
Win7 64-bit infection help needed! This one is a real jerk...


5 replies to this topic

#1 Rabbix

  • Members
  • 6 posts

Posted 23 November 2012 - 06:24 PM

Hello all, I have been a long-time reader at this site, and in the IT industry for 15 years myself, and I have for the first time come across a virus (rootkit? bootkit?) that I cannot seem to clean myself.

OS: Windows 7 Home Premium 64-bit
Dell Inspiron 560

The PC was running a bit slow, but I hadn't noticed any problems. I was using Verizon Internet Security Suite for AV. Now I seem to be able to search Google once, but then am unable to use any links without randomly being redirected to apparently benign sites. I also got a warning that my bandwidth usage was extremely high, and that it could be because of a bot or some such.

So far, I have removed several infections with SuperAntiSpyware, run Malwarebytes with no hits, and AVG and Verizon Security with no hits. ComboFix hung during nearly the last process; TSSDKiller (sp?) was unable to run at all, even when renamed and re-extensioned. I get Error Code 0x80070424 in Microsoft Security Essentials while trying to update. Hitman Pro 64 got no hits... And I believe that is the extent of my current troubleshooting. All scans have been tried in safe and normal modes, though I have not tried creating a new user and scanning from there, or removing the drive and scanning it as an external (I can, but with no luck on every scanner I typically use, I'm not sure what exactly I'd even scan it with...)

Also, I cannot boot into the 'repair my computer' console, because it hangs at 'windows is loading files' (with no progress on the status bar underneath at all).

I read somewhere it could be a 'bootkit', which I have not encountered before, but I would love someone(s) else to weigh in on this, because I'm pretty amused after a decade-long winning streak vs. infections!

Thanks in advance, I've read way way more than enough posts here as a lurker to know this was the place to come when I needed an assist.

Cheers,
Jesse



#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 23 November 2012 - 06:37 PM

Download TDSSKiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the log report (the log file should be in your C drive).

Do not change the default options on scan results.

Download aswMBR

Launch it, and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.

Download ESET online scanner

Install it.

Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to desktop, and copy the contents of the text file in your reply.

Edited by narenxp, 23 November 2012 - 09:14 PM.


#3 Rabbix

  • Topic Starter
  • Members
  • 6 posts

Posted 23 November 2012 - 06:50 PM

I will begin that now, thanks a lot for the super-fast reply! I should also have mentioned that I have no issue repeating steps I have already taken, since I know the order can be imperative.

#4 Rabbix

  • Topic Starter
  • Members
  • 6 posts

Posted 23 November 2012 - 09:09 PM

Ok, the first Killer util did find and remove another rootkit, and I had to restart in safe mode with net for the asw to complete, but here are the results!

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-23 18:20:31
-----------------------------
18:20:31.959 OS Version: Windows x64 6.1.7601 Service Pack 1
18:20:31.959 Number of processors: 1 586 0x1601
18:20:31.959 ComputerName: PAT-PC UserName: pat
18:20:35.983 Initialize success
18:21:25.599 AVAST engine defs: 12112302
18:21:37.393 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:21:37.393 Disk 0 Vendor: ST332041 CC46 Size: 305245MB BusType: 3
18:21:37.409 Disk 0 MBR read successfully
18:21:37.409 Disk 0 MBR scan
18:21:37.455 Disk 0 Windows VISTA default MBR code
18:21:37.471 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
18:21:37.502 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 12318 MB offset 81920
18:21:37.549 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 292872 MB offset 25309184
18:21:37.627 Disk 0 scanning C:\Windows\system32\drivers
18:21:58.515 Service scanning
18:22:41.603 Modules scanning
18:22:41.603 Disk 0 trace - called modules:
18:22:41.634 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys
18:22:42.149 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800259c060]
18:22:42.149 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8002205050]
18:22:43.225 AVAST engine scan C:\Windows
18:22:49.590 AVAST engine scan C:\Windows\system32
18:32:04.322 AVAST engine scan C:\Windows\system32\drivers
18:32:28.253 AVAST engine scan C:\Users\pat
18:43:52.389 AVAST engine scan C:\ProgramData
19:25:39.533 Disk 0 MBR has been saved successfully to "C:\Users\pat\Desktop\MBR.dat"
19:25:39.751 The log file has been saved successfully to "C:\Users\pat\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-23 19:27:46
-----------------------------
19:27:46.641 OS Version: Windows x64 6.1.7601 Service Pack 1
19:27:46.641 Number of processors: 1 586 0x1601
19:27:46.641 ComputerName: PAT-PC UserName: pat
19:27:48.778 Initialize success
19:28:00.899 AVAST engine defs: 12112302
19:28:15.126 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:28:15.126 Disk 0 Vendor: ST332041 CC46 Size: 305245MB BusType: 3
19:28:15.142 Disk 0 MBR read successfully
19:28:15.158 Disk 0 MBR scan
19:28:15.158 Disk 0 Windows VISTA default MBR code
19:28:15.158 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
19:28:15.204 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 12318 MB offset 81920
19:28:15.220 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 292872 MB offset 25309184
19:28:15.251 Disk 0 scanning C:\Windows\system32\drivers
19:28:31.491 Service scanning
19:28:58.417 Modules scanning
19:28:58.417 Disk 0 trace - called modules:
19:28:58.448 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:28:58.963 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003289060]
19:28:58.978 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8002339050]
19:29:03.721 AVAST engine scan C:\Windows
19:29:05.499 AVAST engine scan C:\Windows\system32
19:32:36.677 AVAST engine scan C:\Windows\system32\drivers
19:33:03.337 AVAST engine scan C:\Users\pat
19:36:32.315 AVAST engine scan C:\ProgramData
19:57:49.052 Scan finished successfully
20:07:54.396 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
20:07:54.443 The log file has been saved successfully to "E:\aswMBR.txt"
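As an added example (not from the thread and not AVAST's own code), here is a small Python parser for the aswMBR log format posted above. It pulls out the MBR code status, the partition table and whether the scan actually finished, then applies the sanity checks a responder would run before reading anything into the output. The embedded sample is a constructed excerpt in the same format as the posted logs, and the 2048-sectors-per-MB unit is an assumption inferred from the posted offsets.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the format of the aswMBR logs posted in this thread
# (same disk, MBR and partition lines); not the full log.
SAMPLE_LOG = """\
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-23 19:27:46
-----------------------------
19:28:15.126 Disk 0 Vendor: ST332041 CC46 Size: 305245MB BusType: 3
19:28:15.142 Disk 0 MBR read successfully
19:28:15.158 Disk 0 MBR scan
19:28:15.158 Disk 0 Windows VISTA default MBR code
19:28:15.158 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
19:28:15.204 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 12318 MB offset 81920
19:28:15.220 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 292872 MB offset 25309184
19:57:49.052 Scan finished successfully
"""

# Unit inferred from the posted offsets (an assumption, checked by the test): partition 2
# starts at sector 81920 and is 12318 "MB" long; 81920 + 12318 * 2048 = 25309184 is
# exactly where partition 3 starts, so one log MB is 2048 sectors of 512 bytes.
SECTORS_PER_MB = 2048

TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")
DISK_SIZE_RE = re.compile(r"Size: (?P<mb>\d+)MB")
PARTITION_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<index>\d+) (?P<boot>[0-9A-F]{2}) (?:\(A\) )?"
    r"(?P<type>[0-9A-F]{2}) .*? (?P<size>\d+) MB offset (?P<offset>\d+)$"
)


@dataclass
class Partition:
    index: int
    active: bool            # boot indicator byte 0x80 (aswMBR prints "(A)")
    type_code: str          # partition type byte: 07 = NTFS, DE = Dell Utility
    size_mb: int
    offset_sectors: int

    @property
    def end_sector(self) -> int:
        return self.offset_sectors + self.size_mb * SECTORS_PER_MB


@dataclass
class MbrReport:
    mbr_code: Optional[str] = None       # e.g. "Windows VISTA default MBR code"
    disk_size_mb: Optional[int] = None
    partitions: List[Partition] = field(default_factory=list)
    scan_completed: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def unallocated_tail_mb(self) -> Optional[int]:
        """Space after the last partition, in log MB (informational only)."""
        if self.disk_size_mb is None or not self.partitions:
            return None
        last_end = max(p.end_sector for p in self.partitions)
        return (self.disk_size_mb * SECTORS_PER_MB - last_end) // SECTORS_PER_MB


def parse_aswmbr_log(text: str) -> MbrReport:
    report = MbrReport()
    for raw in text.splitlines():
        body = TIMESTAMP_RE.sub("", raw).strip()
        if m := PARTITION_RE.match(body):
            report.partitions.append(Partition(
                index=int(m["index"]), active=(m["boot"] == "80"),
                type_code=m["type"], size_mb=int(m["size"]),
                offset_sectors=int(m["offset"])))
        elif m := DISK_SIZE_RE.search(body):
            report.disk_size_mb = int(m["mb"])
        elif body.startswith("Disk ") and body.endswith("MBR code"):
            report.mbr_code = body.split(" ", 2)[2]       # drop the "Disk N" prefix
        elif body == "Scan finished successfully":
            report.scan_completed = True
    report.findings = assess(report)
    return report


def assess(r: MbrReport) -> List[str]:
    """Checks to apply before reading anything into an aswMBR log."""
    findings = []
    if not r.scan_completed:
        findings.append("scan did not finish: no 'Scan finished successfully' line, rerun it")
    if r.mbr_code is None:
        findings.append("no MBR code line found")
    elif "default MBR code" not in r.mbr_code:
        findings.append(f"MBR code not reported as default: {r.mbr_code}")
    active = [p.index for p in r.partitions if p.active]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {active}")
    ordered = sorted(r.partitions, key=lambda p: p.offset_sectors)
    for a, b in zip(ordered, ordered[1:]):
        if b.offset_sectors < a.end_sector:
            findings.append(f"partition {a.index} overlaps partition {b.index}")
    return findings


if __name__ == "__main__":
    rep = parse_aswmbr_log(SAMPLE_LOG)
    print(rep.mbr_code, rep.findings, rep.unallocated_tail_mb)
```

Run against the two logs posted above, the first has no "Scan finished successfully" line and is reported as incomplete, which matches the note that the tool had to be rerun in safe mode before it completed; the second completes, reports the stock bootstrap code and a single active partition, and leaves about 15 MB of unallocated space after the last partition, which on its own is not a finding.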

#5 Rabbix

  • Topic Starter
  • Members
  • 6 posts

Posted 24 November 2012 - 09:58 AM

Eset.txt:

C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmasco.Y trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmasco.O trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmasco.AB trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmasco.AA trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0011.dta Win32/Olmasco.Q trojan cleaned by deleting - quarantined
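As an added example (not from the thread and not ESET's code), this Python snippet parses export lines in the format above and separates re-detections of files already sitting in a TDSSKiller quarantine folder from hits on files still present on the live system. The sample embeds the five lines posted here plus one constructed line with a placeholder path and family name.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Sample export: the five lines posted above, plus one constructed line for a file
# outside any quarantine folder (placeholder path and family, not a real detection).
SAMPLE_ESET = r"""
C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmasco.Y trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmasco.O trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmasco.AB trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmasco.AA trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\tsk0011.dta Win32/Olmasco.Q trojan cleaned by deleting - quarantined
C:\Users\example\AppData\Local\Temp\sample.tmp Win32/ExampleFamily.A trojan cleaned by deleting - quarantined
"""

# "<path> <Platform>/<Family>.<Variant> <kind> <action>"; the path is matched lazily so
# that paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<platform>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9_]+)"
    r"\.(?P<variant>[A-Za-z0-9]+) (?P<kind>\S+) (?P<action>.+)$"
)
# TDSSKiller keeps what it removed under C:\TDSSKiller_Quarantine\<date_time>\...
QUARANTINE_RE = re.compile(
    r"\\TDSSKiller_Quarantine\\(?P<stamp>[\d.]+_[\d.]+)\\", re.IGNORECASE
)


@dataclass
class Detection:
    path: str
    platform: str                    # Win32 / Win64
    family: str                      # e.g. Olmasco
    variant: str
    kind: str                        # trojan, ...
    action: str
    quarantine_stamp: Optional[str]  # set when the file sits in a TDSSKiller quarantine folder


def parse_eset_export(text: str) -> List[Detection]:
    detections = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        q = QUARANTINE_RE.search(m["path"])
        detections.append(Detection(
            path=m["path"], platform=m["platform"], family=m["family"],
            variant=m["variant"], kind=m["kind"], action=m["action"],
            quarantine_stamp=q["stamp"] if q else None))
    return detections


def summarize(detections: List[Detection]) -> Dict[str, Any]:
    """Split hits on the live file system from re-detections of files another
    tool had already quarantined; the latter need no further cleanup."""
    return {
        "total": len(detections),
        "families": dict(Counter(d.family for d in detections)),
        "platforms": dict(Counter(d.platform for d in detections)),
        "already_quarantined": sum(1 for d in detections if d.quarantine_stamp),
        "quarantine_runs": sorted({d.quarantine_stamp for d in detections if d.quarantine_stamp}),
        "live": [d.path for d in detections if d.quarantine_stamp is None],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_eset_export(SAMPLE_ESET)).items():
        print(f"{key}: {value}")
```

All five posted detections sit under C:\TDSSKiller_Quarantine\23.11.2012_17.58.28\mbr0000\tdlfs0000\, which appears to be the content TDSSKiller pulled out of the hidden TDLFS file system during the run that found the rootkit, so ESET is flagging quarantined copies rather than files still in use; that is why the helper's next question is still the TDSSKiller log itself.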

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 24 November 2012 - 01:34 PM

I still need the TDSSKiller log.


Download Malwarebytes

Install, update and run a full scan.

Click on Show results. Right-click on the list, select all and remove them.

Post the generated log here.

Download MiniToolBox

Checkmark the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List restore points

Click Go and post the result.

Download Farbar Service Scanner

Checkmark all the boxes.

Click on "Scan".
Please copy and paste the log to your reply.

Download AdwCleaner

Launch it and click on Delete.

A log should be generated after the scan; post it here.

Download Junkware Removal Tool

For Vista and Windows 7, right-click on the tool and select Run as administrator.

After the scan gets completed, post the generated log here.
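Of the boxes listed above, "List content of Hosts" and the proxy-settings reports are the ones that bear directly on the redirect symptom in the opening post. As an added example (not from the thread, and not MiniToolBox's code), here is a Python reading of hosts-file content that separates ordinary loopback and blocking entries from entries that send a name to some other host. The sample file is constructed; 198.51.100.7 is an RFC 5737 documentation-range address used as a placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed hosts-file content (not from the thread): comment header, the usual
# loopback entries, an ad-blocking entry, and one constructed redirect that sends a
# public site to a documentation-range address (198.51.100.0/24, RFC 5737).
SAMPLE_HOSTS = """\
# constructed sample hosts file
# lines starting with '#' are comments
#
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # blocking entry: resolves to nothing
198.51.100.7    www.example.com  example.com
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: '<address> <name> [<name>...]', '#' starts a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                      # address with no names: nothing to resolve
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not an IP address; skip rather than guess
        entries.append(HostsEntry(line_no, fields[0], fields[1:]))
    return entries


def redirect_entries(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that point a name at a real host rather than at the local machine.

    Loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) addresses are the normal
    way a hosts file blocks or localises a name; any other address routes the name to
    an actual host. Such entries can be legitimate (a LAN server an admin added), so
    this reports them for review rather than deciding for you."""
    flagged = []
    for entry in entries:
        ip = ipaddress.ip_address(entry.address)
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in redirect_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {e.line_no}: {e.address} -> {', '.join(e.hostnames)}")
```

On a Windows machine the file to feed in is C:\Windows\System32\drivers\etc\hosts; a file that contains nothing but loopback and 0.0.0.0 entries cannot be the source of the redirects, which then points at DNS settings, the proxy settings the other checkboxes report, or something hooking the browser instead.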



