
Checking for All-Clean


  • This topic is locked This topic is locked
14 replies to this topic

#1 ENAJonas

Posted 12 February 2012 - 01:01 PM

Hello BC!

I recently discovered that I had Google redirection. Started looking online and saw that most of the time this is caused by a rootkit. So, I ran every special detection tool I could think of, among which were RootRepeal, TDSSKiller, GMER, MBRasw, Sophos, RootkitRevealer, and others I just forgot. ALL of which turned up NOTHING. (I am in IT so I was able to clearly decipher each of the logs and see there wasn't anything "real" there.). Then, I overwrote both my MBR and NTFS boot sector, no help. Then, as a final step, I ran offline Linux scans using both Kaspersky and AVG rescue disks, on the entire physical disk, and NOTHING!!! Clearly even a rootkit cannot hide completely from an offline scan, so I was really scratching my head!!! Finally, I realized that I had not yet tried MBAM, so I did. Lo and behold it found that the entire problem was due to a Firefox addin!! Not even code, just XUL XML!!!! So I blew it away and the redirection is gone! In my search for something complex I missed the simplest of things to check. Just to be sure I checked in IE (which I never use :) and there's no redirection there either.

So I "believe" I am clean, however, one strange thing still happens. I cannot run the "regular" TDSSKiller, only the "special" ones Kaspersky released. The process just closes on launch. But I don't see ANY other signs of trouble. Based on what happened, can you please advise what else I should do so you guys can give me the official all-clean?? Thanks so much in advance.

#2 m0le

Posted 17 February 2012 - 08:57 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 ENAJonas

Posted 17 February 2012 - 09:58 PM

Yep, I'm definitely still here!

I await your initial instructions and appreciate your kind help in advance.

Edited by ENAJonas, 17 February 2012 - 10:16 PM.


#4 m0le

Posted 17 February 2012 - 10:55 PM

Your write-up makes it sound encouraging but let's check.

Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 ENAJonas

Posted 18 February 2012 - 12:41 PM

Oh No........Does this mean the rootkit is still active? I don't think it's actually doing anything anymore though.....

Also, I know you didn't ask, but I had run DDS before, and now that I look at that log as well I don't like the "Rootkit" section at the end.

Something to note - I have so many special programs and configurations on this computer - I do NOT want to run ComboFix and have it automatically change many things or have me lose things. I have heard horror stories of ComboFix making things a lot worse. If you can give me an option to run ComboFix in a "detect only" mode, then I will be willing. But if it's only automatic I really want to find another way to identify exactly where the rootkit is running from. I hate to say it, but with no visible problems with the system I can't justify making things a lot worse.

--aswMBR--

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-18 12:21:17
-----------------------------
12:21:17.334 OS Version: Windows 5.1.2600 Service Pack 3
12:21:17.334 Number of processors: 1 586 0x207
12:21:17.334 ComputerName: ENAJONAS UserName:
12:21:18.816 Initialize success
12:22:25.632 AVAST engine defs: 12021800
12:22:40.754 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
12:22:40.764 Disk 0 Vendor: Size: 0MB BusType: 0
12:22:40.784 Disk 0 MBR read successfully
12:22:40.794 Disk 0 MBR scan
12:22:40.884 Disk 0 Windows XP default MBR code
12:22:40.894 Disk 0 MBR hidden
12:22:40.904 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
12:22:40.934 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 38115 MB offset 64260
12:22:41.004 Disk 0 scanning C:\WINDOWS\System32\drivers
12:23:00.482 Service scanning
12:23:41.071 Modules scanning
12:23:54.790 Disk 0 trace - called modules:
12:23:54.840 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
12:23:55.211 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fa6b48]
12:23:55.221 3 CLASSPNP.SYS[f757f022] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f86b00]
12:23:55.732 AVAST engine scan C:\WINDOWS
12:24:08.009 AVAST engine scan C:\WINDOWS\system32
12:27:50.479 AVAST engine scan C:\WINDOWS\system32\drivers
12:28:13.793 AVAST engine scan C:\Documents and Settings\Justin Aglow
12:30:01.307 AVAST engine scan C:\Documents and Settings\All Users
12:30:27.064 Scan finished successfully
12:30:36.728 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Justin Aglow\Desktop\MBR.dat"
12:30:36.748 The log file has been saved successfully to "C:\Documents and Settings\Justin Aglow\Desktop\aswMBR.txt"


----DDS----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_21
Run by Justin Aglow at 15:59:50 on 2012-02-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.665 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bluetooth\bin\btwdins.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program Files\Omega Drivers\ATI Tray Tools\atitray.exe
C:\Program Files\Bluetooth\BTTray.exe
C:\WINDOWS\SYSTEM32\TASKMGR.EXE
C:\Program Files\FastDefrag\FAST2.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
mDefault_Page_URL = hxxp://www.dellnet.com
mStart Page = about:blank
mSearch Bar = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
BHO: {00000000-0000-0000-0000-000000000221} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: NTIECatcher Class: {c56cb6b0-0d96-11d6-8c65-b2868b609932} - c:\program files\nettransport\NTIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [FAST Defrag] c:\progra~1\fastde~1\FAST2.EXE -tray
uRun: [AtiTrayTools] "c:\program files\omega drivers\ati tray tools\atitray.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ATIPTA] c:\windows\system32\ATIPTAXX.EXE
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\bluetooth\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\TASKMGR.EXE
uPolicies-explorer: NoSMHelp = 01000000
IE: Download all by Net Transport - c:\program files\nettransport\NTAddList.html
IE: Download by Net Transport - c:\program files\nettransport\NTAddLink.html
IE: Send To &Bluetooth - c:\program files\bluetooth\btsendto_ie_ctx.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\bluetooth\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\msn messenger\msnmsgr.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: limera1n.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://vpn.dentsply.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC} - hxxps://vpn.dentsply.com/CACHE/sdesktop/install/binaries/instweb.cab
TCP: DhcpNameServer = 192.168.0.2
TCP: Interfaces\{8CD1B604-2EC0-4BE1-9BB6-1EAEFB0939C3} : DhcpNameServer = 192.168.0.2
TCP: Interfaces\{A9DE272F-E229-4A6D-AA19-104834943B3D} : DhcpNameServer = 192.168.0.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\justin aglow\application data\mozilla\firefox\profiles\z8b0q0q2.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 atitray;atitray;c:\program files\omega drivers\ati tray tools\atitray.sys [2005-11-13 11008]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2004-12-11 17792]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-5-16 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 PStrip;PSTRIP;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\cisco\cisco anyconnect secure mobility client\vpnagent.exe [2011-9-9 475088]
R3 acsint;acsint;c:\windows\system32\drivers\acsint.sys [2011-9-21 38440]
R3 acsmux;acsmux;c:\windows\system32\drivers\acsmux.sys [2011-9-21 57000]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2010-5-16 79944]
S2 MBAMService;MBAMService;c:\program files\malwarebytes\mbamservice.exe [2012-2-12 652360]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-2-11 23624]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-12 20464]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2010-5-16 72264]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2010-5-16 34152]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2010-5-16 168776]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2010-5-16 22600]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2010-10-9 27208]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2010-10-9 25160]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S4 ciscod.exe;Cisco Security Service;c:\program files\cisco\cisco hostscan\bin\ciscod.exe [2011-9-9 47568]
S4 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
S4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2010-9-13 240816]
.
=============== Created Last 30 ================
.
2012-02-12 05:37:12 -------- d-----w- c:\documents and settings\justin aglow\application data\Malwarebytes
2012-02-12 05:36:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-12 05:36:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-12 05:36:23 -------- d-----w- c:\program files\Malwarebytes
2012-02-11 05:39:21 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-02-11 05:34:06 -------- d-----w- c:\program files\HitmanPro
2012-02-11 05:33:25 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-01-22 21:51:17 -------- d-----w- c:\documents and settings\justin aglow\local settings\application data\libimobiledevice
2012-01-22 21:39:19 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-01-22 21:39:19 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-01-22 21:12:59 -------- d-----w- c:\windows\data
2012-01-22 02:01:06 6853180 ----a-w- c:\windows\absinthe.exe
2012-01-15 23:13:07 -------- d-----w- c:\program files\PowerStrip
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully

user: error reading MBR
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
1 nt!IofCallDriver[0x804DFDFF] -> \Device\Harddisk0\DR0[0x86FA6B48]
3 CLASSPNP[0xF757F022] -> nt!IofCallDriver[0x804DFDFF] -> \Device\Ide\IdeDeviceP1T0L0-e[0x86F51B00]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 16:00:23.23 ===============

#6 m0le

Posted 18 February 2012 - 02:04 PM

None of the lines you have bolded are cause for alarm. I certainly won't be running Combofix on this machine at this stage.

Please run the ESET online scanner next

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

#7 ENAJonas

Posted 18 February 2012 - 04:29 PM

Wow. ESET found absolutely nothing.

So do we have a case where I simply have a "non-standard" MBR that some tools think may be a problem, and there is in fact no rootkit?

But.....what explains the fact that I still can't run the normal TDSSKiller?

Just for kicks, I also ran an MBRCheck & MBRScan. Again, some interesting results:

---MBRSCAN---
Device\Harddisk0\DR0 37.26 Go [Fixed] ==> XP MBR Code . ==> PARTITION TABLE FAKED !!

MBR_MD5 : B92366EA07A8901311CC921BF337F86C
MBR_SHA1 : 455CDDA9EE9CDF9CE819F03FF35B869A587E421E

Device\Harddisk0\Partition1 31.35 Mo 0xDE Dell Utility
Device\Harddisk0\Partition2 37.22 Go 0x07 NTFS / HPFS __ BOOTABLE __

DRIVER : C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS => Invisible on the disk
ADDRESS : 0xF7AF0000
SIZE : 8.0 Ko

--MBRCHECK--
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

#8 m0le

Posted 18 February 2012 - 05:37 PM

Okay, MBRScan is finding a faked partition when in fact it is reading the Dell recovery partition.

---MBRSCAN---
Device\Harddisk0\DR0 37.26 Go [Fixed] ==> XP MBR Code . ==> PARTITION TABLE FAKED !!

Device\Harddisk0\Partition1 31.35 Mo 0xDE Dell Utility
Device\Harddisk0\Partition2 37.22 Go 0x07 NTFS / HPFS __ BOOTABLE __



MBRCheck and aswMBR both call the MBR a standard XP code

--MBRCHECK--
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A



This is a Microsoft WMI driver which is hidden on the disk. That is an expected result.

DRIVER : C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS => Invisible on the disk
ADDRESS : 0xF7AF0000
SIZE : 8.0 Ko



So do we have a case where I simply have a "non-standard" MBR that some tools think may be a problem, and there is in fact no rootkit?


Yes.


what explains the fact that I still can't run the normal TDSSKiller?


Try FixTDSS

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program

Follow the prompts and OK any security prompts

When it is complete it will say the infection was cleared or no infection was found - let me know what it says
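As an added example (not code from the thread or from any of the tools named in it), the following Python parses a constructed MBR laid out like the one aswMBR and MBRScan reported above (a 0xDE Dell Utility partition at LBA 63 followed by the active NTFS partition at LBA 64260), runs the structural checks that separate a merely unusual OEM partition type from a genuinely inconsistent table, and treats a failed user-mode read (the DDS log shows CreateFile on PHYSICALDRIVE0 failing before it printed "user != kernel MBR") as inconclusive rather than as evidence of a hook. The sample bytes, disk signature and filler boot code are all constructed; the SHA-1 shown is of that filler, not of real XP code.

```python
"""Legacy MBR partition-table parser with the plausibility checks a defender
would apply before trusting a 'PARTITION TABLE FAKED' or 'user != kernel MBR'
verdict. Everything here is constructed for illustration."""
import hashlib
import struct
from typing import Optional

SECTOR = 512
# Type bytes that appear in the thread's logs; OEM types like 0xDE are normal on
# vendor machines and are not by themselves a sign of a faked table.
PARTITION_TYPES = {0x07: "HPFS/NTFS", 0xDE: "Dell Utility"}
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR: filler stands in for the XP boot code."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (440 - 7)
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"  # constructed disk signature
    p1 = struct.pack(ENTRY, 0x00, b"\x01\x01\x00", 0xDE, b"\xFE\x3F\x07", 63, 64260 - 63)
    p2 = struct.pack(ENTRY, 0x80, b"\x00\x01\x08", 0x07, b"\xFE\xFF\xFF", 64260, 78059520)
    return code + disk_sig + p1 + p2 + b"\x00" * 32 + b"\x55\xAA"


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code SHA-1 (what MBRCheck reports) and the used entries."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "mib": round(count * SECTOR / 2 ** 20, 2),
        })
    return {"code_sha1": hashlib.sha1(mbr[:440]).hexdigest(), "partitions": parts}


def table_problems(info: dict) -> list:
    """Structural oddities worth a second look; an empty list means the table
    is self-consistent, whatever type bytes it uses."""
    problems = []
    parts = info["partitions"]
    if sum(p["active"] for p in parts) > 1:
        problems.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["name"] == "unknown":
            problems.append(f"partition {p['index']}: unrecognised type {p['type']:#04x}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (s1, e1), (s2, _) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"partitions overlap at LBA {s2}")
    return problems


def compare_reads(user_mbr: Optional[bytes], kernel_mbr: bytes) -> str:
    """Mirror the DDS user/kernel check. When the user-mode read failed (None),
    as in the DDS log above, the comparison is inconclusive, not a hook."""
    if user_mbr is None:
        return "inconclusive: user-mode read failed"
    return "match" if user_mbr == kernel_mbr else "mismatch: possible disk I/O hook"


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print(info)
    print("problems:", table_problems(info) or "none")
    print(compare_reads(None, sample))
```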

#9 ENAJonas

Posted 18 February 2012 - 08:46 PM

Hey M0le, I just want to be sure that your confidence level is pretty high that this tool won't cause me major problems. Did a quick search, and it seems that FixTDSS has a number of times caused new BSODs and/or changed files when in fact there was no TDSS on the system. Please let me know your thoughts. See, for example, this link: http://forums.majorgeeks.com/showthread.php?t=252773

Thanks again.

#10 m0le

Posted 18 February 2012 - 09:21 PM

TDSS, and specifically the TDL4 variant known as ZeroAccess, sets junctions so that if a tool known to it is used it will trigger sabotage in the system. I have never heard of FixTDSS being hit in this way and I am more running FixTDSS to show you that it is not present on the system.

If there is no TDSS then the machine is in no danger. It is the malware that damages the machine not the tools used to fix it.

However, I am confident that the machine is clean so if you do not wish to run FixTDSS then you don't need to.

Why TDSSKiller won't run I don't know. To eliminate obvious things like checking it has been downloaded and run correctly please uninstall the copy you have and then redownload it and run it as shown:

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Let me know what you have decided with regard to FixTDSS too.

#11 ENAJonas

Posted 19 February 2012 - 05:43 PM

Hey M0le,

Ran the FixTDSS and it said I had no Backdoor.Tidserv. So is this the final all-clean? I don't need to worry about any of the MBR results, or the fact that I can't run TDSSKiller I assume.

#12 m0le

Posted 19 February 2012 - 05:52 PM

Don't worry about the MBR log, that is fine. The TDSSKiller program failing is very strange, but the tools we have used to check would have found something to show that TDSS was present.

It could be that your security is stopping the program but I have no problem issuing an all-clean to you, ENAJonas :thumbup2:

#13 ENAJonas

Posted 19 February 2012 - 06:04 PM

Great! Really appreciate the help with this!

#14 m0le

Posted 19 February 2012 - 06:06 PM

You're welcome, the topic will be closed in five days in case anything emerges. You can PM me if you need to after that. :)

#15 m0le

Posted 23 February 2012 - 08:48 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.