#1 - 05-26-2012, 02:59 AM
coffee
Join Date: Oct 2011
Location: USA, Indiana
Posts: 1,670

Call for help - Rootkit partition

Got a laptop with a Windows 7 install that I feel has a rootkit. I was looking at the partition layout of the drive and don't understand it.

First partition is labeled BIOS_RVY and is 11 gigs.
Second is System and is 100 MB.
Third is OS_INSTALL and is 186 gigs.
Fourth is DATA and is 124 gigs.

What is BIOS_RVY and why is it 11 gigs???

I am thinking that System is the boot partition for Windows, infected with the rootkit.

?

coffee
__________________

www.renuecomputers.com
#2 - 05-26-2012, 03:43 AM
HFultzjr
Join Date: Jul 2010
Location: Central PA, USA
Posts: 849
Quote (Originally Posted by coffee):
Got a laptop with a Windows 7 install that I feel has a rootkit. I was looking at the partition layout of the drive and don't understand it.

First partition is labeled BIOS_RVY and is 11 gigs.
Second is System and is 100 MB.
Third is OS_INSTALL and is 186 gigs.
Fourth is DATA and is 124 gigs.

What is BIOS_RVY and why is it 11 gigs???

I am thinking that System is the boot partition for Windows, infected with the rootkit.

?

coffee

BIOS_RVY looks like it is a manufacturer's recovery partition.
100 MB looks like a "boot" partition to start the recovery.
OS_Install is the main "C" drive.
Fourth is just a partition for storage.
__________________
Harold
ACS Alternative Computer Solutions
#3 - 05-26-2012, 07:11 AM
ZenTree
Join Date: Aug 2010
Location: UK
Posts: 616
Of the very few virus partitions I have come across, they have all been really small, think like 2 meg. If they start eating up gigs of space, it's more likely they will be noticed as people wonder where that space went. And they really don't need that much space; they are only hiding a small file or two.
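As an added example (not from this thread or any of its posters), the four partitions described above packed into a constructed legacy MBR partition table, decoded back, and screened the way the previous post suggests: a partition of only a couple of MiB, or an unallocated gap that size, is worth a look, while an 11 GB recovery partition is nothing of the sort. Start LBAs, type codes, an exactly-filled disk and the 16 MiB threshold are assumptions.

```python
import struct

SECTOR = 512
GIB = 2**30 // SECTOR                      # sectors per GiB
ENTRY = struct.Struct("<B3sB3sII")         # status, CHS start, type, CHS end, LBA start, count
TINY_SECTORS = 16 * 2**20 // SECTOR        # assumed threshold: anything under 16 MiB is odd

THREAD_LAYOUT = [  # the thread's four partitions; start LBAs and type codes are constructed
    (False, 0x27, 2048, 11 * GIB),                              # BIOS_RVY, vendor recovery
    (True,  0x07, 2048 + 11 * GIB, 100 * 2048),                 # System, 100 MiB, active
    (False, 0x07, 2048 + 11 * GIB + 100 * 2048, 186 * GIB),     # OS_INSTALL
    (False, 0x07, 2048 + 197 * GIB + 100 * 2048, 124 * GIB),    # DATA
]
DISK_SECTORS = 2048 + 321 * GIB + 100 * 2048                    # disk exactly filled (assumed)
# Same disk, but a 2 MiB partition wedged in where OS_INSTALL should start (constructed).
TINY_LAYOUT = THREAD_LAYOUT[:2] + [(False, 0x27, 2048 + 11 * GIB + 100 * 2048, 2 * 2048), THREAD_LAYOUT[3]]


def build_mbr(parts):
    """Pack (bootable, type_code, start_lba, sectors) tuples into a 512-byte MBR."""
    sector = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(parts):
        ENTRY.pack_into(sector, 446 + 16 * i, 0x80 if boot else 0, b"\xfe\xff\xff",
                        ptype, b"\xfe\xff\xff", start, count)
    sector[510:512] = b"\x55\xaa"                  # boot signature
    return bytes(sector)


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts; reject a missing signature."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype:                                  # type 0x00 means an unused slot
            parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                          "start_lba": start, "sectors": count, "mib": count * SECTOR // 2**20})
    return parts


def suspicious(parts, disk_sectors):
    """Flag tiny partitions and unallocated gaps big enough to hide a few files."""
    flags, prev_end = [], 2048                     # first usable LBA on a 1 MiB-aligned disk
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["sectors"] < TINY_SECTORS:
            flags.append(f"partition {p['index']}: only {p['mib']} MiB")
        if p["start_lba"] - prev_end >= TINY_SECTORS:
            flags.append(f"{(p['start_lba'] - prev_end) // 2048} MiB gap before partition {p['index']}")
        prev_end = p["start_lba"] + p["sectors"]
    if disk_sectors - prev_end >= TINY_SECTORS:
        flags.append(f"{(disk_sectors - prev_end) // 2048} MiB unallocated at end of disk")
    return flags
```

On the thread's layout `suspicious()` returns nothing, which matches the conclusion reached above; only the constructed 2 MiB variant (and the gap it leaves) gets flagged.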
#4 - 05-26-2012, 02:54 PM
coffee
Join Date: Oct 2011
Location: USA, Indiana
Posts: 1,670

OK, yes, I did finally find out what the partitions were. I have a rootkit on this thing, as I did blow out the boot partition and used a rescue disk to restore it. The rootkit seems to have come back. So, I guess I'm gonna kill the first and second (after backing them up) and do a new boot partition.

I have already scanned the system partition and haven't really found anything. Some trojans and some Java exploits were removed. But if this doesn't do it, I'm going to N/P the thing and be done with it.
__________________

www.renuecomputers.com
#5 - 05-26-2012, 05:00 PM
NYJimbo
Join Date: Jul 2008
Location: Long Island, you know, like the iced tea.
Posts: 6,661

It seems like you might be working too hard instead of finding the tools to do the work for you.

If you are not using tools like ComboFix, MBAM, TDSSKiller, a few live tools like CCleaner, Process Explorer and GMER, and then a full scan by MSE, you are working too hard. D7 is a great tool to just run down some of the other malware functions if you have extra time. I can't recall the last time I actually had to N/P a machine; it's probably been a year or more.

Sure there is a lot more to this and I am not going to go step by step, but I can't recall the last time ANY virus came back on any machine I have cleaned. Once the rootkit is dead, it's dead. I never have to go looking for the rootkit, I let the software do it for me. It's extremely rare that something comes up that I have to spend real time prowling around for if I use the above software and maybe a few more programs.

In the end you always have to be sure you do a few good different AV full scans (whole drive or drives), update the basics like Java, Flash, Adobe, Windows updates and a few others, and you are done.

Customers don't come back the next day or week or month with the same issue. If they do return it's usually months later if not longer with something new, and that can be pinpointed to something downloaded or run at that time, not from the previous cleaning.

Last edited by NYJimbo; 05-26-2012 at 05:05 PM.
#6 - 05-27-2012, 02:35 AM
coffee
Join Date: Oct 2011
Location: USA, Indiana
Posts: 1,670

Quote (Originally Posted by NYJimbo):
It seems like you might be working too hard instead of finding the tools to do the work for you.

If you are not using tools like ComboFix, MBAM, TDSSKiller, a few live tools like CCleaner, Process Explorer and GMER, and then a full scan by MSE, you are working too hard. D7 is a great tool to just run down some of the other malware functions if you have extra time. I can't recall the last time I actually had to N/P a machine; it's probably been a year or more.

Sure there is a lot more to this and I am not going to go step by step, but I can't recall the last time ANY virus came back on any machine I have cleaned. Once the rootkit is dead, it's dead. I never have to go looking for the rootkit, I let the software do it for me. It's extremely rare that something comes up that I have to spend real time prowling around for if I use the above software and maybe a few more programs.

In the end you always have to be sure you do a few good different AV full scans (whole drive or drives), update the basics like Java, Flash, Adobe, Windows updates and a few others, and you are done.

Customers don't come back the next day or week or month with the same issue. If they do return it's usually months later if not longer with something new, and that can be pinpointed to something downloaded or run at that time, not from the previous cleaning.

Frankly I'm embarrassed to have let this thing get away from me. However, I just ended up N/P'ing it.

D7 sounds interesting and I've already grabbed a copy of it. Going to investigate it tonight in a VM. I want to thank you for posting and I'm very appreciative of the advice.

This will be my plan for the holiday weekend here. It's gonna be a D7 / rootkit weekend.

Best Regards,

coffee
__________________

www.renuecomputers.com