Need help with a rootkit problem...

I had a major spyware infection that started with the application "System Fix".

I ran through the process I found on bleepingcomputer, but there was one portion where they metioned that this usually comes with a rootkit infection, and I should run TDSSKILLER. However, no matter how I renamed it, this program would not start at all. I would get a cmd window that popped up blank for about half a second, and nothing else.

A scan with SAS found several infections that it rated high, but seemed to remove them.

However, I am still having problems with the computer. It mostly works, but I haven't checked everything yet, but Skype will not run, and iTunes will run, but will not recognize when I plug in my iPod.
I'm also getting error events (in the log, no messages pop up) about a problem with my NTFS boot sector. When I connect the ethernet, I am getting redirects to pages that are selling things about 50% of the time.

So, I just finished running through the process outlined above, everything worked except RootRepeal gave an error about a driver not being able to initialize. I attached a log of that failure, since that might also be useful.

Any help on this would be very useful, as I work from home, and this computer is my livelyhood. The situation is not completely dire, because I am able to copy files from the computer, and I do have a backup computer (though it is the computer I upgraded from a while back, so it is sloooow)...

 

Hi and welcome to Major Geeks, Tasarran!

Do you have your data backed up?
Do you have your Windows 7 DVD? We need it to restore a clean Master Boot Record (MBR).

Did you have any trouble running ComboFix? Please attach that log.

 

I don't have the whole drive backed up, but I have the data that is important.

When I bought the computer, I didn't get a DVD with it.

Forgot Combofix, running now.

 

How long do I let Combofix run before I assume it has locked up?

It says it usually takes 10 minutes, but could take twice as long on heavily infected systems, but it's been running for 40 minutes now...

 

Give it at least an hour.

 

Well, I let it run while I did some other things, and it never ended, in fact it locked up my computer, I had to reset.

And I forgot to mention above, DDS doesn't work, either. It runs for a while, but then the progress bar freezes.

 

Please download aswMBR by Avast! to your desktop.

• Double-click aswMBR.exe to run it (Vista and Win7 right-click and select Run as Administrator)
• Select No when asked Would you like to download latest Avast! virus definitions?
• Click the [FixMBR] button.
• Reboot the PC when it is finished.

Once you have rebooted

Rerun aswMBR
click [Save Log]
Attach this log to your next message: How to attach items to your post)

 

It won't run, either...

I get an hourglass for about two seconds, and nothing happens.

I tried renaming it to iexplore.exe and a random string.com, same results.

GRR

 

Try Hitman Pro >> http://majorgeeks.com/Hitman_Pro_d5283.html

 

It worked, and it found some spyware cookies, but not much else...

I ran it twice, but I can't attach the logs, they are xml...

I don't think it worked.

 

Please follow this thread: How to fix the Windows 7 MBR for 32bit OS

 

When I boot fromthe CD, my operating system isn't shown.
It says to select it off the disk, but which one???

 

From your RootRepeal log
Sounds like data corruption to me which could be why the Recovery Console is not seeing your hard drive.

Please boot back into Windows and download and install the following: Puran Defrag Free Edition

Now delete your existing System Restore points and create a new one before proceeding. >> Disable And Enable System Restore

Once you have deleted the old restore points and created a new restore point...Now open Puran Defrag Free Edition

Hopefully this sees your C:\ drive
If so, highlight the C:\ drive
Highlight the Boot Time Defrag button
From the drop down menu, select > Restart-Defrag-Restart + Full Disk Check
Allow the PC to reboot and let this program run unhindered
This could take a long time (3+ hours) depending on the corruption and defragmentation on the C: drive.

When it boots your PC back into Windows... retry the guide about restoring a clean MBR (booting off the CD)

 

This thing is a nightmare!

Fixed the MBR using the CD, but MBRCheck still says there is an infected or non-standard MBR.

aswMBR still won't run.

 

Using the disc has always been able to repair the MBR, however, within the past week or so... we are noticing it has not been as effective at all.

Hang in there while we do some more research.

 

If I had the install disk, I'd reformat it.

I already got the data I need off it. It would be a pain to have to re-install all my software, but I could handle it...

 

Are you running a RAID Mirror?

Was the recovery console able to see your hard disk after running Puran Defrag?

 

I wish I was running a RAID, but wouldn't both drives just be infected then?

My disk didn't show up to select, but it let me hit NEXT anyway. The first time through, it wouldn't let me do even that much, so something must have changed in some small way after Puran.

Question about Puran:
I selected Restart-Defrag-Restart-Full Disk Scan, but what it did was reboot, then basicall ran CHKDSK -f. I didn't see any defragmentation process?
Did it work as it was supposed to?

 

It should have done chkdsk -r (5 stages).
and after the chkdsk -r, it should reboot again and start the defrag process.

Quick suggestion, can you reboot back into recovery console and perform these two commands:

• bootrec /fixboot
• bootrec /fixmbr

 

Skip the above, I think I've found the real problem.

This is most likely (hear me out because I yet to see this first hand!) a hidden partition set by some of the newer TDL rootkits.

According to what I've read, we need to delete this partition (the one highlighted in dark red), and THEN, we can attempt to fix the MBR.

Since I have not seen this first hand, can you tell me if you can see this 1MB partition when you open My Computer and look under "Hard Disk Drives"?

What about if you go into Storage > Disk Management
See the below pic:

 

I was going through the Puran process again to see if it would work right.
Insanity is doing the same thing over and over, hoping for a different result, so I guess this has finally driven me insane...

I'm in the middle of 5/5, with probably an hour left.

Can I stop it, or will this cause harm?

 

Go ahead and let it finish and it sounds like your PC needs it anyways.

 

I made a tutorial for the next procedure that I would like you to try. Let me know if these steps were easy or difficult as you're basically the first person we've attempted this on.

First, download Download gparted-live-0.10.0-3.iso (115.1 MB)
You will need a blank CD to burn this ISO to. You can burn the .ISO using software like ImgBurn.

Now boot off of this newly created CD.


You should be here...
Press ENTER


By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.


Choose your language and press ENTER. English is default [33]


Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

According to your logs, the partition that you want to delete is 1.70 MB (1,785,856 bytes)
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:


Now you should be here:


Now double-click the button.

You should receive a small pop up like this:

Choose reboot and then press OK.


Now I would retry doing bootrec /fixmbr like before (from the recovery console) and/or running TDSSKiller.

Attach a new MBRcheck log and describe if you had any trouble.

 

Well, looks like you're right, I see it in Disk Management, but not in the regular list of drives.

attaching a screen shot of Disk Manager.

This is one time I'm pretty unhappy to be an early-adopter...

edit:[Posted this before I read your message below, I think I should be able to handle it, I'll let you know how it goes.]

 

Since you attached that screenshot, it looks like the 2mb TDL partition is marked "Active".

You can change the OS drive (931GB) to active while in GParted if you have any issues with booting.

 

well, GParted gets to that menu where I would select keymap, then goes into a loop of error messages.

nouveau 0000:02:00.0: DVI-I-1: EDID block 0 invalid.
DDC responded, but no EDID for DVI-I-1
EDID checksum is invalid, remainder is 128
" "
" "
" "

then it repeats ad infintum.

This looks like its referring to a display? DVI?

edit: unplugged one of my dual monitors, and it proceeded to continue

 

Well, now it won't boot off the drive...

DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER

 

Boot into the Windows 7 Recovery console > Command prompt

type in:

• bootrec /fixmbr
• bootrec /fixboot
• exit

Now restart your PC.

Let me know if this fixes it.

 

bootrec /fixmbr
The operation completed successfully.

bootrec /fixboot
Element not found.

Perhaps I should mention here that my drive letters still aren't available when I start the CD...

 

Are you still in the recovery console?

What appears when you type:

• bootrec /rebuildbcd

 

Successfully scanned Windows Installations.
Total identified: 1
[1] D:\Windows
Add installation to boot list? Y/N/A?

My original device was C:...

 

Ok good, we should be able to change it back to C: later once we are back in Windows.

Type Y to add

Let me know what appears after you have done this.

 

D'oh!

When I hit Y the response is "Element not found."

I can change to D: and see the directory, it seems to be my drive.

 

Ok, type in the following:

• d:
• dir

Let me know what appears

ok now, while the command prompt window looks like D:\>
type in the below

• bootrec /fixboot

Same thing? element not found?

 

Yes, same thing

 

Alright, boot back into Gparted.

First verify that the 2MB partition is gone.


Is "boot" next to your OS drive?

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

 

No. I just went under Partition > Manage Flags and turned it on.

Is that right?

 

Correct, now try rebooting.

Once you are in Windows, please attempt to run MBRcheck.

Looks like the new TDL rootkits do override your active partition with its own 2MB one, really interesting heh (well maybe not for you )

 

Sigh, I feel like we're really close now, thank you very much for your patience.

The latest problem is this:

Loading Operating System...

BOOTMGR is missing
Press Ctrl+Alt+Del to restart

Doing so causes it to reboot and cycle back

 

No problem.

Boot back into the recovery console and see if Startup repair fixes the problem on its own. It will ask you to reboot your PC for the changes to take affect.

If that does not work, then try the bootrec /fixboot command once again

 

did /fixboot, same result

went back in and did /fixmbr, /fixboot, worked fine
same result on boot

third time tried to add in /rebuildbcd
Did not find any installs

still BOOTMGR is missing...

However, in System recovery, the main drive does show now, that window was blank up until now.

 

Have you tried the startup repair option yet? We are getting really close.

 

I feel that we are getting close, too.

I hope our labors here will help others get past this evil creation...

Running startup repair now...

 

It worked at last!

MBR Check is clear!

What should I do as follow-up? TDSSKiller? MalwareBytes?

 

Great

Yes go ahead and run TDSSKiller using these directions:

Now we need to run TDSSKiller by Kaspersky
Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

For good measure you can update and run MBAM while I analyze the rest of your logs

 

Can you also try running ComboFix after you've done TDSSKiller and MBAM.

 

TDSSKiller found a couple of suspicious files that were skipped.

Running MBAM now.

 

The things it found are not problems so leave them as skipped. However it does not appear that you made use of the Change Parameters function

Read the instructions for running TDSSKiller if you skipped this.

 

Sorry, that computer is still isolated from the internet until it gets a clean bill of health. I missed that step going back and forth.

 

MBAM found nothing, and it looked like the only thing ComboFix did was to delete some of the directories that 'System Fix' left behind when this whole thing got started...

Thanks again for your help!
Here are the logs, I hope this helps you help someone else.