MajorGeeks Support Forums > Malware Removal
#1  Ed_G (Private E-2), 07-26-10 14:55
Ad Popups,Sounds/Verbal Audio,Clicking Sounds,Slow PC Performance,BSOD,WAVE File Mute

There has been a recent flurry of malware forum postings by individuals seeking help which list some or all of the symptoms in the title of this post.

It seems there is a virus outbreak of a bootkit-type virus that is fixed by re-writing the Master Boot Record (MBR). There appears to be no name for this virus yet and typical malware detection tools do not appear to work in detecting this issue, including the ones given in the MajorGeeks post in the Malware forum: READ & RUN ME FIRST. Malware Removal Guide, for XP systems. I run XP. Further, I also run McAfee on my PC, and it is not finding this issue either even after updates were checked and updated to my PC. Also I tried SpyBot-Search and Destroy and it does not work either.

Hopefully, Anti-Virus (AV) sw will catch up to this nasty bootkit type virus very soon. Note that my research on the internet indicates that bootkit viruses have not been the focus of AV sw for years since these types of attacks have lost favor for many years by virus writers. Research shows that these types of viruses were very popular when viruses first were built many years ago in the early 1990s, but then lost favor to other less complex exploits, but it is anticipated that these types of viruses are gaining favor again since they are very powerful and have the capability to be extremely malicious.

The purpose of this posting is to: 1) provide some Additional Information to chaslang and other users about my experience in following chaslang's instructions from his/her previous postings. 2) Ask chaslang about some steps in his/her instructions to Clarify Instruction Step Purpose.

Additional Information:

I have viewed ~6+ recent postings on this virus that causes many or all of the symptoms given in the Title of this posting, and Major Geek chaslang has been helping out these users in each case.

I also contracted this virus on my computer and followed some of the steps given in a couple of the postings that chaslang answered. The virus' symptoms are now gone for 3 days so I am pretty sure it is eradicated, as a couple of the symptoms appear within 10 minutes after booting (ad popups, clicking sounds, music/verbal audio). I did not submit a post for help on this up until now.

Anyway, the steps given were fairly consistent in all of chaslang's postings. But there were some differences. Most notably, the primary step to remove the bootkit virus is to re-write the MBR, and there were 2 different methods provided by chaslang. Here is my experience with each.

I tried the MBRCheck.exe first on my Dell Latitude E6500 PC with XP SP3 OS on it, which was given in some of the postings. It did not work. The virus remained. MBRCheck.exe detected it when using it to check for the bootkit virus, but for some reason it did not fix it when carrying out the steps to re-write the MBR. It never stated that the MBR was "successfully" written as given by other users in the posting when they provided the text of the output from MBRcheck.exe back to chaslang, but did indicate it was "done". So...

I then tried the remover.exe, which is given in many more of the postings. It did work.

The results I experienced with both of these methods may be helpful to chaslang or other users to know.


Clarify Instruction Step Purpose

This section of this posting is for chaslang. Please help me and clarify the following:

A) You provided the following steps in instructional posts, for just one example see http://forums.majorgeeks.com/showthread.php?p=1507149:

- Disable System Restore on all drives.
- Look for the below folder and if it still exists, delete it.
C:\System Volume Information\Microsoft

I would like clarification on the purpose of these steps. It seems to be to delete previous restore points that may contain the virus. Not sure. I did not do this since when doing the first step to disable system restore, XP warns me ALL previous restore points will be deleted. I did not want to do this as I have restore points prior to the time when I contracted the virus. Further I created a new restore point after the virus was removed. I have noted the few restore points that may have the virus. Unfortunately, Restore Point capability does not allow user with admin privs to delete selected restore points.

Moreover, having these prior to virus contraction restore points was absolutely necessary for me to have since I first needed to fix the BSOD issue I was experiencing since my WLAN driver was causing BSODs and I could not boot (NOT EVEN TO SAFE MODE) so I chose to boot to Safe Mode but (fortunately) the system then subsequently prompts whether to continue to boot to Safe Mode OR go back to a restore point. Without having valid restore points before the virus contraction and corruption of my WLAN driver, I would need to format/reload OS/reload sw/configure/etc. since I could not even boot to an OS.

Please also note that I first tried to go back to a restore point and continue to operate. However, I continued getting the other symptoms listed in the Title of this post. Further, the BSOD came back on subsequent reboot of the system so simply going back to a restore point did not eradicate the virus. This makes sense since now I know it is a bootkit virus affecting the MBR.

Questions:

i) Why is deleting ALL restore points necessary?
ii) Am I missing something about restore point operation where I may restore the virus again if I chose a restore point prior to contracting the virus or using one after the virus was removed?
iii) Do I still need to delete all my restore points since my PC is not exhibiting issues for 3 days now?


B) You provided the following steps in posts, for just one example see http://forums.majorgeeks.com/showthread.php?p=1507149:

- Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
- Then rerun MGtools as per the READ & RUN ME and attach the below log:
C:\MGlogs.zip

There are many tools that were asked to be run first before posting to the forum in: READ & RUN ME FIRST. Malware Removal Guide including MGTools.

Questions:

i) Why the focus to re-run only this particular tool after re-writing the MBR and confirming virus is gone on re-boot?
ii) Was it so you (chaslang) could check the log for general malware eradication/pc health after re-writing the MBR?
iii) Did you find something in the MGTools logs from infected machines that led you to suspect a rootkit virus which would be eradicated with an MBR re-write?
iv) Do I still need to re-run this tool since my PC is not exhibiting issues for 3 days now?
#2  chaslang (MajorGeeks Admin - Master Malware Expert), 07-27-10 23:19
Re: Ad Popups,Sounds/Verbal Audio,Clicking Sounds,Slow PC Performance,BSOD,WAVE File

Welcome to Major Geeks!

For future reference, polls in the Malware Forum are a waste of time since no one can post or answer in your thread except one of the staff. And we don't do polls.

Quote:
Originally Posted by Ed_G
There appears to be no name for this virus yet
Not true. It has been given several names. The most common are Black Internet and Whistler which MBRCheck will even tell you. BootKit Remover does not detect the infection by name and also does not even recognize some valid MBRs. It sometimes reports valid MBRs as unknown.

Quote:
Originally Posted by Ed_G
and typical malware detection tools do not appear to work in detecting this issue including the ones given in the MajorGeeks post in the Malware forum:
Not really true, because there have been several forms of this infection. The first forms were easily seen in the logs and were even detected by Malwarebytes. The newer forms, while not clearly detected by a novice nor pointed out by tools like SAS and MBAM, are pointed out to us by reviewing the logs from MGtools. This and the symptoms easily tell us what the infection is. Also a recent update to ComboFix has sometimes been able to indicate the Black Internet infected MBR.

Quote:
Originally Posted by Ed_G
I also run McAfee on my PC, and it is not finding this issue either even after updates were checked and updated to my PC.
A major deficiency in McAfee which is something you and many more people need to complain to them about.

Quote:
Originally Posted by Ed_G
I tried the MBRCheck.exe first on my Dell Latitude E6500 PC with XP SP3 OS on it, which was given in some of the postings. It did not work. The virus remained. MBRCheck.exe detected it when using it to check for the bootkit virus, but for some reason it did not fix it when carrying out the steps to re-write the MBR. It never stated that the MBR was "successfully" written as given by other users in the posting when they provided the text of the output from MBRcheck.exe back to chaslang, but did indicate it was "done".
Without seeing logs and without knowing exactly what you did, all I can say is you must not have entered the correct information to get MBRCheck to run the fix. Or you used an out-of-date version of the tool. MBRCheck is actually much more powerful and safer than BootKit Remover.

Quote:
Originally Posted by Ed_G
Unfortunately, Restore Point capability does not allow user with admin privs to delete selected restore points.
Correct, and there is also no easy way to know how many restore points may or may not be infected, so removing all of them is the only truly safe option. This infection is however an additional problem since at least one form of the infection (like the one you mentioned with the Microsoft folder in SR) was making use of the System Volume Information folder, which cannot be easily accessed until System Restore is disabled and then permissions are fixed (due to the infection) so that the infected folder and files can be removed. Removing all other restore points is actually the safe thing to do here too since other source/trace files of the infection could be in real restore points.

Quote:
Originally Posted by Ed_G
Moreover, having these prior to virus contraction restore points was absolutely necessary for me to have since I first needed to fix the BSOD issue I was experiencing since my WLAN driver was causing BSODs and I could not boot (NOT EVEN TO SAFE MODE) so I chose to boot to Safe Mode but (fortunately) the system then subsequently prompts whether to continue to boot to Safe Mode OR go back to a restore point. Without having valid restore points before the virus contraction and corruption of my WLAN driver, I would need to format/reload OS/reload sw/configure/etc. since I could not even boot to an OS.
This problem you mentioned with your WLAN driver is the first case mentioned of it causing a BSOD, so I'm not sure it is really related. It could be that it is and that it was just unique to your hardware configuration.

And even though you used a restore point to fix the problems with your driver, this obviously did not remove the MBR infection since this is not fixed by a restore. Nor would it be fixed by a format and reinstall. You have to delete ALL partitions, repartition, format and reinstall to clean up the boot record unless you use a procedure like with MBRcheck or you use Microsoft's fixmbr (only for XP; Vista and Win 7 need different but similar methods) from the Recovery Console to rewrite the MBR.

You will note that all of our normal cleaning procedures do not want you to Disable System Restore like many antivirus companies mistakenly tell you to do immediately upon getting infected. We always have waited until we have cleaned a PC to clear the restore points because our motto was "even an infected restore point can be better than no restore point when something goes wrong". The problem is this infection could have possibly respawned itself from the System Volume Information folder unless the files were removed. And in

Quote:
Originally Posted by Ed_G
However, I continued getting the other symptoms listed in the Title of this post. Further, the BSOD came back on subsequent reboot of the system so simply going back to a restore point did not eradicate the virus. This makes sense since now I know it is a bootkit virus affecting the MBR.
Yes this is what I said above.

Quote:
Originally Posted by Ed_G
i) Why is deleting ALL restore points necessary?
Because Microsoft does not give you a method to remove only one or a particular number. Also because there is no way to know which restore points may be infected.

Quote:
Originally Posted by Ed_G
ii) Am I missing something about restore point operation where I may restore the virus again if I chose a restore point prior to contracting the virus or using one after the virus was removed?
Yes this is why they are removed.

Quote:
Originally Posted by Ed_G
Do I still need to delete all my restore points since my PC is not exhibiting issues for 3 days now?
Yes!! If your PC is operating properly now, you should delete restore points. And when you re-enable system restore a new restore point is created for the state you currently have. If your PC is clean, then your restore point is clean. I say if, because we did not clean your PC via our full cleaning procedure where you would attach all of the logs we requested so that we can determine if you are really clean. Fixing the Black Internet infection and symptoms, does not necessarily mean there are no other infections on your PC.


Quote:
Originally Posted by Ed_G
B) There are many tools that were asked to be run first before posting to the forum in: READ & RUN ME FIRST. Malware Removal Guide including MGTools.

Questions:

i) Why the focus to re-run only this particular tool after re-writing the MBR and confirming virus is gone on re-boot?
Because we could see from it that processes related to the first forms of the infection were no longer running. This along with all of the other logs from the READ & RUN ME allows us to determine if a PC is clean. And when you tie that together with the original poster telling us their problems/symptoms are gone..... well this normally means all is good.

Quote:
Originally Posted by Ed_G
ii) Was it so you (chaslang) could check the log for general malware eradication/pc health after re-writing the MBR?
Yes as stated above too.

Quote:
Originally Posted by Ed_G
iii) Did you find something in the MGTools logs from infected machines that led you to suspect a rootkit virus which would be eradicated with an MBR re-write?
The infection has already evolved several times since the first versions were seen, but with the first version (as stated above) we could see the processes of the infection running and we also could identify some other common things in logs. We quickly surmised it was an MBR infection when normal advanced cleaning procedures to forcefully remove files, folders and registry keys showed that the infection was successfully removed, and upon followup rescans with MGtools we saw the infection came right back.

Quote:
Originally Posted by Ed_G
iv) Do I still need to re-run this tool since my PC is not exhibiting issues for 3 days now?
MGtools is not a comprehensive scan nor is it truly a "malware scanner", although there are quite a few things it will detect and point out. It is more of a massive information collector for malware fighters to use to help us locate possible problems, especially when other tools may not detect anything. The trained eye of a malware fighter uses all the logs to help find possible causes of problems being reported. So to answer your question more explicitly, if you only run MGtools we can only find out information that the MGlogs.zip file contains. While it could possibly reveal to us some remains of the Black Internet infection, it will not conclusively tell us your PC is clean. If you want to get an all clear, then run the READ & RUN ME and attach all of the requested logs.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


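The MBRCheck step discussed in this thread rests on one idea: the executable boot code in sector 0 should not change between checks, so a tool can compare it against a known reference and flag a rewrite. The block below is an added example of that check, written for this thread; it is not code from MBRCheck, BootKit Remover or the forum. It parses a 512-byte sector, validates the 0x55AA signature and the partition table, and compares a SHA-256 of the boot code (bytes 0-439 only, so repartitioning or a new disk signature does not look like tampering) with a baseline recorded while the disk was known clean. The sample sectors, the baseline, and the device paths in `read_first_sector` are constructed for illustration. The UNKNOWN verdict models the limitation chaslang mentions for BootKit Remover: with no reference for this boot code, a tool can only say "unrecognised", not "clean" or "infected".

```python
"""Baseline-style MBR integrity check (added example; not MBRCheck or BootKit Remover code)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439: the boot loader code a bootkit overwrites
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries after the disk signature + padding
PARTITION_ENTRY = "<B3BB3BII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of every valid MBR


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        fields = struct.unpack_from(PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + i * 16)
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:  # type 0 marks an unused slot
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only; disk signature and partition table are excluded
    so that legitimate repartitioning does not look like tampering."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline: Optional[str]) -> Dict[str, object]:
    """Structural checks plus a verdict against a baseline recorded on a clean disk.

    Verdicts: MATCHES_BASELINE, BOOT_CODE_CHANGED, or UNKNOWN when no baseline exists.
    UNKNOWN is not a clean bill of health; it only means there is nothing to compare to.
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table is empty")
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.lba_start < prev.lba_start + prev.sector_count:
            findings.append(f"partitions {prev.index} and {nxt.index} overlap")
    digest = boot_code_hash(mbr)
    if baseline is None:
        verdict = "UNKNOWN"
    elif digest == baseline:
        verdict = "MATCHES_BASELINE"
    else:
        verdict = "BOOT_CODE_CHANGED"
    return {"verdict": verdict, "boot_code_sha256": digest,
            "partitions": parts, "findings": findings}


def read_first_sector(device: str) -> bytes:
    r"""Read sector 0 from a raw device (hypothetical paths: r'\\.\PhysicalDrive0' on
    Windows, '/dev/sda' on Linux). Needs administrator/root rights; not called below."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: arbitrary boot-code bytes plus one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = b"\x11\x22\x33\x44"  # constructed disk signature
    sector[446:462] = struct.pack(PARTITION_ENTRY, 0x80, 1, 1, 0, 0x07,
                                  0xFE, 0xFF, 0xFF, 63, 2_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: neither is real Windows boot code nor real malware.
CLEAN_MBR = build_sample_mbr(bytes(range(40)))
TAMPERED_MBR = build_sample_mbr(b"\xff" * 40)
CLEAN_BASELINE = boot_code_hash(CLEAN_MBR)  # the value you would record on a clean disk

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(sector, CLEAN_BASELINE)
        print(label, result["verdict"], result["findings"])
```

Run as-is it reports the constructed clean sector as MATCHES_BASELINE and the constructed tampered one as BOOT_CODE_CHANGED. On a real machine you would record the baseline once, immediately after a known-good install or MBR rewrite, store it off the disk, and re-run the comparison periodically; a BOOT_CODE_CHANGED result after no deliberate boot loader update is the signal worth investigating.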
#3  Ed_G (Private E-2), 07-28-10 14:51
Re: Ad Popups,Sounds/Verbal Audio,Clicking Sounds,Slow PC Performance,BSOD,WAVE File

chaslang,

Thank you for your answers to the questions I asked.

Also thank you for the comprehensive comments you have made on the information, background, etc. in my initial post, which I did not ask for.

btw, I suggest removing the capability for a user to add a rating poll to one of their postings if it is both problematic and something that is just not done on the Major Geeks site.

Based on your answers I will delete all of my restore points.

For the record (no pun intended), as of today, now day 6 or so after virus eradication, I am still operational with no re-infection.
#4  Ed_G (Private E-2), 07-28-10 15:53
Re: Ad Popups,Sounds/Verbal Audio,Clicking Sounds,Slow PC Performance,BSOD,WAVE File

I deleted my older restore points by turning off restore: opening My Computer from Desktop > clicking on View System Information > click on System Restore tab > checking the "Turn off System Restore" checkbox > confirming to delete all restore points in the subsequent dialog box.

However, deleting the System Volume Information folder was impregnable. It was read only and could not be deleted. I tried unchecking the Read Only checkbox in System Volume Information folder's Properties and also tried to reset it using the DOS cmd line ATTRIB setting. The XP OS will not allow it to be set so that it is not read only.

This issue was also described by another user who tried to delete this folder, but I can't find that particular post at the moment and what you told that user to do.

Note that I did this all under my user account on my machine. I am set up with Administrator privileges. This is the only account on my machine with these privileges at this point in time. I do not understand why Windows XP SP3 will not allow me to set folder privileges/attributes of this System Volume Information folder. Sometimes Windows just makes me want to

Anyway, I re-booted and then turned restore back on and this automatically generated a new restore point.

Questions:

1. Does the a) System Volume Information folder NEED to be deleted to fully recover from this virus (along with deleting old restore points) or b) is just deleting all previous restore points and creating a new one enough?

2. If the answer to the question above is 1a), how do you suggest I proceed to successfully delete the System Volume Information folder?
#5  chaslang (MajorGeeks Admin - Master Malware Expert), 07-30-10 17:22
Re: Ad Popups,Sounds/Verbal Audio,Clicking Sounds,Slow PC Performance,BSOD,WAVE File

Quote:
Originally Posted by Ed_G
btw, I suggest removing the capability for a user to add a rating poll to one of their postings if it is both problematic and something that is just not done on the Major Geeks site.
It is just the Malware Forum where they serve no purpose. Other forums are fine. I'm not sure if they can be disabled for just a certain forum, but I will check.
#6  chaslang (MajorGeeks Admin - Master Malware Expert), 07-30-10 17:30
Re: Ad Popups,Sounds/Verbal Audio,Clicking Sounds,Slow PC Performance,BSOD,WAVE File

Quote:
Originally Posted by Ed_G
However, deleting the System Volume Information folder was impregnable. It was read only and could not be deleted.
You don't need to delete it. You just need to disable System Restore so that restore points are removed. System Restore is a special folder to the operating system and the malware also will play with permissions of the folder to prevent you from removing the malware, like in the version of malware that creates the \System Volume Information\Microsoft folder. This would be the folder and associated files that need to be removed. This folder is not a restore point folder. It is just malware.

The below link explains how to fix permissions on this folder and any other folder using cacls.

http://support.microsoft.com/kb/309531


Quote:
Originally Posted by Ed_G
1. Does the a) System Volume Information folder NEED to be deleted to fully recover from this virus (along with deleting old restore points) or b) is just deleting all previous restore points and creating a new one enough?
As stated above, you don't need to delete this folder. Restore points are removed when SR is disabled. If malware has created other folders in System Volume Information (as mentioned above), then you need to make sure those files and folders are deleted.
#7  Ed_G (Private E-2), 08-04-10 11:27
Re: Ad Popups,Sounds/Verbal Audio,Clicking Sounds,Slow PC Performance,BSOD,WAVE File

Thank you for the link on enabling permissions on the System Volume Information folder, which contains the XP OS's restore point information.

Yes, Microsoft's simple file sharing scheme was the issue here. I forgot about this "feature" put in by Microsoft into their XP OS (and several other Microsoft OSes as well). For the benefit of other users, I am providing the following link below for information on this feature. This link does a really good job at explaining this "feature" (or sometimes more of a hindrance). Not sure how long this link will be maintained by the publishing web site, and even if the web site will exist in the future, but using your favorite internet search engine and searching for something like "what does folder property use simple file sharing (recommended) mean?" should get you some similar articles.

http://e-articles.info/e/a/title/Usi...ng-in-Windows/

So now once I unchecked the "Use simple file sharing (Recommended)" property for folders on my system as given in the Microsoft Knowledge Base link you provided, I could then add my user account to the Sys. Vol. Info. security tab (since the Security tab now appeared when viewing folder properties when simple file sharing was off). I then could provide myself folder permissions including reading, writing and modifying privs. None of these privs. are enabled for the Sys. Vol. Info. folder when using simple file sharing by default when XP is installed.

Note I already had turned off hiding system files so the Sys. Vol. Info. folder was already appearing in the file system at the C: root.

Anyway, once I could open the System Volume Information folder to read it, I saw that the subfolder that chaslang told me to delete was not in this folder so all is well again. Recall chaslang indicated to delete the SUBFOLDER: C:\System Volume Information\Microsoft.
#8  chaslang (MajorGeeks Admin - Master Malware Expert), 08-06-10 00:31
Re: Ad Popups,Sounds/Verbal Audio,Clicking Sounds,Slow PC Performance,BSOD,WAVE File

You're welcome. Surf safely!