Can I safely delete an infected hidden partition?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sleepybear, Feb 21, 2012.

  1. Sleepybear

    Sleepybear Private E-2

    Hiya,

    Symptoms are unusable wireless router between discrete hours of the evening. Wireless router works fine on other laptops and works fine with this PC on ethernet. No obvious signs of wireless interference from outside - been using fine for a couple of years - changing channels doesn't alter anything, only just started displaying these symptoms. Browsing the forums, I came across a few articles that talk about Rootkit.ZeroAccess!

    Not picked up in any of my standard AV, so ran Avast standalone and got a hit on a hidden partition on my backup drive (C) which isn't my boot drive (D). Log attached.

    Question is; to cut to the chase and dismiss this as a possible cause, can I just safely delete this hidden partition (whatever it is) without screwing Windows on (D) ?? Thanks.
     

    Attached Files:

  2. Sleepybear

    Sleepybear Private E-2

    Here are the standard logs if they help also. Many thanks.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
Yes, you should be able to delete this partition on the non-boot drive with no problem. I can see the below drive and partitions on this additional drive. The one marked below is the infection.
    Code:
    Size 298.09 GB (320,070,320,640 bytes) 
    Partition Disk #0, Partition #0 
    Partition Size 298.09 GB (320,070,288,384 bytes) 
    Partition Disk #0, Partition #1                    <-- the infection
    Partition Size 2.48 MB (2,604,544 bytes)           <-- the infection
    
    We would normally use G-Parted as described in the below link to do this:

    Using G-Parted to Repair Windows Partition Infections

    You would not need to run the final steps of fixmbr and fixboot since this is not your boot drive. You have more to do than deleting this partition though. You have infections on your D drive which you need to remove. You need to run ComboFix as requested and attach the log so that we can continue to repair your problems. It would be good to delete the infected partition first though.
     
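A defender's check for the kind of hidden partition identified in the post above, added here as an example; it is not code from this thread or from the MajorGeeks tools. It parses a classic MBR sector and flags entries that are tiny, carry a "hidden" type code, or overlap another entry. The sample sector is constructed, and the 16 MB threshold and the hidden-type list are assumptions.

```python
import struct

SECTOR = 512
TINY_BYTES = 16 * 1024 * 1024          # assumption: a real data partition is larger than 16 MB
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}   # "hidden" FAT/NTFS type codes

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a classic MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i                          # partition table starts at byte 446
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:                              # unused slot
            continue
        entries.append({"index": i, "bootable": boot == 0x80,
                        "type": ptype, "start": lba, "sectors": count})
    return entries

def suspicious_partitions(mbr: bytes):
    """Map entry index -> list of reasons it looks suspicious."""
    parts = parse_mbr(mbr)
    findings = {}
    for p in parts:
        reasons = []
        if p["sectors"] * SECTOR < TINY_BYTES:
            reasons.append("tiny")
        if p["type"] in HIDDEN_TYPES:
            reasons.append("hidden type 0x%02x" % p["type"])
        for q in parts:                             # any two entries sharing sectors is a red flag
            if q is not p and p["start"] < q["start"] + q["sectors"] \
                    and q["start"] < p["start"] + p["sectors"]:
                reasons.append("overlaps entry %d" % q["index"])
        if reasons:
            findings[p["index"]] = reasons
    return findings

def make_entry(boot: bool, ptype: int, start: int, count: int) -> bytes:
    """Build one 16-byte MBR entry (CHS fields filled with the usual 0xFE 0xFF 0xFF)."""
    return struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", start, count)

def sample_mbr() -> bytes:
    """Constructed sample: a full-size NTFS partition plus a 2.5 MB hidden-NTFS entry at the tail."""
    e0 = make_entry(True, 0x07, 63, 625137282)
    e1 = make_entry(False, 0x17, 625132258, 5087)       # 5087 sectors = 2,604,544 bytes
    return b"\x00" * 446 + e0 + e1 + b"\x00" * 32 + b"\x55\xaa"

if __name__ == "__main__":
    for idx, why in suspicious_partitions(sample_mbr()).items():
        print("entry %d: %s" % (idx, ", ".join(why)))
```

On Windows the same parser can be fed the first 512 bytes of `\\.\PhysicalDrive0` read from an elevated prompt; the flags only point at entries worth inspecting, they do not prove infection.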
  4. Sleepybear

    Sleepybear Private E-2

Many thanks for your time Chaslang - really appreciate it. OK, so I deleted the partition - looked OK. Ran the scan, got the logs and then ran Combofix. It came up with a box telling me I was infected with Rootkit.ZeroAccess! - it's inserted itself into the tcp/ip stack...then I got a second box telling me Rootkit is detected, be patient...then a message saying Combofix has detected the presence of rootkit activity and needs to reboot. This it did, Combofix resumed and completed normally it would appear. Logs attached.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download The Avenger by Swandog46, and save it to your Desktop.


    See the download links under the icon on the download page.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. Sleepybear

    Sleepybear Private E-2

    Thanks for that, chaslang. All run OK - logs attached. System seems OK, will need to wait until this evening to see whether the wireless connection thing has resolved - working fine at the moment, but no change there, the symptoms were that it was unusable between certain times during the evening - from about 21:00 through to the early hours....and then it would be fine again by breakfast time. The only other strange thing is that when I go to a certain 'favourite' webpage on this computer, I can connect to it fine - it's available and is genuine. But when my wife tries connecting to it through her XP account on this computer, the webpage returns what would appear to be a genuine 'this webpage is not available, apologies, our team is working on it' type message as if it had been posted as a holding page from the company? The genuine webpage IS available though as I say, and it's definitely available from other computers? Haven't found multiple examples of that, just this one. I've deleted the page from favourites, deleted all temp files and cookies but the problem remains. Hmm?
     

    Attached Files:

  7. Sleepybear

    Sleepybear Private E-2

    Update - no change I'm afraid. At circa 21:00 the wireless broadband connection gives spurious results - very slow as to be unusable, or returning security certificate problems at favourite websites. The second I plug in the ethernet cable to the same router, everything returns to normal. Then, sometime in the early morning hours (I haven't stayed up all night to determine exactly when) it returns to normal, so at breakfast the wireless broadband is working fine to all intents and purposes. Happy to run further logs under your guidance - many thanks.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While it is not impossible that this is a malware related problem, I would say it is unlikely to be caused by malware. We have never seen any malware that picks a particular time of day like this to start causing a networking problem. In addition, if it were malware, it is also extremely unlikely that it would only impact your wireless connection.

    If your other PCs are actually running AT THE EXACT SAME TIME and have been on for the SAME LENGTH OF TIME, and they do not have this problem, then it would seem more likely that you are either running something on this PC that is causing an issue at this time of day. For example you have all of the below tasks set to run. What time do they run?
    Code:
    "D:\WINDOWS\Tasks\"
    ad0ed9~1.job  24 Feb 2012         486  "Ad-Aware Update (Weekly).job"
    apples~1.job  22 Feb 2012         284  "AppleSoftwareUpdate.job"
    asc5_a~1.job  24 Feb 2012         300  "ASC5_AutoClean.job"
    asc5_a~3.job  23 Feb 2012         302  "ASC5_AutoUpdate.job"
    dailyb~1.job  24 Feb 2012         938  "Daily backup.job"
    google~1.job  24 Feb 2012         890  "GoogleUpdateTaskMachineCore.job"
    google~2.job  24 Feb 2012         894  "GoogleUpdateTaskMachineUA.job"
    Or this PC is actually having some physical issue with the wireless network card.


    Run a scan with MGtools at the exact time when the problem is occurring. Then afterwards, try the below steps one at a time and tell me if the problem clears up.
    • Power cycle your cable, DSL, or FIOS modem ( whatever you have )
    • Power cycle your router that provides wireless capability if not provided by the above mentioned modem.
    • If the above have no effect, power down this PC for about 2 minutes then power it back up and see if the problem is still happening.
     
    Last edited: Feb 26, 2012
  9. Sleepybear

    Sleepybear Private E-2

    Thanks chaslang. Google, iTunes, AdAware & Advanced System Care have all been around on this computer for a long time now, so no change there, and I can't see that any of these updates are scheduled for a 21:00 start and then take many hours to complete, thus slowing my wireless broadband connection down. I waited until circa 21:00 tonight (UK time) and sure enough, wireless went slow/unusable/security certificate errors by 21:05. Ran MGtools, log attached. Whilst MGtools was running, I tried the Google homepage (returned in about 40 seconds, and then the CNN homepage - over 2 minutes). Finished the log, plugged in my ethernet cable, disabled wireless and broadband was back to normal. I power cycled the router and then switched off the computer as you've suggested with no change. You'll recall that there is no degradation in service on my laptop at any time, which leads me to believe it's this computer alone. So if it's not the router/settings I guess the only other thing I could try is to uninstall my network adapter and reinstall it? Obviously I don't want to reinstall Windows on the suspicion of a bug somewhere, but...? I understand it's difficult to diagnose absolutely everyone's problems if they don't immediately present themselves as malware so continue to appreciate your suggestions and help.:)
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt that would change anything. This problem with time of day is not symptomatic of a problem with your drivers. It is more symptomatic of a hardware issue like heating, network interference at time of day, or with some other piece of software running on your PC some how causing a problem during this time.

    Let's do a couple more scans before totally ruling out malware.

    Run GMER per the below and attach the log:

    GMER - running with a random name

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  11. Sleepybear

    Sleepybear Private E-2

    Thanks chaslang. Both logs attached. Think both problems are solved now with the following actions. I ran Norman Malware Cleaner which found & removed - HKLM\SYSTEM\CurrentControlSet\TCPnumconnections\Services\TCPIP\parameters\20x00000064 - but also performed a hard 'reset to factory settings' rather than a power cycle on my router. The 21:00 problem has now gone, wireless broadband is working normally as it should. Unfortunately I committed the cardinal sin of both running the cleaner and then resetting the router before testing, rather than one at a time, so not sure which one did the trick - doh! FYI, I also solved the rogue webpage that my wife's account was experiencing by flushing the DNS cache and TCP/IP stack and deleting all the cookies for the website that I could find. So I'm hoping that we're done if these logs look clean? Many, many thanks for your help, persistence & patience if that is the case.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not what it removed because that is not a valid registry key. What you probably meant was the below which I saw in your logs and ignored because it is not a problem.
    Many people manipulate this registry entry in an attempt to improve performance with P2P/torrent downloading type applications. Then there are also people like you ( or some one else in your family using this PC ) who are playing games ( and you have a lot ). And you tweak this to improve game performance.

    This is more likely where the fix came. You probably removed some settings that the family "gamer" tweaked to allow port related settings to be open towards this PC for game playing. And perhaps the late night gamers in the world were trying to access some game related stuff on your PC for online game playing.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
