TDL3-Alureon Variant; ComboFix not Successful


This topic is locked.
23 replies to this topic

#1 VoleCubed

  • Members
  • 25 posts

Posted 23 August 2010 - 10:41 PM

Problem: Infection with some species of the Google Redirect Virus (Identified - but not removed - by HitmanPro v3.5 as a variant of Alureon-TDL3 RootKit)

Neither SuperAntiSpyware nor SpyBot even detected a problem. MalwareBytes did nothing. HitmanPro v3.5 identified the rootkit mentioned above, but did not remove the problem. ComboFix "detected" "rootkit activity" and rebooted the PC, but the problem persists. A stand-alone version of GMER had a few entries that seemed suspicious to me:

    Reg HKLM\SOFTWARE\Classes\CLSID\{101124FA-FFBB-531A-857D-17BCB9C0E544}\InprocServer32@InprocServer32; 1@v^Vn-}f(YR]eAR6.jiGraphicsFiltersFPXFiles<?(f'^Vn-}f(YR]eAR6.jiGraphicsFiltersFPXFiles<?
    Reg HKLM\SOFTWARE\Classes\CLSID\{101124FA-FFBB-531A-857D-17BCB9C0E544}\InprocServer32@; C:\Program Files\Common Files\Microsoft Shared\Grphflt\FPX32.FLT
    Reg HKLM\SOFTWARE\Classes\CLSID\{101124FA-FFBB-531A-857D-17BCB9C0E544}\MiscStatus@

But I was unable to even view - let alone delete - the relevant keys in RegEdit (the values were said to be unavailable or in use or some such thing - locked, in other words). I ran TDSSKiller twice. First it detected nothing. Then it detected a forged driver and quarantined it. But even this had no effect on the redirections.

Attached are the relevant logs (DDS X2, Malwarebytes X2, HijackThis, ComboFix, GMER, MBRChecker, RootKitUnhooker, TDSSKiller X2, etc.). I tried to paste them instead, but the post was rejected as too long.

Sincerely,

Matt

P.S.

I should also mention that I am somewhat hamstrung on this PC because there is a separate error: The PC hangs when trying to boot in safe mode. This has been going on for some time. It used to hang at some file (I forget now which one) which I, through research, determined to be non-critical and so deleted. Now the PC hangs on safe mode boot at the file MUP.SYS. Apparently, the fix is to repair the XP OS. But, the Dell that I have had a defective CD-ROM drive. I recently (say 3 weeks ago) replaced the drive with a DVD-ROM, but I can't put my finger on my XP disks. I thought that I had more time to look for them. I had a mind to run SDFix, but I can't get into safe mode. None of the other programs - ComboFix included - have so far required safe mode. I just thought that I would put my safe mode difficulty on record from the start.

Attached is a supplemental log, from RootkitReveal (for whatever it may be worth).

EDIT: Posts merged ~BP

Edited by Budapest, 25 August 2010 - 04:16 PM.



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 August 2010 - 05:44 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 VoleCubed

  • Topic Starter
  • Members
  • 25 posts

Posted 31 August 2010 - 02:31 AM

Hello! I am here. :-) Well, I will be in bed shortly, but I am monitoring my topic and I appreciate your willingness to assist me. Thank you, in advance, for whatever help or advice you can lend to me.

~ Matt

Also...attached is a Hitman screenshot.

Edited by VoleCubed, 31 August 2010 - 03:08 PM.


#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 31 August 2010 - 05:58 PM

Please run MBRCheck

Please download MBRCheck (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

Edited by boopme, 09 September 2011 - 10:45 PM.

m0le is a proud member of UNITE

#5 VoleCubed

  • Topic Starter
  • Members
  • 25 posts

Posted 01 September 2010 - 02:20 AM

First, thank you for the reply and instruction!

Second, I downloaded MBRCheck to my Desktop from your supplied URL and executed the program.

Third, the generated log is attached. The file is named "TheMBRCHeckLogYouRequested_20100831.txt".

But, fourth, as you probably know, and as I repeat here just for the record, I had already run an MBRCheck and the original log was included in my attachment of 8/23 labeled "Virus_20100823.txt". I have re-submitted the original log for your inspection. The file is named "OriginalMBRCheckLog_20100823".

~ Matt

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 September 2010 - 06:02 PM

The MBR has been rewritten.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR.

If you do not have a recovery disk then please burn one as shown here.


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter.
  • When the program asks you, enter 2 and press the Enter key.
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked "Do you want to fix the MBR code?", type in YES and press Enter.
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread

m0le is a proud member of UNITE
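The procedure above hinges on what MBRCheck reports about the first sector of the disk (later in the thread the log still reads "MBR Code Faked!"). The following is an added example, not MBRCheck's own code and not part of this thread, of the kind of check such a tool performs: it parses a 512-byte MBR, validates the 0x55AA signature and the partition table, hashes the 440-byte bootstrap area with SHA-1 and looks the hash up in an allowlist of known-good boot code. The allowlist, the disk signature, the partition values and both sample boot-code byte strings are constructed for the demo (real use would carry the vendor's genuine boot-code hashes). It also shows why a bootkitted disk still boots normally: only the bootstrap bytes change, while the partition table and signature stay intact.

```python
"""Constructed demo: parse a 512-byte MBR and check its bootstrap code
against an allowlist of SHA-1 hashes, the kind of check behind MBRCheck's
"MBR Code Faked!" verdict. Not MBRCheck's code; all sample data is made up."""
import hashlib
import struct
import sys
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0-439 hold the bootstrap code that a bootkit replaces
PART_TABLE_OFF = 446    # four 16-byte partition entries start here
SIGNATURE_OFF = 510     # last two bytes must be 0x55 0xAA


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class MbrReport:
    valid_signature: bool
    boot_code_sha1: str
    known_boot_code: bool
    partitions: list


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:          # unused slot
            continue
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def analyse_mbr(mbr: bytes, known_hashes: set) -> MbrReport:
    """Hash the bootstrap code and compare it with the allowlist."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    valid_sig = mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa"
    digest = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()
    return MbrReport(valid_sig, digest, digest in known_hashes, parse_partitions(mbr))


def verdict(report: MbrReport) -> str:
    """Mimic the one-line result MBRCheck prints (wording taken from the thread)."""
    if not report.valid_signature:
        return "Invalid MBR signature"
    return "MBR code known" if report.known_boot_code else "MBR Code Faked!"


# --- constructed sample data (hypothetical, not real Windows XP boot code) ---
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"           # stands in for the vendor MBR
TAMPERED_BOOT_CODE = b"\x90" * 8 + CLEAN_BOOT_CODE          # stands in for bootkit code
# In real use this set holds the SHA-1 of each vendor's genuine 440-byte boot code.
KNOWN_GOOD = {hashlib.sha1(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a sector: boot code, disk signature, one bootable NTFS-type
    partition at LBA 63, three empty slots and the 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 41_943_040)
    return code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"


def check_sample(tampered: bool) -> str:
    """Only the boot code differs between the two samples: partition table and
    signature stay intact, which is why a bootkitted disk still boots normally."""
    mbr = build_sample_mbr(TAMPERED_BOOT_CODE if tampered else CLEAN_BOOT_CODE)
    return verdict(analyse_mbr(mbr, KNOWN_GOOD))


if __name__ == "__main__":
    # Usage: python mbr_check.py <raw-device-or-image>   (e.g. \\.\PhysicalDrive0,
    # which needs administrator rights); with no argument, run the two samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            rep = analyse_mbr(fh.read(MBR_SIZE), KNOWN_GOOD)
        print(verdict(rep), rep.boot_code_sha1, rep.partitions)
    else:
        print("clean   :", check_sample(False))
        print("tampered:", check_sample(True))
```

Run with no argument to see the clean sample pass and the tampered one flagged; pointed at a raw device or a disk image it prints the verdict, the boot-code hash and the parsed partitions. A tool that only repairs the partition table, or a rescan that still shows the same hash after a rewrite, is exactly the situation reported later in this thread, so comparing the hash before and after a fix is the useful check.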

#7 VoleCubed

  • Topic Starter
  • Members
  • 25 posts

Posted 01 September 2010 - 09:14 PM

Thank you for your continued support and attention.

1. ComboFix had previously installed the Recovery Console on this PC, so I proceeded directly to running MBRCheck.

2. I ran MBRCheck, pressed 'y' after the scan, entered option '2', typed '0' (for physical disk number), typed '1' (for XP operating system option), typed 'YES', and restarted the PC. I have attached the relevant MBRCheck log.

3. Upon restart, I ran MBRCheck again and that second log is attached.

Assuming that the MBR was successfully rewritten in (what I have here labeled) Step 2, it appears that the MBR was corrupted again between MBR restoration and restart. X(

The log for the MBRCheck run after restart still reads "\\.\PhysicalDrive0 MBR Code Faked!" and Hitman still detects the same rootkit/"bootkit" traces (screenshot attached).

Thank you for your patience. I await further instruction.

~ Matt

Edited by VoleCubed, 01 September 2010 - 09:17 PM.


#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 September 2010 - 01:27 PM

Don't worry, it isn't a reinfection. MBRCheck hasn't worked in this case, so we need to use an alternative method to fix the MBR.

Locate your XP disk. If you can't find it then follow the instructions to burn one below.

Please download the Recovery Console Bootable CD iso
Unzip the file and use your favourite burning application to burn the iso to a CD. Note, this is not the same as just burning the iso file on a CD.

When you have the disk do the following:
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Once in Recovery Console, please type fixmbr and hit enter.

Type exit to exit and restart your PC. Now run and post a new MBRCheck log.

m0le is a proud member of UNITE

#9 VoleCubed

  • Topic Starter
  • Members
  • 25 posts

Posted 04 September 2010 - 01:32 AM

Thank you, again, for your assistance. And I apologize for my delinquent response. I had substantial difficulties, which I will presently relate to you.

Firstly, I did download the XP Recovery Console Bootable Disk ISO on a clean PC. I double clicked the ISO file and my burner program, Nero (apparently the program defaulted to open ISO files), seemed to make it easy to burn it to a CD - which I did.

Secondly, I attempted - after verifying in the BIOS that my IDE-DVD-ROM drive was prior to the hard drive in the boot sequence - to use the CD to boot the PC. And, after listening to the brief 3.5" floppy test, the DVD-ROM could be heard spinning; however, the boot sequence seemed to bypass the CD altogether, proceeding quickly to Windows XP normal load. (It seemed that an option for Recovery Console appeared practically for a mere INSTANT, and then vanished.)

Thirdly, I put in additional effort to locate my actual full version copy of Windows XP Pro, which I was finally able to track down. And I then attempted to boot the PC from the XP Pro full version. The PC could again be heard trying the floppy drive, then the DVD-ROM drive, at which point the PC hung on a black screen. I left the PC sit for over an hour with no discernible change in this black-screen-hang until, able to bear it no longer, I availed myself of the power button. (I take it, however, that this episode demonstrates that the DVD-ROM drive was indeed prior to the hard drive in the boot sequence. I confess, though, that I cannot be SURE that my XP Pro disk is a bootable disk - but it seems that I have used it that way on an earlier occasion.)

Fourthly, I allowed Windows to begin to boot normally - with nothing in the DVD-ROM drive - and, since I have a Dell PC, pressed F12 for "Boot Sequence" options. This function key provided various choices. One option was labeled "Utility Boot" (or something close to that). But, after selecting that option, the PC hung again. Another choice said (something like): "Boot from IDE device", but gave an error that repeated every time I pressed F2 to "retry device". (Bear in mind that the DVD-ROM drive functions in normal Windows mode usage.)

Fifth, since ComboFix had previously installed the Recovery Console, I simply pressed "R" when the - very BRIEF (see above) - option for Recovery Console was displayed. This actually worked to get me to a screen that said (at the bottom): "Starting Windows Recovery Console" (or something close to that). And there was a process bar that progressed beautifully from left to right and then... promptly stopped. The PC hung up on the "Starting Windows Recovery Console" screen. And an hour of time again was insufficient to perceive any relevant change.

I suspect that these troubles might go back to the underlying trouble that I noted in my initial post: Namely, something is apparently wrong somewhere with my machine's boot sequence (as I reported in the first post, my PC will not go into Safe Mode). If this is the case, then, I suppose, my inability to execute your most recent instructions might have nothing whatsoever to do with my overwritten MBR, but with some other, unrelated - and underlying - problem.

Practically, it makes no difference to ME, since the end result is that something is wrong with my PC that impairs my PC's functionality. But, that said, I realize that it may make a big difference to YOU, since you're on the "Anti-Malware" team and not on the "Dell Computers with Boot Problems" team.

However, it is beyond me to establish a demarcation point between those two realms of problem. So, I leave it to you to instruct me further, or pass me off to another forum.

Thank you for your patience.

Sincerely,

Matt

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 September 2010 - 05:10 AM

I think we need to sort out the boot issue before we can use the CD that we burnt.

Please post in Bleeping Computer's XP forum for help. Link to this forum and explain that the boot sequence seems to be causing the problem.

If you haven't had a reply in two days please let me know and I will ask an advisor to look at it.
m0le is a proud member of UNITE

#11 VoleCubed

  • Topic Starter
  • Members
  • 25 posts

Posted 05 September 2010 - 08:38 PM

Dear m0le,

I posted to the XP forum, as instructed.

The link, just for your information, is as follows:



As you specified, I will wait 48 hours from the post day/time for a reply before contacting you again to perhaps email an adviser directly.

Thank you for all of your assistance.

Sincerely,

Matt

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 September 2010 - 11:28 AM

You're welcome Matt
m0le is a proud member of UNITE

#13 VoleCubed

  • Topic Starter
  • Members
  • 25 posts

Posted 06 September 2010 - 08:31 PM

Dear m0le,

Sorry to bother you, but I think that someone just edited my post in the XP forum such that it now appears in the Malware category. Would you mind contacting an adviser for me; or, perhaps, you could move my post back to the XP category for me.

Thank you!!!

#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 September 2010 - 08:02 AM

I have moved it back.

Let me know if there are further problems.
m0le is a proud member of UNITE

#15 VoleCubed

  • Topic Starter
  • Members
  • 25 posts

Posted 09 September 2010 - 11:08 AM

Hello, m0le.

You counseled me that:

"If you haven't had a reply in two days please let me know and I will ask an advisor to look at it."

Unfortunately, it has now been two days since you moved my post, originally dated Sept. 5, 2010, back to the XP forum. You made the move back sometime before 8:00a (according to the post time-stamp) on Sept. 7 and it is three hours later on Sept. 9 as I write this.

If it wouldn't be too much trouble, I would appreciate it if you would contact someone in the XP forum to look at my issue with me.

Thank you! (Again!)

Sincerely,

Matt



