Help Please RootKit Craziness

Mr.Mike

Hi folks,

I originally posed this request for help here, but felt this was perhaps a better location. I hope you can help. Here it is:

Oh, where do I begin? This will go down as the most confusing thing I've seen to date!

I had a client bring in a Dell Inspiron 530 Desktop with Vista 32-bit that was only booting to a "Repair Windows" or "Start Windows Normally" black screen. In order to see what was up, I chose start normally and got to a desktop, icons and all, and then a rogue "Internet Security" program ran. I went to end the process, but suddenly the USB mouse wouldn't work. Then I started Task Manager with the keyboard, got to the Processes tab to kill the process, and then the keyboard froze. :confused: I then shut down and tried again, this time going to Start while the keyboard was working and running msconfig. I moused over to the Startup tab to uncheck the "Internet Security" rogue program listed there and stop the process, but again keyboard and mouse froze. :mad:

Booted again to the "Repair Windows" / Start Normally screen and selected "Repair Windows". Immediately, it ran CHKDSK which reported:

Corrupt attribute
record (128, "")
93 re-parse records processed
0 bad file records processed
0 EA records processed
Recovering orphaned file
2 directory files - 2 unindexed files processed
Recovering orphaned file
WUREDI~1.bak
WUREDIR.cab.bak

This was something I'd never seen before. I booted it again, thinking this had at least addressed some issues so I could take a closer look at the rogue and kill it. This time, I began to suspect a rootkit, so I ran TDSSKiller from my thumb drive and its scan found a rootkit called RootKit.Win32.TDSS.td14. Nothing that surprising, but just when I went to get rid of it the MOUSE AND KEYBOARD froze again!! :eek::mad::eek::mad:

Next I pulled the drive and slaved it on my bench and ran MBAM and got this result:

PUP.Zugo
Trojan.Agent
Trojan.FakeAlert
PUP.Fbsearch (16 times)
Trojan.Agent
Trojan.Agent
PUP.BundleInstaller.IO
PUP.BundleInstaller.IO

O.K., so that was the "Internet Security" rogue. I "removed selected" (all) and then ran SAS. SAS found 124 adware tracking cookies but nothing else. I cleaned those out too. That being done, I went to start TDSSKiller from my bench machine and scan the slaved/infected drive. I then went to My Computer to see the slaved drive and its partition and, uh-oh... Next thing I know, the main OS drive (J:\) shows no volume when right-clicked, and the recovery volume drive (K:\), when right-clicked, pops up a window that says: "The Recycle Bin on Drive K:\ is Corrupted. Do you want to empty the recycle bin for this drive?" I click "No" and close the window, not being sure what to do. Even more bizarre (if it could be any more bizarre than this), every other time I right-click the K:\ or J:\ drives, the Windows 7 System window with the "Windows Experience Index" comes up, and the system it refers to is, get this, an HP Pavilion dv6 Notebook PC!! with Windows 7 64-bit :eek::confused::eek:
My bench unit is a custom desktop running Win 7!

I figure I must be hallucinating. :( (Blink-Blink).

I'm hoping you guys can bring me down from this bad acid trip and make some sense out of this one. Google research/TN search yielded nothing comparable.

Thank you in advance for any help.
 

Thanks Computerpete for the link and advice. I'll give it a shot. Not sure if it will work since my bench machine shows the drive as unformatted.

UPDATE: Didn't matter. Nice program. I ran MBRFix and am reinstalling to the orig. computer for bootup. Now, it boots to a screen showing "Other" as the User and asks for a username and password. Hmmm.

Now I'm booting to a Dell Utility Partition and am running some tests. I'll report back.
 
I could be wrong but your rootkit is likely infecting the mouse/kb drivers and possibly others, I had one do this to me the other day - plugging in a USB mouse at least gave me some function back.

Also - If you haven't already done so, I would take an image of the customer's HD and/or get a copy of their user data before doing much more with this. The issues you are experiencing can easily be the start of a downward spiral resulting in no option but a N&P.
 
I could be wrong but your rootkit is likely infecting the mouse/kb drivers and possibly others, I had one do this to me the other day - plugging in a USB mouse at least gave me some function back.

I've not seen that before. I'm using a USB mouse. No PS/2 port available.

Also - If you haven't already done so, I would take an image of the customer's HD and/or get a copy of their user data before doing much more with this. The issues you are experiencing can easily be the start of a downward spiral resulting in no option but a N&P.
Have already done so. Thanks!

I'm running UBCD v. 5.0.3 now to address the MBR and other possible issues.
 
Can you do an offline SFC scan? Use the MSDART tools if you have them. That should replace the infected keyboard/mouse drivers, and any other infected system drivers. Might want to try running a good AV Rescue CD as well (bitdefender, etc.)
 
Can you do an offline SFC scan? Use the MSDART tools if you have them. That should replace the infected keyboard/mouse drivers, and any other infected system drivers. Might want to try running a good AV Rescue CD as well (bitdefender, etc.)

Thanks V. Haven't been able to do an sfc yet. I'll get the MSDART tools together. Thanks for your suggestions; will report back.

Update: Actually, I'm not a member of Technet and don't have those tools.

I'm using UBCD but can't get to a true c:\ prompt to run sfc.
 
Thanks V. Haven't been able to do an sfc yet. I'll get the MSDART tools together. Thanks for your suggestions; will report back.

Update: Actually, I'm not a member of Technet and don't have those tools.

I'm using UBCD but can't get to a true c:\ prompt to run sfc.
Do you mean you can't run SFC from a Vista CD from the Command Prompt or nothing will see the system partition?
 
You can also run SFC from the Vista Recovery Environment (boot Vista CD and go into the command prompt). It's just easier with the MSDART tools, but you can make do without them.

http://www.winhelponline.com/blog/run-sfc-offline-windows-7-vista/

Thanks.

Believe it or not, I can get to the c:\ prompt, no problem, but it will not run sfc! So I pulled it, slaved it again to my bench unit and am running sfc /scannow through D7.

Result: "Windows Resource Protection could not start the repair service." :(:confused:
 
Thanks Computerpete for the link and advice. I'll give it a shot. Not sure if it will work since my bench machine shows the drive as unformatted.

UPDATE: Didn't matter. Nice program. I ran MBRFix and am reinstalling to the orig. computer for bootup. Now, it boots to a screen showing "Other" as the User and asks for a username and password. Hmmm.

Now I'm booting to a Dell Utility Partition and am running some tests. I'll report back.

The Utility Partition won't boot. :mad: Going to try a few other things.
 
Grrrrrrrrr

Now, having benched the drive again, there are 3 partitions on this WD 320GB HDD listed.

In Windows:

Local disk F: (39 MB of 46 MB),
Recovery K: (4.6 GB of 9.9 GB), and
OS L: NTFS (shows no volume & Access Denied)

In DOS:

F:\ contains:

Command.Com
Autoexec.up
Config.up
Copyup.bat
delldiag.ini
[diags]
Himem.sys
Autoexec.bat
Config.sys, and
oobedone.flg (which Googles as no threat, leftover scan file).

K:\ contains:

[dell]
[Program Files]
[ProgramData]
[Remote Programs]
[sources]
[Tools]
[Users]
[Windows], and
ao_setup_1.5.0.9.exe

L:\ contains:
[.jagex_cache_32] -??
[0c7c3] - ??
[Adobe]
autoexec.bat
config.sys
[Dell]
[doctemp]
[Drivers]
DVDPATH.txt
[EpsonReg]
[Firefox]
fsqwr.bmp
[Intel]
[Linksys Driver]
[Microsoft]
ntuser.dat
[Perlogs]
[PPPNycA1uv2oFpG] -??
[Program Files]
[Remote Programs]
[Roaming]
scramble.log
SystemInfo.ini
[Temp]
[Users]
[waQj6dWK8R9Tq] - ??
Win-Files.txt
[Windows]
YServer.txt

So the whole OS is there, just not recoverable using Windows Repair or Recovery so far. Does anything look to you like it should be deleted from L:\? Or is this an issue where L:\ has been "de-activated" by the rootkit, more than just trashing the MBR/boot sector?

I've got one nerve left, and this is on it!! :mad: GRRRRRR!!!
 
Hmm...strange you got the "Windows Resource Protection could not start the repair service." error when running SFC from your OWN system. Did you specify the right hard drive (the infected one) when trying to run SFC from your own PC?

Other than that, I'm not sure what else to recommend; here are some (somewhat) random ideas:

- You might want to try changing/fixing the filesystem permissions on the infected drive

- You might want to try searching in the '\System32\Drivers' folder for any suspicious drivers. Also, not sure if you knew this, but you can run TDSSKiller on a slaved drive (pretty sure)

- Also, try running a virus scan on the slaved drive (MSSE, Kaspersky, or Bitdefender)
 
Sounds like you have both a hard drive with possible bad sectors and rootkit/trojans. I would go about it by first scanning the hard drive for bad sectors, then using DaRT or the recovery DVD to start a command prompt and run fixmbr, fixboot, and chkdsk /r.

After running chkdsk /r, try either the Kaspersky Rescue CD or the Bitdefender Rescue CD, then try booting to Safe Mode and running ComboFix.

On drives with that many problems I always make an image, just in case.

HDD Regenerator is the best utility to fix hard drive problems and is worth buying; there is nothing like it, and it is the fastest surface scan available. You might want to try it.
 
Hmm...strange you got the "Windows Resource Protection could not start the repair service." error when running SFC from your OWN system. Did you specify the right hard drive (the infected one) when trying to run SFC from your own PC?

Other than that, I'm not sure what else to recommend; here are some (somewhat) random ideas:

- You might want to try changing/fixing the filesystem permissions on the infected drive

- You might want to try searching in the '\System32\Drivers' folder for any suspicious drivers. Also, not sure if you knew this, but you can run TDSSKiller on a slaved drive (pretty sure)

- Also, try running a virus scan on the slaved drive (MSSE, Kaspersky, or Bitdefender)

Thank you again V. Yes, I'm pretty certain I did sfc on the drive containing the OS. I'll double check to make sure it was but run it again. Although the OS Drive (L:\) is "not accessible" I'll try to take on the permissions today and look at those "suspicious drivers" you mentioned but not sure what to look for. I'll run a virus scan again as you mentioned.

I appreciate all your assistance. +1 to you sir! :)
 
Do you mean you can't run SFC from a Vista CD from the Command Prompt or nothing will see the system partition?

Hi BT- Yes, I can get to a command prompt via System Repair, but it doesn't run. Since I'm booting from an OS disk (Win 7 32-bit) the default drive name is X:\ then I change it to C:\ and try sfc. No joy. It says it cannot run the sfc command (sfc /scannow).
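An added example, not from the thread or the linked article, of the offline SFC invocation the winhelponline link describes. It assumes you are at the recovery-environment command prompt (which boots as X:, as noted above) and that the offline Windows volume is mounted under some other drive letter; the script finds that letter instead of assuming C:.

```batch
@echo off
rem Added example, not from the thread: run SFC against an offline Windows
rem installation from a Vista/7 recovery command prompt. In WinRE the drive
rem letters often differ from the installed system's, so the offline volume
rem is located by looking for its SYSTEM registry hive rather than assumed.
setlocal
set "OFFDRIVE="
for %%D in (C D E F G H I J K L) do (
    if exist "%%D:\Windows\System32\config\SYSTEM" (
        if not defined OFFDRIVE set "OFFDRIVE=%%D:"
    )
)
if not defined OFFDRIVE (
    echo No offline Windows installation found; check that the volume mounts.
    exit /b 1
)
echo Offline Windows found on %OFFDRIVE%

rem /offbootdir is the volume holding the boot files, /offwindir the Windows
rem folder to verify. Without these switches sfc targets the OS you booted,
rem which is why plain "sfc /scannow" from X: refuses to run here.
sfc /scannow /offbootdir=%OFFDRIVE%\ /offwindir=%OFFDRIVE%\Windows
echo SFC exit code: %errorlevel%
endlocal
```

The same two switches apply when the drive is slaved to a bench machine, but the repair then relies on the host's Windows Modules Installer service, which is the component behind the "could not start the repair service" message.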
 