Hi! Recently, Spybot - Search & Destroy picked up a rootkit called “boott! s”. My problem is how to remove it. Each scan I do with SD shows it, but then says it deleted it within a minute. I could manually delete it by right clicking the SD log, but it throws an error. When I run scans with Avast (Deep rootkit scan on) and Malwarebytes (Rootkit scan on), it shows my system clean as a whistle. However, when I ran an Avast PE scan from the bootable disk, it showed 70+ infected files, which it removed successfully. Still, after this I run SD again and there it is. There is absolutely nothing helpful on the internet about this rootkit, apart from this screenshot (Boott! s is the lower one. I don’t have any messages about the top). I really need help, this is my last resort and I really don’t want to re-format due to not having the install CD.
(Oh, it might be helpful saying that I’m running Windows 7 Home Edition x64 :P)
FRST.txt and Additions.txt logs. NOTE: The inappropriate links or sites were NOT visited or used. This computer is second hand from ebay, and I do NOT know the owner.
Hi, my feeling is that Spybot is pulling a false positive, as AswMBR would have seen anything there was to see, and FRST would have noted any drivers.
Are you experiencing any problems?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quotebox below into it:
BHO-x32: No Name -> {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-08-30 16:37 - 2014-04-02 17:28 - 00000000 ____D () C:\Windows\System32\Tasks\Games
Task: {D45FA8A8-6E1C-4DB1-A7B2-4FB7F6819941} - System32\Tasks\{579BA233-23DF-4E2D-8214-46A196BD50E4} => C:\Users\user1\Downloads\install_frame.exe
Task: {F20ED294-10A7-460A-8DEC-C6BA88DEEC93} - System32\Tasks\{5004B937-2A43-425F-B5A4-70C0028C2095} => C:\Users\user1\Downloads\install_frame.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
Thanks for the reply! At the moment I don’t have ANY problems on the PC, no pop ups, no warning. Nothing. It’s just this scan that alerted me. I know I’m being awkward, but what does the code you posted do? I saw the word reset, and it makes me a bit worried. I’ll do the software now.
After the FRST reboot, a file named MBR.dat was placed on the desktop. I didn’t use the right software to read it, but it said somewhere “Invalid partition table Error loading operating system Missing operating system”. This may have been because I changed a partition around lately, but that was days ago and the file was created today.
EDIT: Think the MBR error was a one off, the file was not re created.
I didn't use the right software to read it, but it said somewhere "Invalid partition table Error loading operating system Missing operating system". This may have been because I changed a partition around lately, but that was days ago and the file was created today.
That is standard in all MBRs, so it is not a problem.
but what does the code you posted do? I saw the word reset, and it makes me a bit worried
Just general tidying up; the reset was to reset BITS to ensure that no malware was hiding there.
I think you can rest safely, as none of the scans showed a rootkit or any rootkit-like behaviour. If you are happy, let me know and I will tidy up.
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware.
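As an added illustration (not part of the thread or of FRST), this PowerShell audit covers the two hiding places the fixlist above touches: scheduled tasks whose action launches from a user's Downloads or Temp folder (the pattern of the two Task: lines) and the BITS job queue that "bitsadmin /reset /allusers" wipes. It assumes a stock Windows 7 box with schtasks.exe and bitsadmin.exe, English column names, and an elevated prompt; the suspect-path patterns are my own choice.

```powershell
# Added example, not from the forum thread. Run from an elevated PowerShell prompt.
# Assumes English Windows (schtasks column names) and the stock BitsTransfer module.

# 1. Scheduled tasks whose action runs something out of a user profile folder.
#    The fixlist removed two tasks pointing at C:\Users\user1\Downloads\install_frame.exe;
#    this lists anything matching that pattern before it is deleted.
$suspectPaths = @('\\Users\\[^\\]+\\Downloads\\', '\\AppData\\Local\\Temp\\')  # assumed patterns
$tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv
foreach ($t in $tasks) {
    $action = $t.'Task To Run'
    foreach ($p in $suspectPaths) {
        if ($action -match $p) {
            "{0,-50} {1}" -f $t.TaskName, $action
            break
        }
    }
}

# 2. BITS jobs for every user. A persistent download job survives reboots, so review
#    the queue before resetting it; the -AllUsers switch needs administrator rights.
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers |
    Select-Object JobId, DisplayName, JobState, OwnerAccount,
        @{ n = 'Source'; e = { ($_.FileList | ForEach-Object { $_.RemoteName }) -join '; ' } } |
    Format-Table -AutoSize

# The cmdlet does not show a job's notify command line; the legacy tool does.
bitsadmin /list /allusers /verbose
```

Anything the first section prints, or any BITS job with an unfamiliar source URL, is what the fixlist entries and the reset were meant to clear.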