{"id":7018,"date":"2011-11-02T04:52:47","date_gmt":"2011-11-02T11:52:47","guid":{"rendered":"http:\/\/37prime.wordpress.com\/?p=7018"},"modified":"2011-11-02T04:52:47","modified_gmt":"2011-11-02T11:52:47","slug":"persistence-of-bootkit","status":"publish","type":"post","link":"https:\/\/37prime.com\/news\/2011\/11\/02\/persistence-of-bootkit\/","title":{"rendered":"Persistence of bootkit"},"content":{"rendered":"<p>Platform: Windows XP, Windows Vista and Windows 7.<\/p>\n<p>Symptoms, but not limited to:<\/p>\n<ul>\n<li>Search results using the browser search box, including the Chrome and Internet Explorer 9 Omnibox, are redirected to other sites.<\/li>\n<li>Internet Explorer is running in the background on login, using a large amount of memory.<\/li>\n<\/ul>\n<p>After long troubleshooting sessions I figured out that a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Rootkit#Bootkits\" target=\"_blank\">bootkit<\/a> was present on this computer.<\/p>\n<p><a href=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2011\/11\/Bootkit.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"Bootkit\" src=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2011\/11\/Bootkit.jpg\" alt=\"\" width=\"480\" height=\"270\" \/><\/a><\/p>\n<p>A bootkit hides itself by modifying the master boot record.<\/p>\n<p>The particular bootkit I was dealing with was not detected by <a href=\"http:\/\/www.bleepingcomputer.com\/combofix\/how-to-use-combofix\" target=\"_blank\">Combofix<\/a>, <a href=\"http:\/\/www.malwarebytes.org\/products\/malwarebytes_free\" target=\"_blank\">Malwarebytes&#8217; Anti-Malware<\/a> and many others. The only anti-malware program that detected the bootkit was <a href=\"http:\/\/www.surfright.nl\/en\/hitmanpro\" target=\"_blank\">Hitman Pro 3.5<\/a>.<\/p>\n<p>If you are dealing with a persistent malware infection that redirects search results, try using a number of anti-malware programs. In addition to that, search for &#8220;Google redirect virus&#8221; using an uninfected computer. The malware redirects search results system-wide. On the infected system, search results were redirected on Internet Explorer, Safari, Chrome and Firefox. The malware will redirect search results on any browser installed on the system.<\/p>\n<p>It is almost 5 o&#8217;clock in the morning. I have not had a minute of sleep. I&#8217;ll clean up this post later.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Platform: Windows XP, Windows Vista and Windows 7. Symptoms, but not limited to: Search results using the browser search box, including the Chrome and Internet Explorer 9 Omnibox, are redirected to other sites. Internet Explorer is running in the background on login, using a large amount of memory. After long troubleshooting sessions I figured out that a bootkit &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/37prime.com\/news\/2011\/11\/02\/persistence-of-bootkit\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Persistence of bootkit&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[946,4],"tags":[545,2511,2648,936,3039,3131,3216,3218],"class_list":["post-7018","post","type-post","status-publish","format-standard","hentry","category-announcements","category-news","tag-bootkit","tag-resources","tag-security","tag-tech","tag-troubleshooting","tag-vista","tag-windows","tag-windows-7"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pcNtU-1Pc","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/posts\/7018","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/comments?post=7018"}],"version-history":[{"count":0,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/posts\/7018\/revisions"}],"wp:attachment":[{"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/media?parent=7018"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/categories?post=7018"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/tags?post=7018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}