
Possible root kit installing viruses


This topic is locked
82 replies to this topic

#1 WrinkledCheese (Members, 59 posts)

Posted 15 March 2012 - 09:42 AM

Hello all,

I've tried it all. I ran virus scanners. I ran live CD virus scanners. I've used Hiren's boot CD and FalconFour's ultimate boot CD. I can detect viruses but for the life of me I cannot remove them all. I've tried ComboFix, it won't run after the blue screen appears after it has unpacked itself. Likewise with DDS. I've tried various other tools based on suspicions, i.e. win32k having been modified in the past couple of months so I ran win32kdiag.exe. I've tried every rootkit scanner I can think of or find and they either don't run or don't find anything.

CMOS checksum errors when I use the Windows Recovery Boot CD to run various commands: chkdsk /r; fixboot; bootcfg /rebuild. Not sure if this means anything.

Please assist me in identifying root cause and removing this malware please. I booted into Windows to try some tools - ComboFix, dds, etc - after using various boot CDs to try and remove the malware and the machine is now infected with new, never before seen - by me - viruses. I was originally seeing only sality infections, now there are several others. I can rerun any test and provide any logs that would be needed to find out what's wrong with this system.

I think it may be worth noting that at first ComboFix wouldn't do anything once it unpacked itself and blink away at the blue screen, but now it gave me two errors after performing some tasks using Live CDs and Windows Recovery CD.

I didn't get a chance to write down the first one but it said something very close to:
ComboFix has detected interference. Close now and run a root kit scanner.

The second error is recurring:
C:\32788R~1 not in expected location. Inform sUBs now!!

I've tried re-downloading the file from bleepingcomputer.com. I've tried save link as to name the file something else in case something was looking for ComboFix.exe in the process list, but I can't get anything to work properly. At this point I'm hoping someone is going to get back to me and give me some steps to perform because as it is the system is just a PITA and isn't going anywhere in terms of resolving the issue.

Edited by WrinkledCheese, 15 March 2012 - 09:44 AM.



#2 nasdaq (Malware Response Team, 40,521 posts, Montreal, QC, Canada)

Posted 18 March 2012 - 09:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

You have a very bad infection.


I was originally seeing only sality infections, now there are several others. I can rerun any test and provide any logs that would be needed to find out what's wrong with this system.


Read about it:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99

You should reformat and reinstall everything. Should you wish to continue follow the following instructions.

PLEASE NOTE: Most authorities say that a PC with a polymorphic file infector can never again be trusted and should be reformatted. You should seriously consider reformatting and reinstalling Windows.

That said, if you wish we can attempt disinfection but you are cautioned that theoretically you can never be sure cleaning is 100% complete.

Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?


Summarizing:
  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
(It took 3 hours to scan my 47G)
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

Post the content of the file for my review.
Let me know what problem persists.

#3 WrinkledCheese (Topic Starter, Members, 59 posts)

Posted 19 March 2012 - 08:22 AM

Thanks for the information. I had already read the Symantec information regarding this virus when I first detected it. It's a good source of removal information.

I'm just reading your post now and nothing has been done, except a GMER scan when I read the "preparation" sticky. DDS will not complete. I will be reading and performing the tasks as requested.

Here are a few preliminary details on how I will be performing these tasks.

Setup:
-Infected Machine-
Windows XP Professional SP2
Hooked into KVM
Hooked into switch for Internet capabilities

-Cleaning Machine-
Slackware Linux 13.37
Hooked into KVM
Hooked into switch for Internet capabilities
ClamAV w/ daily update check

I will use the 'Cleaning Machine' to perform all tasks that require absolutely assured clean processes. I have ClamAV running as a daemon in case a virus does target GNU Linux in some fashion. It has a cron job set up for a daily update check/install.

I will not be printing the instructions but I will be reading them from the 'Cleaning Machine'.

I've posted the GMER log that ran over the weekend, which is the only thing I've done since I posted this thread. I will post all logs for your review. I will also review the logs myself but I will not perform any actions, although I may pose questions if I cannot find any information via Google from a reputable source regarding a log line I find suspicious.

I am more interested in cleaning the infection but I understand a backup, reformat and re-install may be required.

One thing I am concerned about that I have found, while trying to run SpinRite on the hard drive to find disk defects since 'chkdsk /r' says there are unrecoverable faults, is that the NTFS partition size is reported as 35GB and the disk size is reported as 32GB. I'm wondering if the partition table itself is somehow infected.

I will post back once I have performed the tasks described above and have read all information above.
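The partition-size mismatch described in the post above (a 35 GB NTFS partition reported on a 32 GB disk) is something that can be checked directly from the first sector of the disk, read on a clean system. The script below is an added example, not something from this thread or from any of the tools mentioned in it: it parses the four primary MBR entries, compares each one against the disk's sector count, and goes a little beyond the single case above by also flagging overlapping entries and invalid status bytes. The sample MBR and the disk size are constructed; a real check would read the 512 bytes from the device instead.

```python
import struct

SECTOR_SIZE = 512
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> list:
    """Parse the four primary entries of a classic MBR partition table."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need the first 512 bytes of the disk")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_partitions(entries: list, disk_sectors: int) -> list:
    """Return human-readable findings for entries that do not fit the disk."""
    findings = []
    used = [e for e in entries if e["type"] != 0]  # type 0 marks an unused slot
    for e in used:
        end = e["lba_start"] + e["sectors"]  # first sector after the partition
        if end > disk_sectors:
            findings.append(f"partition {e['index']} ends at sector {end} "
                            f"but the disk only has {disk_sectors} sectors")
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {e['index']} has invalid status byte 0x{e['status']:02x}")
    used.sort(key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def build_mbr(entries) -> bytes:
    """Construct a test MBR from (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return bytes(446) + table + b"\x55\xaa"


def gib_to_sectors(gib: int) -> int:
    return gib * 2**30 // SECTOR_SIZE


# Constructed sample: one NTFS entry claiming 35 GiB on a disk that reports 32 GiB.
DISK_SECTORS = gib_to_sectors(32)
SAMPLE_MBR = build_mbr([(0x80, 0x07, 63, gib_to_sectors(35))])

if __name__ == "__main__":
    for line in check_partitions(parse_mbr(SAMPLE_MBR), DISK_SECTORS) or ["partition table fits the disk"]:
        print(line)
```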

#4 WrinkledCheese (Topic Starter, Members, 59 posts)

Posted 19 March 2012 - 08:58 AM

I ran into an issue and although I suspect the solution is obvious I figured I would clear it by you first.

I burned the 'Kaspersky Rescue Disc' to a CD and went into 'Graphical Mode' and the monitor said "Input Signal Out Of Range". I believe the solution is to go into 'Graphical Mode' and scan the computer from there. I loaded 'Graphical Mode' from curiosity and it seems like a live CD of GNU Linux, as I suspected.

I also noticed there was a way to get into the 'Graphical Mode' from within the 'Text Mode'. I tried that option and it allowed me to generate an x11 configuration file that I could manually edit so it would work with my monitor. I didn't have to edit anything in order to get into the Rescue Disc's KDE environment, but the default 'Graphical Mode' option on boot would not work for me.

To be clear I modified the procedure to get into the 'Graphical Mode' rescue CD by performing the following actions:

INSTEAD OF:
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode

I PERFORMED THE FOLLOWING:
Kaspersky Rescue Disk. Text Mode
Network Setup ->
->Configure Adapter
-->select Adapter(probably eth0 which is what I chose)
--->select yes(confirm adapter)
---->select dhcp(most likely you have dhcp enabled if not you probably know your network)
----->click ok(should be adapter successfully configured message)
Start Update (Menu Option 7 - I planned on scanning from text mode )
Graphical Mode (Menu Option 13) ->
->Select xorg-gen ( other options are xorg-run, xorg-mkx and exit)

Graphical Mode should start

Since this procedure got me to where you wanted me with minimal deviation and no action performed to disk, I will continue with your instructions.

[EDIT]
Even though the update was performed in 'Text Mode' and it seemed that the update was recognized by the 'Graphical Mode' interface, I will perform the update procedure as described.
[EDIT2]
The update revealed no available updates.

Do you want a log attachment or the text pasted as a reply?

Edited by WrinkledCheese, 19 March 2012 - 09:05 AM.


#5 nasdaq (Malware Response Team, 40,521 posts, Montreal, QC, Canada)

Posted 19 March 2012 - 09:11 AM

We should get more information on the MBR with this tool.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus I suggest you deny this download unless you do not have any Antivirus protection on the computer.
===

Let's see what we can find on the partitions.

Please download this ListPart.exe to a folder of your choice. Select the proper tool for your system.

For x86 (x32) bit systems please download Listparts
For x64 bit systems please download Listparts64
Run the tool as an Administrator, click Scan and copy and post the log (Result.txt) in your next reply.

#6 WrinkledCheese (Topic Starter, Members, 59 posts)

Posted 19 March 2012 - 10:53 AM

Thanks again nasdaq for the great information.

The Kaspersky scan just completed and it's asking me to clean the files. Should I clean the files before saving the log or should I just save the log? It's at 99% complete and asking to clean files.

[EDIT]
Virus.Win32.Sality.q is the detected virus it's asking to clean.

Edited by WrinkledCheese, 19 March 2012 - 10:55 AM.


#7 WrinkledCheese (Topic Starter, Members, 59 posts)

Posted 19 March 2012 - 11:34 AM

I'm waiting on your response to finalize the Kaspersky scan so I can save the log and post it before I perform the tasks regarding the partitions.

#8 nasdaq (Malware Response Team, 40,521 posts, Montreal, QC, Canada)

Posted 19 March 2012 - 01:21 PM

Clean it.

#9 WrinkledCheese (Topic Starter, Members, 59 posts)

Posted 19 March 2012 - 02:23 PM

Done. I performed a second scan just to make sure that the same thing that happened with the Panda AV Rescue Disc didn't happen with Kaspersky, where it said it cleaned the files but upon subsequent scans they were still detected as infected. This was not the case.

The Kaspersky2.txt file contains 3 scan logs.
Scan log 1 - stopped because I tried to view the detailed log during object scan.
Scan log 2 - completed with clean
Scan log 3 - completed with read errors present in previous scan(scan 2) as well as password protected image file which was also present in scan 2

I will report back with the information you requested.

#10 WrinkledCheese (Topic Starter, Members, 59 posts)

Posted 19 March 2012 - 02:42 PM

Here are the aswMBR quick scan results as well as the ListPart x86 logs.

#11 nasdaq (Malware Response Team, 40,521 posts, Montreal, QC, Canada)

Posted 20 March 2012 - 10:40 AM

The Kaspersky log does not look good.

Please download CCleaner (freeware) from here.
Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run CCleaner.

The following should be selected by default, if not, please select:
[image]

Then please click [image] and choose [image]

Please uncheck [image]

Then go back to [image] and click [image] to run it.

If presented with an option to install 3rd party software, deny it.
===

Then run this AVG Anti-Rootkit

http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml

Try to run ComboFix after the scan.

#12 WrinkledCheese (Topic Starter, Members, 59 posts)

Posted 20 March 2012 - 12:59 PM

Thanks for the reply. I am in the process of downloading the tools requested. I will download new versions in case the tools I already tried have been compromised. I will report back with the logs in the next few hours or possibly tomorrow. Me and my GF are celebrating an anniversary today... I don't think she'd be pleased if I spent a large amount of time fixing a computer LOL

#13 WrinkledCheese (Topic Starter, Members, 59 posts)

Posted 20 March 2012 - 01:43 PM

Well the results are in and, unfortunately, nothing changed.

I have attached screen shots of the issues I've run into.

CCleaner removed 1.1GB of data. I made sure the options you asked me to uncheck were unchecked. They have changed the options slightly to 24 hours instead of 48 hours.

AVG Anti-Rootkit failed to find anything with an in-depth scan.

ComboFix fails to start. It has changed its behaviour since I started trying to clean this machine, before I posted here. Before, it would go to the blue DOS window and if Task Manager was up you could see it would run a couple of .3xe files and then get hung up on one (started with an s but now I can't duplicate the behaviour). I once got a message stating that ComboFix has detected interference. But now I get the message I posted as a PNG. This is all prior to my original post; the only message I get on the only time I ran it was what I attached.

[attachment=120879:combofix.PNG]
[attachment=120878:ccleaner.PNG]
[attachment=120880:avgantirootkit.PNG]

#14 nasdaq (Malware Response Team, 40,521 posts, Montreal, QC, Canada)

Posted 21 March 2012 - 07:14 AM

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    [image]
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    [image]
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

+++++++

Try to run ComboFix again.

Post the log or the error message.

#15 WrinkledCheese (Topic Starter, Members, 59 posts)

Posted 21 March 2012 - 08:56 AM

I ran TDSSKiller but it didn't pick up anything.

ComboFix still won't run. Its behaviour has not changed. I downloaded it again, right clicking and just typing gibberish for the file name when I save it from BleepingComputer.com. Even though it says the folder is not located where it's expected to be, the folder is created but it seems to be some sort of copy of My Computer, which can result in an infinite loop of entering My Computer, going to C:\, going to the ComboFix folder, which acts like My Computer.

You can even right click and manage this folder. I'm not sure if this is normal behaviour for ComboFix.

[EDIT]
Oops! I forgot the log.

Edited by WrinkledCheese, 21 March 2012 - 08:56 AM.




