"Boott! s" Root Kit

Hi! Recently, Spybot - Search & Destroy picked up a root kit called “boott! s”. My problem is how to remove it. Each scan I do with SD shows it, but then says it deleted it within a minute. I could manually delete it by right clicking the SD log, but it throws an error. When I run scans with Avast (Deep root kit scan on) and Malwarebytes (Root kit scan on), it shows my system clean as a whistle. However when I ran an Avast PE scan from the bootable disk, it showed 70+ infected files which it removed successfully. Still, after this I run SD again and there it is. There is absolutely nothing helpful on the internet about this root kit, apart from this screenshot (Boott! s is the lower one. I don’t have any messages about the top). I really need help, this is my last resort and I really don’t want to re-format due to not having the install cd.

(Oh, it might be helpful saying that I’m running Windows 7 Home Edition x64 :P)

Hi there and welcome to the forum,

follow this guide and attach the requested logs: https://forum.avast.com/index.php?topic=53253.0

Thanks. I’ll do that now.

Oh. It seems my accounts keep messing up. Jammo110 is me, it messed up my username.

That’s weird, the profiles have different registration times.

I think it logged in using that “Avast ID” thing. I dunno, though.

Ok, I’ve done one step. Here is MBAM’s log:
Scan Date: 30/08/2014
Scan Time: 17:30:59
Logfile: MBAMlog.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.30.05
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: user1

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 344896
Time Elapsed: 14 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Please use the attachments and other options function under the answer box to attach the logs, thanks. :slight_smile:

Please attach your logs…!! Thanks.

Whoops! Sorry.

FRST.txt and Additions.txt logs. NOTE: The inappropriate links or sites were NOT visited or used. This computer is second hand from ebay, and I do NOT know the owner.

Last log, the aswMBR.exe one.

Hi, my feeling is that Spybot is pulling a false positive, as aswMBR would have seen anything there was to see, and FRST would have noted any drivers.

Are you experiencing any problems ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

BHO-x32: No Name -> {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-08-30 16:37 - 2014-04-02 17:28 - 00000000 ____D () C:\Windows\System32\Tasks\Games
Task: {D45FA8A8-6E1C-4DB1-A7B2-4FB7F6819941} - System32\Tasks\{579BA233-23DF-4E2D-8214-46A196BD50E4} => C:\Users\user1\Downloads\install_frame.exe
Task: {F20ED294-10A7-460A-8DEC-C6BA88DEEC93} - System32\Tasks\{5004B937-2A43-425F-B5A4-70C0028C2095} => C:\Users\user1\Downloads\install_frame.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on “Clean”.
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thanks for the reply! At the moment I don’t have ANY problems on the PC, no pop ups, no warning. Nothing. It’s just this scan that alerted me. I know I’m being awkward, but what does the code you posted do? I saw the word reset, and it makes me a bit worried. :stuck_out_tongue: I’ll do the software now.

Ok, done that. Logs here.

After the FRST reboot, a file named MBR.dat was placed on the desktop. I didn’t use the right software to read it, but it said somewhere “Invalid partition table Error loading operating system Missing operating system”. This may have been because I changed a partition around lately, but that was days ago and the file was created today.

EDIT: Think the MBR error was a one off, the file was not re created.

> I didn't use the right software to read it, but it said somewhere "Invalid partition table Error loading operating system Missing operating system". This may have been because I changed a partition around lately, but that was days ago and the file was created today.

That is standard in all MBRs, so it is not a problem.

> but what does the code you posted do? I saw the word reset, and it makes me a bit worried

Just general tidying up; the reset was to reset BITS to ensure that no malware was hiding there.

I think you can rest safely as none of the scans showed a rootkit or any rootkit like behaviour. If you are happy let me know and I will tidy up
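The fixlist above deletes two scheduled tasks that launch an .exe from a Downloads folder and then runs `bitsadmin /reset /allusers`, which the helper explains as clearing BITS so nothing can hide there. As an added example that is not from the thread, from FRST or from Avast, the script below lists both of those hiding places before anything is reset, so the reader can see what the reset would throw away. It assumes an elevated PowerShell prompt, and the "suspect" pattern (anything launched from a user's Downloads or Temp folder) is an assumption chosen to match the tasks in this log, not a rule from the thread. It deliberately uses the Task Scheduler COM interface rather than Get-ScheduledTask, because that cmdlet does not exist on Windows 7.

```powershell
# Added example for this thread; not code from FRST, Avast or the poster.
# Lists BITS jobs for all users and every scheduled task's exec action, and
# flags the ones launching from a profile's Downloads or Temp folder, before
# you run the fixlist's "bitsadmin /reset /allusers".
# Run from an elevated PowerShell prompt. Works on Windows 7 and later.

# Assumption (not from the thread): anything run from Downloads or Temp is
# worth a second look. Adjust the pattern to your own baseline.
$SuspectPattern = '\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\'

# --- 1. BITS jobs of every user. Malware can park a download here and let the
#        service resume it after a reboot; the fixlist clears the whole queue.
#        "bitsadmin /list /allusers /verbose" additionally prints each job's
#        notification command line, the other place a payload can be launched.
Import-Module BitsTransfer
$bitsJobs = foreach ($job in (Get-BitsTransfer -AllUsers)) {
    $files = foreach ($f in $job.FileList) { "$($f.RemoteName) -> $($f.LocalName)" }
    [pscustomobject]@{
        Kind    = 'BITS job'
        Owner   = $job.OwnerAccount
        Name    = $job.DisplayName
        State   = $job.JobState
        Details = ($files -join '; ')
        Suspect = [bool]($files -match $SuspectPattern)
    }
}

# --- 2. Scheduled tasks, walked recursively through Schedule.Service (COM),
#        including hidden tasks and sub-folders such as \Games from the log.
function Get-TaskActions {
    param([object]$Folder)
    foreach ($task in $Folder.GetTasks(1)) {           # 1 = TASK_ENUM_HIDDEN
        foreach ($action in $task.Definition.Actions) {
            if ($action.Type -ne 0) { continue }        # 0 = TASK_ACTION_EXEC
            $cmd = "$($action.Path) $($action.Arguments)".Trim()
            [pscustomobject]@{
                Kind    = 'Scheduled task'
                Owner   = $task.Definition.Principal.UserId
                Name    = $task.Path
                State   = $task.State
                Details = $cmd
                Suspect = [bool]($cmd -match $SuspectPattern)
            }
        }
    }
    foreach ($sub in $Folder.GetFolders(0)) { Get-TaskActions -Folder $sub }
}

$scheduler = New-Object -ComObject Schedule.Service
$scheduler.Connect()
$taskActions = Get-TaskActions -Folder $scheduler.GetFolder('\')

# Suspect entries first; everything is reported, nothing is deleted here.
$findings = @($bitsJobs) + @($taskActions)
$findings | Sort-Object Suspect -Descending |
    Format-Table Suspect, Kind, Owner, Name, State, Details -AutoSize

# Only after reviewing the list, the thread's fix clears the BITS queue with:
#   bitsadmin /reset /allusers
# and a flagged task can be removed with (task name as shown in Name):
#   $scheduler.GetFolder('\').DeleteTask('<task name>', 0)
```

On the machine in this thread the two GUID-named tasks pointing at C:\Users\user1\Downloads\install_frame.exe would be the entries flagged as suspect; an empty BITS listing is the expected result on a clean box, and it is also why resetting the queue is harmless when nothing legitimate is queued.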

Wow! Thanks so much! Yep, I’m happy to carry on.

EDIT: Ran another SD scan, still says that it’s still there. I guess the stuff you told me to run didn’t remove the false positive?

Nope as it is something inherent within spybot

Recommendation would be to uninstall spybot and use MBAM instead

Ok, thanks for the help. :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto-ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: