[Solved] Rootkit survives restored image


fixer

Well-known member
Member
VIP
Local time
8:46 PM
Posts
358
OS
Windows 11 Pro
My trusty old PC became unbootable and unrepairable. Whether I restored a Macrium image or tried to clean install Win 10, it failed at boot with 'Your device ran into a problem and needs to restart. You can restart'. Same with automatic repair. I have no experience or knowledge of rootkits but from reading up this did fit the bill. I eventually got it up and running by using Partition Wizard to completely zap the SSD boot drive and reinstalling Win 10 from USB. I've always believed nothing can survive a disk image restore but it seems that isn't so. Interesting!
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Lafite 14
    CPU
    i7
    Memory
    16Gb
    Internet Speed
    150Mbps/39Mbps
    Browser
    Firefox
  • Operating System
    Win 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    PC Specialist
    CPU
    i5
    Memory
    8Gb
    Internet Speed
    150Mbps/39Mbps
    Browser
    Firefox
    Other Info
    Incompatible device, upgraded to Win 11

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Pavilion
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    Erica6
    Memory
    Micron Technology DDR4-3200 16GB
    Graphics Card(s)
    NVIDIA GeForce RTX 3060
    Sound Card
    Realtek ALC671
    Monitor(s) Displays
    Samsung SyncMaster U28E590
    Screen Resolution
    3840 x 2160
    Hard Drives
    SAMSUNG MZVLQ1T0HALB-000H1
That's not the situation. I tried restoring three different images, all well predating this problem. The images were not infected.
 

How do you know your computer is infected by a rootkit?

If it's a firmware infection then no formatting will help remove the infection.
 

I'm not certain it was a rootkit, but as completely zapping the boot drive with bootable Partition Wizard has enabled me to reinstall Windows from USB, it obviously wasn't a firmware infection either. It was the SSD itself that was infected, and that infection, whatever it was, survived three image restores. As for TDSSKiller, as it was impossible to boot the computer at all, how would I have been able to run that?

Anyway, the problem is resolved and I'm not asking for help with it. Just thought members might be interested in this situation where an infected drive has survived multiple image restores.
 

What is the zap that Partition Wizard does?
 

My Computers

System One System Two

  • OS
    Win7
    Computer type
    PC/Desktop
    CPU
    i5-8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    2x8gb 3200mhz
    Monitor(s) Displays
    benq gw2480
    PSU
    bequiet pure power 11 400CM
    Cooling
    cryorig m9i
  • Operating System
    win7
    Computer type
    PC/Desktop
    CPU
    pentium g5400
    Motherboard
    gigabyte b365m ds3h
    Memory
    1x8gb 2400
    PSU
    xfx pro 450
It offers three different ways to blank a drive. I tried filling it with zeros and ones but that didn't work so I selected a process it describes as DoD, very slow. That succeeded with the seven pass option.
 

I tried filling it with zeros and ones but that didn't work so I selected a process it describes as DoD, very slow. That succeeded with the seven pass option.

A lot of writes to the disk. There are tools that use the SSD security erase, which is very fast and less damaging.

Manufacturers have their own tools available and, for example, parted magic has one that is not manufacturer dependent. Aomei part assist includes something similar, though I haven't yet used that one.

As far as I can make out, the tools send a command to the disk controller to run its own security erase/block erase function.

Micron:
The ATA SECURITY ERASE command not only deletes data but also returns an SSD to its fresh-out-of-box (FOB) performance state. This can be useful when running performance and benchmark tests. See Micron's Differences in Personal vs. Enterprise SSD Performance technical marketing brief for more information. Writing all zeros or any data pattern across an entire SSD is not a proper or secure method of erasing data from an SSD. The ATA SECURITY ERASE command should be used for this purpose.

Some engineers and scientists have detected stray electrons in NAND cells after an erase, and Micron acknowledges this possibility. However, because a block erase operation raises every NAND cell to an identical erase voltage regardless of the cell's previous state, Micron contends that it is impossible to determine the previous state of the cell based on leftover, stray signals.
 
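On Linux the controller-side ATA SECURITY ERASE described in the post above is issued with hdparm, and the usual reason it fails is that the BIOS has left the drive in the "frozen" state. As an added example (not from the thread or any poster), here is a shell check that reads the Security section of `hdparm -I` output and reports whether the erase can actually be run; it assumes a SATA drive on a Linux live system, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a SATA SSD is in a state
# where the controller-side ATA SECURITY ERASE discussed above can run, from
# the "Security:" section of `hdparm -I /dev/sdX` (Linux). The output is read
# on stdin so a captured sample can be used; live: hdparm -I /dev/sdX | ata_security_state
# Prints exactly one of: unsupported | frozen | enabled | ready
ata_security_state() {
    awk '
        /^Security:/ { insec = 1; next }
        insec && /^[A-Za-z]/ { insec = 0 }          # next top-level section begins
        insec && /supported/ && !/not/ { sup = 1 }
        insec && /enabled/   && !/not/ { en = 1 }   # a password is already set
        insec && /frozen/    && !/not/ { fr = 1 }   # BIOS froze it; erase is refused
        END {
            if (!sup)    print "unsupported"
            else if (fr) print "frozen"
            else if (en) print "enabled"
            else         print "ready"
        }'
}

# Map the state to the next step. Only "ready" yields the erase commands; the
# throw-away password is cleared by the erase itself. Nothing here runs hdparm.
secure_erase_plan() {
    case $2 in
        ready)   printf 'hdparm --user-master u --security-set-pass tmp %s\n' "$1"
                 printf 'hdparm --user-master u --security-erase tmp %s\n' "$1" ;;
        frozen)  echo "drive is frozen: suspend/resume or hot-replug it, then re-check" ;;
        enabled) echo "security already enabled: disable it with the existing password first" ;;
        *)       echo "no ATA security: use the vendor tool, or nvme sanitize/format for NVMe" ;;
    esac
}

# Constructed Security section of a healthy, unfrozen drive (not a real device).
sample_ready() {
    cat <<'EOF'
Security:
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
}
sample_frozen() { sample_ready | sed 's/not *frozen/frozen/'; }
sample_ready | ata_security_state    # prints: ready
```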
The OP has already done it.

All the best,
Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3296
There is a therapy, but not a diagnosis.
 

My Computer

System One

  • OS
    Windows 10 Pro
Like I said, formatting will not clean firmware of a rootkit infection.
 

My trusty old PC became unbootable and unrepairable. Whether I restored a Macrium image or tried to clean install Win 10, it failed at boot with 'Your device ran into a problem and needs to restart. You can restart'. Same with automatic repair. I have no experience or knowledge of rootkits but from reading up this did fit the bill. I eventually got it up and running by using Partition Wizard to completely zap the SSD boot drive and reinstalling Win 10 from USB. I've always believed nothing can survive a disk image restore but it seems that isn't so. Interesting!
Hi,
WinPE USB recovery media should work regardless of infection.
Reflect prompts people to create it when opening Reflect.
Boot to the WinPE media, delete partitions and restore the system image. Easier than falling off a log.
 

My Computer

System One

  • OS
    Win-7-10-11Pro's
    Computer type
    PC/Desktop
    Manufacturer/Model
    Acer 17" Nitro 7840sn/ 2x16gb 5600c40/ 4060/ stock 1tb-os/ 4tb sn850x
    CPU
    10900k & 9940x & 5930k
    Motherboard
    z490-Apex & x299-Apex & x99-Sabertooth
    Memory
    Trident-Z Royal 4000c16 2x16gb & Trident-Z 3600c16 4x8gb & 3200c14 4x8gb
    Graphics Card(s)
    Titan Xp & 1080ti FTW3 & evga 980ti gaming
    Sound Card
    Onboard Realtek x3
    Monitor(s) Displays
    1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
    Screen Resolution
    1920-1080 not sure what the t.v is besides 43" class scales from 1920-1080 perfectly
    Hard Drives
    2-WD-sn850x 4tb/ 970evo+500gb/ 980 pro 2tb.
    PSU
    1000p2 & 1200p2 & 850p2
    Case
    D450 x2 & 1 Test bench in cherry Entertainment center
    Cooling
    Custom water loops x3 with 2x mora 360mm rads only 980ti gaming air cooled
    Keyboard
    G710+x3
    Mouse
    Redragon x3
    Internet Speed
    xfinity gigabyte
    Browser
    Firefox
    Antivirus
    mbam pro
A lot of writes to the disk. There are tools that use the SSD security erase, which is very fast and less damaging.
I have since had a look at the SSD in HD Sentinel: status OK, health 98%. However, I'm a bit puzzled by the report:

"The drive tried to examine and reallocate data sector(s) 2 times. The examined data area is perfect." Why would it be trying to reallocate a data area that is perfect? Maybe that's where this bug was hidden, who knows?

Anyway, thanks for the comments and suggestions.
 

Hi,
98% is hardly perfect
Seems it has bad cells.
 

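The HD Sentinel line about reallocating sectors and the "98% is hardly perfect" reply both point at the drive's SMART counters, which is the check to run before reaching for a rootkit explanation. As an added example (not from the thread or any poster), here is a shell triage of `smartctl -A` output from smartmontools on Linux; it assumes a SATA drive, the attribute table it runs over is constructed to resemble the report above (two reallocation events, nothing pending), and the mapping of HD Sentinel's wording to attribute 196 is my assumption.

```shell
#!/bin/sh
# Added example (not from the thread): media-fault triage from `smartctl -A`
# (smartmontools, Linux). Reads the attribute table on stdin so a captured sample
# can be used; live: smartctl -A /dev/sdX | smart_verdict
# Prints: clean | degraded <id=raw ...> | failing <id=raw ...>
smart_verdict() {
    awk '
        # Attribute rows: ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW
        $1 ~ /^[0-9]+$/ && NF >= 10 {
            id = $1 + 0; raw = $10 + 0
            # 5 = reallocated sectors, 196 = reallocation events (assumed to be the
            # counter behind a "tried to reallocate data sectors N times" report),
            # 197 = sectors pending reallocation, 198 = uncorrectable sectors
            if (id == 5 || id == 196 || id == 197 || id == 198) {
                if (raw > 0) bad = bad " " id "=" raw
                # normalised VALUE at or below THRESH, or WHEN_FAILED set: vendor calls it failing
                if (($6 + 0 > 0 && $4 + 0 <= $6 + 0) || $9 != "-") fail = 1
            }
        }
        END {
            if (fail)     print "failing" bad
            else if (bad) print "degraded" bad
            else          print "clean"
        }'
}

# Constructed table shaped like the report above: two reallocation events,
# nothing pending, no threshold crossed (not a real drive).
sample_smart() {
    cat <<'EOF'
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       2
  9 Power_On_Hours          0x0032   088   088   000    Old_age   Always       -       51234
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       2
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
EOF
}

sample_smart | smart_verdict    # prints: degraded 5=2 196=2
```

A "degraded" verdict with a non-zero pending or uncorrectable count is the disk-fault signal Denis describes later in the thread; a "failing" verdict means the vendor's own threshold has been crossed.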
Boot to the WinPE media, delete partitions and restore the system image. Easier than falling off a log.
That's exactly what I did - how else could I have restored a boot drive image!
 

That's exactly what I did - how else could I have restored a boot drive image!
Hi,
In the OS, all it does is restart and attempt to restore a system image.
Since you didn't list the process, that is why I stated the correct process.
 

Whether I restored a Macrium image or tried to clean install Win 10 it failed at boot with 'Your device ran into a problem and needs to restart. You can restart'. Same with automatic repair. ... I eventually got it up and running by using Partition Wizard to completely zap the SSD boot drive and reinstalling Win 10 from USB.

I find your experience interesting and I hope that somebody can explain it.

But I do not understand why you made the leap from a disk fault to diagnosing a rootkit.
Surely a disk fault [overcome by zapping] would explain all the symptoms you reported.

I do appreciate that some rootkits are disk-based whilst others are in the firmware.
Rootkit - Wikipedia
So, if you had a rootkit at all, it would have been a disk-based variant.


All the best,
Denis
 

Hi,
In the OS, all it does is restart and attempt to restore a system image.
Since you didn't list the process, that is why I stated the correct process.
If you had read the thread, you would know that the system wasn't bootable!!
 

I find your experience interesting and I hope that somebody can explain it.

But I do not understand why you made the leap from a disk fault to diagnosing a rootkit.
Surely a disk fault [overcome by zapping] would explain all the symptoms you reported.

I do appreciate that some rootkits are disk-based whilst others are in the firmware.
Rootkit - Wikipedia
So, if you had a rootkit at all, it would have been a disk-based variant.


All the best,
Denis
Yeah, I did say I wasn't certain it was a rootkit. In retrospect I agree - just a disk fault. However this old box has been utterly reliable for donkey's years so a sudden disk fault never even occurred to me. Anyway, Win 10 is reinstalled on it now and all looks good atm but I'll keep the replacement I bought just in case.
 
