
File Restore Removed But TDSSKiller Blocked


5 replies to this topic

#1 SolutionTracker

SolutionTracker

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 04 November 2012 - 01:34 PM

It all started with an infection of the fake FileRestore virus. I removed it the old-fashioned way...one painful element at a time. And then rebuilt all the links manually.

All seems well EXCEPT for an old favorite: the Google LiveSearch Redirector. Using MalwareBytes, HijackThis, AVG, GMER, and others, I removed traces from the registry, IE Content, etc. But I'm sure I'm up against a rootkit.

Following the guide at Bleeping Computer (thanks, nicely written), I copied RKILL to the desktop of a user in safemode, ran RKILL from the command line, and it finds nothing to shutdown, but it notes the EFS service is non-existent. Then I attempted to run TDSSKiller. It fizzles, just as it's done many times in this effort.

I've tried Run As Administrator and NOT. I get the Windows dialog asking if it's OK, I say yes, the rotating arrow turns for less than two seconds, and then it goes away. I've renamed it to iExplore.exe, iExplore.com, and even things like George.com. No joy.

I used Resource Tuner to strip out some of the properties. I didn't find a happy medium. Either TDSS dies as described above or I get an error message telling me the program won't run without <fill in several different incarnations of encoded info>. I did once get that error to tell me that MS Common Controls was needed, so I made sure the most recent version is installed.

I'll take any suggestions I can get:
Win 7 64-bit
Dell Latitude E6500
A couple Cisco VPN clients installed, SQL Server, but nothing remarkable.

Edited by hamluis, 04 November 2012 - 01:55 PM.
Moved from AV, Firewall to Am I Infected - Hamluis.



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:29 AM

Posted 04 November 2012 - 01:49 PM

Do not run any tools unless instructed

Download Listparts from here

For 32 bit

List parts 32

For 64 bit

List parts 64

Launch it, click on SCAN, post the log

#3 SolutionTracker

SolutionTracker
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 05 November 2012 - 01:42 PM

List Parts Log:

ListParts by Farbar Version: 30-10-2012
Ran by alanrollins (administrator) on 05-11-2012 at 13:30:46
Windows 7 (X64)
Running From: C:\Users\alanrollins\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 44%
Total physical RAM: 4083.91 MB
Available physical RAM: 2269.56 MB
Total Pagefile: 8165.96 MB
Available Pagefile: 6032.74 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:74.46 GB) (Free:9.75 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive c: detected. Check for MBR/Partition infection.
2 Drive d: (Kaspersky Rescue) (CDROM) (Total:0.11 GB) (Free:0 GB) CDFS
3 Drive o: (System) (Network) (Total:40 GB) (Free:1.6 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 74 GB 3072 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 54 MB 31 KB
Partition 2 Primary 74 GB 54 MB
Partition 3 Primary 10 MB 74 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 74 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================
The boot configuration data store could not be opened.
The system cannot find the file specified.


****** End Of Log ******

That log looks very much like this one from Rogue Killer...since I didn't set this machine up, I have no idea what partitions should be there. Your help is appreciated.

RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : alanrollins [Admin rights]
Mode : Scan -- Date : 11/04/2012 14:06:43

Bad processes : 0

Registry Entries : 5
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver : [NOT LOADED]

Infection : Root.MBR

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: Hitachi HTS541680J9SA00 ATA Device +++++
--- User ---
[MBR] 22447c107b1a6e4ae49f9a4282b44e13
[BSP] 835bba1def3110538c6524d1647ded71 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 76249 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] ffdb18acbcc1d3aee865477324b3eeff
[BSP] 835bba1def3110538c6524d1647ded71 : Windows 7 MBR Code [possible maxSST in 2!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 76249 Mo
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 156272640 | Size: 10 Mo

Finished : << RKreport[1]_S_11042012_02d1406.txt >>
RKreport[1]_S_11042012_02d1406.txt
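As an added illustration (not part of this thread, and not code from ListParts, RogueKiller or TDSSKiller), here is a small Python parser that reads a raw 512-byte MBR sector and flags the pattern visible in the logs above: a partition entry whose type byte is a "hidden" variant (0x17 is hidden NTFS) and which is at the same time marked active, i.e. the one the BIOS hands control to. The sector below is constructed to mirror the RogueKiller LL2 partition table (DELL-UTIL 0xDE at LBA 63, NTFS 0x07 at LBA 112455, hidden 0x17 at LBA 156272640); the offsets and sizes are taken from the log, the CHS fields are left zeroed.

```python
import struct

# One 16-byte MBR partition entry: boot flag, CHS start (ignored here), type byte,
# CHS end (ignored), LBA start, sector count. Little-endian, no padding.
ENTRY_FMT = "<B3sB3sII"

# Partition types that mark a volume as "hidden" (the type byte with bit 0x10 set).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def build_entry(boot_flag, ptype, lba_start, sectors):
    """Pack a partition entry with zeroed CHS fields (modern tools use the LBA fields)."""
    return struct.pack(ENTRY_FMT, boot_flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


# Constructed sample sector (not a real disk image) mirroring the "LL2" table in the log.
# Sizes are the log's MB figures converted to 512-byte sectors (1 MB = 2048 sectors).
SAMPLE_MBR = (
    b"\x00" * 446                                          # boot code area, irrelevant here
    + build_entry(0x00, 0xDE, 63, 54 * 2048)               # DELL-UTIL, 54 MB
    + build_entry(0x00, 0x07, 112455, 76249 * 2048)        # Windows NTFS volume, 76249 MB
    + build_entry(0x80, 0x17, 156272640, 10 * 2048)        # hidden NTFS type, 10 MB, ACTIVE
    + b"\x00" * 16                                         # unused fourth entry
    + b"\x55\xAA"                                          # boot signature
)


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (bad length or missing 55AA signature)")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "active": boot == 0x80, "type": ptype,
                        "hidden": ptype in HIDDEN_TYPES, "lba": lba,
                        "size_mb": count // 2048})
    return entries


def find_suspicious(entries):
    """Entries that are both active and of a hidden type: the boot path should never
    lead to a volume the OS cannot see, which is the signature ListParts warned about."""
    return [e for e in entries if e["active"] and e["hidden"]]
```

With a real disk you would feed the first 512 bytes of the physical drive into parse_mbr and compare the result with what the OS reports for its own volumes.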

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:29 AM

Posted 05 November 2012 - 09:19 PM

You are not following my instructions. I never told you to run RogueKiller.

Do not run any tools unless instructed


Restart the PC

Press F8 on bootup

Select REPAIR YOUR COMPUTER

Click on REPAIR

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Can you get to this screen?

If yes

Select command prompt and run these commands

diskpart
select disk 0
select partition 2
active


Now restart the PC and run TDSSkiller again

#5 SolutionTracker

SolutionTracker
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 06 November 2012 - 12:33 AM

I'm afraid from the boot menu I cannot enter "Repair Your Computer."

I can enter SafeMode, SafeMode With Network Prompt, and all the other options I've tried, but when I select the top option to repair, I'm given the message "Windows is Loading Files" but nothing happens after that. I allowed a full 10 minutes at that message with no further action. I rebooted, went to boot menu, selected "Repair Your Computer," and allowed the message to stand for even longer the second time. No progress.

Any other suggestions for updating the partitions?

By the way, if you'll check the log date for RK, you'll see it was run a day before the other log, long before I had instructions from you, which I am attempting to follow exactly.

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:29 AM

Posted 06 November 2012 - 05:33 AM

Download

TDSSkiller

Launch it. Click on Change parameters, then select TDLFS file system

Click on "Scan". Please post the LOG report (the log file should be in your C drive)

Do not change the default options on scan results

Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking

Download

ESET online scanner

Install it

Click on START, it should download the virus definitions
When the scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

Edited by narenxp, 08 November 2012 - 01:46 PM.
