mebroot / torpig infection


17 replies to this topic

#1 mofawayesu (Members, 10 posts)

Posted 07 June 2011 - 07:35 PM

My ISP reported a Torpig infection on this notebook. I cleaned it once with SpybotSD in clean mode and it seemed to have taken care of it. That was two weeks ago, and the ISP is complaining again. This time SpybotSD doesn't show anything, but GMER shows a malicious Win32:MBRoot code @ sector 156296388. Up to this point I've tried mbr.exe, mbam, eset online scan and several others with nothing else catching it. I did eventually rewrite the MBR from the recovery console and that resulted in the computer slowing down significantly (boots slow, sound card stutters etc). There have been the occasional BSOD when running mbam and gmer, but nothing that is consistently reproducible. I'm out of ideas! Thanks

Edited by hamluis, 07 June 2011 - 07:37 PM.
Moved from XP to Am I Infected.



#2 quietman7, Bleepin' Janitor (Global Moderator, 51,739 posts, Virginia, USA)

Posted 07 June 2011 - 08:31 PM

If the log results show both the user & kernel MBR are OK, it's not considered an active MBR infection even if it indicates detected hooks/malicious code.

The presence of malicious code and a PE file in other sectors of the drive indicates that there was an infection but it has been cleaned and the MBR sector has been restored successfully. Mebroot overwrites the MBR of the hard disk and drops an executable outside of formatted partitions. The installer of the rootkit writes the content of a malicious kernel driver to the last sectors of the disk, and then modifies several sectors to include sector 0 (MBR). According to gmer, fixmbr restores only sector 0 (MBR). As such, mbr.exe will always show all sectors where data was written to the drive by Mebroot even after the infection is removed.

Newer tools are similar in that they just repair the MBR and leave the executable as it will not be accessible once the MBR has been fixed. However, rootkit detection tools will continue to detect it and remnants of malicious code found in other sectors. This leftover data cannot be repaired or restored without knowing what information actually belonged in those sectors and probably would require a disk editor with programmer's knowledge to fix.

I'm not aware of any step by step instructions for using a disk editor to accomplish this so you will have to read the vendor's documentation if attempting to use one.

Let's double-check.

Please download aswMBR.exe and save it to your Desktop.
  • Double click on aswMBR.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Scan button to start scan.

  • On completion of the scan, click the Save log button and save it to your Desktop.
  • Do not select any Fix options at this time.
  • Copy and paste the contents of that log in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 mofawayesu, Topic Starter (Members, 10 posts)

Posted 07 June 2011 - 10:06 PM

Thanks for the quick reply. On running aswMBR the first time, I got an initialize error C000010e - driver not loaded, and the SCAN button remained grayed out. It worked on the second try, however.


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-06-07 21:02:26
-----------------------------
21:02:26.218 OS Version: Windows 5.1.2600 Service Pack 3
21:02:26.218 Number of processors: 1 586 0xD06
21:02:26.218 ComputerName: VALUED-827C7724 UserName: Valued Customer
21:02:28.171 Initialize success
21:02:32.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
21:02:32.671 Disk 0 Vendor: FUJITSU_MHT2080AT_PL 0022 Size: 76319MB BusType: 3
21:02:32.734 Disk 0 MBR read successfully
21:02:32.734 Disk 0 MBR scan
21:02:32.750 Disk 0 Windows XP default MBR code
21:02:32.796 Disk 0 scanning sectors +156296385
21:02:32.937 Disk 0 malicious Win32:MBRoot code @ sector 156296388 !
21:02:33.000 Disk 0 PE file @ sector 156296410 !
21:02:33.031 Disk 0 scanning C:\WINDOWS\system32\drivers
21:03:06.921 Service scanning
21:03:10.765 Disk 0 trace - called modules:
21:03:10.828 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll ATAPI.SYS intelide.sys
21:03:10.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82372030]
21:03:10.843 3 CLASSPNP.SYS[f8583fd7] -> nt!IofCallDriver -> \Device\00000076[0x823e1c80]
21:03:11.390 5 ACPI.sys[f84fa620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x823e62e0]
21:03:11.406 Scan finished successfully
21:04:16.718 Disk 0 MBR has been saved successfully to "D:\MBR.dat"
21:04:16.750 The log file has been saved successfully to "D:\aswMBR.txt"

#4 quietman7, Bleepin' Janitor (Global Moderator, 51,739 posts, Virginia, USA)

Posted 08 June 2011 - 07:49 AM

21:02:32.750 Disk 0 Windows XP default MBR code <- this indicates clean
21:02:32.937 Disk 0 malicious Win32:MBRoot code @ sector 156296388 <- this indicates a remnant of malicious code after the MBR was fixed as I previously explained. There is no way to remove it.

Example logs from an infected machine would show similar to these:

15:20:29.906 Disk 0 TDL4@MBR code has been found
15:20:29.906 Disk 0 MBR hidden
15:20:29.921 Disk 0 MBR [TDL4] **ROOTKIT**

14:39:20.859 File C:\WINDOWS\system32\drivers\rdpcdd.sys TDL3 **ROOTKIT**

16:29:33.500 Disk 0 MBR [Win32:MBRoot] **ROOTKIT**


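As an added triage aid (not from this thread, BleepingComputer or the aswMBR authors), the following Python script applies the rule given in the reply above to aswMBR log lines: a stock "default MBR code" line accompanied by "malicious ... code @ sector" or "PE file @ sector" hits is a leftover remnant, while lines carrying "**ROOTKIT**", "MBR hidden" or "@MBR code has been found" mean the bootkit is still active. The sample logs are constructed from lines quoted in this thread, and the marker strings are assumed from those quotes rather than taken from any aswMBR documentation.

```python
import re

# Constructed sample aswMBR output, not copied from any real machine.
# REMNANT_LOG follows the shape of the log posted in this thread (default MBR
# code restored, leftover Win32:MBRoot data in high sectors); ACTIVE_LOG is
# built from the "infected machine" example lines quoted in the reply above.
REMNANT_LOG = """\
21:02:32.750 Disk 0 Windows XP default MBR code
21:02:32.796 Disk 0 scanning sectors +156296385
21:02:32.937 Disk 0 malicious Win32:MBRoot code @ sector 156296388 !
21:02:33.000 Disk 0 PE file @ sector 156296410 !
21:03:11.406 Scan finished successfully
"""
ACTIVE_LOG = """\
15:20:29.906 Disk 0 TDL4@MBR code has been found
15:20:29.906 Disk 0 MBR hidden
15:20:29.921 Disk 0 MBR [TDL4] **ROOTKIT**
14:39:20.859 File C:\\WINDOWS\\system32\\drivers\\rdpcdd.sys TDL3 **ROOTKIT**
"""
CLEAN_LOG = """\
09:00:00.000 Disk 0 Windows XP default MBR code
09:00:01.000 Scan finished successfully
"""

# Line patterns. The leading HH:MM:SS.mmm timestamp is stripped first.
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
MBR_DEFAULT = re.compile(r"^Disk (\d+) .*default MBR code$")
SECTOR_HIT = re.compile(r"^Disk (\d+) (malicious .+? code|PE file) @ sector (\d+)")
# Indicators of an *active* bootkit (assumed from the lines quoted in the thread):
# the MBR itself is flagged or hidden, or a loaded driver is flagged.
ACTIVE_MARKERS = ("**ROOTKIT**", "MBR hidden", "@MBR code has been found")


def parse_aswmbr(text):
    """Return per-log findings: which disks show stock MBR code, which sectors
    hold leftover malicious data, and which lines flag an active rootkit."""
    findings = {"default_mbr": set(), "remnant_sectors": [], "active": []}
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if not line:
            continue
        m = MBR_DEFAULT.match(line)
        if m:
            findings["default_mbr"].add(int(m.group(1)))
            continue
        m = SECTOR_HIT.match(line)
        if m:
            # (disk, sector, what was found) - data left behind outside the MBR
            findings["remnant_sectors"].append((int(m.group(1)), int(m.group(3)), m.group(2)))
            continue
        if any(marker in line for marker in ACTIVE_MARKERS):
            findings["active"].append(line)
    return findings


def classify(text):
    """Map a log to one verdict, following the triage rule in the reply above:
    ACTIVE  - MBR or a driver is flagged as a rootkit; the infection is live.
    REMNANT - MBR code is stock, but malicious data / a PE file remains in other
              sectors (fixmbr rewrote sector 0 only); detections persist but are inert.
    CLEAN   - stock MBR code and nothing else flagged.
    UNKNOWN - no MBR status line was seen; draw no conclusion from this log."""
    f = parse_aswmbr(text)
    if f["active"]:
        return "ACTIVE"
    if not f["default_mbr"]:
        return "UNKNOWN"
    return "REMNANT" if f["remnant_sectors"] else "CLEAN"


if __name__ == "__main__":
    for name, log in (("remnant", REMNANT_LOG), ("active", ACTIVE_LOG), ("clean", CLEAN_LOG)):
        print(f"{name:8s} -> {classify(log)}")
```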

#5 mofawayesu, Topic Starter (Members, 10 posts)

Posted 08 June 2011 - 09:22 AM

Glad to hear you think it's clean. However, since fixing the MBR infection, performance has gone down the drain. It boots slower, runs apps slower, all sounds 'stutter' when played (open a window, startup sound, etc.). It was running better before I 'fixed' it! Something else is broken - any ideas?

#6 quietman7, Bleepin' Janitor (Global Moderator, 51,739 posts, Virginia, USA)

Posted 08 June 2011 - 09:41 AM

The problem with some malware infections, especially when dealing with backdoor Trojans and rootkits, is that they are often responsible for downloading additional malicious files, and the severity of damage will vary.

Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd



Please download SUPERAntiSpyware Free and follow these instructions for performing a scan.

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Be sure to update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download them from here.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
  • Please copy and paste the Scan Log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.

-- Alternatively, you can download and use the SUPERAntiSpyware Portable Scanner or perform a SUPERAntiSpyware Online Safe Scan (both listed under Popular Links) instead. If you cannot download from the infected computer, save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer it. Then double-click on the file to launch the portable version and scan. The file is randomly named to help keep malware from blocking the scanner.

#7 mofawayesu, Topic Starter (Members, 10 posts)

Posted 08 June 2011 - 05:30 PM

Here is the MBAM log. I also ran SAS, but used the portable version. I found out after a 6-hour-long scan that this version doesn't save logs! It found lots of tracking cookies (999, maybe the program's maximum?), but nothing else. I can rerun it if you'd like, but thought I'd get back to you at least with what I have so far.


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6790

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/8/2011 9:23:40 AM
mbam-log-2011-06-08 (09-23-40).txt

Scan type: Quick scan
Objects scanned: 167703
Time elapsed: 30 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 mofawayesu, Topic Starter (Members, 10 posts)

Posted 08 June 2011 - 06:43 PM

Here's a quick scan log from SAS:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2011 at 05:27 PM

Application Version : 4.53.1000

Core Rules Database Version : 7224
Trace Rules Database Version: 5036

Scan type : Quick Scan
Total Scan Time : 00:55:43

Memory items scanned : 429
Memory threats detected : 0
Registry items scanned : 1529
Registry threats detected : 0
File items scanned : 5521
File threats detected : 0

#9 quietman7, Bleepin' Janitor (Global Moderator, 51,739 posts, Virginia, USA)

Posted 08 June 2011 - 09:09 PM

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check [image] and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.


#10 mofawayesu, Topic Starter (Members, 10 posts)

Posted 09 June 2011 - 09:05 AM

Here it is:


C:\Documents and Settings\Valued Customer\Application Data\Sun\Java\Deployment\cache\6.0\33\6eee3aa1-5a8b1b1a a variant of Java/Agent.BR trojan
C:\Documents and Settings\Valued Customer\Application Data\Sun\Java\Deployment\cache\6.0\57\10fa0cb9-2dae9d66 probably a variant of Java/Agent.BR trojan
C:\WINDOWS\system32\235.js JS/TrojanDownloader.Agent.NWG trojan

#11 mofawayesu, Topic Starter (Members, 10 posts)

Posted 09 June 2011 - 09:07 AM

Something else interesting going on: Secunia PSI is regularly noting that 'new programs' are being removed or added - maybe that's the work of some of the above noted trojans?

#12 quietman7, Bleepin' Janitor (Global Moderator, 51,739 posts, Virginia, USA)

Posted 09 June 2011 - 09:49 AM

Your scan results indicate a threat(s) was found in the Java cache.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder for quick execution later and better performance. Both legitimate and malicious applets and malicious Java class files are stored in the Java cache directory, and your anti-virus may detect them as threats. The detection can indicate the presence of malicious code which could attempt to exploit a vulnerability in the JRE. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache manually to ensure everything is cleaned out:
Before doing anything else, if you have not already done so, you should back up all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process. If that occurs there may be no option but to reformat and reinstall the OS or perform a full system recovery. The safest practice is not to back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.
Link 1
Link 2
Be sure to print out and read the instructions provided in: How to Install Kaspersky Virus Removal Tool and How to use the Kaspersky Virus Removal Tool to automatically remove viruses.
  • Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to select your language and install the utility.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • At the 'Setup page', click Next, check the box 'I accept the license agreement' and click Next twice more to extract the required files.
  • Setup may recommend to scan the computer in Safe Mode. Click Ok.
  • A window will open with a tab that says Autoscan and one for Manual disinfection.
  • Click the green Start scan button on the Autoscan tab in the main window.
  • If malware is detected, you will see the Scan Alert screen.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, choose Critical events and select Save to save the results to a file (name it avptool.txt).
  • Copy and paste the report results of any threats detected. Do not include the longer list marked Events.
  • When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2010.
-- If you cannot run this tool in normal mode, then try using it in "safe mode".

#13 mofawayesu, Topic Starter (Members, 10 posts)

Posted 09 June 2011 - 11:43 PM

Here it is. The last item was quarantined, not deleted (the javascript one). Note the time taken for the fullscan - could the malware have infected the HD driver in some way to slow down access to a crawl like this?


Autoscan: completed 11 hours ago (events: 2, objects: 3787, time: 00:07:17)
6/9/2011 10:55:01 AM Task started
6/9/2011 11:02:21 AM Task completed
Autoscan: completed 3 minutes ago (events: 5, objects: 370497, time: 10:13:53)
6/9/2011 12:22:35 PM Task started
6/9/2011 2:19:07 PM Detected: Trojan.Win32.Clicker.hd C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml
6/9/2011 2:46:40 PM Deleted: Trojan.Win32.Clicker.hd C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml
6/9/2011 9:24:38 PM Detected: HEUR:Exploit.Script.Generic C:\WINDOWS\system32\235.js
6/9/2011 10:36:33 PM Task completed

#14 quietman7, Bleepin' Janitor (Global Moderator, 51,739 posts, Virginia, USA)

Posted 10 June 2011 - 06:00 AM

Note the time taken for the fullscan


The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted programs (PUPS).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
-- Using two security scanning engines at the same time can cause each to interfere with the other, causing system hangs, false detections, unreliable results and other unpredictable behavior.

-- If the screensaver, hibernation or Sleep Mode are not turned off before scanning, those features can sometimes have odd effects when attempting to resume normal mode.


Further, it is not unusual for an anti-virus or anti-malware scanner to be suspicious of compressed, archived, .cab, .rar, .jar, .iso, and packed files because they have difficulty reading what is inside them. These kinds of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read). This resistance may also cause some scanners to stall (hang) on these particular types of files or just ignore (skip) them. Certain files in the System Volume Information folder like the Tracking.log (created by the Distributed Link Tracking Service to store maintenance information) have also been reported as a source causing some scanners to hang.

How is your computer running now? Any more signs/symptoms of infection?

#15 mofawayesu, Topic Starter (Members, 10 posts)

Posted 10 June 2011 - 09:14 AM

There's no overt sign of infection at this point, but then the only obvious thing before was the complaints from the ISP, and since I began working on it, I haven't let it be connected to the net for too long, with the exception of the ESET scan.

The speed thing is the only obvious thing wrong at this point. Even the XP startup animation runs slow, screen redraws are slow, sounds play at less than half speed etc. On boot, the thing is so slow that the system generates a 'no antivirus installed' before it gets a chance to load MSE. Eventually MSE does load and then everything is fine. If it wasn't for the sound thing, I'd suspect a video driver problem. All devices are good to go in the device manager otherwise. I've also checked BIOS to make sure that it's at system defaults.



