[Closed] Unidentified, serious MBR/rootkitting

Status
Not open for further replies.
TDSSKiller seems to find the same thing that aswMBR does ( \Device\Harddisk0\DR0 ( TDSS File System ) ) but does not give me a "Cure" option, so I'm forced to skip. The rest all seem like regular old unsigned drivers, not anything malware-associated that I can recognize. The full log is attached.



Ran a new aswMBR scan while I was in there as well:


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-23 00:43:50
-----------------------------
00:43:50.359 OS Version: Windows 5.1.2600 Service Pack 3
00:43:50.359 Number of processors: 2 586 0xF0D
00:43:50.359 ComputerName: HL111008 UserName: Kristine
00:43:50.640 Initialize success
00:45:31.671 AVAST engine defs: 12072201
00:46:01.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
00:46:01.796 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
00:46:01.828 Disk 0 MBR read successfully
00:46:01.828 Disk 0 MBR scan
00:46:01.875 Disk 0 Windows XP default MBR code
00:46:01.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
00:46:01.937 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
00:46:01.953 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
00:46:01.968 Disk 0 Partition 3 **INFECTED** MBR:SST [Rtk]
00:46:02.015 Disk 0 scanning sectors +312581792
00:46:03.484 Disk 0 scanning C:\WINDOWS\system32\drivers
00:46:13.218 Service scanning
00:46:32.640 Modules scanning
00:46:38.359 Disk 0 trace - called modules:
00:46:38.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:46:38.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87375ab8]
00:46:38.515 3 CLASSPNP.SYS[f774cfd7] -> nt!IofCallDriver -> \Device\00000063[0x873ca9e8]
00:46:38.546 5 ACPI.sys[f76c3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x87378d98]
00:46:38.921 AVAST engine scan C:\WINDOWS
00:47:03.859 AVAST engine scan C:\WINDOWS\system32
00:49:16.906 AVAST engine scan C:\WINDOWS\system32\drivers
00:49:37.046 AVAST engine scan C:\Documents and Settings\kristine
00:51:51.234 File: C:\Documents and Settings\kristine\Local Settings\Temp\34acf1a4-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
00:51:51.359 File: C:\Documents and Settings\kristine\Local Settings\Temp\35ad8ae8-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
00:51:51.531 File: C:\Documents and Settings\kristine\Local Settings\Temp\7ea807b2-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
00:52:29.156 AVAST engine scan C:\Documents and Settings\All Users
00:53:11.328 Scan finished successfully
00:53:19.890 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
00:53:19.937 The log file has been saved successfully to "C:\download\aswMBR.txt"
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-25 18:19:57
-----------------------------
18:19:57.781 OS Version: Windows 5.1.2600 Service Pack 3
18:19:57.781 Number of processors: 2 586 0xF0D
18:19:57.781 ComputerName: HL111008 UserName: Kristine
18:19:58.359 Initialize success
18:21:56.500 AVAST engine defs: 12072500
18:22:17.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
18:22:17.125 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
18:22:17.140 Disk 0 MBR read successfully
18:22:17.156 Disk 0 MBR scan
18:22:17.203 Disk 0 Windows XP default MBR code
18:22:17.234 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
18:22:17.250 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
18:22:17.296 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
18:22:17.312 Disk 0 Partition 3 **INFECTED** MBR:SST [Rtk]
18:22:17.343 Disk 0 scanning sectors +312581792
18:22:18.781 Disk 0 scanning C:\WINDOWS\system32\drivers
18:22:29.578 Service scanning
18:22:51.093 Modules scanning
18:22:53.859 Disk 0 trace - called modules:
18:22:53.937 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:22:53.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8734d908]
18:22:54.015 3 CLASSPNP.SYS[f774cfd7] -> nt!IofCallDriver -> \Device\00000065[0x873d3338]
18:22:54.046 5 ACPI.sys[f76c3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x87350d98]
18:22:54.500 AVAST engine scan C:\WINDOWS
18:23:20.500 AVAST engine scan C:\WINDOWS\system32
18:25:40.468 AVAST engine scan C:\WINDOWS\system32\drivers
18:26:03.000 AVAST engine scan C:\Documents and Settings\kristine
18:28:19.109 File: C:\Documents and Settings\kristine\Local Settings\Temp\34acf1a4-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
18:28:19.234 File: C:\Documents and Settings\kristine\Local Settings\Temp\35ad8ae8-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
18:28:19.406 File: C:\Documents and Settings\kristine\Local Settings\Temp\7ea807b2-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
18:28:39.687 AVAST engine scan C:\Documents and Settings\All Users
18:29:24.468 Scan finished successfully
18:41:27.640 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
18:41:27.687 The log file has been saved successfully to "C:\download\aswMBR.txt"
 

Attachment: TDSSlog.zip (31.1 KB)
18:15:38.0093 2020 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
18:15:38.0093 2020 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
This said it was skipped by user, which meant that you were given an option to disinfect, but it's okay. You didn't know, and I have no idea why TDSSKiller wants you to Copy to Quarantine just to fix the problem. But, apparently, that's all the choice we have. Please do the "Copy" option and post a new log from TDSSKiller and aswMBR once done.
 
I can only presume it said "skipped by user" because "skip" was the option given to me by default (like all the other items), but there was no "Cure" option or I would have taken that. I'll produce the "copy" results when I can.
 
"Copy to Quarantine" did nothing, so I went ahead and hit "Delete" in the next run. It removed the item from TDSSKiller's view, but aswMBR.exe remains largely the same:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-01 17:32:41
-----------------------------
17:32:41.875 OS Version: Windows 5.1.2600 Service Pack 3
17:32:41.875 Number of processors: 2 586 0xF0D
17:32:41.875 ComputerName: HL111008 UserName: Kristine
17:32:42.171 Initialize success
17:32:52.953 AVAST engine defs: 12073102
17:33:25.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
17:33:25.375 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
17:33:25.390 Disk 0 MBR read successfully
17:33:25.406 Disk 0 MBR scan
17:33:25.453 Disk 0 Windows XP default MBR code
17:33:25.468 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
17:33:25.500 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
17:33:25.531 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
17:33:25.546 Disk 0 Partition 3 **INFECTED** MBR:SST [Rtk]
17:33:25.593 Disk 0 scanning sectors +312581792
17:33:27.015 Disk 0 scanning C:\WINDOWS\system32\drivers
17:33:37.703 Service scanning
17:34:00.765 Modules scanning
17:34:04.578 Disk 0 trace - called modules:
17:34:04.640 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:34:04.671 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x872f8ab8]
17:34:04.718 3 CLASSPNP.SYS[f774cfd7] -> nt!IofCallDriver -> \Device\00000065[0x8736c9e8]
17:34:04.750 5 ACPI.sys[f76c3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8736cd98]
17:34:05.171 AVAST engine scan C:\WINDOWS
17:34:31.437 AVAST engine scan C:\WINDOWS\system32
17:36:51.953 AVAST engine scan C:\WINDOWS\system32\drivers
17:37:14.125 AVAST engine scan C:\Documents and Settings\kristine
17:39:33.125 File: C:\Documents and Settings\kristine\Local Settings\Temp\34acf1a4-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
17:39:33.218 File: C:\Documents and Settings\kristine\Local Settings\Temp\35ad8ae8-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
17:39:33.453 File: C:\Documents and Settings\kristine\Local Settings\Temp\7ea807b2-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
17:40:12.640 AVAST engine scan C:\Documents and Settings\All Users
17:40:57.812 Scan finished successfully
17:42:16.375 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
17:42:16.421 The log file has been saved successfully to "C:\download\aswMBR.txt"
 
Combofix still largely freezes the PC before getting to any scan completion stages, and dds.scr still does not complete either.
 
Attempting to peel back the layers of this onion, I was able to run the Kaspersky Virus Removal Tool and pull off a few elements, including what looked like all the TMP files constantly showing up in aswMBR. I ran aswMBR immediately afterward, and it pinged on something new as well (but no longer had the TMPs). Logs to follow:


Status: Deleted (events: 13)
8/1/2012 10:00:40 PM Deleted Trojan program Trojan-Dropper.Win32.Dorifel.evn C:\Documents and Settings\kristine\Local Settings\Temp\34acf1a4-5753.tmp High
8/1/2012 10:01:08 PM Deleted Trojan program Trojan-Dropper.Win32.Dorifel.evn C:\Documents and Settings\kristine\Local Settings\Temp\35ad8ae8-5753.tmp High
8/1/2012 10:00:52 PM Deleted Trojan program Trojan-Dropper.Win32.Dorifel.evn C:\Documents and Settings\kristine\Local Settings\Temp\7ea807b2-5753.tmp High
8/1/2012 10:04:04 PM Deleted Trojan program Trojan-Dropper.Win32.Dorifel.eta C:\FRST\Quarantine\1ee7e578-5753.exe High
8/1/2012 10:25:36 PM Deleted Trojan program Trojan-Dropper.Win32.Dorifel.eta C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2\A0011125.exe High
8/1/2012 10:26:09 PM Deleted Trojan program Backdoor.Win32.GeckaSeka.be C:\TDSSKiller_Quarantine\01.08.2012_00.11.30\tdlfs0000\tsk0011.dta High
8/1/2012 10:26:15 PM Deleted Trojan program Backdoor.Win64.TDSS.n C:\TDSSKiller_Quarantine\01.08.2012_00.11.30\tdlfs0000\tsk0012.dta High
8/1/2012 10:26:32 PM Deleted Trojan program Trojan.Win32.Tdss.ifoa C:\TDSSKiller_Quarantine\01.08.2012_00.11.30\tdlfs0000\tsk0019.dta High
8/1/2012 10:26:32 PM Deleted Trojan program Trojan.Win32.TDSS.isqx C:\TDSSKiller_Quarantine\01.08.2012_00.11.30\tdlfs0000\tsk0021.dta High
8/1/2012 10:26:40 PM Deleted Trojan program Backdoor.Win32.GeckaSeka.be C:\TDSSKiller_Quarantine\01.08.2012_00.24.25\tdlfs0000\tsk0011.dta High
8/1/2012 10:26:46 PM Deleted Trojan program Backdoor.Win64.TDSS.n C:\TDSSKiller_Quarantine\01.08.2012_00.24.25\tdlfs0000\tsk0012.dta High
8/1/2012 10:26:55 PM Deleted Trojan program Trojan.Win32.Tdss.ifoa C:\TDSSKiller_Quarantine\01.08.2012_00.24.25\tdlfs0000\tsk0019.dta High
8/1/2012 10:27:02 PM Deleted Trojan program Trojan.Win32.TDSS.isqx C:\TDSSKiller_Quarantine\01.08.2012_00.24.25\tdlfs0000\tsk0021.dta High
Status: Detected (events: 6)
8/1/2012 10:06:50 PM Detected unknown threat UDS:DangerousObject.Multi.Generic C:\install\Office 2003\Extras\MathType 5.1\mtype_v5_1_keygen.exe High
8/1/2012 10:20:57 PM Detected Trojan program HEUR:Backdoor.Win64.Generic C:\TDSSKiller_Quarantine\01.08.2012_00.11.30\tdlfs0000\tsk0006.dta High
8/1/2012 10:20:58 PM Detected Trojan program HEUR:Backdoor.Win64.Generic C:\TDSSKiller_Quarantine\01.08.2012_00.11.30\tdlfs0000\tsk0010.dta High
8/1/2012 10:26:19 PM Detected Trojan program HEUR:Backdoor.Win64.Generic C:\TDSSKiller_Quarantine\01.08.2012_00.24.25\tdlfs0000\tsk0006.dta High
8/1/2012 10:26:32 PM Detected Trojan program HEUR:Backdoor.Win64.Generic C:\TDSSKiller_Quarantine\01.08.2012_00.24.25\tdlfs0000\tsk0010.dta High
8/1/2012 10:26:49 PM Detected virus Virus.Win32.RLoader.a C:\TDSSKiller_Quarantine\22.07.2012_18.08.41\rtkt0000\svc0000\tsk0000.dta High

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-01 23:36:38
-----------------------------
23:36:38.656 OS Version: Windows 5.1.2600 Service Pack 3
23:36:38.656 Number of processors: 2 586 0xF0D
23:36:38.656 ComputerName: HL111008 UserName: Kristine
23:36:39.140 Initialize success
23:36:56.781 AVAST engine defs: 12073102
23:38:25.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
23:38:25.265 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
23:38:25.281 Disk 0 MBR read successfully
23:38:25.296 Disk 0 MBR scan
23:38:25.328 Disk 0 Windows XP default MBR code
23:38:25.343 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
23:38:25.375 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
23:38:25.390 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
23:38:25.390 Disk 0 Partition 3 **INFECTED** MBR:SST [Rtk]
23:38:25.390 Disk 0 scanning sectors +312581792
23:38:26.812 Disk 0 scanning C:\WINDOWS\system32\drivers
23:38:37.812 Service scanning
23:38:59.937 Modules scanning
23:39:04.187 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
23:39:05.187 Disk 0 trace - called modules:
23:39:05.218 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:39:05.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8715cab8]
23:39:05.218 3 CLASSPNP.SYS[f74fefd7] -> nt!IofCallDriver -> \Device\00000065[0x871c8f18]
23:39:05.218 5 ACPI.sys[f7395620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x87161940]
23:39:05.687 AVAST engine scan C:\WINDOWS
23:39:29.593 AVAST engine scan C:\WINDOWS\system32
23:41:53.531 AVAST engine scan C:\WINDOWS\system32\drivers
23:42:17.015 AVAST engine scan C:\Documents and Settings\kristine
23:46:32.484 AVAST engine scan C:\Documents and Settings\All Users
23:47:23.125 Scan finished successfully
23:59:59.875 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
23:59:59.875 The log file has been saved successfully to "C:\download\aswMBR6.txt"
 
Reboot your computer.

Boot from the Windows XP CD, and press the "R" key in Setup in order to start the Recovery Console.

Select your windows XP installation from the list (usually 1). It will prompt for an administrator password. The password is probably blank, so just hit enter.

Enter the command: fixmbr at the input prompt and confirm the next question with a Y.

It should then reboot the computer. If it does not, then type exit.

Boot back into normal XP. Post a new aswMBR scan, please.
 
Performed, and the suspicious SYS file seems to have disappeared, but the core red flag remains:


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-02 23:53:41
-----------------------------
23:53:41.250 OS Version: Windows 5.1.2600 Service Pack 3
23:53:41.250 Number of processors: 2 586 0xF0D
23:53:41.250 ComputerName: HL111008 UserName: Kristine
23:53:41.984 Initialize success
23:53:53.218 AVAST engine defs: 12080100
23:55:04.406 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
23:55:04.421 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
23:55:04.453 Disk 0 MBR read successfully
23:55:04.468 Disk 0 MBR scan
23:55:04.515 Disk 0 Windows XP default MBR code
23:55:04.531 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
23:55:04.562 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
23:55:04.593 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
23:55:04.609 Disk 0 Partition 3 **INFECTED** MBR:SST [Rtk]
23:55:04.640 Disk 0 scanning sectors +312581792
23:55:06.046 Disk 0 scanning C:\WINDOWS\system32\drivers
23:55:16.468 Service scanning
23:55:38.500 Modules scanning
23:55:44.515 Disk 0 trace - called modules:
23:55:44.593 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:55:44.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8735b908]
23:55:44.671 3 CLASSPNP.SYS[f774cfd7] -> nt!IofCallDriver -> \Device\00000065[0x87377338]
23:55:44.718 5 ACPI.sys[f76c3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8736cd98]
23:55:44.984 AVAST engine scan C:\WINDOWS
23:56:10.421 AVAST engine scan C:\WINDOWS\system32
23:58:26.281 AVAST engine scan C:\WINDOWS\system32\drivers
23:58:46.671 AVAST engine scan C:\Documents and Settings\kristine
00:01:21.687 AVAST engine scan C:\Documents and Settings\All Users
00:02:04.531 Scan finished successfully
00:04:43.343 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
00:04:43.375 The log file has been saved successfully to "C:\download\aswMBR7.txt"
 
ListParts by Farbar Version: 25-07-2012
Ran by Kristine (administrator) on 03-08-2012 at 16:17:42
Windows XP (X86)
Running From: C:\download
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 54%
Total physical RAM: 1014.17 MB
Available physical RAM: 457.64 MB
Total Pagefile: 2443.78 MB
Available Pagefile: 2057.39 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.07 MB
======================= Partitions =========================
1 Drive c: (Preload) (Fixed) (Total:145.58 GB) (Free:118.85 GB) NTFS ==>[Drive with boot components (Windows XP)]
4 Drive u: (Offline) (Network) (Total:145.58 GB) (Free:118.85 GB) *NT5CSC
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 146 GB 1024 KB
Partition 2 OEM 3556 MB 146 GB
Partition 3 Unknown 1872 KB 149 GB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Preload NTFS Partition 146 GB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 2
Type : 12
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
****** End Of Log ******
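As an added illustration (not one of the thread's tools, and not code from aswMBR or ListParts), the following Python parses a raw 512-byte MBR, such as the MBR.dat that aswMBR saved to C:\download, and applies the two checks behind the **INFECTED** and "Suspicious Type" lines above: a hidden NTFS type 0x17 entry, and an entry parked in the last sectors of the disk. The sample MBR is constructed from the partition values in the logs; the disk's total sector count (312,581,808 for a 160 GB ST3160815AS) is an assumption, not a value taken from the logs.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
HIDDEN_NTFS = 0x17  # "Hidd HPFS/NTFS" in aswMBR, "Suspicious Type" in ListParts
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x12: "Compaq diag", 0x17: "Hidd HPFS/NTFS"}

# Assumption for this example: total LBA count of a 160 GB ST3160815AS.
# NOT read from the thread's logs (aswMBR only prints a rounded 152627MB).
ASSUMED_DISK_SECTORS = 312_581_808


@dataclass
class PartitionEntry:
    index: int        # 1..4, as aswMBR/ListParts number them
    bootable: bool    # status byte 0x80 ("80 (A)" in the aswMBR log)
    type_id: int      # partition type byte (07, 12, 17 ...)
    lba_start: int    # "offset" column in the aswMBR log
    sectors: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition (the "+<sector>" aswMBR starts scanning from)."""
        return self.lba_start + self.sectors

    def describe(self) -> str:
        """Render the entry in the same shape as an aswMBR 'Disk 0 Partition' line."""
        flag = "80 (A)" if self.bootable else "00"
        name = TYPE_NAMES.get(self.type_id, "Unknown")
        size_mb = self.sectors * SECTOR // (1024 * 1024)
        return f"Partition {self.index} {flag} {self.type_id:02X} {name} {size_mb} MB offset {self.lba_start}"


def parse_mbr(mbr: bytes) -> list[PartitionEntry]:
    """Decode the four 16-byte partition entries at offset 446 of a 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_first, ptype, _chs_last, start, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append(PartitionEntry(i + 1, status == 0x80, ptype, start, count))
    return entries


def flag_suspicious(entries, disk_sectors: int, tail_sectors: int = 4096) -> list[tuple[int, str]]:
    """Return (partition index, reason) pairs for entries a rootkit scanner would raise on."""
    findings = []
    for e in entries:
        if e.type_id == HIDDEN_NTFS:
            findings.append((e.index, "hidden NTFS type 0x17"))
        if e.lba_end > disk_sectors:
            findings.append((e.index, "extends past the end of the disk"))
        elif e.lba_start >= disk_sectors - tail_sectors:
            findings.append((e.index, "sits in the last sectors of the disk"))
    return findings


def build_mbr(layout) -> bytes:
    """Assemble a 512-byte MBR from (bootable, type, lba_start, sectors) tuples; boot code left zeroed."""
    mbr = bytearray(SECTOR)
    for i, (bootable, ptype, start, count) in enumerate(layout):
        off = 446 + 16 * i
        mbr[off:off + 16] = struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                                        b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample mirroring the partition table in the aswMBR log above:
#   P1 active NTFS 149069 MB at 2048, P2 Compaq diag 3556 MB, P3 hidden NTFS 1872 KB (3744 sectors)
SAMPLE_MBR = build_mbr([
    (True,  0x07, 2048,        149069 * 2048),
    (False, 0x12, 305_295_360, 3556 * 2048),
    (False, 0x17, 312_578_048, 3744),
])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p.describe())
    for idx, why in flag_suspicious(parts, ASSUMED_DISK_SECTORS):
        print(f"Partition {idx} **SUSPICIOUS** {why}")
```

To run it against a real dump, replace SAMPLE_MBR with the first 512 bytes of the saved MBR.dat and the sector count with the drive's actual LBA count.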
 
Please do the following, then re-run ListParts

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it as fix.txt in the same directory where ListParts is located.
Disk=0 Partition=3 type=17
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run ListParts.
  • Press Fix button.
  • When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.
 
Offhand, doesn't look like it did anything.

ListParts by Farbar Version: 25-07-2012
Ran by Kristine (administrator) on 05-08-2012 at 04:33:14
Windows XP (X86)
Running From: C:\download
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 34%
Total physical RAM: 1014.17 MB
Available physical RAM: 665.74 MB
Total Pagefile: 2443.78 MB
Available Pagefile: 2254.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.07 MB
======================= Partitions =========================
1 Drive c: (Preload) (Fixed) (Total:145.58 GB) (Free:118.85 GB) NTFS ==>[Drive with boot components (Windows XP)]
4 Drive u: (Offline) (Network) (Total:145.58 GB) (Free:118.85 GB) *NT5CSC
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 146 GB 1024 KB
Partition 2 OEM 3556 MB 146 GB
Partition 3 Unknown 1872 KB 149 GB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Preload NTFS Partition 146 GB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 2
Type : 12
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
****** End Of Log ******

There is a PLFixlog.txt that reads:

Script used: "Disk=0 Partition=3 type=17"
 
For extra info, this is what Hitman Pro picks up:

Malware _____________________________________________________________________

Volume Boot Record (Sector 312578048)
C:$VBR_312578048

Rootkit.MBR.Sst.C (Boot Image) (Engine A) Rootkit.MBR!IK
 
I decided to see what HitmanPro could take care of, and apparently it could pull that off. It no longer shows up on aswMBR scans. However Combofix and DDS.scr still freeze the PC. Tried running an RSIT scan, which did produce a log. Not sure if the first one offers more than HijackThis, but info is info. The text files are attached, due to general big-hugeness.
 

Attachments: rsitlog.txt (40.9 KB), rsitinfo.txt (41.8 KB)
Hm. Apparently still seeing something in there, but aswMBR still has nothing.



ListParts by Farbar Version: 25-07-2012
Ran by Kristine (administrator) on 05-08-2012 at 16:31:41
Windows XP (X86)
Running From: C:\download
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 32%
Total physical RAM: 1014.17 MB
Available physical RAM: 688.16 MB
Total Pagefile: 2443.78 MB
Available Pagefile: 2240.12 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.9 MB

======================= Partitions =========================

1 Drive c: (Preload) (Fixed) (Total:145.58 GB) (Free:118.82 GB) NTFS ==>[Drive with boot components (Windows XP)]
4 Drive u: (Offline) (Network) (Total:145.58 GB) (Free:118.82 GB) *NT5CSC

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 146 GB 1024 KB
Partition 2 OEM 3556 MB 146 GB
Partition 3 Unknown 1872 KB 149 GB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Preload NTFS Partition 146 GB Healthy System (partition with boot components)
======================================================================================================

Disk: 0
Partition 2
Type : 12
Hidden: Yes
Active: No

There is no volume associated with this partition.
======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.
======================================================================================================

****** End Of Log ******
 
There is no volume associated with this partition.
I would suppose this tells me that even if the partition shows up, the data is most certainly not there to cause any problems.

If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again; the program will close and you are done

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
 
I ran the system restore tasks (from rstrui.exe path specifically, as the malware largely busted up the All Programs directory), OTC, ccleaner (though curious why using Slim and not Portable), and Security Check posted below.

PC has been running largely OK, though the initial malware effects (including hiding most programs, files and directories) have not reverted. I can globally attrib -h that, but I normally like to keep it around to see if one of the malware cleanup tools takes care of that component while running.

I have not attempted to run ComboFix or dds.scr or anything else that was constantly freezing the computer since your last instructions.



Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Please wait while WMIC is being installed.d
I
s
p
l
a
y
N
a
m
e
ECHO is off.
e
T
r
u
s
t
ECHO is off.
I
T
M
ECHO is off.
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy SBE
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 8%
````````````````````End of Log``````````````````````
 