
Rootkit, anybody?

ArthurDent
Grafter
Posts: 170
Thanks: 2
Registered: ‎25-02-2013

Rootkit, anybody?

I use Plusnet Protect (McAfee) and Malwarebytes Pro regularly. When running McAfee (even a Quick Scan) it lists a rootkit but doesn't remove it or notify of any danger.
So are rootkits always malicious? If so, can they be manually removed safely - and if so how, please?
Cheers!
ArthurDent
Grafter
Posts: 170
Thanks: 2
Registered: ‎25-02-2013

Re: Rootkit, anybody?

I have now found an app at www.gmer.org but don't know if it's safe and/or effective.
Any thoughts please?
ArthurDent
Grafter
Posts: 170
Thanks: 2
Registered: ‎25-02-2013

Re: Rootkit, anybody?

Sorry, guys. It's www.gmer.net
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Rootkit, anybody?

Rootkits are very dangerous. They can mask a load of other viruses and trojans and hide all sorts of nasties.
I generally scan with something like tdsskiller - give it a go and see if it picks up anything?
http://support.kaspersky.co.uk/viruses/disinfection/5350
I've had one machine that was so riddled with stuff after contracting a rootkit that it took a clean boot with Hirens, a disinfect and then some serious repair work afterwards - three days to rebuild that machine :(
ArthurDent
Grafter
Posts: 170
Thanks: 2
Registered: ‎25-02-2013

Re: Rootkit, anybody?

Thanks DomS. Tried the tdsskiller approach you suggested. It went through 524 objects but didn't find anything. Ho hum.
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Rootkit, anybody?

Hmm could just be a false positive.
GMER is safe enough to use but I never seemed to get anywhere much with it - worth having a play with though, but make sure you back up any vital data etc. before trying to fix anything.
I remember the rootkit I removed for a customer had rendered their system almost unusable, and by the time I'd removed it, it had really screwed things up.
ArthurDent
Grafter
Posts: 170
Thanks: 2
Registered: ‎25-02-2013

Re: Rootkit, anybody?

Thanks Dom.
Rather nervously took a look at GMER, which appeared to identify something called TDL4@MBR.
Didn't go any further with GMER.
Googling TDL4@MBR turned up a 2012 thread on the Malwarebytes forum.
One post suggested using RogueKiller :-/
With some trepidation I went into that, but to this noddy it could have been written in Reverse Polish.
Experience has taught me that setting off something complex that I don't understand often does me more harm than good!
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Rootkit, anybody?

Always wise to quit when you are ahead ;)
I'd love to try and help you out more but that isn't a rootkit I'm familiar with :(
NedLudd
Grafter
Posts: 1,898
Thanks: 8
Registered: ‎20-10-2012

Re: Rootkit, anybody?

ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Rootkit, anybody?

Quote from: DomS
Always wise to quit when you are ahead ;)

Unfortunately ArthurDent is behind rather than ahead!  And the link by NedLudd is just a 'sales pitch' for a program called SpyHunter.
Edit:  There's an interesting commentary on 'Spyhunter' at the bottom of this thread http://www.bleepingcomputer.com/forums/t/517033/spyhunter-cannot-remove-infections/
2nd Edit: MBR stands for Master Boot Record. If your Master Boot Record has been modified then even resetting your computer to its 'factory state' would probably leave the infected boot record intact. Did you actually try tdsskiller, ArthurDent? That has worked for me in similar situations.
ArthurDent
Grafter
Posts: 170
Thanks: 2
Registered: ‎25-02-2013

Re: Rootkit, anybody?

Intriguing, all this!
The only real reason I started this thread was that when running a PlusnetProtect/McAfee scan (even a quick one) it continuously displays what it is scanning. I happened to notice it flagging up that it was scanning "rootkit". That seemed to take some time before moving on to scan something else. Having seen this I have looked out for it and seen it since.
Yep, RR, I did run TDSSKiller, but after galloping quickly through 524 objects it didn't identify any cause for concern.
Also ran SpyHunter, which came up with a load of warnings - yellow flags, not red, so I'm not sure about the seriousness of them:
15 x adware (all LuckyLeap)
5 x assorted tracking cookies
2 x PUP (both MyPC Backup)
2 x spyware cookies (both xiti)
Was going to register until I saw the price tag ($47.99).
Obviously this would be on top of Malwarebytes, for which I'm already paying. So?
I note, however, that there's a Malwarebytes beta of a rootkit app. Any experience/comments from you guys would be appreciated.
Cheers!
NedLudd
Grafter
Posts: 1,898
Thanks: 8
Registered: ‎20-10-2012

Re: Rootkit, anybody?

Just downloaded it Arthur. Completed its scan in a few minutes and my system came up clean! :)
Geoff,
York.
Anonymous
Not applicable

Re: Rootkit, anybody?

@ ArthurDent
I have this and mine too came up clean:

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 03/11/2014
Scan Time: 14:40:56
Logfile: malware.txt
Administrator: Yes
Version: 2.00.3.1025
Malware Database: v2014.11.03.06
Rootkit Database: v2014.11.01.02
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 8.1
CPU: x64
File System: NTFS
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 313598
Time Elapsed: 3 min, 5 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn
Processes: 0 (No malicious items detected)
Modules: 0 (No malicious items detected)
Registry Keys: 0 (No malicious items detected)
Registry Values: 0 (No malicious items detected)
Registry Data: 0 (No malicious items detected)
Folders: 0 (No malicious items detected)
Files: 0 (No malicious items detected)
Physical Sectors: 0 (No malicious items detected)
(end)
ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Rootkit, anybody?

I had reason to suspect a rootkit on a client's computer recently and tried both the Malwarebytes beta anti-rootkit and GMER.  One of them identified a non-standard MBR but I don't remember which.  I then used the bootrec tool http://support.microsoft.com/kb/927392 to recreate the MBR and I also did the boot sector for luck.
It turned out that the problem (lots of pop-up adverts when browsing the web) was down to past malware changing the DNS settings. I'm not sure if I simply missed that at first look or if it had been 'cloaked' and I managed to reveal it.
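A worked check for the "non-standard MBR" situation in the post above, and for ReedRichards' earlier point that a factory reset leaves a modified boot record in place. This is an added example, not code from the thread or from GMER, TDSSKiller, Malwarebytes or bootrec. It assumes a raw 512-byte MBR image captured from outside the suspect operating system (for instance with `dd` from a boot CD/USB, because a kernel-mode rootkit can filter reads of the physical disk made from inside the running Windows and hand back a clean-looking sector) and a SHA-256 of the boot-code region recorded while the machine was known to be clean. The sample images, the "clean" boot-code bytes, the partition layout and the baseline hash are all constructed here for the demonstration; it also applies the general partition-table sanity checks (signature, status bytes, active flags, overlaps) that go beyond the single case in the post.

```python
# Added example: offline Master Boot Record sanity check.
# Not from the thread or from GMER/TDSSKiller/Malwarebytes/bootrec; the sample
# images, the "clean" boot-code bytes and the baseline hash are constructed.
#
# Capture the sector from outside the suspect OS, e.g. from a boot CD/USB:
#   dd if=/dev/sda of=mbr.bin bs=512 count=1
# Reading \\.\PhysicalDrive0 from inside a rootkitted Windows can return a
# sector the rootkit has filtered, so an in-OS read is not a trustworthy input.
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code; 440-443 disk signature, 444-445 reserved
PT_OFFSET = 446          # four 16-byte partition entries
SIG_OFFSET = 510         # must be 0x55 0xAA
ENTRY_FMT = "<B3xB3xII"  # status, (CHS start), type, (CHS end), LBA start, sector count


def parse_partitions(mbr: bytes) -> list:
    """Return the four primary partition entries as dicts."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    """Hash of the bootstrap-code region only (partition table excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def audit_mbr(mbr: bytes, baseline_sha256=None) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != MBR_SIZE:
        return ["unexpected MBR length %d" % len(mbr)]
    findings = []
    if mbr[SIG_OFFSET:] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    if baseline_sha256 and boot_code_sha256(mbr) != baseline_sha256:
        findings.append("boot code differs from clean baseline (bootkit or replaced loader)")
    used = [p for p in parse_partitions(mbr) if p["type"] != 0]
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d: invalid status byte 0x%02x" % (p["index"], p["status"]))
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition %d: zero start or length" % p["index"])
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in used)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partitions %d and %d overlap" % (i1, i2))
    return findings


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed test image: boot_code zero-padded to 440 bytes plus the given entries."""
    assert len(boot_code) <= BOOT_CODE_LEN
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, 440, 0x1234ABCD)          # arbitrary disk signature
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16 * i, status, ptype, lba, count)
    mbr[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)


# Constructed stand-in for a normal loader's first bytes (not a real bootloader).
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
ONE_NTFS_PART = [(0x80, 0x07, 2048, 409600)]           # one active NTFS partition at LBA 2048
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, ONE_NTFS_PART)
BASELINE = boot_code_sha256(CLEAN_MBR)                  # would be recorded while the disk is clean


def tampered_mbr() -> bytes:
    """Bootkit-style change: boot code replaced, partition table left intact."""
    return build_sample_mbr(b"\xEB\xFE" + b"\x00" * 16, ONE_NTFS_PART)


if __name__ == "__main__":
    # Usage: python mbr_audit.py mbr.bin   (falls back to the constructed tampered image)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else tampered_mbr()
    for line in audit_mbr(image, BASELINE) or ["no findings"]:
        print(line)
```

The baseline hash is the part that does the real work: the partition table on a bootkitted disk usually looks perfectly normal, and a cleaned-up machine passes the structural checks too, so only a comparison against a hash taken when the disk was clean distinguishes "replaced loader" from "unfamiliar but legitimate loader". If no clean baseline exists, a mismatch against the hash of a freshly written MBR (after `bootrec /fixmbr`, as in the post above) tells you whether the repair actually replaced the code.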
ArthurDent
Grafter
Posts: 170
Thanks: 2
Registered: ‎25-02-2013

Re: Rootkit, anybody?

Hmmm. Quite apprehensive about tackling a Master Boot Record, but I have now done a Malwarebytes rootkit beta scan too, which also came up clean!