weird rootkit that I can't pinpoint

Discussion in 'malware problems & news' started by garegin, Sep 29, 2013.

Thread Status:
Not open for further replies.
  1. garegin (Registered Member), Sep 29, 2013, United States

    I have difficulty with a tricky rootkit. I am saying rootkit because I can't even detect it with an offline scan of Defender/Security Essentials. A few telltales:

    1. can't install updates/checkSUR
    2. event viewer shows that shutdown.exe is called periodically to restart my system. I have subsequently deleted shutdown.exe to sabotage the restart process.
    3. after the restart the OS partition is switched to hidden, so that Windows doesn't boot at all. I have to manually switch it to 0x07 offline.

    I ran GMER but didn't find anything.

    The only way I can think of is to trace the processes and see when and how the partition is switched to hidden.
    Do you guys want an offline dump of my MBR and boot sector? I don't actually know the best tool to do it. I have already done both bootrec /fixmbr and /fixboot. No go.
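An added example, not code from the poster or this thread: it reads a raw 512-byte MBR dump of the kind asked about above, reports any partition entry whose type byte has been flipped to a hidden variant (0x17 where NTFS should be 0x07), and shows the byte being set back, which is what the poster does by hand offline. The sample MBR below is constructed for the demonstration.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"     # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

# Type bytes that matter for the symptom above: setting bit 0x10 "hides" a volume from Windows.
HIDDEN_TYPES = {0x17: 0x07, 0x1B: 0x0B, 0x1C: 0x0C}   # hidden type -> visible counterpart
NAMES = {0x07: "NTFS/HPFS", 0x17: "hidden NTFS/HPFS", 0x0B: "FAT32",
         0x1B: "hidden FAT32", 0x0C: "FAT32 (LBA)", 0x1C: "hidden FAT32 (LBA)", 0x00: "empty"}


def parse_mbr(mbr: bytes) -> list:
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        boot, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                        "name": NAMES.get(ptype, "unknown"),
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def find_hidden_partitions(mbr: bytes) -> list:
    """Return the non-empty entries whose type byte is a 'hidden' variant."""
    return [e for e in parse_mbr(mbr) if e["type"] in HIDDEN_TYPES and e["sectors"] > 0]


def unhide_partition(mbr: bytes, index: int) -> bytes:
    """Return a copy of the MBR with entry `index` set back to its visible type (e.g. 0x17 -> 0x07)."""
    buf = bytearray(mbr)
    off = TABLE_OFFSET + 16 * index + 4      # +4 reaches the type byte of the entry
    buf[off] = HIDDEN_TYPES.get(buf[off], buf[off])
    return bytes(buf)


def build_sample_mbr() -> bytes:
    """Constructed sample (not a dump from the post): one bootable NTFS partition flipped to 0x17."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x17, 2048, 204800)
    return b"\x00" * TABLE_OFFSET + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    sample = build_sample_mbr()
    for e in find_hidden_partitions(sample):
        print(f"entry {e['index']}: type 0x{e['type']:02X} ({e['name']}) at LBA {e['lba_start']}")
    assert find_hidden_partitions(unhide_partition(sample, 0)) == []
```

Feed `parse_mbr` the first 512 bytes of the disk from an offline image or dump; keeping a known-good copy of those bytes lets you diff the table after each unexpected reboot to confirm exactly which byte changed.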
  2. JRViejo (Global Moderator), Jul 9, 2008
    garegin, first, welcome to Wilders!

    Perhaps a review of "If you are currently infected", and seeking dedicated help in any one of the sites listed there, would be your best bet. Wilders stopped one-on-one malware cleaning services a while back.

    Thread closed per Policy.