
FBI Virus


4 replies to this topic

#1 Norm@Home

  • Members
  • 28 posts

Posted 03 August 2012 - 08:21 PM

I've got a friend's notebook computer running Windows XP Media Center that was infected with the phony "FBI" (pay us $200 and we'll unlock your computer) virus scam.

I've been working on it, and while I've made some headway, there appears to be a very hard to remove rootkit on this system, and I'm going to need some advice on how to remove it. So far I've tried these things:

I removed the hard drive and attached it via a USB hard drive dock to one of my computers, which is running ESET Smart Security 5.2.9.1, and performed a comprehensive scan. It found two things, and it seemed like it was unable to clean either:

Active boot sector of the 2. physical disk / Win32/Olmasco.AB

Boot sector / Probably unknown TSR.BOOT virus


It seemed like it was unable to clean the Win32/Olmasco.AB virus; however, after putting the hard drive back in the notebook and still having issues (see below), I retried the scan with the hard drive dock and ESET, and this time the scan completed and didn't find anything.

After this I tried booting to the recovery console, which had been previously installed; it started to load but hung, and I had to hard power off and boot from a Windows XP CD to get to the recovery console. I tried FixMBR, but that did not appear to fix or remove the problem.

I'm able to boot up into safe mode, but it seems like the virus is active in safe mode, since I can't seem to run some anti-rootkit removal tools: if I try to run TDSSKiller, it shows up for a few seconds in Task Manager and then closes without ever having run. I tried renaming "TDSSKiller.exe" to a random filename, but it still wouldn't run. I tried GMER's rootkit detector, and it gave me this error on loading:
LoadDriver("C:\DOCUME~1\ADMINI~1\LOCALS~1\temp\agpiypob.sys") error 0XC000010E: Cannot create a stable subkey under a volatile parent key

The program will open, but many of the scan options are greyed out, and if I run the scan with the options that are available it doesn't detect anything wrong.

I tried running Malwarebytes Anti-Malware, and it did find a few problem files and registry entries:

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) -> Value: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) -> Value: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -> Quarantined and deleted successfully.

Files Infected:
c:\program files\05websetup\W05Web.exe (Backdoor.HackerDefender) -> Quarantined and deleted successfully.
c:\documents and settings\<User Name Here>\start menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Quarantined and deleted successfully.


Removing these did not help the problem in any way.

As a very last resort, I tried running the latest version of ComboFix in safe mode. (I realize that in general you don't advise running this unless asked by a forum helper.) It gets as far as trying to scan, but it never gets to Stage 1 (or at least Stage 1 is never displayed in the progress window). I let it sit for over four hours, and at that point it seemed like the system was hung, i.e. the mouse would move but the Start menu wasn't responding, nor was the keyboard, as Ctrl-Alt-Del would not bring up Task Manager.

Any suggestions?

Thanks,

- Norm
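The ESET finding above (a modified active boot sector, which it could not clean) and the FixMBR attempt both concern the first sector of the disk. The script below is an added example, not part of this thread and not code from ESET, Kaspersky or any other tool named here. It shows what a practitioner can check in a raw 512-byte MBR dump taken while the drive sits in a dock on a trusted machine, exactly the setup the poster used: the 0x55AA signature, exactly one active partition with valid status bytes, non-overlapping partition entries, the three error strings that the boot code of a stock Windows XP MBR carries, and an optional byte-for-byte comparison of the boot code against a known-clean reference dump. The two sample images at the bottom are constructed, not real dumps; the file names and the dd command in the docstring are assumptions.

```python
"""
Sanity checks on a 512-byte MBR image for the kind of tampering a bootkit leaves
behind: rewritten boot code, a partition table with zero or several "active"
entries, malformed status bytes, overlapping partitions, or a missing signature.

Usage (added example, not from the thread; paths are assumptions):
    python mbr_check.py disk.mbr [clean_reference.mbr]
Dump the first sector of the docked drive from a trusted machine first, e.g.
    dd if=/dev/sdb of=disk.mbr bs=512 count=1
"""
import struct
import sys

SECTOR = 512
PT_OFFSET = 446           # partition table occupies bytes 446..509
BOOT_SIG = b"\x55\xaa"    # bytes 510..511 of any valid MBR

# Error strings present in the boot code of a stock Windows XP MBR.
XP_MBR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def parse_partitions(mbr):
    """Return the four 16-byte partition entries as dicts (CHS fields are skipped)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, reference=None):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if len(mbr) != SECTOR:
        return [f"image is {len(mbr)} bytes, expected {SECTOR}"]
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")

    used = [p for p in parse_partitions(mbr) if p["type"] != 0 or p["sectors"] != 0]
    for p in used:
        if p["status"] not in (0x00, 0x80):   # only 0x00 (inactive) and 0x80 (active) are legal
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    active = [p for p in used if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")

    # Sorted by start LBA, so any overlap shows up between neighbours.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in used)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"entries {i1} and {i2} overlap")

    code = mbr[:PT_OFFSET]
    missing = [s.decode() for s in XP_MBR_STRINGS if s not in code]
    if missing:
        findings.append("boot code lacks stock XP strings: " + "; ".join(missing))
    if reference is not None and reference[:PT_OFFSET] != code:
        findings.append("boot code differs from the reference MBR")
    return findings


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and up to four (status, type, lba, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET] + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed sample images, not real disk dumps. The "clean" one only mimics a stock
# XP MBR: real boot code is far longer, but the error strings are what is checked here.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * 32 + b"\x00".join(XP_MBR_STRINGS),
                      [(0x80, 0x07, 63, 156_000_000)])      # one active NTFS partition

# Tampered sample: boot code replaced, plus a small extra partition placed after the
# Windows one and also flagged active (the partition type value is arbitrary here).
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x00" * 40,
                         [(0x80, 0x07, 63, 156_000_000),
                          (0x80, 0x07, 156_000_063, 2048)])


def main(argv):
    if len(argv) < 2:   # no file given: run the built-in samples
        for name, img in (("clean sample", CLEAN_MBR), ("tampered sample", TAMPERED_MBR)):
            print(name, "->", check_mbr(img, reference=CLEAN_MBR) or "no findings")
        return
    with open(argv[1], "rb") as f:
        mbr = f.read(SECTOR)
    reference = open(argv[2], "rb").read(SECTOR) if len(argv) > 2 else None
    for line in check_mbr(mbr, reference) or ["no findings"]:
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats a practitioner would keep in mind: a rootkit that hooks disk I/O will feed the infected OS a clean-looking sector, so the dump has to come from a separate trusted machine (or a boot CD), and a clean MBR does not prove a clean disk. TDL4-family bootkits also keep a hidden file system in unpartitioned space beyond the last entry, which is what the "TDLFS file system" option in the reply below refers to; this check does not look there.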


#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Location:India

Posted 03 August 2012 - 08:24 PM

Boot into safe mode with networking.

Download FixTDSS.

Launch it. It may ask for a restart; reboot the PC.

On reboot, click on REPAIR.

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C drive).

Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here.

Download the ESET Online Scanner.

Install it.

Click on START; it should download the virus definitions.
When the scan is complete, click on "List of found threats".

Export the list to the desktop and copy the contents of the text file into your reply.

#3 Norm@Home

  • Topic Starter
  • Members
  • 28 posts

Posted 03 August 2012 - 09:31 PM

In safe mode I could not run FixTDSS; however, I discovered that if I renamed the executable to "abcxyz.com" I was then able to run it, but it did not find anything and returned "Backdoor.Tidserve has not been found on your computer".

Likewise with TDSSKiller, I was not able to run the program, but when I renamed it "abcdxyz.com" I was able to run it, and it found and removed on reboot what it called "Rootkit.Boot.SST.b", and as far as I can tell that was the major source of the problem.

Now all software runs without being blocked.

Thanks for the quick response,

- Norm

Edited by Norm@Home, 03 August 2012 - 09:48 PM.


#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Location:India

Posted 04 August 2012 - 05:40 AM

Post the other logs; you may still be infected.

Please run TDSSKiller once again and post the new log.

#5 Norm@Home

  • Topic Starter
  • Members
  • 28 posts

Posted 04 August 2012 - 08:53 AM

I've rerun TDSSKiller, aswMBR, Malwarebytes, Spybot and ComboFix, upgraded NOD32 4.2.76 to 5.2.x.x and scanned with that, and none of these has found any additional problems, so I really believe that the system is now clean.

Thanks,

- Norm

Edited by Norm@Home, 04 August 2012 - 04:56 PM.
