Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Win7 notebook hit by "Microsoft Support" scam/Rootkit...

09 Feb 2017   #1
paulf22

Win7 Pro 64Bit
 
 
Win7 notebook hit by "Microsoft Support" scam/Rootkit...

Hi All

A friend was caught by a "Microsoft Support" scam yesterday, they downloaded GoToAssist 3.1X on her HP Elitebook running Win7 Pro 64Bit on a Crucial MX300 SSD.

I rebooted into Safe Mode and deleted the GoToAssist, but when I rebooted into Windows the "Microsoft Alert" and chat window they used popped right back up on the Desktop, so I'm assuming there's a rootkit in the system.

The machine is currently off with Internet disabled.

Does anyone have any ideas of how to clean this out short of nuking the drive... there's stuff in there my friend would rather not lose if at all possible. (Yeah, she didn't back-up on a regular basis.)


My System SpecsSystem Spec
.
10 Feb 2017   #2
Alejandro85

Windows 7 Ultimate x64
 
 

He MUST reformat the system. Once a virus enters a computer, it's basically impossible to determine what it actually did and how it's hiding or what changed, so it's no longer safe to ever use that system again. While certainly unpleasant, nuke the device from orbit is the way to go.

Now, about the data still in there, he doesn't have to lost anything. You can boot with a live-CD of some sort to get access to the affected drive, or plug it in a known-clean computer, so you can extract every important file in there, that's safe as long as you don't boot from it or run any program stored there. With all the data backed up to another drive, you can wipe it safely, reinstall, then restore all the data to the new system.
My System SpecsSystem Spec
11 Feb 2017   #3
paulf22

Win7 Pro 64Bit
 
 

Given what happened I'm assuming I'm not dealing withjust a virus here, but a rootkit; they hide in the MBR which is why reformatting the drive won't work, and they cannot be seen or dealt with by regular antivirus/malware tools.

Does anyone have any experience of dealing with rootkits, can anyone recommend any of the tools out there that claim to clean them?

Thanks!
My System SpecsSystem Spec
.

11 Feb 2017   #4
Bat 1

8.1 home x64
 
 

First scan with Malwarebytes. Goto Settings > Detection and Protection and make sure scan for rootkits is checked. If that doesn't work then goto Bleeping Computers and try rkill and the four other programs toward the bottom of the page. RKill Download

Remove the power, battery and disconnect the CMOS battery. Press and hold the power button down for 30 seconds then reconnect.

It would still be advisable to low level format the drive with a tool like HDDGURU: HDD LLF Low Level Format Tool Reinstall from a Genuine Windows ISO then bring up to date using the Simplix Pack.
My System SpecsSystem Spec
12 Feb 2017   #5
Alejandro85

Windows 7 Ultimate x64
 
 

First of all, a rootkit has nothing to do with the MBR. A rootkit is a malicious driver that runs in kernel mode and can control your entire system. A MBR virus is known as a "bootkit", a malicious program that takes control of your computer before the OS starts.
I don't see why you think you can have one of either, but it's not crazy to be that paranoid. In any case, the solution is the same, just reformat the whole thing.

As for antiviruses, none of them work, not even for "normal" viruses, much less for a potential rootkit. Once you're infected the system becomes completely unreliable, and so are antiviruses. They're only (moderately) good when preventing viruses from entering in the first place.

Rootkit or not, the solution is still the same, just reformat the computer and reinstall all the software from a known-clean media. No other option is reliable for this and you can't ensure a clean system otherwise.

As for a bootkit, it's easy to clean a MBR. Just rebuild the boot sector with the built-in utility "bootsect" as explained in this tutorial:
MBR - Restore Windows 7 Master Boot Record
My System SpecsSystem Spec
Reply

 Win7 notebook hit by "Microsoft Support" scam/Rootkit...




Thread Tools




Similar help and support threads
Thread Forum
New Threat with the scam "I'm from Microsoft Technical Dept etc"
I have been getting 3 or 4 telephone messages every day on this scam and usually just put the phone down. This morning I had a call from "Lisa" with the usual jargon so put the phone down. Two minutes later "Lisa" phoned again and said very fiercly that if I put down the phone on her again she...
System Security
SCAM? Phone call from "Microsoft Windows Repair Support, Albany"
While experiencing issues with BSOD and inability to repair Windows, the Repair Tool pop-up when it discovers it can't fix the issue asks if I want to report this to Microsoft. I chose SEND, and continued banging my head against the desk. Couple of days into this foray and I get a call saying...
Chillout Room
No "usb legacy support" "qfan" options on my asus laptop bios.
Entering the bios limits me to certain options. Is there anyway to access the other options? sorry, newbie here.
Performance & Maintenance
I have received a mail from "microsoft", it seems a scam.
Hi: i have received a weird mail, it says from microsoft live team, it seems a scam but no bad links. what do they want? there is no attatched file too. screenshot here: Regards. Max
Browsers & Mail
Tiscali - "There are no USB modems that support Win7"
I'm trying to get a new PC setup to access the internet. It's got Win 7 pre-installed and I have Tiscali broadband with the Speedtouch 330 usb modem they provided. This worked with my previous XP machine. After much faffing about trying to get it to work and find a suitable driver I find a post...
Hardware & Devices


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 03:30.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App