How to detect a rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by faylynne, Sep 7, 2011.

  1. faylynne

    faylynne Private E-2

    Hi
    I've run thru the malware removal procedure, SAS is clean and mbam detected an infection with a registry key which was removed.
    ComboFix quarantined an mbr rootkit and deleted (but I've now deleted the log....duh :-o I know stupid thing to do !!!)

    Anyway, how can I tell if the system is clean, it's responding well and isn't acting suspicious.

    thanks for any advice.
     
    faylynne, Sep 7, 2011
    #1
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
    TimW, Sep 7, 2011
    #2
  3. faylynne

    faylynne Private E-2

    thanks Tim

    attached TDSSKiller log (ran earlier) and MBRcheck log.
     

    Attached Files:

    faylynne, Sep 7, 2011
    #3
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let TimW know whether you have your Vista boot CD or not.
     
    Kestrel13!, Sep 8, 2011
    #4
  5. faylynne

    faylynne Private E-2

    The machine is a Packard Bell and the o/s sticker says its OEM, so have only got the system recovery disks not a specific Vista disk.
    However, I do have a Vista Home Premium Retail disk, would this be ok?

    So I've read in forums that the MBR can be repaired by using the boot disk to repair it, is this what you're thinking of doing?

    Have also read that some manufacturers have an MBR code specific to their machines, so thought that might be the case with the code showing on the MBRCheck log.
     
    faylynne, Sep 8, 2011
    #5
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use your Vista disc. First boot into the bios and change the boot order to CD/DVD as first boot device. Insert your Vista CD and reboot. Once you get into the Recovery Environment, type this:
    Bootrec.exe /fixmbr

    Then exit and reboot into normal mode. Re-run MBRCheck and attach the new log. ( note the space after the exe.)
     
    TimW, Sep 8, 2011
    #6
  7. faylynne

    faylynne Private E-2

    Hi Tim

    fraid I can't finish this up tonight, pc is back in use elsewhere now :(

    When I can I'll follow your steps and post a final note.

    thanks :)

    btw since you've helped me in the past I wanted to purchase something from MGs as a thankyou. I couldnt get the T-shirt I wanted, so bought some software instead - just wanted to let you knw x
     
    faylynne, Sep 8, 2011
    #7
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem. Just let me know when you get the chance. ;)
     
    TimW, Sep 8, 2011
    #8

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds