  #1  
Old 02-26-2012, 08:35 PM
Mr.Mike

Join Date: Aug 2009
Location: California Central Coast
Posts: 1,130
Help Please RootKit Craziness

Hi folks,

I originally posed this request for help here, but felt this was perhaps a better location. I hope you can help. Here it is:

Oh, where do I begin? This will go down as the most confusing thing I've seen to date!

I had a client bring in a Dell Inspiron 530 Desktop with Vista 32bit that was only booting to a "Repair Windows" or "Start Windows Normally" black screen. In order to see what was up, I chose start normally and got to a desktop, icons and all, then a Rogue "Internet Security" program ran. I went to end the process, but suddenly the usb mouse wouldn't work. Then I started task manager with the keyboard and got in and got to the processes tab to kill the process, and then the keyboard froze. I then shut down and tried again, this time going to Start while the keyboard was working and ran msconfig. I moused over to the Startup tab to uncheck the "Internet Security" rogue program listed there and stop the process, but again keyboard and mouse froze.

Booted again to the "Repair Windows" / Start Normally screen and selected "Repair Windows". Immediately, it ran CHKDSK which reported:

Corrupt attribute
record (128, "")
93 re-parse records processed
0 bad file records processed
0 EA records processed
Recovering orphaned file
2 directory files - 2 unindexed files processed
Recovering orphaned file
WUREDI~1.bak
WUREDIR.cab.bak

This was something I'd never seen before. I booted it again thinking this had at least addressed some issues so I could take a closer look at the Rogue and kill it. This time, I began to suspect a Rootkit so I ran TDSSKiller from my thumb drive and its scan found a Rootkit called: RootKit.Win32.TDSS.td14. Nothing that surprising, but just when I went to get rid of it, the MOUSE AND KEYBOARD froze again!!

Next I pulled the drive and slaved it on my bench and ran MBAM and got this result:

PUP.Zugo
Trojan.Agent
Trojan.FakeAlert
PUP.Fbsearch (16 times)
Trojan.Agent
Trojan.Agent
PUP.BundleInstaller.IO
PUP.BundleInstaller.IO

O.K., so that was the "Internet Security" rogue. I "removed selected" (all) and then ran SAS. SAS found 124 Adware Tracking Cookies but nothing else. I cleaned those out too. That being done, I went to start TDSSKiller from my bench machine and scan the slaved/infected drive. I then went to My Computer to see the slaved drive and its partition and uh-oh... Next thing I know, the Main OS drive (J:\) shows no volume when right clicked, and the recovery volume drive (K:\) when right-clicked pops up a window that says: "The Recycle Bin on Drive K:\ is Corrupted. Do you want to empty the recycle bin for this drive?" I click "No" and close the window, not being sure what to do. Even more bizarre (if it could be any more bizarre than this), every other time I right click the K:\ or J:\ drives, the Windows 7 System window with the "windows experience index" comes up and the system it refers to is, get this, HP Pavilion dv6 Notebook PC!! with Windows 7 64-bit.
My bench unit is a custom desktop running Win 7!

I figure I must be hallucinating. (Blink-Blink).

I'm hoping you guys can bring me down from this bad acid trip and make some sense out of this one. Google research/TN search yielded nothing comparable.

Thank you in advance for any help.
  #2  
Old 02-26-2012, 09:13 PM
Computerpete

Join Date: Sep 2010
Location: Wigan, Greater Manchester, England
Posts: 32

You could try to fix your MBR
http://www.softpedia.com/get/System/...s/MBRFix.shtml
Also try Combofix
  #3  
Old 02-26-2012, 09:48 PM
Mr.Mike

Join Date: Aug 2009
Location: California Central Coast
Posts: 1,130

Quote:
Originally Posted by Computerpete
You could try to fix your MBR
http://www.softpedia.com/get/System/...s/MBRFix.shtml
Also try Combofix
Thanks Computerpete for the link and advice. I'll give it a shot. Not sure if it will work since my bench machine shows the drive as unformatted.

UPDATE: Didn't matter. Nice program. I ran MBRFix and am reinstalling to the orig. computer for bootup. Now, it boots to a screen showing "Other" as the User and asks for a username and password. Hmmm.

Now I'm booting to a Dell Utility Partition and am running some tests. I'll report back.

Last edited by Mr.Mike; 02-26-2012 at 11:39 PM. Reason: update
  #4  
Old 02-27-2012, 06:05 PM
TechguyUK

Join Date: Mar 2010
Location: Lincoln, UK
Posts: 190

I could be wrong but your rootkit is likely infecting the mouse/kb drivers and possibly others, I had one do this to me the other day - plugging in a USB mouse at least gave me some function back.

Also - If you haven't already done so I would take an image of the customer's HD and/or get a copy of their user data before doing much more with this. The issues you are experiencing can easily be the start of a downward spiral resulting in no option but a N&P.
__________________
TechguyUK
Computer Repair & Support in Lincoln

'Making IT...work!'
  #5  
Old 02-27-2012, 06:32 PM
Mr.Mike

Join Date: Aug 2009
Location: California Central Coast
Posts: 1,130

Quote:
Originally Posted by TechguyUK
I could be wrong but your rootkit is likely infecting the mouse/kb drivers and possibly others, I had one do this to me the other day - plugging in a USB mouse at least gave me some function back.
I've not seen that before. I'm using a USB mouse. No PS/2 port available.

Quote:
Also - If you havn't already done so I would take an image of the customers HD and/or get a copy of their user data before doing much more with this. The issues you are experiencing can easily be the start a downward spiral resulting in no option but a N&P.
Have already done so. Thanks!

I'm running UBCD v. 5.0.3 now to address the MBR and other possible issues.

Last edited by Mr.Mike; 02-27-2012 at 06:34 PM. Reason: more info
  #6  
Old 02-27-2012, 09:30 PM
Vicenarian

Join Date: Jan 2010
Posts: 1,940

Can you do an offline SFC scan? Use the MSDART tools if you have them. That should replace the infected keyboard/mouse drivers, and any other infected system drivers. Might want to try running a good AV Rescue CD as well (bitdefender, etc.)
__________________
2 Corinthians 5:21 "For God made Christ, who never sinned, to be the offering for our sin (by dying in our place), so that we could be made right with God through Christ."
  #7  
Old 02-27-2012, 09:42 PM
B Trevathan

Join Date: Nov 2009
Location: Tennessee, USA
Posts: 515

Quote:
Originally Posted by ScarletPathos
Now, it boots to a screen showing "Other" as the User and asks for a username and password.
Would this help you with your Other User issue?
How to use System Restore to log on to Windows 7 or Windows Vista when you lose access to an account:
http://support.microsoft.com/kb/940765
  #8  
Old 02-27-2012, 10:53 PM
Mr.Mike

Join Date: Aug 2009
Location: California Central Coast
Posts: 1,130

Quote:
Originally Posted by B Trevathan
Would this help you with your Other User issue?
How to use System Restore to log on to Windows 7 or Windows Vista when you lose access to an account:
http://support.microsoft.com/kb/940765
Good suggestion. I'll try this out; however, I've tried a system restore and found there are no restore points saved and the Operating system list does not populate. Thanks for the help.
  #9  
Old 02-28-2012, 12:02 AM
Vicenarian

Join Date: Jan 2010
Posts: 1,940

You can also run SFC from the Vista Recovery Environment (boot Vista CD and go into the command prompt). It's just easier with the MSDART tools, but you can make do without them.

http://www.winhelponline.com/blog/ru...ndows-7-vista/
__________________
2 Corinthians 5:21 "For God made Christ, who never sinned, to be the offering for our sin (by dying in our place), so that we could be made right with God through Christ."
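The offline SFC that Vicenarian recommends in posts #6 and #9 trips people up for one reason: inside the Vista/7 Recovery Environment the installed OS is usually not C:, so a plain "sfc /scannow" scans the wrong thing (or nothing). The batch script below is an added example, not from Vicenarian, the thread, or Microsoft; it locates the drive that actually holds the offline Windows installation by looking for its SYSTEM registry hive and then runs SFC against it with the documented /offbootdir and /offwindir switches. The drive-letter list and the hive-based detection are my own assumptions about a typical single-OS machine; the WinRE ramdisk (X:) is deliberately not in the list.

```batch
@echo off
REM Added example (not from the thread): run System File Checker against an
REM OFFLINE Windows install from the Vista/7 Recovery Environment command prompt.
REM Assumption: the offline OS is on one of the letters below; X: is WinRE itself.
setlocal
set "OSDRIVE="

REM The SYSTEM registry hive only exists in a real Windows installation, so it
REM is a safer marker than "does \Windows exist" (recovery partitions have a
REM \Windows folder too on some OEM images).
for %%D in (C D E F G H I) do (
    if not defined OSDRIVE (
        if exist "%%D:\Windows\System32\config\SYSTEM" set "OSDRIVE=%%D:"
    )
)

if not defined OSDRIVE (
    echo No offline Windows installation found on C: through I:.
    echo Check the letters WinRE assigned with: diskpart ^> list volume
    exit /b 1
)

echo Offline Windows installation found on %OSDRIVE%
REM /offbootdir = drive holding the boot files, /offwindir = the offline Windows
REM folder. Both must point at the OFFLINE install, never at X:\.
sfc /scannow /offbootdir=%OSDRIVE%\ /offwindir=%OSDRIVE%\Windows
echo SFC exit code: %ERRORLEVEL%
echo Review %OSDRIVE%\Windows\Logs\CBS\CBS.log for "Cannot repair" entries.
endlocal
```

Run it from the WinRE command prompt after booting the Vista DVD (or a WinRE USB) and choosing Repair Your Computer, then Command Prompt. If the script reports no installation, the drive letters are simply different from the list; "diskpart" followed by "list volume" shows what WinRE assigned, and the two sfc switches can be adjusted by hand. Replaced drivers (including the keyboard and mouse drivers suspected in this thread) show up in CBS.log, which is also where to look if SFC reports files it could not repair.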
  #10  
Old 02-28-2012, 12:23 AM
Mr.Mike

Join Date: Aug 2009
Location: California Central Coast
Posts: 1,130

Quote:
Originally Posted by ScarletPathos
Thanks Computerpete for the link and advice. I'll give it a shot. Not sure if it will work since my bench machine shows the drive as unformatted.

UPDATE: Didn't matter. Nice program. I ran MBRFix and am reinstalling to the orig. computer for bootup. Now, it boots to a screen showing "Other" as the User and asks for a username and password. Hmmm.

Now I'm booting to a Dell Utility Partition and am running some tests. I'll report back.
The Utility Partition won't boot. Going to try a few other things.