#1
Got a laptop with a Windows 7 install that I feel has a rootkit. I was looking at the partition layout of the drive and don't understand the partition layout.
First partition is labeled BIOS_RVY and is 11 gigs. Second is System and is 100 MB. Third is OS_INSTALL and is 186 gigs. Fourth is DATA and is 124 gigs. What is BIOS_RVY and why is it 11 gigs? I am thinking that System is the boot partition for Windows, infected with the rootkit?
coffee
#2
BIOS_RVY looks like it is a manufacturer's recovery partition. 100 MB looks like a "boot" partition to start the recovery. OS_Install is the main "C" drive. Fourth is just a partition for storage.
__________________
Harold ACS Alternative Computer Solutions
#3
Of the very few virus partitions I have come across, they have all been really small, think like 2 meg. If they start eating up gigs of space it's more likely they will be noticed as people wonder where that space went. And they really don't need that much space; they are only hiding a small file or two.
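As an added example (not posted by anyone in the thread), a PowerShell inventory that a tech could run on the Windows 7 box to list every partition and flag the two things the replies above point at: a tiny non-boot partition of the kind #3 describes, and any mounted volume whose label is outside the OEM layout #2 lays out. The baseline labels are an assumption taken from the first post; WMI classes are used because Windows 7 has no Storage module.

```powershell
# Added example, not from the thread: inventory every partition through WMI
# (works on Windows 7) and flag anything that does not fit the expected layout.
$ExpectedLabels = @('BIOS_RVY', 'System', 'OS_INSTALL', 'DATA')   # assumed OEM baseline

function Get-PartitionInventory {
    foreach ($p in Get-WmiObject -Class Win32_DiskPartition) {
        # Follow the partition -> logical disk association for letter and label.
        # Unmounted partitions (recovery, System Reserved) have no logical disk,
        # so Letter and Label come back empty for them.
        $q = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($p.DeviceID)'} " +
             "WHERE AssocClass=Win32_LogicalDiskToPartition"
        $ld = Get-WmiObject -Query $q | Select-Object -First 1
        New-Object PSObject -Property @{
            Disk   = $p.DiskIndex
            Index  = $p.Index
            Type   = $p.Type
            SizeMB = [math]::Round($p.Size / 1MB, 1)
            Boot   = [bool]$p.BootPartition
            Letter = $ld.DeviceID
            Label  = $ld.VolumeName
        }
    }
}

function Find-UnexpectedPartitions {
    param([object[]]$Inventory, [string[]]$Expected)
    foreach ($i in $Inventory) {
        $reasons = @()
        # Rogue partitions seen in the wild are only a few MB; the 100 MB
        # System partition is excused because it carries the boot flag.
        if ($i.SizeMB -lt 50 -and -not $i.Boot) { $reasons += 'tiny and not the boot partition' }
        # A mounted volume whose label is not in the baseline needs a look.
        if ($i.Label -and ($Expected -notcontains $i.Label)) { $reasons += "label '$($i.Label)' not in baseline" }
        if ($reasons.Count -gt 0) {
            $i | Add-Member -MemberType NoteProperty -Name Reasons -Value ($reasons -join '; ') -PassThru
        }
    }
}

$inv = Get-PartitionInventory
$inv | Sort-Object Disk, Index | Format-Table Disk, Index, SizeMB, Boot, Letter, Label, Type -AutoSize
Find-UnexpectedPartitions -Inventory $inv -Expected $ExpectedLabels |
    Format-Table Disk, Index, SizeMB, Label, Reasons -AutoSize
```

Small vendor utility partitions will also trip the size check, so compare anything flagged against the manufacturer's documented layout before deleting it.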
#4
Ok, yes, I did finally find out what the partitions were. I have a rootkit on this thing, as I did blow out the boot partition and used a rescue disk to restore it. Rootkit seems to have come back. So, I guess I'm gonna kill the first and second (after backing them up) and do a new boot partition.
I have already scanned the system partition and haven't really found anything. Some trojans were removed and some Java exploits. But if this doesn't do it I'm going to N/P the thing and be done with it.
#5
It seems like you might be working too hard instead of finding the tools to do the work for you.
If you are not using tools like ComboFix, MBAM, TDSSKiller, a few live tools like CCleaner, Process Explorer and GMER, and then a full scan by MSE, you are working too hard. D7 is a great tool to just run down some of the other malware functions if you have extra time. I can't recall the last time I actually had to N/P a machine; it's probably been a year or more. Sure, there is a lot more to this and I am not going to go step by step, but I can't recall the last time ANY virus came back on any machine I have cleaned. Once the rootkit is dead, it's dead. I never have to go looking for the rootkit; I let the software do it for me. It's extremely rare that something comes up that I have to spend real time prowling around for if I use the above software and maybe a few more programs. In the end you always have to be sure you do a few good different AV full scans (whole drive or drives), update the basics like Java, Flash, Adobe, Windows updates and a few others, and you are done. Customers don't come back the next day or week or month with the same issue. If they do return it's usually months later if not longer with something new, and that can be pinpointed to something downloaded or run at that time, not from the previous cleaning.
Last edited by NYJimbo; 05-26-2012 at 05:05 PM.
#6
D7 sounds interesting and I've already grabbed a copy of it. Going to investigate it tonight in a VM. I want to thank you for posting and I'm very appreciative of the advice. This will be my plan for the holiday weekend here. It's gonna be a D7 / rootkit weekend.
Best Regards, coffee