Thread: Virtumonde-New Thread-As Per request

  1. #1
    Member
    Join Date
    Nov 2009
    Posts
    70

    Password Required

    Hi Blade,
    Sorry for the delay in getting back to you. I had Sunday morning activities to attend. I did include you and my infected computer in my prayers.

    I tried the passwords: "Administrator, administrator, Admin, & admin".
    All invalid!

    Do you think the second set of ERDNT commands...
    cd erdnt\hiv-backup
    batch erdnt.con
    exit

    ...might have set an administrator password? The password request appeared just after running these commands???

    Or perhaps, the infection (after a set period of time or actions) took admin control? I'm just guessing here.

    I do remember that way back in this process... before running any of the initial ERUNT or HJT scans... when I could still boot to Windows XP SAFE mode... I was once asked... while starting up to SAFE MODE... "What user account to log on to": The choices were: ADMINISTRATOR or Tom McNeal (my name). This surprised me back then because I had never set up any Administrator Account or Passwords on this machine. At that time I did try choosing Administrator and when prompted for a password... I simply pressed enter. This was invalid and so I next selected my name as the User account and booted to safe mode.

    I'm sure I have the Windows XP CD (that came with this computer from DELL) but I will have to do some digging to find it. Does your question mean we will need to re-format the hard drive and re-install XP??? Or, do you have other ideas to try with the XP CD?

    I look forward to your reply.
    Tom

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi Tom,

    Quote Originally Posted by TomZT View Post
    Do you think the second set of ERDNT commands...
    cd erdnt\hiv-backup
    batch erdnt.con
    exit
    ...might have set an administrator password? The password request appeared just after running these commands???
    That's something I was wondering too. But both this and the backup we restored earlier should be similar ones.

    Quote Originally Posted by TomZT View Post
    I'm sure I have the Windows XP CD (that came with this computer from DELL) but I will have to do some digging to find it. Does your question mean we will need to re-format the hard drive and re-install XP??? Or, do you have other ideas to try with the XP CD?
    I was thinking about running the Recovery Console from XP Professional media. It might be possible to run it that way without a password prompt.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Member
    Join Date
    Nov 2009
    Posts
    70

    Win XP CD

    I am chatting now with DELL support about getting a WIN XP PRO replacement CD in case I cannot find the one that came with the computer.

  4. #4
    Member
    Join Date
    Nov 2009
    Posts
    70

    XP CD

    Quote Originally Posted by Blade81 View Post
    That's something I was wondering too. But both this and the backup we restored earlier should be similar ones.

    The first ERUNT backup copied 9 files before returning to the prompt for EXIT.

    The second time 10 files were copied before the prompt for EXIT.

    Maybe there was an administrator entry in the 10th file copied.

    Quote Originally Posted by Blade81 View Post
    I was thinking about running recovery console from XP Professional media. It might be possible to run that way without password prompt.

    Would this need to be the same XP CD that came with this particular machine? Or will any Win XP Pro CD work for this?

  5. #5
    Member
    Join Date
    Nov 2009
    Posts
    70

    Update

    Hi Blade,

    I have found my original Dell licensed Windows XP Pro Reinstall CD but I am not sure if this will help us if we can't get into the Recovery Console anyway without entering a correct Administrator Password.

    Another problem might be that the original Dell XP install CD is XP Pro SP1. SP2 and then SP3 were later installed on the problem machine via Microsoft Updates. I remember reading in the ComboFix Instructions that it would install different versions of the Restore Console depending on whether it found SP1 or SP2 / SP3 on the machine.

    I do have another newer Dell machine and also found the XP Pro SP3 install CD for that machine too. But even so, don't you think we'll still have the same problem getting to the Recovery Console command prompt without the correct Administrator password? I should also note that this newer Dell machine uses the NTFS file system whereas I think the problem machine uses the FAT32 file system. I don't know if this would cause a problem?

    I do have another theory but cannot check it out until I can get into the Recovery Console or get to a command prompt some other way. Perhaps a bootable CD? I'm thinking I may have specified a folder other than C:\Windows\erdnt for my ERUNT Registry backup. I think I may have specified C:\Windows\erdnt_A instead, thinking I may wish to create another backup later in C:\Windows\erdnt_B. But I can't remember for sure if I did this or not and cannot check without getting back into the Recovery Console. If I did save my backup in C:\Windows\erdnt_A, and ran the restore mistakenly from C:\Windows\erdnt, could this have created the password problem I'm having now?

    I've re-read the ERUNT instructions and emailed Lars Hederer to ask if he might know what's going on. I will let you know what he thinks if and when he replies.

    Any ideas or suggestions you may have will be much appreciated.
    Tom

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Quote Originally Posted by TomZT View Post
    I do have another newer Dell machine and also found the XP Pro SP3 install CD for that machine too.
    That CD can be used, assuming it's a real install CD and not just for recovering.

    1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
    2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    3. If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.

    See if that lets you access the command prompt of the Recovery Console. If yes, try these commands here to check the requested things.

  7. #7
    Member
    Join Date
    Nov 2009
    Posts
    70


    Blade said...
    That cd can be used assuming it's real install cd and not just for recovering.
    1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

    This CD is labeled "Reinstallation CD, MS Windows XP Professional, SP3"
    "This software is already installed on your computer. Use this media only to reinstall the operating system on a Dell computer."

    Blade said...
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

    I think I may have to do this first, i.e. hit F2 when first starting to enter the Dell System Setup. Then set up the boot priority making the CD #1 instead of the floppy. Then restart the machine with the CD in the machine. Do you agree?

    Tom

  8. #8
    Member
    Join Date
    Nov 2009
    Posts
    70

    What do you think?

    And...
    Quote Originally Posted by TomZT View Post
    Hi Blade,

    I do have another theory but cannot check it out until I can get into the Recovery Console or get to a command prompt some other way. Perhaps a Bootable CD? I'm thinking I may have specified a folder other than C:\Windows\erdnt for my ERUNT Registry backup. I think I may have specified c:\Windows\erdnt_A instead; thinking I may wish to create another backup later in C:\Windows\erdnt_B. But I can't remember for sure if I did this or not and cannot check without getting back in to the Recovery Console. If I did save my backup in C:\Windows\erdnt_A, and ran the restore mistakenly from C:\Windows\erdnt, could this have created the Password problem I'm having now?
    Any thoughts on this???

  9. #9
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Good to hear that you got the media created.

    Quote Originally Posted by TomZT View Post
    I also verified what I think probably caused the problem we had when we tried the ERUNT restore. As I mentioned in a previous post, I did in fact save my original ERUNT registry backup in a subfolder named 11_17_09_A, thinking I may want to try another backup later that day and save it in a folder like 11_17_09_B. So when we restored from C:\Windows\erdnt\subs and then on the second try C:\Windows\erdnt\hiv-subs, we probably restored something other than my backup. I'm guessing we may have restored an ERUNT sample registry (with an Administrator Password) which normally would have been overwritten by my own backup had I put it in the right folder. Does this make sense?
    It's probably the correct one. Anyway, we may give one of those another try if needed.

    Quote Originally Posted by TomZT View Post
    Can you explain why, when we first started out, we didn't begin by doing a regular Windows System Restore to a point prior to the date of infection?
    We didn't restore to an older point cos those seldom work. Usually the infection has rendered them useless and the symptoms won't disappear.


    Now that you have access to the hard drive contents, could you check the c:\qoobox\quarantine\c\windows\system32\drivers folder to see if there's a pciide.sys.vir file there?
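The restore problem discussed in posts #5 and #9 came from running ERDNT against a folder other than the one the backup was actually written to. The following is an added example, not code from the thread or from ERUNT: it inventories every candidate restore folder under a root (any folder holding an ERDNT.CON), orders them by age and reports which registry hives each one contains, so the restore is pointed at the right one. The directory layout and the hive file names are assumptions, and the sample tree is constructed inside the script.

```python
"""Inventory ERUNT registry backup folders before restoring one (added example,
not code from the thread or from ERUNT). A folder is treated as a restore point
when it contains ERDNT.CON; hive names and the sample tree are assumptions."""
import os
import tempfile
import time

# Hives an ERUNT system-registry backup is expected to hold (assumption).
EXPECTED_HIVES = {"system", "software", "sam", "security", "default"}

def find_erunt_backups(root):
    """Return a dict for every folder under root holding ERDNT.CON, newest first."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        con = next((f for f in files if f.lower() == "erdnt.con"), None)
        if con is None:
            continue
        names = {f.lower() for f in files}
        found.append({
            "path": dirpath,
            "mtime": os.path.getmtime(os.path.join(dirpath, con)),
            "file_count": len(files),
            "hives": names & EXPECTED_HIVES,
        })
    return sorted(found, key=lambda b: b["mtime"], reverse=True)

def missing_hives(backup):
    """Hives a restore from this folder would leave untouched."""
    return EXPECTED_HIVES - backup["hives"]

def build_sample_tree():
    """Constructed sample: a week-old partial set under erdnt\\hiv-backup and
    the complete backup the user actually made in erdnt_A."""
    root = tempfile.mkdtemp()
    stale = os.path.join(root, "Windows", "erdnt", "hiv-backup")
    real = os.path.join(root, "Windows", "erdnt_A")
    os.makedirs(stale)
    os.makedirs(real)
    for name in ["erdnt.con", "erdnt.exe", "system", "software"]:
        open(os.path.join(stale, name), "w").close()
    for name in ["erdnt.con", "erdnt.exe", "erdnt.inf", *sorted(EXPECTED_HIVES)]:
        open(os.path.join(real, name), "w").close()
    old = time.time() - 7 * 86400
    os.utime(os.path.join(stale, "erdnt.con"), (old, old))
    return root

if __name__ == "__main__":
    for b in find_erunt_backups(build_sample_tree()):
        print(time.ctime(b["mtime"]), b["path"], "missing:", sorted(missing_hives(b)) or "none")
```

Run against a real drive, point `find_erunt_backups` at the Windows folder of the affected system and restore only from a listed folder whose date matches the backup you made and whose missing-hive set is empty.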

  10. #10
    Member
    Join Date
    Nov 2009
    Posts
    70

    vir files

    Hi Blade,

    Yep! I checked that folder for the file (pciide.sys.vir) and it is there.

    There is also another file there too (fad.sys.vir).
