Win7 notebook hit by "Microsoft Support" scam/Rootkit...


  1. Posts : 28
    Win7 Pro 64Bit
       #1



    Hi All

    A friend was caught by a "Microsoft Support" scam yesterday, they downloaded GoToAssist 3.1X on her HP Elitebook running Win7 Pro 64Bit on a Crucial MX300 SSD.

    I rebooted into Safe Mode and deleted the GoToAssist, but when I rebooted into Windows the "Microsoft Alert" and chat window they used popped right back up on the Desktop, so I'm assuming there's a rootkit in the system.

    The machine is currently off with Internet disabled.

    Does anyone have any ideas of how to clean this out short of nuking the drive... there's stuff in there my friend would rather not lose if at all possible. (Yeah, she didn't back-up on a regular basis.)


  2. Posts : 2,468
    Windows 7 Ultimate x64
       #2

    He MUST reformat the system. Once a virus enters a computer, it's basically impossible to determine what it actually did, how it's hiding or what changed, so it's no longer safe to ever use that system again. While certainly unpleasant, nuking the device from orbit is the way to go.

    Now, about the data still in there, he doesn't have to lose anything. You can boot with a live CD of some sort to get access to the affected drive, or plug it into a known-clean computer, so you can extract every important file in there; that's safe as long as you don't boot from it or run any program stored there. With all the data backed up to another drive, you can wipe it safely, reinstall, then restore all the data to the new system.
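The extraction step described in the post above, as an added example that is not part of the thread: with the infected drive mounted read-only on a clean machine, copy only allow-listed document types (never executables, shortcuts or macro-enabled Office files) into the backup location and keep a SHA-256 manifest of what was taken. The mount command and the `/mnt/victim` and `/media/backup` paths in the comments are assumptions; the demo tree is constructed.

```python
"""Rescue a user's documents from an infected drive mounted read-only on a clean machine.
Added example, not from the thread. Device and mount paths in comments are assumptions."""
import hashlib
import os
import shutil
import tempfile

# Allow-list of plain data types worth rescuing. Anything else (.exe, .dll, .scr, .lnk, .js,
# .vbs, macro-enabled Office files, ...) is skipped, which is safer than a deny-list.
SAFE_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".rtf",
                   ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4"}

# Directories that hold the OS, installed software or per-user droppers rather than documents.
SKIP_DIRS = {"windows", "program files", "program files (x86)", "programdata",
             "$recycle.bin", "system volume information", "appdata"}


def is_safe_to_copy(path):
    """True only for allow-listed extensions; 'photo.jpg.exe' ends in .exe and is rejected."""
    return os.path.splitext(path.lower())[1] in SAFE_EXTENSIONS


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def rescue_files(source_root, dest_root):
    """Copy allow-listed files under source_root into dest_root, preserving relative paths.
    Returns {'copied': {relpath: sha256}, 'skipped': [relpath, ...]} using '/' separators."""
    copied, skipped = {}, []
    for dirpath, dirnames, filenames in os.walk(source_root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]  # prune in place
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, source_root).replace(os.sep, "/")
            if os.path.islink(src) or not is_safe_to_copy(src):
                skipped.append(rel)
                continue
            dst = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)  # bytes only: no ACLs, timestamps or alternate data streams
            copied[rel] = sha256_file(dst)
    return {"copied": copied, "skipped": skipped}


def build_demo_tree(root):
    """Constructed stand-in for a mounted profile: one document, one disguised binary,
    one file under AppData (where a remote-access tool would typically have landed)."""
    files = {
        "Documents/report.docx": b"PK\x03\x04 constructed document bytes",
        "Documents/photo.jpg.exe": b"MZ constructed executable bytes",
        "AppData/Roaming/notes.txt": b"constructed",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return files


def run_demo():
    """Build the constructed tree in a temp dir, rescue it, and return the result
    together with the expected hash of the one file that should have been copied."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = build_demo_tree(src)
    result = rescue_files(src, dst)
    result["expected_report_sha256"] = hashlib.sha256(files["Documents/report.docx"]).hexdigest()
    result["report_exists"] = os.path.isfile(os.path.join(dst, "Documents", "report.docx"))
    return result


if __name__ == "__main__":
    # Real use from a Linux live CD, after something like
    #   mount -o ro,noexec,nodev,nosuid /dev/sda2 /mnt/victim   (device and mount point assumed):
    #   rescue_files("/mnt/victim/Users/alice", "/media/backup/alice")
    out = run_demo()
    print("copied:", sorted(out["copied"]), "skipped:", sorted(out["skipped"]))
```

The allow-list is deliberately short; extend it for the file types the owner actually cares about rather than switching to a deny-list, since a deny-list will miss the next double-extension trick. Mounting with `ro,noexec` on the live CD side is what keeps the extraction safe even if something under the profile is malicious; the script only decides what gets carried over to the new install.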


  3. Posts : 28
    Win7 Pro 64Bit
    Thread Starter
       #3

    Given what happened I'm assuming I'm not dealing with just a virus here, but a rootkit; they hide in the MBR, which is why reformatting the drive won't work, and they cannot be seen or dealt with by regular antivirus/malware tools.

    Does anyone have any experience of dealing with rootkits, can anyone recommend any of the tools out there that claim to clean them?

    Thanks!


  4. Posts : 235
    8.1 home x64
       #4

    First scan with Malwarebytes. Go to Settings > Detection and Protection and make sure "scan for rootkits" is checked. If that doesn't work, then go to BleepingComputer and try RKill and the four other programs toward the bottom of the page. RKill Download

    Remove the power, battery and disconnect the CMOS battery. Press and hold the power button down for 30 seconds then reconnect.

    It would still be advisable to low-level format the drive with a tool like HDDGURU: HDD LLF Low Level Format Tool. Reinstall from a genuine Windows ISO, then bring it up to date using the Simplix Pack.


  5. Posts : 2,468
    Windows 7 Ultimate x64
       #5

    First of all, a rootkit has nothing to do with the MBR. A rootkit is a malicious driver that runs in kernel mode and can control your entire system. An MBR virus is known as a "bootkit", a malicious program that takes control of your computer before the OS starts.
    I don't see why you think you can have one of either, but it's not crazy to be that paranoid. In any case, the solution is the same, just reformat the whole thing.

    As for antiviruses, none of them work, not even for "normal" viruses, much less for a potential rootkit. Once you're infected the system becomes completely unreliable, and so are antiviruses. They're only (moderately) good when preventing viruses from entering in the first place.

    Rootkit or not, the solution is still the same, just reformat the computer and reinstall all the software from a known-clean media. No other option is reliable for this and you can't ensure a clean system otherwise.

    As for a bootkit, it's easy to clean a MBR. Just rebuild the boot sector with the built-in utility "bootsect" as explained in this tutorial:
    MBR - Restore Windows 7 Master Boot Record
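Before rebuilding the MBR with bootsect as the post above suggests, it is worth looking at what sector 0 actually contains. The following is an added example, not code from the thread: it parses a 512-byte MBR (bootstrap code, disk signature, partition table, 0x55AA boot signature) and flags the things a bootkit changes. The baseline hash is an assumption standing in for one taken from a known-clean install of the same Windows build; the sample sector and its 440-byte code area are constructed.

```python
"""Inspect a Master Boot Record before rebuilding it with bootsect. Added example, not code
from the thread; BASELINE_SHA256 is an assumption standing in for a hash captured from a
known-clean install of the same Windows build, and the sample sector is constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA = 440              # bootstrap code: bytes 0..439 (disk signature at 440, table at 446)
TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


def read_mbr(device_path):
    """Read sector 0 from a raw device: '\\\\.\\PhysicalDrive0' on Windows (as administrator)
    or '/dev/sda' from a Linux live CD. Not used by the demo below."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector, got %d bytes" % len(sector))
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_AREA]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
    }


def check_mbr(sector, baseline_code_sha256):
    """Return a list of findings; an empty list means nothing in sector 0 looks off."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    if any(b[0] < a[1] for a, b in zip(spans, spans[1:])):
        findings.append("partition entries overlap")
    return findings


# Constructed 440-byte stand-in for the Windows bootstrap code, and the assumed baseline hash.
SAMPLE_CODE = bytes(range(256)) + bytes(range(184))
BASELINE_SHA256 = hashlib.sha256(SAMPLE_CODE).hexdigest()


def build_sample_mbr(code, tampered=False):
    """Constructed MBR: active 100 MB System Reserved partition at LBA 2048, then the OS partition.
    tampered=True overwrites the first bytes of the code area, as a patched loader would."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    if tampered:
        sector[0:3] = b"\xe9\x00\x01"
    struct.pack_into("<I", sector, 440, 0x1234ABCD)
    struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + 16, 0x00, 0x07, 206848, 488181760)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    for label, mbr in (("clean", build_sample_mbr(SAMPLE_CODE)),
                       ("tampered", build_sample_mbr(SAMPLE_CODE, tampered=True))):
        print(label, parse_mbr(mbr)["partitions"], check_mbr(mbr, BASELINE_SHA256))
```

Two caveats for using this on the real drive: it only tells you about sector 0, so a bootkit that keeps its body in the unpartitioned gap before the first partition or in a hidden partition still needs the reinstall the thread recommends, and on a UEFI/GPT disk the MBR is only a protective stub, so the code-area hash means nothing there. Running this from a live CD against `/dev/sda` rather than from inside the infected Windows avoids a kernel-mode rootkit lying about what the sector contains.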


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.