Smart HDD Infection


9 replies to this topic

#1 MiNdWaRp
  • Members
  • 18 posts

Posted 26 April 2012 - 02:07 PM

Hello!

I have been trying to get rid of this infection for about 2 days now, but it keeps coming back.

I have checked out the Virus Removal guide section but found nothing regarding my specific strain of infection.

So far, I have followed this guide as well as running ComboFix on my own prior to that.

The PC has an attached external HDD which I backed up onto the computer and formatted / unallocated to eliminate it as a catalyst.

The virus seemed to be gone until I installed NOD32 Antivirus 5, which popped up a detection message saying "Operating memory - a variant of Win32/Olmasco.O trojan - unable to clean". After seeing this, I rebooted into Safe Mode with Networking to attempt to clean it and it re-appeared once again.

I have DDS and Gmer running right now, but both seemed to have stopped progressing and have been at the same point for over 30 minutes so far.

Any help regarding this issue would be greatly appreciated.



#2 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 27 April 2012 - 10:36 AM

Welcome to Bleeping Computer, MiNdWaRp!

If you cannot download, but can run programs, instead of downloading the program requested to the problem computer, download it to a clean computer.

Next, save it to a USB flash drive (or removable media), move it to the Desktop of the infected computer, and run the program as described below.

(If you previously downloaded this program, before you download a new copy, right-click the old file, and select: Delete)



Please download a current version of RogueKiller

•When you get to the website, go to where it says: Lien de téléchargement (Download link)
•Click the dark-blue button to download.
•Save to the Desktop

•Close all windows and browsers
•XP: Double-click the program to run it
•Vista/Seven: Right-click and select 'Run as Administrator'
•Press: SCAN
•A report opens on the Desktop: RKreport.txt

Please copy/paste the RKreport.txt , and provide it in your reply.

Note:
If RogueKiller is blocked, do not hesitate to try running it again.
If it still fails to run, right-click on the downloaded icon and select: Rename
Then, rename it to winlogon.exe and try again.

Old duck...


#3 MiNdWaRp
  • Topic Starter
  • Members
  • 18 posts

Posted 27 April 2012 - 04:00 PM

Thanks for the reply.

Well, although I managed to run RogueKiller before, it does not let me run it this time... This one's a real bugger!

I can see that svchost.exe(1220) is infected, as per NOD32 if that helps.

#4 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 27 April 2012 - 05:35 PM

Need some information in order to proceed...

Q 1. What Operating System is installed on the problem computer?

Q 2. Do you know if the system is 32-bit, or 64-bit?

To find out...click Start, in the Search Programs and Files box, type: system
Click: System Information in the Programs list presented.

When System Summary is selected in the navigation pane, the Operating System is displayed as follows:
◦For a 64-bit version operating system: under Item > System type, x64-based PC appears.
◦For a 32-bit version operating system: under Item > System type, x86-based PC appears.

If you cannot access this info in Windows, to find out, restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu you get the following options:
•Startup Repair
•System Restore
•Windows Complete PC Restore
•Windows Memory Diagnostic Tool (scan your computer's memory for errors)
•Command Prompt
  • Select Command Prompt
  • In the Command window, at the blinking cursor type wmic os get osarchitecture and press: Enter

You will get information like the following:

Microsoft Windows [Version 6.1.7600]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\Aaflac>wmic os get osarchitecture
OSArchitecture
64-bit (or, 32-bit, if applicable)

Please post whether the system is 32-bit or 64-bit.

Q 3. If Vista or Windows Seven, do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:
Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?

Q 4. If you do not have the option above, do you have your Windows installation CD/DVD available?


Q 5. Last, do you have a USB flash drive available, and do you have access to another computer?

Edited by Aaflac, 27 April 2012 - 05:35 PM.

Old duck...


#5 MiNdWaRp
  • Topic Starter
  • Members
  • 18 posts

Posted 27 April 2012 - 08:54 PM

The system is running 32-bit Windows XP Professional.

For the weekend, I have remote access to the machine, but not a Windows Installation option.

I can do remote file transfers through the remote access program I use. USB drive was what I was using to transfer programs to the machine so I could run them when I had direct access.

Also, I managed to get RogueKiller to give me a log:


RogueKiller V7.3.3 [04/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Brunet Insurance [Admin rights]
Mode: Scan -- Date: 04/27/2012 17:05:58

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR|ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10EARS-00Y5B1 +++++
--- User ---
[MBR] b9dde6f9d6112b7a09928dbd77b13aba
[BSP] a72e6d02b6cda3fd41fcda93e2d8528a : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 2fd9a6621508a01241159017c875ff3b
[BSP] a72e6d02b6cda3fd41fcda93e2d8528a : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1953504000 | Size: 10 Mo

+++++ PhysicalDrive1: WDC WD16 00AAJB-00PVA0 USB Device +++++
--- User ---
[MBR] fc16d429fd8799b55758f0836e737a54
[BSP] 5a83d6b9acae2d4418bfbf54070df937 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#6 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 27 April 2012 - 09:15 PM

Looks as if Smart HDD is gone, but, it came with a 'bundle' that you do not want:
ZeroAccess Rootkit, and possibly a hidden partition where malware resides.


We do have a problem, though...is this a workplace computer in a business environment (User: Brunet Insurance [Admin rights])?

Our assistance is not intended for a workplace computer, nor to replace a company IT manager or outsource staff.

It is not possible to anticipate any alterations or configurations made to a business computer, or how it will interact with the tools commonly used in the removal of malware. The tools we use may create a possible loss of company information!!

In addition, many of the tools we use have specific instructions from their authors that they not be used in a business environment.

Your circumstances are regrettable, but, to prevent any possible loss or corruption of company information, please refer your request for assistance to your company staff, IT manager, or to the service the company uses to address computer problems.

Edited by Aaflac, 27 April 2012 - 09:33 PM.

Old duck...


#7 MiNdWaRp
  • Topic Starter
  • Members
  • 18 posts

Posted 29 April 2012 - 01:13 AM

It is a computer being used for business purposes, however, they are not a big enough operation to have their own IT service. They operate in the basement of a house with this stand-alone computer. I am simply a friend trying to do them a favour and remove an infection.

Based on research I've done on the Win32/Olmasco.O Trojan, I've seen that it can infect the MBR and create its own hidden partition that can be used to store files and folders with dynamically changing names.

If you're not able to help me with removal due to it being a business computer, would you be able to tell me if the infection will spread / even function if I were to tell them to buy a Windows 7 64-bit PC and have their files copied over? I wasn't able to find out if the rootkit supports 64-bit architectures from my research and they've been considering an upgrade soon anyhow.
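The RogueKiller MBR check in post #5 (a "User" view and an "LL2" view of PhysicalDrive0 with different MBR hashes, and a hidden, ACTIVE type-0x17 partition of 10 MB at sector 1953504000 that only the low-level view shows) and the hidden-partition behaviour described in the post above can be illustrated with a small cross-view MBR check. This is an added example and is not code from the original thread or from RogueKiller: the two 512-byte sector images are constructed here to mirror the log, and the boot-code bytes, the resulting hashes and the sector counts are assumptions for illustration. The only thing the example takes from the page is the idea that the same sector read through two paths should be identical, and that a partition visible only at low level is the bootkit pattern.

```python
"""
Added example (not from the thread or from RogueKiller): a minimal cross-view
MBR check. Two 512-byte sector images are CONSTRUCTED below to mirror the
RogueKiller log in the thread; their bytes, hashes and sector counts are
illustrative assumptions, not data recovered from the infected disk.
"""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446            # MBR: 446 bytes boot code, 4 x 16-byte entries, 0x55AA
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count

# Partition types that mark a partition as "hidden" (0x10 bit set on common types)
HIDDEN_TYPES = {0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16",
                0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA",
                0x1E: "hidden FAT16 LBA"}


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    table = b""
    for status, ptype, lba, count in entries:
        table += struct.pack(ENTRY_FMT, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
    table = table.ljust(64, b"\x00")
    mbr = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET] + table + b"\x55\xaa"
    assert len(mbr) == SECTOR
    return mbr


def parse_partitions(mbr: bytes):
    """Return the non-empty partition-table entries of an MBR as dicts."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "hidden": ptype in HIDDEN_TYPES, "lba": lba,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return parts


def compare_views(user_mbr: bytes, lowlevel_mbr: bytes):
    """Cross-view check: what the low-level read shows but the user-mode read does not
    indicates something is filtering disk I/O, the pattern an MBR bootkit produces."""
    user_md5 = hashlib.md5(user_mbr).hexdigest()
    ll_md5 = hashlib.md5(lowlevel_mbr).hexdigest()
    findings = []
    if user_md5 != ll_md5:
        findings.append("MBR differs between user-mode and low-level read")
    seen = {(p["lba"], p["type"]) for p in parse_partitions(user_mbr)}
    for p in parse_partitions(lowlevel_mbr):
        if (p["lba"], p["type"]) not in seen:
            findings.append(f"partition at LBA {p['lba']} (type 0x{p['type']:02x}, "
                            f"{p['size_mb']} MB) only visible at low level")
        if p["hidden"] and p["active"]:
            findings.append(f"hidden partition type 0x{p['type']:02x} marked ACTIVE at LBA {p['lba']}")
    return {"user_md5": user_md5, "lowlevel_md5": ll_md5, "findings": findings}


# Constructed sample views (assumptions for illustration only).
BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4"   # arbitrary stub bytes
# User-mode view: one visible NTFS partition, ACTIVE, starting at LBA 63 (953859 MB).
USER_VIEW = build_mbr(BOOT_CODE, [(0x80, 0x07, 63, 1953503937)])
# Low-level view: same partition, no longer active, plus a hidden 10 MB NTFS
# partition (type 0x17, 20480 sectors) at LBA 1953504000 marked ACTIVE.
LOWLEVEL_VIEW = build_mbr(BOOT_CODE, [(0x00, 0x07, 63, 1953503937),
                                      (0x80, 0x17, 1953504000, 20480)])

if __name__ == "__main__":
    result = compare_views(USER_VIEW, LOWLEVEL_VIEW)
    print("User  MBR", result["user_md5"])
    print("LL2   MBR", result["lowlevel_md5"])
    for finding in result["findings"]:
        print("KO!", finding)
```

On a real machine the two inputs would be the first sector of the physical drive read through two different paths (the thread's log labels them "User" and "LL2"); on an infected machine the user-mode read is the one the rootkit filters, so the hidden partition appears only in the second view, exactly as the log shows.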

#8 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 30 April 2012 - 02:43 PM

Here is some info for your perusal:
http://www.infosecurity-magazine.com/view/23223/bootkits-take-aim-at-the-windows-64bit-platform/

Since this computer belongs to an Insurance entity, there are probably all sorts of personal records kept in it, etc.

If a new PC is bought, the owners need to scan all the data they plan to move to the new computer with more than one AV program, not only the one installed on the computer, but also with online scanners like the ESET Online Scanner, BitDefender Online, Kaspersky...

Old duck...


#9 MiNdWaRp
  • Topic Starter
  • Members
  • 18 posts

Posted 01 May 2012 - 04:19 PM

Thank you for your assistance Aaflac.

For the record, I managed to remove it using FixTDSS. I also ran TDSSKiller, Malwarebytes Anti-Malware and NOD32 In-Depth Scan to make sure it was eliminated.

#10 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 01 May 2012 - 09:18 PM

(thumbs up)

Also give ESET Online Scanner a whirl.

Disable (temporarily) your AntiVirus program and any AntiSpyware programs while performing the online scan.
It precludes conflicts, and will speed up scan time.

Edited by Aaflac, 01 May 2012 - 09:22 PM.

Old duck...




