Search instead for 
Did you mean: 

Malwarebytes finding Rootkits - whatever they are

FIXED
penneck
Rising Star
Posts: 772
Thanks: 25
Registered: ‎03-08-2007

Malwarebytes finding Rootkits - whatever they are

I've been using Malwarebytes for a long time, but just lately every run finds two Rootkits which it describes as MalWare. I don't just quarantine these, I get Malwarebytes to delete them. However, even if I reboot immediately after, and run Malwarebytes again, it still finds them. Is there something that Malwarebytes isn't finding, that reinstalls these Rootkits as my pc reboots? Any other suggestions?

Thanks for any help

27 REPLIES
Community Veteran
Posts: 3,816
Thanks: 449
Fixes: 6
Registered: ‎05-04-2007

Re: Malwarebytes finding Rootkits - whatever they are

Rootkits are nasty, either Malwarebytes is playing up (reporting false positives) or it would suggest it is not removing them.
I don't know what device you're using, I assume a PC - but first thing it to back up all your data (just in case).

It could possibly be a dodgy update, so is reporting a problem which isn't there. Or you may have them.

I've also known AV software to identify genuine applications to be a problem. You could try another AV software to test.

If you can post more detail on what it says it is finding someone here can help.

Community Veteran
Posts: 5,671
Thanks: 1,565
Fixes: 37
Registered: ‎16-10-2014

Re: Malwarebytes finding Rootkits - whatever they are

@penneck

What are the names of these rootkits?

What OS are you running?

Community Veteran
Posts: 4,915
Thanks: 139
Fixes: 25
Registered: ‎14-07-2009

Re: Malwarebytes finding Rootkits - whatever they are

A rootkit is essentially a virus that is very deeply embedded in the workings of your computer and so particularly hard to remove.   Typically they start running at a very early stage of the Windows boot process.  If you have two then they probably operate a buddy system so that if one gets removed then the other resurrects it.  Your best hope of getting rid of them is an offline virus scan so that they are not active during the removal attempt - but there is some danger that the scanner might remove the viruses but not correct the settings so the computer then completely fails to start.     

Community Veteran
Posts: 3,816
Thanks: 449
Fixes: 6
Registered: ‎05-04-2007

Re: Malwarebytes finding Rootkits - whatever they are

I thought Rootkits directed the Windows API calls to a non Windows function by changing the kernal to a different address, so it would call another.

Main advice is to back all your personal data.

It's not nice for the OP at the moment, but I remember reading this Sony article:

https://blogs.technet.microsoft.com/markrussinovich/2005/10/31/sony-rootkits-and-digital-rights-mana...

I would get all your data off, wipe the computer and re-install the OS from scratch (pain I know).

penneck
Rising Star
Posts: 772
Thanks: 25
Registered: ‎03-08-2007

Re: Malwarebytes finding Rootkits - whatever they are

I have taken a screen print of the Malwarebytes report, but cannot figure out how to attach it to this post. It is a pdf file, but if I try using the 'Insert Photo' thing just above here, it complains about it not being a supported type. That is in spite of seeming to say that pdf files are acceptable.

 

To answer a couple of other questions, the equipment is a pc, and the OS is Win 7 (and it is up-to-date)

Community Veteran
Posts: 5,671
Thanks: 1,565
Fixes: 37
Registered: ‎16-10-2014

Re: Malwarebytes finding Rootkits - whatever they are

@penneck - Just attach the image without the PDF using the Insert Photo icon above. It's the one that resembles as rectangle with a sun and a hill in it. Two right of the smiley face.

Edit:- I'm with @Alex on this one, I'd cut my losses and re-install Windows after doing a full format (not quick) of the install disk. If a competent program like Malwarebytes can't remove it....

penneck
Rising Star
Posts: 772
Thanks: 25
Registered: ‎03-08-2007

Re: Malwarebytes finding Rootkits - whatever they are

I've got two versions of the Malwarebytes report, a .bmp and a .pdf. I used the Insert Photo icon. It was that one that didn't like either format, but at least .pdf was on the list that appeared to be indicating what were acceptable formats for the photo.

As for re-formatting and re-installing Win 7. my pc only has one hard drive, sub-divided into three drives C:, D: and E:.

C: is used for the OS, and Excel and all the other software processes. Minitool Partition says it is a Logical drive and its status is 'System'

D: is very small, and is not used for anything, but I haven't had the courage to delete it because Minitool Partition says it is the Primary drive and its status is 'Active and Boot'. I cannot remember how I got into this situation - it was a long time ago. I suspect it happened when I tried changing the OS from XP to Win7 and I was being cautious

E: contains all the data files. Minitool Partition says it is a Logical drive and its status is 'None'.

If I re-format the disk will it just do the C: drive, or will it go over the whole hard drive? I haven't got enough back-up hard drive to copy all of the data files to somewhere safe. If I can do just the C: drive, perhaps this would give me the chance to make the C: drive the Primary, Active and Boot, and delete the D: drive. What do you think?

 

 

penneck
Rising Star
Posts: 772
Thanks: 25
Registered: ‎03-08-2007

Re: Malwarebytes finding Rootkits - whatever they are

A bit of good news. About an hour ago, I went on Google and typed in 'Rootkit'. One of the things that came up was 'Malwarebytes Anti-Rootkit BETA v1.09.3.1001'. I have just run that, and it found those two Rootkit things, and ran its own cleanup. Since then, I have rebooted the pc and run Malwarebytes Anti-Malware (which is what I had been using even if I didn't make that clear on the earlier posts). It was the Anti-Malware s/w which found but didn't permanently kill those Rootkits. This time, having run the Ant--Rootkit, the Anti-Malware didn't find the Rootkits, so hopefully they have gone.

I will run the Malwarebytes Anti-Malware s/w over the next few days, just to confirm whether it has been successful or not.

I'm not going to do the hard drive reformat and reinstall until I know the problem is still there.

By the way, so Malwarebytes understand, I'm not complaining about their products. I still think they are very good

In the meantime, my thanks to all of you that tried to help. I would still like to do those status corrections to my C: and D: drives, if anyone knows how to do it.

Cheers

Community Veteran
Posts: 4,915
Thanks: 139
Fixes: 25
Registered: ‎14-07-2009

Re: Malwarebytes finding Rootkits - whatever they are


@penneck wrote:

 

In the meantime, my thanks to all of you that tried to help. I would still like to do those status corrections to my C: and D: drives, if anyone knows how to do it.

Cheers


The status of all your drives is correct except that the D: drive should not have a letter associated with it; it is meant to be hidden.  You could remove the drive letter in Disk Management.  The D: drive contains a bit of code that tells the computer where to look in order to start Windows.  Remove it and your computer will not start.    

penneck
Rising Star
Posts: 772
Thanks: 25
Registered: ‎03-08-2007

Re: Malwarebytes finding Rootkits - whatever they are

Hello ReedRichards. thanks for your help.

I am unable to find something called Disk Management, and if doing the wrong thing could end up with me not being able to start my pc, I am being extra cautious.

What I have found is that in MiniTool Partition Wizard, I can delete the drive letter (?) by:-

(1) selecting the drive D: on the list of partitions;

(2) going to the Partition dropdown menu;

(3) selecting Change Letter, and selecting the New Drive Letter as None;

(4) clicking Apply

Is that the correct way, or is there something I've missed that could be dangerous?

Community Veteran
Posts: 4,915
Thanks: 139
Fixes: 25
Registered: ‎14-07-2009

Re: Malwarebytes finding Rootkits - whatever they are

Fix

MiniTool Partition Wizard is a software product made by a software company called, yes, 'MiniTool'.  I have never used it.  If you right click Computer and then click Manage you will find Disk Management amongst the tools listed.  A search for 'disk management' would also find it although it is designated 'Create and format hard disk partitions' and you don't see the true name until you run the program.

Either way I would do as you postulate, remove the letter from the D: drive by setting its drive letter to 'None'.  The only reason for hiding this drive is to remove the temptation to delete it or tamper with the contents.  You know not to do that now but will you remember a year or two hence?

By-the-by, I think @Alex and @Mook got a bit carried away in recommending you to wipe and re-install.  That has to be the solution of very last resort because the process is so time-consuming and you demonstrated that it was worthwhile to investigate other alternatives first.  Also, unless you are careful to delete the boot partition, which is normally hidden, it may not work as that may have been where your rootkits were located.

Community Veteran
Posts: 5,671
Thanks: 1,565
Fixes: 37
Registered: ‎16-10-2014

Re: Malwarebytes finding Rootkits - whatever they are

@ReedRichards - To be honest I don't think that @Alex or I were getting a bit carried away. If I had hardware that was confirmed to have root kit on it then I wouldn't trust it as far as I could throw it. At the time of posting is was evident that the software being used couldn't remove it hence the recommendation. Even now with the rootkit removed, @penneck has a nagging suspicion of distrust so much so that the intention it to run it repeatedly for confirmation.

If a clean install had been done then those actions, because of that doubt, wouldn't be required. Yes, I know it's a tedious task, but for peace of mind I think one that would be well worth the inconvenience.

 

Community Veteran
Posts: 4,915
Thanks: 139
Fixes: 25
Registered: ‎14-07-2009

Re: Malwarebytes finding Rootkits - whatever they are

It's easy to get superstitious about computer viruses.  Can they really be got rid of?  Can you trust your security software when it says the virus has gone?  Yes and yes.  Really the main residual danger of a computer virus infection is that it tampers with the settings in a way that your security software fails to notice and correct, leaving you with future problems.  But the same thing can happen in all sorts of other ways, installing then uninstalling some trial piece of software for example.  So it's no bad thing to do a complete re-install of the OS every year or two.  But the best time to re-install the OS is a wet day in winter, not in summer whilst you could be outside enjoying the sunshine and long hours of daylight.

And a complete re-install of the OS is not a magic bullet that will cure everything.  I have done a complete re-install from a recovery partition and still failed to get rid of a rootkit because the re-install failed to rewrite the boot partition.  Since that is usually hidden you have to be very punctilious to make sure it does get deleted as part of the re-install.

 

           

penneck
Rising Star
Posts: 772
Thanks: 25
Registered: ‎03-08-2007

Re: Malwarebytes finding Rootkits - whatever they are

First things first, the Rootkit problem appears to be solved. Several bootups followed by running Malwarebytes Anti-Malware, and there have been no sign of any problems, so thanks to all for your help.

 

Second - I've got rid of that drive letter (D: drive), as per the suggested method, and the only problem that has caused is that I can no longer play Games such as Freecell, Solitaire, etc. I think they are games you get when you install the operating system. If I put the drive letter back, I can play the games, so I guess there is some software on that D: partition that has these games. I have found and copied Freecell.exe from the D: drive to the same place in the C: drive, and modified the paths in the properties on the shortcut that would start that game. I have then tried using the shortcut, but it complained about 'cards.dll' being missing, so I copied that file across to the C: drive. In spit of that, it still complains about cards.dll being missing, so I guess there is another piece of s/w I need to move that so far remains unidentified. Therefore, it looks like I have the choice, play the games but keep the drive letter, or get rid of the drive letter and not be able to play these games. Ummmm! Difficult choice