BIBM detected as rootkit?

User discussion and information resource forum for BootIt Bare Metal and BootIt UEFI
DrTeeth
Posts: 1289
Joined: Fri Aug 12, 2011 6:58 pm

BIBM detected as rootkit?

Post by DrTeeth »

Hi,

I have been investigating some issues with my PC and have just had
ESET tech support online connected to my PC.

They ran a tool which produced this output:-

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1
(build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00900000

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix
To inspect the boot code manually, dump the master boot sector:
remover.exe dump [output_file]


Done;
Press any key to quit...
------------------------------------------

Could you please check if this is a false positive as I suspect?

Thanks in advance.
--

Cheers

DrT
______________________________
We may not be able to prevent the stormy times in
our lives; but we can always choose to dance
in the puddles (Jewish proverb).
TeraByte Support
Posts: 3598
Joined: Thu May 05, 2011 10:37 pm

Re: BIBM detected as rootkit?

Post by TeraByte Support »

It appears the offset is either a byte offset (sector 18432) or sector
offset (9437184); either way it's not the MBR it's detecting (that would be hidden
anyway). The thing to do is boot the BootIt boot disk and see what options
show up; if reactivate, then you probably have one (in the past when you had
one the system would reset when the windows come together in win7, however
it could have been changed to not do that). Also, someone could have
created something to patch in differently, so you could run scripting,
capture the first 63 sectors on the HD to a file, reinstall BootIt BM with
the reinstall option, then boot again back to the boot disk, run scripting
again to capture the same sectors lba 0 (63 sectors), then boot to windows,
compare the two files .. fc /b file1 file2 and see if they are mainly the
same or different.

This gives me an idea I'll add to a future version of BIBM...

I already have an idea how to prevent rootkits completely (less physical
access) without getting in the way of normal software, without needing tcg
or other stuff. That's on my target development list too.

"DrTeeth" wrote in message news:944@public.bootitbm...

Hi,

I have been investigating some issues with my PC and have just had
ESET tech support online connected to my PC.

They ran a tool which produced this output:-

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1
(build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00900000

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix
To inspect the boot code manually, dump the master boot sector:
remover.exe dump [output_file]


Done;
Press any key to quit...
------------------------------------------

Could you please check if this is a false positive as I suspect?

Thanks in advance.
--

Cheers

DrT
______________________________
We may not be able to prevent the stormy times in
our lives; but we can always choose to dance
in the puddles (Jewish proverb).
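One way to do the capture-and-compare step TeraByte describes, as an added example that is not from this thread and not part of BootIt's own scripting: it assumes each capture is a raw dump of LBA 0..62 (63 sectors of 512 bytes) written to a file in sector order, compares the two dumps sector by sector (the same information `fc /b` gives, but attributed to a sector number), and parses the MBR so a difference can be classified as boot code, partition table, or some other track-0 sector. It also converts the volume offset from the Bootkit Remover output (0x900000 bytes) to sector 18432. The two sample captures are constructed inline; the file names and the 931 GB partition size are placeholders.

```python
"""Compare two raw captures of a disk's first 63 sectors (LBA 0..62).

Added example, not from the thread or from TeraByte's software. Assumes each
capture is a byte-for-byte dump of 63 * 512 bytes in the order LBA 0, 1, 2...
"""
import struct
import sys

SECTOR_SIZE = 512
SECTORS = 63


def volume_offset_to_lba(byte_offset: int) -> int:
    """Translate a volume start offset in bytes into an LBA sector number."""
    return byte_offset // SECTOR_SIZE


def parse_mbr(sector0: bytes) -> dict:
    """Split an MBR sector into boot code, used partition entries and the 0x55AA signature."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _, _, _, ptype, _, _, _, start_lba, size = struct.unpack("<BBBBBBBBII", raw)
        if ptype != 0:  # type 0 means the entry is unused
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "start_lba": start_lba, "sectors": size})
    return {"signature_ok": sector0[510:512] == b"\x55\xaa",
            "boot_code": sector0[:446], "partitions": entries}


def diff_sectors(capture_a: bytes, capture_b: bytes) -> list:
    """Return the LBA numbers whose 512 bytes differ between the two captures."""
    if len(capture_a) != len(capture_b) or len(capture_a) % SECTOR_SIZE:
        raise ValueError("captures must be the same whole-sector length")
    return [lba for lba in range(len(capture_a) // SECTOR_SIZE)
            if capture_a[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
            != capture_b[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]]


def classify(capture_before: bytes, capture_after: bytes) -> dict:
    """Summarise what changed: boot code, partition table, or other track-0 sectors."""
    changed = diff_sectors(capture_before, capture_after)
    mbr_before = parse_mbr(capture_before[:SECTOR_SIZE])
    mbr_after = parse_mbr(capture_after[:SECTOR_SIZE])
    return {
        "changed_lbas": changed,
        "boot_code_changed": mbr_before["boot_code"] != mbr_after["boot_code"],
        "partition_table_changed": mbr_before["partitions"] != mbr_after["partitions"],
        "signature_ok": mbr_after["signature_ok"],
    }


def _build_capture(boot_code: bytes, overrides: dict) -> bytes:
    """Constructed sample capture: given boot code, one NTFS partition starting at
    LBA 18432 (the offset from the thread), a byte pattern in sectors 1..62,
    and optional per-sector overrides. The partition size is a placeholder."""
    code = boot_code.ljust(446, b"\x00")[:446]
    entry = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 18432, 1953525168 - 18432)
    sector0 = code + entry + b"\x00" * 48 + b"\x55\xaa"
    sectors = [sector0] + [bytes([lba]) * SECTOR_SIZE for lba in range(1, SECTORS)]
    for lba, data in overrides.items():
        sectors[lba] = data.ljust(SECTOR_SIZE, b"\x00")[:SECTOR_SIZE]
    return b"".join(sectors)


# Constructed captures: the "before" has different boot code and a different
# sector 5 from the "after", so the report shows both kinds of change.
CAPTURE_BEFORE_REINSTALL = _build_capture(b"constructed boot code, capture one", {5: b"sector five, capture one"})
CAPTURE_AFTER_REINSTALL = _build_capture(b"constructed boot code, capture two", {5: b"sector five, capture two"})

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: compare_track0.py before.bin after.bin (placeholder names)
        with open(sys.argv[1], "rb") as f_a, open(sys.argv[2], "rb") as f_b:
            print(classify(f_a.read(), f_b.read()))
    else:
        print("volume offset 0x900000 -> LBA", volume_offset_to_lba(0x900000))
        print(classify(CAPTURE_BEFORE_REINSTALL, CAPTURE_AFTER_REINSTALL))
```

With the constructed captures the report lists LBAs 0 and 5 as changed, flags the boot code as changed and the partition table as unchanged, which is the distinction worth looking at when two real dumps taken before and after a reinstall differ.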
