Please help with rootkit removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by evers, Nov 13, 2011.

  1. evers

    evers Private E-2

    Hello Major Geeks,

    My PC is infected. I have tried cleaning as much as I can, but am afraid it is a rootkit infection. Could someone guide me through the steps needed to clean it? I am afraid this is over my head. (Many thanks in advance.)


    Currently have done the following:
    - tdsskiller (no threats detected)
    - run malwarebytes anti-malware (no threats detected)
    - run SuperAntiSpyware (no threats detected)
    - run MBRCheck, get the following:
    --------------------------------------------------
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000004

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`c0100000 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: 0C7B0D4F80B63F5496D9800C9875CEA35E28D829


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit: n


    Done!
    Press ENTER to exit...
    -------------------------------------------------------------
    please help :cry
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have an infected Master Boot Record.

    Please be warned that you would be wise to back up any important data before proceeding with the next step of attempting to fix your MBR.

    Do you have your XP boot CD? If not:

    This is a download of an .iso file of just the Recovery Console for XP.
    Burn to CD with Nero or other 'disc image' capable tool and boot.

    XP Recovery Console.

    You can use ImageBurn to create the disc.

    Boot to the bios after creating the disc, and change the boot order to CD/DVD as first boot device. Then insert the CD and reboot. Once you are in the Recovery Console, type:
    fixmbr

    then exit. Reboot to normal mode and re-run MBRCheck and attach the new log.

    Then I want you to attach what logs you DO have from running SUPERantispyware, TDSSKiller etc. Did you run MGTools or combofix?
     
  3. evers

    evers Private E-2

    Thank you for the prompt reply. The PC is an ACER NetTop which did not come with any installation CDs. When I boot off of a recovery CD I get BSOD 0x7E at pci.sys

    Not sure if that leaves me with many options.....
     
  4. evers

    evers Private E-2

    Tried a different Recovery CD and get BSOD stop code 7B.
     
  5. thisisu

    thisisu Malware Consultant

    Try burning the CD at a slower speed.. like 2x.
     
  6. evers

    evers Private E-2

    -Have tried burning the recovery CD at 1x speed, but still get BSOD stop code 0x7B (the CD works fine on other PCs). So I have not been able to run 'fixmbr' as of yet.

    -Ran a utility tdldetect and RegRun which indicates I'm infected with TDL4.1.
    -HitMan Pro also says C:\Windows\system32\DriverS\RxFx0150.sys is infected
    -ping.exe takes up excessive cpu
    -avast antivirus is blocking ping, which mysteriously has a mind of its own and wants to connect to malware sites (e.g. 63.233.106.16)

    Interestingly enough, I was getting a lot of Smurf DoS attacks on my LAN, with my router constantly resetting. I bought a newer router and at least that problem seemed to go away.
     
  7. evers

    evers Private E-2

    Latest update:

    -Recovery CDs that I know are good, result in BSOD stop code 0x7B
    -Bootable CDs that I know are good (eg. UBCDWIN, Hiren's BootCD) do not even see the infected drive.
    -I ran Hitman pro which removed an infected RsFx0150.sys and installed COMODO which seems to have an effect of a stable environment.
    -MBRCheck still stating MBR code faked

    "MY PC is STILL infected, just lying dormant!":cry

    QUESTION: Could the rootkit TDL4.1 variant be smart enough to hide the hard drive when booting up on a CD ? What if I reverted to safe mode and used a restore point before the MBR got infected, would this help ?
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it.

    • Click the "Scan" button to start scan
    • On completion of the scan, click the FIX MBR button, then click Save log, save it to your desktop and post it in your next reply.
     
  9. evers

    evers Private E-2

    Okay here is the log file.....
     

    Attached Files:

  10. evers

    evers Private E-2

    And attached is the log of MBRCheck after running mbrfix. It seems that even though the mbrfix report was successful, MBRCheck still detects a faked MBR. Should I have rebooted before running MBRCheck?
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, try rebooting, re-run MBRCheck and if it still reports as FAKE then repeat the aswMBR step, fix the MBR again, reboot and check one more time. Let me know.
     
  12. evers

    evers Private E-2

    Okay,
    -I rebooted the PC,
    -ran aswMBR scan, ran fixMBR, saved log
    -rebooted the PC,
    -ran MBRCheck, saved log

    Looks like I still have a fake MBR......
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am seeking guidance from the other malware fighters. Hang in there. :)
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also:

    Please download bootkit_remover.rar
    • Scroll down a little way until you see Bootkit Remover, then scroll down bit further for the download button.
    • Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip.
    • After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    • Attach or post inline here, the output from remover.exe
    NOTE: The Command Prompt window text can be copied to the clip board by right clicking on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.
     
  16. evers

    evers Private E-2

    thanks for the reply, here are the log files.....
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to re-run TDSSKiller and choose cure as the action. After doing so, please download MBRCheck to your desktop.

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Attach the TDSSKiller log as well as the MBRCheck log.
     
  18. evers

    evers Private E-2

    I ran tdsskiller (version 2.6.19.0). The three options it provides are
    -Skip
    -Copy to quarantine
    -Delete

    I did not see a Cure option.

    So I ran 'Copy to quarantine', rebooted then ran MBRCheck. Please see attached files.
     

    Attached Files:

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe and attach the new C:\MGLogs.zip.
     
  20. evers

    evers Private E-2

    -attached is the output of MGTools
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog46 to your Desktop.

    Extract avenger.exe from the Zip file and save it to your desktop,


    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the Execute button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now we need to use your XP CD to fix your MBR. If you don't have it, we can create a Recovery CD here:
    This is a download of an .iso file of just the Recovery Console for XP.
    Burn to CD with Nero or other 'disc image' capable tool and boot.

    XP Recovery Console.

    You can use ImageBurn to create the disc.

    Once you have created the disk, boot into your bios and change the boot order to CD/DVD as first boot device, put in the disc and reboot. Once you are in the RC, type:
    fixmbr
    Exit out and reboot to normal mode. Re-run MBRCheck and attach the new log.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  22. evers

    evers Private E-2

    Thanks for the reply. Okay, steps as follows:
    1) Disabled COMODO antivirus software
    2) Ran C:\MGtools\analyse.exe, ticked the three options you specified, clicked Fix, exited HJT
    3) Copied fixme.reg to desktop, double clicked, merged successfully with registry
    4) Ran Avenger with the script you specified; attached is the log file

    Still working on CD Recovery to fix MBR, will notify as soon as I make progress


    (many thanks in advance :))
     

    Attached Files:

  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, don't forget the C:\MGLogs.zip. ;)
     
  24. evers

    evers Private E-2

    Unfortunately, I cannot run a Recovery CD without a BSOD stop code 7B or 7E @ pci.sys

    Can't figure out why; the PC is an Acer nettop with an external CD drive.
     
  25. evers

    evers Private E-2

    The PC is an Acer Revo nettop. I don't think it allows booting off a WinXP recovery CD? It has an eRecovery management system where the end user can create Acer's recovery CD, which it has no problem booting from. The option is then to restore factory default settings to overwrite the OS. There is no recovery console window from which to run fixmbr. Should I go ahead with their reinstall of the OS?
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That may not fix the infected MBR. Usually you would need to also repartition the drive. Did you change the boot order to CD/DVD as first boot device? Do you then get a window asking if you want to boot from the CD? If you choose to do that, is that when you get the BSOD?
     
  27. evers

    evers Private E-2

    Yes, of course (rootkit cleaning may be over my head, but at least I know how to change the boot sequence - lol).

    The CDs I use (UBCDWIN, Hirens, WinXP Recovery CD) work fine on other PCs until I try and boot off of them on the Acer nettop.


    I've tried aswMBR, to no avail. Is there any other utility I could try to fix MBR while the infected drive OS is loaded/running ?
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You confused me. Are you saying you can't boot off the Hirens?
     
  29. evers

    evers Private E-2

    Sorry for the obfuscation. I lost track, got confused myself.

    The PC is an Acer Revo nettop with an external Iomega USB CD drive.

    -I can not boot off of UBCDWIN CD
    -I can not boot off of WinXp CD

    -However, I can boot off of the Hirens CD. It comes up with a menu of multiple boot options. Mini Windows XP is one option, but when it runs it cannot see the internal hard drive. In essence, a mini WinXP running off the CD. Hiren's CD also has other boot options in its menu that I am not familiar with, such as plop manager.


    Acer has its own recovery management where the end user can create a bootable CD to reinstall the OS. But it's not the same as a WinXP recovery CD, and there isn't an option within Acer's recovery CD to go to a recovery console and run fixmbr. Maybe Windows XP Setup does not work from USB and that is why I can't boot up from the WinXP CD?

    Hope I was a little clearer.


    What I am wondering is if there is another way to boot, maybe off of a USB stick, then maybe run a fix MBR utility. Just grasping at straws at this point.
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    *** Please print these instructions ***

    1. Download Hiren's BootCD Iso to the desktop of a clean computer.
    2. Extract the zipped HirensBootCD.zip to your desktop.
    3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
    4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
    5. Insert a blank CD in your drive.
    6. Press Start. This will burn the image to disc. After it has completed...
    7. Restart your sick computer and boot from the HBCD you created.
    o If your PC is not booting from the CD, you need to change the boot order:
    + Restart your PC
    + As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    + Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    + Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    + The tab should now show your current boot order.
    + If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    + Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    o Your PC should now boot from your CD.
    o Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
    8. When the CD boots choose "DOS BootCD".
    At the Hiren's BootCD main menu, select Next and hit Enter.
    At the second menu select 1 MBR (Master Boot Record)Tools
    In the list of MBR Tools select 1 MBR Work 1.08
    This screen will show the hard drive configuration.
    Type 5 to Install standard MBR code then hit Enter
    Type 1 to select Standard then hit Enter
    Type Y then hit Enter to confirm
    Type E then hit Enter to exit
    Press Ctrl+Alt+Del to restart the machine
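    The MBRCheck description in post 17 and the "install standard MBR code" step above both work on the same 512-byte sector, so here is one added example showing what each of them does to it. This is constructed Python, not code from this thread, from MBRCheck or from MBR Work: it validates the 0x55AA boot signature, hashes the boot-code region and compares it with a reference set (the "known MBR code" check), decodes the partition table, and then performs a fixmbr-style repair that replaces only the boot code while leaving the disk signature, partition table and signature bytes untouched. The boot-code bytes, disk signature, partition layout and known-good hash set are all made up for the demo, and hashing bytes 0..439 is this example's choice rather than a documented detail of MBRCheck.

```python
"""Anatomy of an MBR check and an MBR repair (constructed example).

Not code from this thread, MBRCheck or MBR Work: a self-contained Python
illustration of what those tools do with the first sector of the disk.
The boot code bytes, disk signature, partition layout and "known-good"
hash set below are all made up for the demo.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440      # bytes 0..439 hold the boot code; 440..443 the NT disk signature
PART_TABLE_OFF = 446    # four 16-byte partition entries at 446..509
SIGNATURE_OFF = 510     # bytes 510..511 must be 0x55 0xAA

# Constructed stand-in for vendor boot code (real boot code is 440 bytes of x86).
STANDARD_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTCODE_LEN - 8)
# Constructed stand-in for an overwritten boot sector; these are not real malware bytes.
TAMPERED_BOOTCODE = b"\xeb\x58" + b"\xcc" * (BOOTCODE_LEN - 2)


def bootcode_sha1(mbr):
    """SHA1 of the boot-code region only (the part a bootkit overwrites).
    Assumption: hashing bytes 0..439 is this example's choice, not MBRCheck's documented region."""
    return hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest().upper()


def build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, sectors)
        for status, ptype, lba, sectors in partitions
    ).ljust(64, b"\x00")
    disk_sig = b"\x12\x34\x56\x78\x00\x00"   # constructed NT disk signature + two zero bytes
    return bootcode + disk_sig + table + b"\x55\xaa"


def parse_partitions(mbr):
    """Decode the four partition entries; skip empty (type 0) slots."""
    parts = []
    for i in range(4):
        status, ptype, lba, sectors = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "size_mb": sectors * SECTOR // 2**20})
    return parts


def analyze_mbr(mbr, known_good):
    """What an MBR checker reports: signature validity, boot-code hash, partitions, verdict."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    signature_ok = mbr[SIGNATURE_OFF:] == b"\x55\xaa"
    digest = bootcode_sha1(mbr)
    if not signature_ok:
        verdict = "invalid boot signature"
    elif digest in known_good:
        verdict = "known MBR code"
    else:
        verdict = "non-standard MBR code"   # unknown hash: investigate, do not assume clean
    return {"signature_ok": signature_ok, "bootcode_sha1": digest,
            "partitions": parse_partitions(mbr), "verdict": verdict}


def rewrite_bootcode(mbr, new_code):
    """The fixmbr / 'install standard MBR code' operation: replace bytes 0..439 and
    keep the disk signature, partition table and 0x55AA exactly as they were."""
    if len(new_code) != BOOTCODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    return new_code + mbr[BOOTCODE_LEN:]


# Constructed layout: hidden 15 GiB recovery partition, then a bootable 128 GiB NTFS system partition.
LAYOUT = [(0x00, 0x27, 2048, 31457280), (0x80, 0x07, 31459328, 2**28)]
KNOWN_GOOD = {bootcode_sha1(STANDARD_BOOTCODE)}      # constructed reference hash set
CLEAN_IMAGE = build_mbr(STANDARD_BOOTCODE, LAYOUT)
TAMPERED_IMAGE = rewrite_bootcode(CLEAN_IMAGE, TAMPERED_BOOTCODE)   # partition table untouched

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_IMAGE), ("tampered", TAMPERED_IMAGE),
                        ("repaired", rewrite_bootcode(TAMPERED_IMAGE, STANDARD_BOOTCODE))):
        r = analyze_mbr(image, KNOWN_GOOD)
        print(f"{name:9} {r['verdict']:24} sha1={r['bootcode_sha1'][:12]}... "
              f"partitions={[(p['type'], p['size_mb']) for p in r['partitions']]}")
```

    Two things the example makes visible that the thread only implies: the tampered image still has an intact partition table, which is why a machine with an overwritten boot sector keeps booting into Windows and showing its drives, and the repair only ever touches the first 440 bytes, which is why fixmbr is a low-risk step for data (the backup advice still stands because any disk write can go wrong). It also shows why a "successful" fix followed by another "faked" report after reboot points to something re-writing the sector while the infected OS is running, and hence why the helpers insist on doing the fix from boot media.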
     
  31. evers

    evers Private E-2

    Thanks for the reply. Okay, took the following steps:
    -Hirens Boot CD ( version 15.0) ran dos programs, mbr work 1.08, installed standard MBR code
    -ran MBRCheck
    -ran MGTools
    please see attached files...
     

    Attached Files:

  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  33. evers

    evers Private E-2

    Attached Files:

  34. evers

    evers Private E-2

    I also rebuilt UBCD4WIN (slipstreamed it with correct OS version - winXP home edition SP3) and can now boot CD to windows recovery console. When I hit R for repair, it displays "<none>" for mass storage devices on my computer. Also BOOTCFG /SCAN resulted in error , failed to scan message.
     
  35. thisisu

    thisisu Malware Consultant

    There's Hitman Pro >> Download Link
     
  36. evers

    evers Private E-2

    Thanks for the reply. Have tried Hit Man pro, will try it again.

    I ran Kaspersky rescue disk 2008; attached is the log file.

    I must apologize. I have my dunce cap on. The reason recovery console did not see the infected hard drive may have been because I did not build an appropriate ISO with the drivers. Currently am slipstreaming, will keep you posted.

    (Thanks again for the time and effort spent on me :) )
     

    Attached Files:

    • KRD.txt (13.5 KB)
  37. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please go into disc management and attach a screen shot of it. I want to be sure about the partitions on your system.
     
  38. evers

    evers Private E-2

    Okay, finally got a bootable cd/flash drive with appropriate drivers setup.

    Attached pics: the first booting off a UBCD4Win CD running diskpart, the second running off a UBCD4Win flash drive running mbrfix.

    disk0 is the infected drive.
     

    Attached Files:

  39. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Using the ubcd4win flash drive running mbrfix, are you able to enter:
    fixmbr \device\harddisk0

    ??
     
  40. evers

    evers Private E-2

    Thanks for the reply.

    I'm still backing up as much as I can before going forward with the inevitable "fixmbr".

    Let me post the fixmbr results as soon as I'm done backing up......
     
