
MBR Trojan horse


  • This topic is locked
19 replies to this topic

#1 IMSAI 8080 (Members, 14 posts)

Posted 06 August 2012 - 02:54 PM

First post moved here and attachments added.
After finding ads and misdirects I checked and found an old Java script back door exploit in a Java cache. Java should have been updated, but AVG had always been clean except for the Java cache.
As always I have used Gparted to copy the OS partition onto backup drives. After finding that MBRcheck revealed a non-standard MBR, in a panic I used BootRec /fixmbr, which changed the MBR back to standard Win 7, and now I am back to normal OS operations. The MBR is now the same (using MBRcheck) as a fresh install on a new drive, so the MBR had changed at some point, and now I have 3 drives with OSes that I can not trust, and any pen drives that were in the OS. It's hard to regen the OS but it's done; data is safe, but now how to clean up the mess! Please review the mbr.txt attached.
Now the bottom line is I do not know what I had, nor how the MBR was changed or what it did to the backup HDs and the USB pen drives, but I have to clean the mess somehow to return them to service. Now I am just not sure if a format, disk wipe, or what would be a good fix for the hard drives, and then what to do for the pen drives. Can I still trust the drives after cleaning, and Gparted for doing a backup of a new clean install?
All attachments are with the original OS and hard drive and tested by the attached MBR.txt.
System is 64-bit and GMER ran but produced no log.
Thanks to all that contribute to these great forums !
IMSAI 8080 and yes it was my first build and that dates me.

This post has been edited by boopme: 30 July 2012 - 07:10 PM

Attached Files


Edited by IMSAI 8080, 06 August 2012 - 03:05 PM.



#2 HelpBot, Bleepin' Binary Bot (Bots, 12,600 posts)

Posted 11 August 2012 - 02:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/464122 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 IMSAI 8080, Topic Starter (Members, 14 posts)

Posted 11 August 2012 - 06:01 PM

Nothing should have changed. New DDS attached. 64-bit OS and no GMER files; please see MBR.txt for details. Thanks for all the time and effort!

After finding ads and misdirects I checked and found an old Java script back door exploit in a Java cache. Java should have been updated, but AVG had always been clean except for the Java cache.
As always I have used Gparted to copy the OS partition onto backup drives. After finding that MBRcheck revealed a non-standard MBR, in a panic I used BootRec /fixmbr, which changed the MBR back to standard Win 7, and now I am back to normal OS operations. The MBR is now the same (using MBRcheck) as a fresh install on a new drive, so the MBR had changed at some point, and now I have 3 drives with OSes that I can not trust, and any pen drives that were in the OS. It's hard to regen the OS but it's done; data is safe, but now how to clean up the mess! Please review the mbr.txt attached.
Now the bottom line is I do not know what I had, nor how the MBR was changed or what it did to the backup HDs and the USB pen drives, but I have to clean the mess somehow to return them to service. Now I am just not sure if a format, disk wipe, or what would be a good fix for the hard drives, and then what to do for the pen drives. Can I still trust the drives after cleaning, and Gparted for doing a backup of a new clean install?
All attachments are with the original OS and hard drive and tested by the attached MBR.txt.
System is 64-bit and GMER ran but produced no log.
Thanks to all that contribute to these great forums !
IMSAI 8080 and yes it was my first build and that dates me.

Attached Files



#4 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Romania)

Posted 16 August 2012 - 07:24 AM

Hello, my apologies for the delay! My name is Elise and I'll assist you with this issue.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 IMSAI 8080, Topic Starter (Members, 14 posts)

Posted 16 August 2012 - 01:11 PM

Thanks Elise for your review. Today's TDSS log is attached.
A scan on 6/22/2012 showed "Detected object count: 1 IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user", but I looked at the MD5 and it checked out OK at that time. The old scan also showed "MBR (0x1B8) (0792f22bcc85cfd3b28324561fffcabb) \Device\Harddisk0\DR0", and the new scan now shows "MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0".

Thanks for your hard work and I have the old TDSS file if needed.
Regards

Attached Files



#6 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Romania)

Posted 16 August 2012 - 01:25 PM

How did you create the attached mbr.txt (your previous post)? It is not a valid mbr dump, its size is not 512 bytes.

regards, Elise



#7 IMSAI 8080, Topic Starter (Members, 14 posts)

Posted 16 August 2012 - 01:36 PM

Elise
Sorry for the file name; it is NOT an MBR file (512 bytes) but a text file of what was found.

6-15-12 AVG found
AVG Jave Trojan
"Infection";"Trojan horse Exploit_c.UHJ";"C:\Documents and Settings\BJ\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\7ecc085-5e75b042";"N/A";"6/15/2012, 1:45:26 PM"

MBRcheck 6-22-12: 931 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: BB91F7E34FF3754A41F2830964B0DA1B003BCA73

After BootRec.exe /fixmbr
MBRcheck 7-05-12: 931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

After checking 3 backup drives, all three had Unknown MBRs and all were clones. All MBRs were changed via BootRec.exe /fixmbr.

TDSSKiller.exe was next, with unknown results.

A net user account, Nvidia "UpdatusUser", was found and removed.

Linux Puppy was next used to look at the real MBR, with no matches with MBRcheck's SHA1 checksums, and looking at the code the MBRs did not seem right and the error messages near the end were not even the same!

Gave up and used a new HD with a full new install (the same DVD install used in the above HDs); still could not get back to an MBR that's the same.
Now how to recover data in a safe way and reclaim the backup drives and USB pen drives without reinfection? The following tests are with the problem OS and drive.

#8 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Romania)

Posted 16 August 2012 - 01:52 PM

MBRcheck hasn't been updated for a long time and really can't be trusted. Quite aside, an Unknown MBR doesn't mean it is bad.

Do you have any actual problems with your computer at this point?

If you want you can attach the different MBR dumps and I can have a look at them (if you don't have them but want to create them, just let me know).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 IMSAI 8080, Topic Starter (Members, 14 posts)

Posted 16 August 2012 - 02:10 PM

I will take a look for some of the old MBR.bin files (512 bytes). What application would you like me to use, or I can get it by using Linux to be sure what's on the drive.
The system that I use now is with a new HD and a full system install, but I still have to recover files and data from the old system that we are looking at. The problem is I can not trust the old system, and I have three backup drives and USB pen drives that I do not want to use or get data from without knowing how to clean, wipe or format them to stop any reinfection.

Thanks again Elise

#10 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Romania)

Posted 16 August 2012 - 02:20 PM

You can use Linux dd or whatever tool you prefer to get the dump; it really doesn't matter as long as it is a simple binary dump.

You can scan the drives with an AV just to make sure none of the data is infected. However, MBR malware typically doesn't spread through infected files, so unless other malware was present no need to worry about that.

regards, Elise



#11 IMSAI 8080, Topic Starter (Members, 14 posts)

Posted 16 August 2012 - 04:18 PM

Elise
Used the Linux dd command and it is attached as "lunix dd file.txt". I had to change the file type from .bin to .txt to bypass "aren't permitted to upload this kind of file", so to look at it using a debugger the file type will have to be changed back. The SHA1 checksum is 8ee5cf5b1f34b97c000d8f25a2d7b4b3adf8ca28 and it seems to look good, but the SHA1 checksum is not the same as MBRCheck.exe's, which is SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79!!
To add to the confusion, aswMBR.exe saves a copy of the MBR in a file, MBR.dat, which also is NOT the MBR??
Any other way to look at MBRs other than Linux? But Linux does work!!

Elise Thank you again for looking into this mess !

Note to all: The attached file "linix dd file.txt" IS NOT TEXT so please do not try to "read it"
Thank you

Attached Files



#12 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Romania)

Posted 17 August 2012 - 05:22 AM

That's a partition's first sector, or VBR, which explains why it doesn't match the dump made by aswMBR. :) As the system is not infected you can safely attach the aswMBR dump. Just zip it up and attach.

regards, Elise

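The two checks Elise applies above (a real dump is exactly 512 bytes, and a partition's first sector is a VBR rather than the MBR) can be done mechanically, and the same parser shows why whole-sector checksums from different disks need not agree: the disk signature at 0x1B8 and the partition table are per-disk, so only the boot-code region is comparable. This is an added example, not code from the thread or from any tool named in it; the sample sectors it builds are constructed, and its VBR test is a heuristic on the OEM ID, not a verdict on infection.

```python
import hashlib
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8    # 4-byte Windows disk signature (the "0x1B8" in the TDSSKiller lines)
PART_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries follow the signature
BOOT_SIG_OFFSET = 0x1FE    # 0x55AA marker, present in both MBRs and VBRs


def check_sector(data: bytes) -> dict:
    """Validate a raw first-sector dump and classify it as an MBR or a volume boot record."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"not a sector dump: {len(data)} bytes, expected {SECTOR_SIZE}")
    if data[BOOT_SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    # An NTFS or FAT VBR opens with a jump and carries an OEM ID at offset 3; an MBR does not.
    oem_id = data[3:11]
    if data[0] in (0xEB, 0xE9) and oem_id in (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1"):
        return {"kind": "VBR", "oem_id": oem_id.decode("ascii").strip(), "partitions": []}
    partitions = []
    for i in range(4):
        entry = data[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)]
        boot_flag, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if boot_flag not in (0x00, 0x80):
            raise ValueError(f"partition entry {i}: invalid boot flag 0x{boot_flag:02X}")
        if ptype != 0:
            partitions.append({"index": i, "bootable": boot_flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "kind": "MBR",
        "disk_signature": struct.unpack("<I", data[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        # Hash only the boot code: the disk signature and partition table legitimately
        # differ between disks, so whole-sector hashes differ even when the code is identical.
        "code_sha1": hashlib.sha1(data[:DISK_SIG_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def make_mbr(disk_signature: int) -> bytes:
    """Constructed sample MBR (not a real dump): filler boot code, one bootable NTFS partition."""
    code = (b"\x33\xC0\x8E\xD0" + b"\x90" * 436)[:DISK_SIG_OFFSET]
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * 48
    return code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + b"\x55\xAA"


def make_ntfs_vbr() -> bytes:
    """Constructed sample NTFS volume boot record (what dd of a partition device returns)."""
    return (b"\xEB\x52\x90NTFS    " + b"\x00" * (SECTOR_SIZE - 13)) + b"\x55\xAA"
```

Run it on a real dump with `check_sector(open(path, "rb").read())`, where path is the 512-byte file from dd or aswMBR's MBR.dat; a `ValueError` means the file is not a sector dump at all, as with the first mbr.txt in this thread.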


#13 IMSAI 8080, Topic Starter (Members, 14 posts)

Posted 17 August 2012 - 01:16 PM

Elise

I am attaching two aswMBR .dat dumps whose checksums do not match, from 7/28 and today. My goal is to reclaim the backup hard drives and USB pen drives, data and programs, without reinfection. I have already installed a clean system on a new hard drive but do not want to get it infected. Next is to understand how to clean, wipe, or format the above to restore them to use as backups. I would also like to know what program to use to check for any int13 hooks.

Thanks again for your reviews.
IMSAI 8080

Attached Files



#14 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Romania)

Posted 17 August 2012 - 01:34 PM

Both dumps are standard Windows 7 MBRs with normal partition structure, nothing to worry about. :)

regards, Elise



#15 IMSAI 8080, Topic Starter (Members, 14 posts)

Posted 17 August 2012 - 02:25 PM

Elise
Looks like the sys is now stable and secure if you think so.

1. How do I clean or wipe, or what type of format should be used, to return 3 backup hard drives and 5 USB pen drives to service without reinfection?

2. What program should I use to check for any int13 hooks?

Again, thank you for all your help.

IMSAI 8080



