Possible Malware infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wormgod, Jun 20, 2012.

  1. wormgod

    wormgod Private E-2

    Hi All,

    A little background -

    I have been having trouble staying connected to the internet. Quite often (several times a day, usually after a period of inactivity), I lose my connection to the internet. To restore it, I unplug my NetGear router, wait 10 seconds or so, and plug it back in. After a few seconds, my PC has reconnected. In trying to diagnose the cause of this problem, the first thing I decided to try was bypassing the router, so I connected directly to my cable modem. Within a couple of hours, my Yahoo email was hacked and sent spam emails to all my contacts. When I noticed this, I reconnected back via the router and decided to run through all the necessary scans to see if anything else unfortunate had made its way onto my PC. I am using Comodo Firewall and SUPERAntiSpyware AV software.

    Attached are my logs. I have three logs from RogueKiller. The first time I ran it, it created two (I think the second was created when I clicked the Delete button). I realized that I had other users logged on and processes running at that point, so I restarted the PC and ran it a second time which created the third log.

    Please take a look and let me know if all is clear or if I have anything that needs to be cleaned up. Thanks!
     


  2. wormgod

    wormgod Private E-2

    Additional logs added
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See our instructions again. Also, the scan should only be run once! And you were not supposed to do anything but scan with RogueKiller. No fixing/deleting!

    Your logs are clean but one thing is questionable and that is the below 3GB partition
    Code:
    Partition Disk #0, Partition #2 
    Partition Size 3.65 GB (3,915,233,280 bytes) 
    Partition Starting Offset 246,075,701,760 bytes 
    Do you know what this is? Does it contain any info that you put there?


    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

    See the download links under this icon
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  4. wormgod

    wormgod Private E-2

    Thanks for taking a look. I am not sure what that 3GB partition is (possible recovery partition?) as I do not remember creating it.

    Here are the logs from TDSSkiller (one malware item found) and MBRcheck. Please take a look and let me know what I should do next.

    Thanks!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay well it may be an issue. TDSSKiller also pointed to it ( somewhat indirectly ) with the below
    Code:
    11:55:00.0314 5720 \Device\Harddisk0\DR0\# - copied to quarantine
    11:55:00.0314 5720 \Device\Harddisk0\DR0 - copied to quarantine
    11:55:00.0361 5720 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot
    11:55:00.0376 5720 \Device\Harddisk0\DR0 - ok
    11:55:00.0376 5720 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure 
    Rerun TDSSkiller again and attach a new log. I want to make sure this has gone away before deciding whether to take any action on that partition.
     
  6. wormgod

    wormgod Private E-2

    Hi Chaslang!

    Here is the latest TDSSKiller log (I even made sure to download the latest version). Looks like it did not find sinowal this time. Hopefully it is gone now.

    Is there any way to determine what is on that 3GB partition without putting the computer at risk again?

    Thanks!
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good!

    Not really.

    It does seem questionable and it does not look like a recovery partition. Your logs showed the below three partitions:

    Code:
    Partition Disk #0, Partition #0 
    Partition Size 47.03 MB (49,319,424 bytes) 
     
    Partition Disk #0, Partition #1 
    Partition Size 229.13 GB (246,026,350,080 bytes) 
     
    Partition Disk #0, Partition #2 
    Partition Size 3.65 GB (3,915,233,280 bytes) 
     
    And partition information also showed the below
    Code:
      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    OEM                 47 MB    32 KB
      Partition 2    Primary            229 GB    47 MB
      Partition 3    Unknown           3734 MB   229 GB
    The OEM partition would more likely be a recovery partition from Dell.

    However I cannot say for sure whether the last 3.7 GB partition is a problem. Are you currently having any more malware issues of any kind? If your answer is yes, then the only thing left to try may be removing this partition.
     
    Last edited: Jun 29, 2012
  8. wormgod

    wormgod Private E-2

    I don't believe I am having any other issues other than the original - not being able to stay connected to internet without having to power off/on my router. Is that a possible symptom?

    Can we just rewrite the MBR with a clean version? I do have a bootable Dell Recovery CD. Would that reset the partitions correctly (and eliminate the 3GB one if it was created more recently by something nasty)?

    Thanks!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Doubt this would be a problem related to the partition. Sounds more like your router has a problem. Why don't you try bypassing the router and connecting directly to your cable or FiOS (etc.) modem, and run this way for an interval (whatever it normally takes) to test whether it is just your router.

    It is not the MBR. It is a partition which is an even lower level. Rewriting an MBR or even formatting a drive does not fix a partition problem. You have to work on the partition itself. If you are not having any real malware problems ( and it does not seem so ) I would leave the partition alone. It is possible that Dell put a factory recovery partition there and did not label the partition.
     
  10. wormgod

    wormgod Private E-2

    Hi Chaslang!

    I have tried removing the router from the mix previously, and I believe that was when I really started having problems (see initial post), so I am reluctant to do this again. My paranoid mind thinks that whatever malware (e.g. sinowal) was on my computer was not able to get to the outside world via my router, so the malware would periodically disable my network connection. This would cause me to think it was the router and connect directly to the cable modem; thus, the malware would then have access to send sensitive information (or download other malware). Plausible?

    I thought the partition table was stored as part of the MBR. Not so? Wouldn't a clean version of the MBR then tell us if the partition existed previously? Also, is it possible that the extra partition was created at a time when XP did not support a larger partition, so the extra 3GB is just a leftover partition? If we don't think it is anything, can we just access it and wipe or format it?

    Thanks!
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you want to determine whether the router is the cause of your problems, you need to try it.

    Not true at all. Your router would not block outgoing things from your PC. This is why software firewalls need to be installed on your PC as stated in our How to Protect yourself from malware! sticky.

    No! As already stated. Infected partitions need to be deleted using special partition editing software, which in most cases will not cause any loss of data. Other alternatives would be to use your Windows Boot CD to erase all partitions. Create new partitions. Format them. And then reinstall everything from scratch. Obviously this second option wipes out everything on your PC.

    No! It is either an infected partition added by the malware or it is a factory recovery partition added by Dell. Since it is not labeled, we cannot tell. Do you know if Dell installed a Factory Recovery partition? Ask them. This is why it is preferable to bypass your router first rather than deleting this partition first.

    No!
     
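The MBR versus partition-table question in the two posts above, worked as an added example that is not part of the thread and not code from either poster: on an MBR-partitioned disk the four 16-byte partition entries live in bytes 446..509 of sector 0, directly behind the 440 bytes of boot code that a boot-sector rootkit such as Rootkit.Boot.Sinowal.b overwrites, so a copy of sector 0 saved while the machine was known clean (for example with `dd` or a disk editor) can be compared with the current sector to see both whether the boot code changed and whether a partition entry was added. The sample sector below is constructed from the sizes and offsets quoted in the logs (47.03 MB at LBA 63, 229.13 GB, 3.65 GB starting at byte 246,075,701,760); the boot-code bytes, disk signature, partition type bytes (0xDE, 0x07, 0xDB), the "known types" list and the 250 GB disk size are assumptions made for the example.

```python
"""Parse an MBR-style sector 0 and audit it against a saved baseline.

Added example, not from the forum thread. The partition geometry is taken
from the thread's logs; boot code, disk signature, type bytes and disk
size are assumptions.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440     # bytes 0..439: executable boot code (bootkit target)
TABLE_OFFSET = 446      # bytes 446..509: four 16-byte partition entries

# Type bytes a practitioner expects on a Dell/Windows consumer disk
# (assumed list; anything else is reported as unexpected).
KNOWN_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
               0x27: "Hidden NTFS / WinRE", 0xDE: "Dell utility"}


def make_entry(ptype, start_lba, sectors, bootable=False):
    """Build one 16-byte partition entry; CHS fields use the LBA marker."""
    chs = b"\xfe\xff\xff"
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, chs,
                       ptype, chs, start_lba, sectors)


def make_mbr(boot_code, entries, disk_sig=b"\x00\x00\x00\x00"):
    """Assemble a 512-byte sector: boot code, disk signature, table, 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + disk_sig + b"\x00\x00" + table + b"\x55\xaa"


def parse_mbr(sector0):
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector0) != SECTOR or sector0[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        flag, _, ptype, _, start, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype == 0 and count == 0:
            continue                      # unused slot
        parts.append({"index": i + 1, "type": ptype, "bootable": flag == 0x80,
                      "start_lba": start, "sectors": count,
                      "start_bytes": start * SECTOR,
                      "size_bytes": count * SECTOR})
    return {"boot_code_sha256": hashlib.sha256(sector0[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def audit_mbr(current, baseline=None, disk_sectors=None):
    """Return a list of findings; an empty list means nothing stood out."""
    cur = parse_mbr(current)
    findings = []
    for p in cur["partitions"]:
        if p["type"] not in KNOWN_TYPES:
            findings.append(f"partition {p['index']}: unexpected type 0x{p['type']:02X}")
    ordered = sorted(cur["partitions"], key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if disk_sectors is not None and ordered:
        last = ordered[-1]
        if last["start_lba"] + last["sectors"] > disk_sectors:
            findings.append(f"partition {last['index']} extends past the end of the disk")
    if baseline is not None:
        base = parse_mbr(baseline)
        if base["boot_code_sha256"] != cur["boot_code_sha256"]:
            findings.append("boot code differs from baseline (boot-sector rootkit style overwrite?)")
        known = {(p["start_lba"], p["sectors"]) for p in base["partitions"]}
        for p in cur["partitions"]:
            if (p["start_lba"], p["sectors"]) not in known:
                findings.append(f"partition {p['index']} is not in the baseline table")
    return findings


# Constructed sample matching the thread's logs (sectors = bytes / 512):
#   47.03 MB (49,319,424 B) at LBA 63, 229.13 GB (246,026,350,080 B),
#   3.65 GB (3,915,233,280 B) starting at byte 246,075,701,760.
_TABLE = [make_entry(0xDE, 63, 96_327),                      # OEM (assumed 0xDE)
          make_entry(0x07, 96_390, 480_520_215, bootable=True),
          make_entry(0xDB, 480_616_605, 7_646_940)]           # type byte assumed
BASELINE_MBR = make_mbr(b"ASSUMED CLEAN BOOT CODE", _TABLE)
CURRENT_MBR = make_mbr(b"ASSUMED MODIFIED BOOT CODE", _TABLE)
ASSUMED_DISK_SECTORS = 488_397_168      # a typical 250 GB disk (assumption)

if __name__ == "__main__":
    for p in parse_mbr(CURRENT_MBR)["partitions"]:
        print(p)
    for f in audit_mbr(CURRENT_MBR, BASELINE_MBR, ASSUMED_DISK_SECTORS):
        print("FINDING:", f)
```

Run against a real sector 0 (read with `dd if=/dev/sda bs=512 count=1` or an equivalent disk editor dump, both as assumptions about tooling), the audit lists unexpected type bytes, overlapping or out-of-range entries, and any difference in boot code or table against the saved baseline; with the constructed data the only findings are the assumed 0xDB type and the changed boot code, and partition 3 is reported as present in the baseline, which is the "did it exist before" check asked about above.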
  12. wormgod

    wormgod Private E-2

    Once we are certain that the PC is free from malware, I will go back to debugging the internet issue.

    Ah. I have been running Comodo FW for a couple of years now.

    Yes, this is a Dell Recovery partition with a full image of the PC as it was shipped.

    Is everything clean now? Is there more that we should check/clean?

    Thanks!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs have been clean since TDSSkiller removed the Rootkit.Boot.Sinowal.b infection.

    If you are not having any other malware problems, it is time to do our final steps and you can test bypassing your router.
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  14. wormgod

    wormgod Private E-2

    Hi Chaslang!

    Thanks for all the help!

    I had a couple of more questions about Rootkit.Boot.Sinowal.b:
    1. Do you happen to know what vulnerability it exploited to infect the system? I would like to make sure that was closed (if possible). I follow most (if not all) of the recommendations in your link including regular updates of XP (as they are released).
    2. Is there any way to determine when the infection occurred (other than based on observation of hacked email, etc)?
    3. I purchased SUPERAntiSpyware a couple of years ago, and real-time protection is enabled (as well as daily updates). Just curious as to why it did not catch Rootkit.Boot.Sinowal.b at the time of infection? Obviously, after the fact, we needed a rootkit scanner to find it, but is this something you would have expected SUPERAntiSpyware to catch in real-time?

    Thanks again!
     
