Infected with Windows Recovery


This topic is locked
28 replies to this topic

#1 MRcostello

Posted 10 June 2011 - 10:48 AM

Hello, one of the computers on my network has become infected with Windows XP Recovery. I followed the instructions to remove it myself twice so far, but it is still there when I restart. I was able to run DDS and GMER in safe mode, nothing will run in normal mode.

DDS Log

.
DDS (Ver_2011-06-03.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by jhastings at 15:22:14 on 2011-06-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.778 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\upromise\dca-bho.dll
BHO: Dictionary.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
BHO: Upromise TurboSaver: {edc0f17f-f4b7-47e4-b73e-887faeb376fa} - c:\program files\upromise\upromisetoolbar.dll
TB: Dictionary.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Upromise TurboSaver: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [Upromise Update] c:\program files\upromise\dca-ua.exe
uRun: [Upromise Tray] c:\program files\upromise\UpromiseTray.exe
uRun: [UYhaQsSEGdkYay] c:\documents and settings\all users\application data\UYhaQsSEGdkYay.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [<NO NAME>]
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [SelectRebates] c:\program files\selectrebates\SelectRebates.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://151.203.99.51/Ericom/WebConnect%205.6/web/windows/ptdownloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://constantcontact.webex.com/client/T26L/training/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{9950AC8E-3197-436D-863D-98A0662B090B} : NameServer = 10.1.1.5
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-3-24 95872]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 114984]
S2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-24 810120]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
.
=============== Created Last 30 ================
.
2011-06-09 19:13:27 120832 ----a-w- c:\windows\system32\drivers\193B0.sys
2011-06-09 19:11:20 120832 ----a-w- c:\windows\system32\drivers\19381.sys
2011-06-09 19:09:33 120832 ----a-w- c:\windows\system32\drivers\1174C.sys
2011-06-09 19:07:52 120832 ----a-w- c:\windows\system32\drivers\85416.sys
2011-06-09 19:07:26 120832 ----a-w- c:\windows\system32\drivers\193A.sys
2011-06-09 19:07:16 352256 ----a-w- c:\documents and settings\all users\application data\16637732.exe
2011-06-09 15:45:39 -------- d--h--w- c:\documents and settings\jhastings.costello.000\local settings\application data\ESET
2011-06-09 15:26:44 437248 ----a-w- c:\documents and settings\all users\application data\UYhaQsSEGdkYay.exe
2011-05-16 15:01:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
============= FINISH: 15:23:32.62 ===============
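The DDS log above already contains the two indicators a responder would key on before running any further tool: an autorun (`uRun: [UYhaQsSEGdkYay]`) whose executable sits directly in `All Users\Application Data` rather than under a vendor folder, and five hex-named drivers of identical size (120832 bytes) created in `system32\drivers` within six minutes of each other. The script below is an added example, not part of the thread and not part of DDS; it parses a constructed excerpt of this log (the entries are copied from the post) and applies exactly those two heuristics. The section and line formats are taken from the log as posted; the list of data-directory names is an assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt of the DDS log posted above: a few autorun entries and
# the "Created Last 30" section, reproduced here so the script runs offline.
DDS_LOG = r"""
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UYhaQsSEGdkYay] c:\documents and settings\all users\application data\UYhaQsSEGdkYay.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [<NO NAME>]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
2011-06-09 19:13:27 120832 ----a-w- c:\windows\system32\drivers\193B0.sys
2011-06-09 19:11:20 120832 ----a-w- c:\windows\system32\drivers\19381.sys
2011-06-09 19:09:33 120832 ----a-w- c:\windows\system32\drivers\1174C.sys
2011-06-09 19:07:52 120832 ----a-w- c:\windows\system32\drivers\85416.sys
2011-06-09 19:07:26 120832 ----a-w- c:\windows\system32\drivers\193A.sys
2011-06-09 19:07:16 352256 ----a-w- c:\documents and settings\all users\application data\16637732.exe
2011-06-09 15:45:39 -------- d--h--w- c:\documents and settings\jhastings.costello.000\local settings\application data\ESET
2011-06-09 15:26:44 437248 ----a-w- c:\documents and settings\all users\application data\UYhaQsSEGdkYay.exe
2011-05-16 15:01:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
"""

# Line shapes as they appear in the DDS output above.
AUTORUN_RE = re.compile(r'^(?P<kind>\w*Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
FILE_RE = re.compile(r'^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$')
# Random hex driver names such as 193B0.sys; a digit is required so that
# legitimate all-hex-letter names (fdc.sys) are not hit.
HEX_SYS_RE = re.compile(r'^(?=.*\d)[0-9a-f]+\.sys$', re.I)
EXE_RE = re.compile(r'^(.+?\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs|js))(?:"|\s|$)', re.I)
# Assumed list: executables dropped *directly* into one of these are suspicious.
DATA_DIR_SUFFIXES = ('\\application data', '\\local settings\\temp', '\\programdata', '\\temp')


def command_path(cmd):
    """Extract the executable path from an autorun command line, quoted or not."""
    m = EXE_RE.match(cmd.strip().lstrip('"'))
    return m.group(1).lower() if m else ''


def in_bare_data_dir(path):
    """True when the file sits directly in a profile data/temp directory
    rather than in a vendor sub-folder beneath it."""
    parent = path.lower().rsplit('\\', 1)[0]
    return parent.endswith(DATA_DIR_SUFFIXES)


def triage(log_text):
    autoruns, new_files = [], []
    drivers_by_size = defaultdict(list)
    for line in (l.rstrip() for l in log_text.splitlines() if l.strip()):
        m = AUTORUN_RE.match(line)
        if m:
            path = command_path(m.group('cmd'))
            if path and in_bare_data_dir(path):
                autoruns.append((m.group('kind'), m.group('name'), path))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue  # section headers, directories (size shown as "--------"), etc.
        path = m.group('path').lower()
        base = path.rsplit('\\', 1)[-1]
        if '\\drivers\\' in path and HEX_SYS_RE.match(base):
            drivers_by_size[int(m.group('size'))].append((m.group('stamp'), path))
        elif base.endswith('.exe') and in_bare_data_dir(path):
            new_files.append((m.group('stamp'), path, 'executable dropped directly in a data directory'))
    # One hex-named driver may be a legitimate oddity; several of identical size
    # created minutes apart is the strong indicator seen in this log.
    for size, entries in drivers_by_size.items():
        if len(entries) >= 2:
            for stamp, path in entries:
                new_files.append((stamp, path, f'hex-named driver, {size} bytes, {len(entries)} of identical size'))
    return {'autoruns': autoruns, 'new_files': new_files}


if __name__ == '__main__':
    result = triage(DDS_LOG)
    for kind, name, path in result['autoruns']:
        print(f'AUTORUN {kind} [{name}] -> {path}')
    for stamp, path, why in result['new_files']:
        print(f'NEW     {stamp} {path}  ({why})')
```

Run against the excerpt it reports the one autorun and seven files (two executables in `All Users\Application Data`, five same-size drivers); the ESET directory entry and the Flash control panel applet are skipped. The heuristics are deliberately narrow: a hex-named driver on its own, or an executable in a vendor sub-folder of Application Data, is not flagged, because both occur on clean machines.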


#2 Noviciate (Malware Response Team)

Posted 10 June 2011 - 02:19 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

#3 MRcostello (Topic Starter)

Posted 10 June 2011 - 02:46 PM

Thanks for the quick reply. Here is the log you wanted.

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-06-10 15:34:25
-----------------------------
15:34:25.171 OS Version: Windows 5.1.2600 Service Pack 3
15:34:25.171 Number of processors: 2 586 0xF06
15:34:25.171 ComputerName: JOHN-PC UserName:
15:34:25.515 Initialize success
15:34:28.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
15:34:28.218 Disk 0 Vendor: WDC_WD800JD-00LSA0 06.01D06 Size: 76319MB BusType: 3
15:34:30.234 Disk 0 MBR read successfully
15:34:30.234 Disk 0 MBR scan
15:34:30.234 Disk 0 Windows XP default MBR code
15:34:32.265 Disk 0 scanning sectors +156296385
15:34:32.281 Disk 0 scanning C:\WINDOWS\system32\drivers
15:34:41.578 Service scanning
15:34:43.046 Disk 0 trace - called modules:
15:34:43.046 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ce51ed]<<
15:34:43.046 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d8bab8]
15:34:43.046 3 CLASSPNP.SYS[f76cefd7] -> nt!IofCallDriver -> \Device\00000060[0x86d819e8]
15:34:43.046 5 ACPI.sys[f7545620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86d7a940]
15:34:43.062 \Driver\atapi[0x86d8f510] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86ce51ed
15:34:43.062 Scan finished successfully
15:35:21.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jhastings.COSTELLO.000\Desktop\MBR.dat"
15:35:21.312 The log file has been saved successfully to "C:\Documents and Settings\jhastings.COSTELLO.000\Desktop\aswMBR.txt"
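The aswMBR trace above is the part worth reading. The call chain ends in `>>UNKNOWN [0x86ce51ed]<<`, an address aswMBR cannot attribute to any loaded module, and the last trace line shows that `\Driver\atapi`'s `IRP_MJ_INTERNAL_DEVICE_CONTROL` dispatch pointer resolves to that same address. A disk-driver dispatch routine pointing into unmapped code is the footprint of a kernel-mode rootkit filtering disk I/O, which is why the next step in the thread is a rootkit-specific tool. The script below is an added example, not part of the thread and not part of aswMBR: it parses the trace as posted and links the two lines. The clean comparison trace is constructed, and its format (a named module as the dispatch target) is an assumption about what a clean log looks like.

```python
import re

# Trace section of the aswMBR log posted above, reproduced so the script runs offline.
ASWMBR_TRACE = r"""
15:34:43.046 Disk 0 trace - called modules:
15:34:43.046 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ce51ed]<<
15:34:43.046 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d8bab8]
15:34:43.046 3 CLASSPNP.SYS[f76cefd7] -> nt!IofCallDriver -> \Device\00000060[0x86d819e8]
15:34:43.046 5 ACPI.sys[f7545620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86d7a940]
15:34:43.062 \Driver\atapi[0x86d8f510] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86ce51ed
15:34:43.062 Scan finished successfully
"""

# Constructed clean counterpart (assumed format): every module in the call chain
# is named and the atapi dispatch target resolves to atapi.sys itself.
CLEAN_TRACE = r"""
15:34:43.046 Disk 0 trace - called modules:
15:34:43.046 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
15:34:43.062 \Driver\atapi[0x86d8f510] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> atapi.sys[0xf7594b2c]
15:34:43.062 Scan finished successfully
"""

UNKNOWN_RE = re.compile(r'>>UNKNOWN \[(0x[0-9a-f]+)\]<<', re.I)
DISPATCH_RE = re.compile(r'(\\Driver\\[^\[\s]+)\[0x[0-9a-f]+\] -> (IRP_MJ_\w+) -> (\S+)$', re.I)
BARE_ADDR_RE = re.compile(r'^0x[0-9a-f]+$', re.I)


def unknown_addresses(log):
    """Addresses aswMBR could not map to any loaded module."""
    found = set()
    for line in log.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            found.add(m.group(1).lower())
    return found


def find_dispatch_hooks(log):
    """Return (driver, IRP major, target, verdict) for every dispatch entry whose
    target is a raw address instead of a module. The verdict is
    'hooked-unknown-module' when that address is one aswMBR marked UNKNOWN,
    i.e. the driver's dispatch routine has been redirected into code that
    belongs to no loaded driver."""
    unknown = unknown_addresses(log)
    hooks = []
    for line in log.splitlines():
        m = DISPATCH_RE.search(line.rstrip())
        if not m:
            continue
        driver, irp, target = m.groups()
        if BARE_ADDR_RE.match(target):
            verdict = 'hooked-unknown-module' if target.lower() in unknown else 'unresolved-address'
            hooks.append((driver, irp, target.lower(), verdict))
    return hooks


if __name__ == '__main__':
    for label, trace in (('posted log', ASWMBR_TRACE), ('clean sample', CLEAN_TRACE)):
        hooks = find_dispatch_hooks(trace)
        print(f'{label}: {len(hooks)} suspicious dispatch entries')
        for driver, irp, target, verdict in hooks:
            print(f'  {driver} {irp} -> {target}  [{verdict}]')
```

The check is only as good as aswMBR's module resolution: an address that is merely unresolved (a driver loaded after the module list was taken, for example) is reported separately from one that lands inside the UNKNOWN region, so the two cases are not conflated.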

#4 Noviciate (Malware Response Team)

Posted 10 June 2011 - 02:55 PM

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)


#5 MRcostello (Topic Starter)

Posted 10 June 2011 - 03:30 PM

I've tried to run TDSSKiller a few times now in normal mode and safe mode but it won't open.

#6 Noviciate (Malware Response Team)

Posted 10 June 2011 - 03:54 PM

Do you have a flash drive of at least 128 MB that you can wipe clean for a tool that is needed?


#7 MRcostello (Topic Starter)

Posted 10 June 2011 - 03:55 PM

Yes.

#8 Noviciate (Malware Response Team)

Posted 10 June 2011 - 04:39 PM

Please read through all the instructions BEFORE you begin and ask any questions that you may have first. Be aware that an active infection may interfere with the first part of this procedure. If it doesn't go according to instructions, you may have to use a different PC to write the software to the flash drive.

  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.
  • Next download http://noahdfear.net/downloads/driver.sh to your USB - directly or drag it there when it's downloaded.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work - if it doesn't, let me know and we'll go for a different angle.
  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents your flash drive.
  • sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Click on the flash drive folder and check that you can see driver.sh that you downloaded earlier.
  • Next click Tool at the top.
  • Choose Open Terminal - this will open the Linux equivalent of a Command Window in all its fashionable black livery.
  • Type bash driver.sh and then <ENTER>
  • You now get to sit and watch some text scroll down the Terminal window until it reports Done - which doesn't need any explanation, hopefully!
  • A report will be located on your flash drive called report.txt (an uninspired choice of name I know!), which is the purpose of this little adventure.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive

    Copy and paste the contents of report.txt into your next reply, or let me know if you had any problems.


#9 MRcostello (Topic Starter)

Posted 13 June 2011 - 08:15 AM

I've followed the first part of your directions, but when I turn on the computer I just get a black screen with Boot Error at the top, then Windows boots normally.

#10 Noviciate (Malware Response Team)

Posted 13 June 2011 - 01:36 PM

Good evening. :)

If that doesn't work, we'll need to play with the BIOS instead - I have to do this with my test laptop that refuses to play nicely any other way.

There's a handy pictorial guide here that involves setting the CD-ROM as first boot device - you just need to think flashdrive instead.
If you insert the flashdrive before you reboot the PC and then access the BIOS, you should be able to set the flashdrive as first boot device and on rebooting the PC it should boot into xPud. On my laptop the flashdrive appears as an option within the hard drives section and I just click a plus sign next to it to expand the option, but yours may have a flashdrive option all of its own.

If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.


#11 MRcostello (Topic Starter)

Posted 13 June 2011 - 03:52 PM

I changed the BIOS settings to boot from the USB drive first, it still gives me a Boot Error.

#12 Noviciate (Malware Response Team)

Posted 13 June 2011 - 04:15 PM

In which case you'll need to download the .iso file again and re-install it to the flashdrive - it may well be a dodgy download/installation that's causing the issue.


#13 MRcostello (Topic Starter)

Posted 14 June 2011 - 08:03 AM

It looks like that fixed the problem, but now it gives me a different error message:

PXE-E53: No boot filename received

PXE-M0F: Exiting PXE ROM

Then it says boot error and restarts regular Windows XP.

#14 Noviciate (Malware Response Team)

Posted 14 June 2011 - 01:58 PM

Good evening. :)

No idea about that then, so we'll go with something else. You'll need to temporarily uninstall your anti-virus as it incorrectly identifies part of the next tool as malicious and stops it working properly. Despite being informed of the issue they seem reluctant to do anything about it, so we'll have to work around it.

The latest, and still free, version of AVG is available here. Download the installation file and the ComboFix one below before you start and then uninstall your AV, reboot and then run CF - you'll need to be connected to the internet as CF may need to download some files. Once done, reinstall your AV, make sure it's up to date and let me have the log that CF produced.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.


#15 MRcostello (Topic Starter)

Posted 15 June 2011 - 07:56 AM

Something strange has happened. Combofix opened fine but once it finished installing I got a popup about a driver that went away too fast for me to write it down. Combofix started to run, but instead of the text that is supposed to show up there was just a blinking cursor. I let it run overnight but this morning nothing had changed and the computer was unresponsive. I restarted and now everything seems to be running fine on the computer, but I have no combofix log. There is a new .txt file on the desktop called catchme that says:

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared

I did not follow your instructions completely, I disabled my antivirus instead of uninstalling it, did that screw up the combofix install? Should I run combofix again?



