Hidding Rootkits?

[Edgar R. Zakarian]

Hi guys,

 

PLEASE keep an open mind.

 

How many places can Rootkits hide?

 

I have a friend who is ADAMANT that he still has a virus.

 

He has tried everything, including resetting CMOS, reinstalling, replacing mouse/keyboard, harddrive, etc.

And he just keeps getting it. He's been trying to get rid of it, for about 2 years now.

Rootkit is detected by GMER, a rootkit scanner.

According to him, it's VERY persistent, and he has NO clue how it gets into his PC.

 

Signs are that his PC runs unstable, especially in CSGO. (He's a pro player, as in plays in leagues, and he can definitely feel it, when the pc doesn't run well).

 

Windows has been installed of a fresh copy of windows 7 and also tried on windows 8. (FROM DVD's).

 

Nomatter what he does, it keeps coming back... So where can Rootkits REALLY hide??

 

[You_are_a_cunt]

Rootkits can hide themselves anywhere, pretty much.

resetting the CMOS isn't actually a solution. Flashing the BIOS is, however.

If all storage was replaced, the BIOS flash memory is pretty much the last place it can hide. (mouse and keyboard should be safe, unless they have some sort of flash memory for profiles).

 

That or he's paranoid

[Cryosec]

I guess it might be hiding in the free space inside the MBR (master boot record) partition. This can be tested by changing the drive or completely wiping it before reinstalling windows.

 

Or it could be inside the BIOS flash memory as said above.

[Enderman]

Can you describe what "unstable" means?

Does it crash or artifact?

Because that's sign of a hardware problem, not a rootkit...

[Zando_]

Replace the mobo and HDD (and peripherals if they have onboard storage) if you want to be sure there's nowhere for it to hide. 

[Tsuki]

Run TDSSKiller

im betting he doesnt have a virus, and hes just paranoid as fuck

[Edgar R. Zakarian]

10 hours ago, revsilverspine said:

Rootkits can hide themselves anywhere, pretty much.

resetting the CMOS isn't actually a solution. Flashing the BIOS is, however.

If all storage was replaced, the BIOS flash memory is pretty much the last place it can hide. (mouse and keyboard should be safe, unless they have some sort of flash memory for profiles).

 

That or he's paranoid

Good to know. Bios flash is basically pulling out the battery for a short time, correct?

10 hours ago, Cryosec said:

I guess it might be hiding in the free space inside the MBR (master boot record) partition. This can be tested by changing the drive or completely wiping it before reinstalling windows.

 

Or it could be inside the BIOS flash memory as said above.

All the bytes on the harddrive were formatted to be 0's, before use. Just to ensure it was clean. 

This happend after we reset the CMOS, and pulled out the battery for some time. (FLASH?)

The formatting and cleaning was done on a LIVE booted Linux version, booted from a DVD.

10 hours ago, Enderman said:

Can you describe what "unstable" means?

Does it crash or artifact?

Because that's sign of a hardware problem, not a rootkit...

Unstable means weird frame drops.

This here is not his system, but just an example of net graph from google.

 

Here are some of the issues in CS:

He's not hitting anywhere 300 FPS on a 7700K and GTX 1070, which he should be.

sometimes he gets microstutters

When moving crouched, e.g. walking around the corner crouched, the screen vibrates (if you focus on the wall corner edge).

Pressing tab (scoreboard) makes the sv value jump to 50+ and become red, for some reason.

 

 

• Drag files here to attach, or choose files... 
  Max total size 20MB
• Insert other media 

Uploaded Images

•  
•  

 

10 hours ago, Zando Bob said:

Replace the mobo and HDD (and peripherals if they have onboard storage) if you want to be sure there's nowhere for it to hide. 

5 hours ago, Tsuki said:

Run TDSSKiller

im betting he doesnt have a virus, and hes just paranoid as fuck

What's TDSSkiller?? How does it work?

[You_are_a_cunt]

no. That is a bios settings reset mechanism.

flashing the bios is done by basically reinstalling it. Use the latest bios version available for that exact board and refer to the manufacturer's instructions on updating/reflashing the bios. This most likely will involve copying the dowbloaded bios onto a usb drive and using the bios flashing utility within the motherboard bios.

msi calls it m-flash (iirc) and i think asus calls it ezflash (i might be wrong about the naming since it's information that isn't required too often and is fairly pointless to remember)

[Edgar R. Zakarian]

3 hours ago, revsilverspine said:

no. That is a bios settings reset mechanism.

flashing the bios is done by basically reinstalling it. Use the latest bios version available for that exact board and refer to the manufacturer's instructions on updating/reflashing the bios. This most likely will involve copying the dowbloaded bios onto a usb drive and using the bios flashing utility within the motherboard bios.

msi calls it m-flash (iirc) and i think asus calls it ezflash (i might be wrong about the naming since it's information that isn't required too often and is fairly pointless to remember)

and i could use a cd to ensure the usb doesent get infected by the old bios?

 

And can the rootkit really infect both a 4790k platform and a 7700k platform? the SAME damn rootkit? Different motherboards?