Win Vista x64 Infection

ComboFix still running

I rebooted into Safe Mode and ran ComboFix. It ran for a while, then rebooted the machine (which takes several hours). The machine has rebooted and I have logged in. ComboFix launched and currently says "Creating Logs. Do not start any applications until ComboFix finishes."

I wanted to reply to keep this thread alive.

--Andy
 
Good Morning Andy,

Don't worry, I will keep this thread open for you.

Not sure what's going on with it taking so long for your computer to boot up, that's not normal. Let's see if ComboFix completes and go from there.
 
ComboFix Hung

It appears that after 12 plus hours of not completing, ComboFix is hung. It did run in safe mode, but once it rebooted the machine and it came back up in standard mode, it claimed to be writing logs, but there are none and the app never seemed to progress.

Next Steps?

I certainly appreciate your assistance on this.

Thanks
--Andy
 
Good Morning Andy,

Did ComboFix leave any sort of log? It will be on your C: drive here: C:\ComboFix.txt


Let's try one more program.

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
 
Strange result

ComboFix did create a file on the root of the C: drive, but it is not a log. The file (C:\ComboFix) has the same icon as "My Computer" and when I click on it, it displays the contents of my computer. When I looked at the properties it shows that the file is 15 MB or so, which is strange given that there are 235 GB or so of data stored on the C:\ drive alone.

I do have the Folder permission set to not hide extensions, and this file has no extension. Adding an extension of ".txt" had no effect on the function of the file when double clicked.

I attempted to copy the file to another directory on the machine. The copy showed up as a file folder, and when I opened it, it displayed the contents of the folder which contained it.

It is also strange that when I navigate to the root of C:\ in the CLI and enter a DIR command, there is no listing for a C:\ComboFix.

What should I try next?

--Andy
 
Downloaded TDSSKiller from Kaspersky and ran it -- it appears to have hung several hours later. Here is the log:

06:48:39.0522 9264 TDSS rootkit removing tool 2.7.9.0 Feb 1 2012 09:28:49
06:48:40.0041 9264 ============================================================
06:48:40.0041 9264 Current date / time: 2012/02/06 06:48:40.0041
06:48:40.0041 9264 SystemInfo:
06:48:40.0041 9264
06:48:40.0041 9264 OS Version: 6.0.6002 ServicePack: 2.0
06:48:40.0041 9264 Product type: Workstation
06:48:40.0042 9264 ComputerName: ANDY-PC
06:48:40.0042 9264 UserName: Andy
06:48:40.0042 9264 Windows directory: C:\Windows
06:48:40.0042 9264 System windows directory: C:\Windows
06:48:40.0042 9264 Running under WOW64
06:48:40.0042 9264 Processor architecture: Intel x64
06:48:40.0042 9264 Number of processors: 4
06:48:40.0042 9264 Page size: 0x1000
06:48:40.0042 9264 Boot type: Normal boot
06:48:40.0042 9264 ============================================================
06:50:48.0461 9264 Drive \Device\Harddisk0\DR0 - Size: 0x7471100000 (465.77 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
06:50:48.0670 9264 Drive \Device\Harddisk1\DR1 - Size: 0x2F7B100000 (189.92 Gb), SectorSize: 0x200, Cylinders: 0x60D8, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
06:50:48.0693 9264 \Device\Harddisk0\DR0:
06:50:48.0693 9264 MBR used
06:50:48.0694 9264 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A387800
06:50:48.0694 9264 \Device\Harddisk1\DR1:
06:50:48.0694 9264 MBR used
06:50:48.0694 9264 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x17BD5299
06:50:50.0963 9264 Initialize success
06:50:50.0963 9264 ============================================================
06:50:56.0697 3932 ============================================================
06:50:56.0697 3932 Scan started
06:50:56.0697 3932 Mode: Manual;
06:50:56.0697 3932 ============================================================
 
Yep, that's not the entire log.

Nothing appears to be running correctly, scans are aborting prior to completion.

Let's check your Master Boot Record. You will need to use Firefox for the downloads as IE is messing with them and downloading them incorrectly. You will also need a USB thumb drive; it doesn't have to be large or expensive, just a small one will do. What this will do is create an offline dump of your Master Boot Record and we can look at it and see if it's infected and causing you all this grief.



  1. xPUD

    We will need a USB stick and access to an uninfected machine.

    We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:
    • Insert your USB drive into the uninfected machine.
    • Click on Start > My Computer > right click your USB drive > choose Format > Quick format.

    Next
    • Download both http://sourceforge.net/projects/une...stom/unetbootin-xpud-windows-387.exe/download and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of the uninfected machine.
    • Make sure you have the formatted USB stick in the uninfected system.
    • Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
    • Press Run and then OK.
    • Select the DiskImage option then click the browse button located on the right side of the textbox field.
    • Browse to and select the xpud-0.9.2.iso file you downloaded.
    • Verify the correct drive letter is selected for your USB device then click OK.
    • It will install a little bootable OS on your USB device
    • After it has completed do not choose to reboot the clean computer, simply close the installer.

    Next
    • Take the USB to the infected computer and boot with it.
    • The computer must be set to boot from the USB (as soon as BIOS is loaded tap F12 and choose to boot from the USB drive).
    • A Welcome to xPUD screen will appear.
    • Press File.
    • Expand mnt.
    • sda1,2...usually corresponds to your HDD.
    • sdb1 is likely your USB drive.
    • Click on the folder that represents your USB drive (sdb1 ?).
    • Confirm that you see dumpit that you downloaded there.
    • Double click on dumpit.
    • Once completed, a file called mbr.zip will be saved to the USB drive.
    • Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.


    If you encounter any difficulties just let me know.
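Once mbr.zip is back on the clean machine, the question the helper asks of it is whether the dump shows a hidden partition or boot code that no longer belongs to Windows. The following is an added example, not code from the thread, from dumpit or from xPUD. It assumes the dump is (or can be extracted to) the raw 512-byte first sector of the disk, and it parses the partition table the way a first-pass triage would: verify the 0x55AA signature, list the four entries, flag hidden partition types and an odd active flag, report sectors no partition claims, and hash the 440 bytes of boot code so it can be compared against a known-good MBR from a healthy Vista install. The two sample MBRs are constructed here; the "clean" one reuses the geometry the TDSSKiller log earlier in the thread reports (one NTFS partition, StartLBA 0x800, BlocksNum 0x3A387800 on a 0x7471100000-byte disk), while the "suspect" one is a made-up variant with a small hidden partition parked in the tail of the disk.

```python
"""Triage a raw MBR sector dump for signs of a bootkit-style modification."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # 440 bytes boot code + 4-byte disk signature + 2 reserved
ENTRY_SIZE = 16
# Partition types the running OS normally does not mount. 0x27 is also what
# Windows uses for its own hidden recovery partition, so a hit there needs a
# second look rather than an automatic verdict.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}


def parse_mbr(mbr, disk_sectors=None):
    """Return a report dict; 'findings' lists what an analyst should review."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need one 512-byte sector, got %d bytes" % len(mbr))
    findings = []
    signature_ok = mbr[510:512] == b"\x55\xaa"
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue                      # empty slot
        p = {"index": i, "active": status == 0x80, "type": ptype,
             "start_lba": start, "sectors": count, "end_lba": start + count}
        partitions.append(p)
        if status not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02X" % (i, status))
        if ptype in HIDDEN_TYPES:
            findings.append("entry %d: hidden partition type 0x%02X at LBA %d" % (i, ptype, start))
        if disk_sectors is not None and start + count > disk_sectors:
            findings.append("entry %d: extends past end of disk" % i)
    active = [p["index"] for p in partitions if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    elif partitions[active[0] if active[0] < len(partitions) else 0]["type"] in HIDDEN_TYPES \
            and any(p["index"] == active[0] and p["type"] in HIDDEN_TYPES for p in partitions):
        findings.append("active (boot) partition has a hidden type")
    # Sectors no partition claims: the classic place to park a bootkit's code.
    unallocated = []
    cursor = 1                            # sector 0 is the MBR itself
    for p in sorted(partitions, key=lambda p: p["start_lba"]):
        if p["start_lba"] < cursor:
            findings.append("entry %d: overlaps an earlier partition" % p["index"])
        elif p["start_lba"] > cursor:
            unallocated.append((cursor, p["start_lba"] - cursor))
        cursor = max(cursor, p["end_lba"])
    if disk_sectors is not None and disk_sectors > cursor:
        unallocated.append((cursor, disk_sectors - cursor))
    return {"signature_ok": signature_ok,
            "bootcode_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
            "partitions": partitions, "active": active,
            "unallocated": unallocated, "findings": findings}


def build_mbr(entries, bootcode=b"", signature=b"\x55\xaa"):
    """Assemble a 512-byte MBR from (status, type, start_lba, sectors) tuples (sample data only)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(bootcode)] = bootcode
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, start, count)
    mbr[510:512] = signature
    return bytes(mbr)


# Constructed samples. Geometry of the clean one follows the TDSSKiller log in the thread.
DISK_SECTORS = 0x7471100000 // SECTOR_SIZE            # 0x3A388800 sectors
CLEAN_MBR = build_mbr([(0x80, 0x07, 0x800, 0x3A387800)])
# Hypothetical bad case: hidden partition in the disk tail with the active flag moved onto it.
SUSPECT_MBR = build_mbr([(0x00, 0x07, 0x800, 0x3A387800),
                         (0x80, 0x1B, 0x3A388000, 0x400)])

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # python mbrcheck.py mbr.bin [disk_sectors]
        with open(sys.argv[1], "rb") as f:
            data = f.read(SECTOR_SIZE)
        size = int(sys.argv[2], 0) if len(sys.argv) > 2 else None
        report = parse_mbr(data, size)
    else:
        report = parse_mbr(SUSPECT_MBR, DISK_SECTORS)
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

Two small leading and trailing unallocated ranges (0x7FF sectors before the first partition, 0x800 after it) are normal Vista alignment slack and are reported, not flagged; what matters is an active or hidden-type entry sitting in that slack, or boot code whose hash does not match the MBR of a known-good install of the same Windows version.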
 
Hmmmmmm...

I followed your instructions exactly and the computer would not boot. After the BIOS screen it gave me "Boot error". I tried another thumb drive and had exactly the same result. I tried downloading the files using Chrome and had exactly the same result.

I then burned the ISO to a cd and left dumpit on the thumb drive and booted from the CD. I was able to run dumpit and mbr.zip is attached.

FWIW, there is a logical drive (RAID array) and a separate physical drive in this machine. It boots from the RAID array, which I believe was not mounted. I would have expected it to mount as sdd1 with the separate drive mounting as sdd2, but I believe the separate drive is mounted as sdd1.

--Andy
 
Good Morning,

What I was looking for was a hidden infected partition in your dump and I don't see one. Why do you use RAID?
 
RAID et al.

I use RAID 5 for a couple of reasons; first for performance and second for reliability.

I am currently booted with the Vista install disk running chkdsk c: /f /r. Depending on the results of that I may also attempt to repair or replace the MBR unless you think that would be a bad idea.

I have also downloaded Kaspersky's Rescue Disk ISO which supposedly supports RAID configs. Once chkdsk is done, and assuming that Kaspersky will load and recognize the RAID, I'll try running dumpit again including the RAID array (C: drive) and get the results to you.

--Andy
 
At this point I would not attempt to replace the MBR. I have some other people looking in, so if you could get me the dump file that would be great.
 
Things are getting worse

So I was able to boot with my Vista disk and run chkdsk /r /f. Several issues were reported and fixed. Kaspersky Rescue Disk loaded but hung attempting to mount the RAID array. I rebooted into Windows and now there is a message in the lower right corner of the screen:

Windows Vista (TM)
Build 6002
This copy of Windows is not genuine


I am quite certain that it is a genuine copy of Windows as I purchased the disk from a reputable reseller (in person) and have been running it for years without ever seeing this message. I assume this to be the result of the infection and am beginning to wonder if I would be better off reformatting and starting over. I have good backups of all data that I can restore (once I have scanned for viruses).

My preference would be to clean the infection, as I am not 100% confident I can restore the entire backup (I have restored a few files here and there to verify that I could, but I've never attempted a restore of this scale with my Win Home Server before). Do you have any more ideas for me or should we throw in the towel?

I do appreciate all the time you've put into trying to help me.

Thanks
--Andy
 
Andy, go ahead and give TDSSKiller another shot and see if it will run. When we're done I can link you to a Windows forum that can help you with the error message related to Windows.

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
 
Win Vista repair disk

The machine is currently booted using the Vista install disk (Repair option). Is there a way to run TDSSKiller from there, or do I need to reboot the machine using the installed OS?

--Andy
 
Still waiting for system boot up

So, I'm still waiting for the system to boot up. It took nearly 24 hours to get a logon screen and now has taken nearly 24 hours and my desktop is not fully drawn. I'm able to get a cmd prompt by opening up Task Manager. I can navigate the disks from the cmd prompt, but am unable to unzip TDSSKiller.

I tried unzipping on another machine and transferring the file with a thumb drive, but the thumb drive has not been recognized by the infected machine yet, and is not mounted so I cannot reach it via the cmd prompt.

What next?
--Andy
 
Let's give this a shot

Download this to your C:\ drive
http://noahdfear.net/downloads/beta/up-ntfs-3g

up-ntfs-3g is self-extracting. It must be run from the root of any drive. Upon execution it will unmount any mounted NTFS partitions, update the ntfs-3g driver, then remount the NTFS drives at their original location. It will then try to locate a Sirefef-created junction (currently using the naming convention $NtUninstallKB*****$) in the Windows directory. If found, it will attempt to locate a Windows user account Recycle Bin folder and move the rogue to that location; in Windows, this is the equivalent of deleting the junction. If successful, the junction will no longer be present back in normal mode, not even in the Recycle Bin.
 
Could not run--

Thanks for all your help so far--

Before running up-ntfs-3g I was able to get a copy of TDSSKiller onto my machine. I did this by extracting it, copying the file to a website I manage, then downloading the unzipped version. It ran exactly the same as the previous attempt and left an almost identical log as before (dates and version were changed).

It took a while and some gyrations to get up-ntfs-3g to the root of C:\ --
--First, due to permissions, IE would not save the file to the root of C:\
--IE would only save it as a .txt file
--I used the cmd prompt to rename it to up-ntfs-3g.exe
--I attempted to xcopy it to the root of C:\ with no luck (permission denied, even though I am logged in as administrator)
--I fought with the system to get a CMD prompt in elevated mode
--I xcopied up-ntfs-3g.exe to the root of C:\
--When I ran it (from the elevated cmd prompt) I got the following error:

Unsupported 16-Bit Application
The program or feature "\??\C:\up-ntfs-3g.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.

FYI, at this point my system is extremely unstable and barely running.

For what it is worth, my C:\ drive is the previously discussed RAID array, but I also have another stand-alone drive in the machine that contains some very old files that typically mounts as the "O:\" drive. While I am able to freely navigate the C:\ drive via the cmd prompt, every time I type "O:\" into the cmd prompt it hangs -- it doesn't report that there is no O:\ drive as it would if I typed "Z:\" (there is no Z:\ drive on this machine). Apparently the O:\ drive is only partially mounted.

What do you suggest as a next step?

--Andy
 
Andy,

> I used the cmd prompt to rename it to up-ntfs-3g.exe

Did you rename it back? .exe won't work. Try redownloading it again with Firefox and save it, without renaming it, to the root of your C:\ drive.


Not sure at this point if your problems are malware or hardware related.
 