TDSS / Hiloti / MBR rootkit or what? RnRMe files attached

Hi Gang!
Apparently it's time for my annual stubborn infection ;-)

I've been at this for almost 3 days and I admit I may have deviated from standard MG procedure: fwiw, last time I did that I turned you guys on to the gooredfix tool

Anyhow I bashed away at this thing for awhile with my usual toolkit and recurring infections before finding TDSSKiller. I figured I'd do a 'read and run me' before running TDSSKiller, I ran SAS and MBAM and then decided I should run TDSSKiller before running combofix since it seemed the reinfections were coming pretty fast and furious... so I did, and then ran combofix, rootrepeal, and MGTools: I've attached 8 logs.

installed the newest AVG free and its initial scan identified Win32/Heur in a very old copy of kazaa.exe I had lying around, and it's rootkit tool found nothing, but then i noticed the default settings were kinda slack...

You can see that rootrepeal says I have MBR rootkit on my F, L, and N drives... I don't even know what MBR is but it seems from MG forums that these 3 external drives are non-bootable and can't have MBR to have a rootkit of? So maybe these are false-positives but I'm too nervous to even touch the external drives...

likewise I'm generally nervous about the whole rig, but here's my main 3 questions:
1) How do my logs look?
2) What is MBR, and are those MBR rootkits false-positives or what?
3) I read how some of these types of infections can even get into a router, and since my laptop is also acting strangely I'm concerned about that... is there some way to look at that?

OH, PS: I know I have too much junk lying around my desktop: you oughtta to see my office! I've tried to change but it seems this is just the way I work ::slightly sheepish::

Anyhow, thanks as always for your kindness and generosity :heart y'all are the best!

-bingo

 

TDSS / Hiloti / MBR rootkit or what? other RnRMe files attached

the rest of the logs... thanks again!!
-b

 

here's the mbrcheck log, it found something... things seem running OK.
Earlier today I reset my router and ran gooredfix.
I've attached that log as well.
thanks!
-k
PS since running the readandrunme on this computer and my laptop, i have a file on both desktops called settings.dat ...it's just 15 bytes big in both cases.

 

Yes Tim, that is "freeagent drive".
It's mostly media-storage

 

Thanks, Tim!
I'll do the clean-up this evening, I have to go to work...
I still have 3 questions:

1) since running the readandrunme on this computer and my laptop, I have a file on both desktops called settings.dat ...it's just 15 bytes big in both cases. This is just a file that appeared on my desktop, wasn't there before running the RnR: any idea what it is?

2) Um, so what IS MBR?
...I'm guessing "Master Boot Record"... am I close?

3) I've seen helpers at bleepingcomputer have warned in TDSS-related threads that some of these infections are "password-stealers"... does that seem to apply in my case? Should I get proactive about changing passwords and investigating whether I'm experiencing an identity-theft attack?

Like i said, I'll tidy up tonight: thanks again for your help, and in advance for whatever light you can shed on my three questions!

yours,
-b

 

OK, now AVG Resident Shield claims to have found virus Win32/Heur in the most recent of 49 Restore Points in a System Volume Information folder on my 1TB iomega external drive (not the FA GoFlex 1TB drive). While I'm not sure about a SVI folder on an external, I'm REALLY not sure about having 49 restore points on an external drive! the path is F:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP595 ...I can navigate to the (hidden) SVI folder but can't open it. There's also a (hidden) AVG folder at the same level. What's up with that?
I have run only part of the cleanup: Combofix uninstall procedure caused combofix to try to run, then exit with a complaint about AVG. Combofix no longer appears in my C-drive (nor qoobox). HJT did not appear in add/remove programs. MGClean.bat returned "the system cannot find the file specified", but MGtools.exe and MGTools folder are now gone from C-drive. I did not toggle system restore.

...and on we go

thanks as always!

 

Thanks, Tim!

first

I always unhide all folders etc... in any case this is on my DESKTOP: why would I have a hidden system folder on my desktop? Can I just throw it away?

-----
So: I have NOT toggled system restore...

Remember that rootrepeal and mbrcheck BOTH warned of MBR issues on my external drives. Now last night:

Today I learned what the SVI folder is and poked around a bit... I can open the SVI folder on my C: drive, and there are, in fact, 49 restore points in there. The SVI folders on my 3 externals are all locked, I can't look in them, and the AVG scan I ran last night also shows them as locked. However, all 3 external drive SVI folders show "folder empty" on mouse-hover. So AVG resident-shield says yesterday it sees an infected file in a restore point on the F drive, and today that restore-point is apparently on the C drive (where it should be), and AVG scanner can't see into the (now ostensibly empty) SVI-folder on the F-drive where the ostensibly-infected restore point was (or is?)...

I guess I'm not having any clear 'problems' that I can point at except for anomalous AVG-notifications, but with rootrepeal saying "MBR Rootkit Detected!" on all 3 externals, MBRCheck saying "Found non-standard or infected MBR" for 2 or 3 externals, and AVG giving me warnings about a Trojan in an external's SVI file (which SVI file is ACTUALLY on the C-drive, maybe...), well, I guess I'm concerned that there's still something hiding, maybe moving itself around between SVI-folders: perhaps I should re-run some scans?

I did try to look in those locked SVI folders using the Cacls tool from the command-line, but I'm lame at command-line and couldn't figure out how to get into the root-folder of an external...

Anyhow, Tim, I'm sorry if I'm being a pest but I'm still pretty concerned: what can you tell me?

OH, PS:

No, I never set sytem restore to use external drives, but it seems possible that the back-up software that came bundled with the drives may have done that. In any case, I can't delete those folders from the externals: the folders are locked, access is denied.

all the best!
-b

 

Hi Tim, thanks for this!

I'm pretty overextended and it'll be at least a few days before I can get these drives backed-up :-o

Do I understand correctly that you think these are almost-certainly false-positives from MBRcheck and RootRepeal, that I can probaby ignore them, and you are suggesting this fix merely as a way to be absolutely sure?

...if so, I'll continue to compute with (guarded) confidence until I can buy another terabyte

...and offer my heartfelt thanks for now, until I can send you fresh logs from MBRcheck and MBRfix.

Many many thanks!

 

Yes I did... and yes I will. Thanks again!!