Possible MBR rootkit (win7 home basic 64)

Acer / Aspire 5742
August 21, 2012 at 17:03:21
Specs: Windows 7, 2.399 GHz / 7862 MB
Hi, I have a problem, this is the third time it happens, the first time I just did a wipe and load, and I made an image after that, then it happened again so I re-imaged my laptop, and now it's happening again.

It started with windows being unresponsive after login, the hard drive led staying on while the actual drive doesn't do anything, then services would start failing. I would restart win7 and I wouldn't be able to boot into 7, I'd try to go into safe mode and it stop at classpnp.sys. after that the MBR would get corrupt.

I thought it was a driver issue, now it's happening again. I'm just at the hard drive phase and windows taking too long to boot.

I ran Gmer and found C:\windows\servicing\TrustedInstaller.exe(***hidden***) to be infected, I tried disabling it and Gmer crashed, any way I deleted the file.

I ran Hijackthis! and said "for some reason your system denied write access to the Host file", so I deleted it (I'm not sure if I screwed up there).

Now I ran Eset's servicesrepair.exe and at least it's responding but the HDD comes back from time to time.

edited by moderator: remove unrequested log

See More: Possible MBR rootkit (win7 home basic 64)

Report •

August 21, 2012 at 19:10:51
Covering bases: Have you tried running chkdsk with bad sector testing, or some other drive checker?

How To Ask Questions The Smart Way

Report •

August 21, 2012 at 19:39:34
Hello, yes I ran Tune up's hard drive diagnostic tool (which basically runs ms chkdsk) and found no problems, I also ran western digital's hard drive diag. tool and same, found nothing. Thank you for your reply.

Report •

August 23, 2012 at 07:48:54
Well, I'm not entirely convinced it isn't hardware, but checking the software should be easy enough, assuming you have the tools.

Root kits are a part of a larger infection, so you'll want to deal with both parts or risk reinfection. Removing any MBR root kit is easy enough as long as you don't use full drive encryption. Just get your hands on a Windows 7 DVD (and it has to be something external to your HDD), run the recovery console, and run the following:

bootrec /fixmbr
bootrec /fixboot

After that, do not boot into Windows. Instead, boot into some WinPE environment or put the HDD into an enclosure, and run a virus scan on the drive. If you have a recovery CD/DVD made before the infection, use that. The recovery partition on the HDD is possibly infected and thus not valid.

How To Ask Questions The Smart Way

Report •
Related Solutions

Ask Question