Help re:Rootkit.WIN32.TDSS.td14 & hallucinations

Mr.Mike (Active Member, San Diego Area)
Hi all,

Oh, where do I begin? This will go down as the most confusing thing I've seen to date!

I had a client bring in a Dell Inspiron 530 desktop with Vista 32-bit that was only booting to a "Repair Windows" or "Start Windows Normally" black screen. In order to see what was up, I chose Start Normally and got to a desktop, icons and all, then a rogue "Internet Security" program ran. I went to end the process, but suddenly the USB mouse wouldn't work. Then I started Task Manager with the keyboard, got to the Processes tab to kill the process, and then the keyboard froze. I then shut down and tried again, this time going to Start while the keyboard was working and running msconfig. I moused over to the Startup tab to uncheck the "Internet Security" rogue program listed there and stop the process, but again the keyboard and mouse froze.

Booted again to the "Repair Windows" / Start Normally screen and selected "Repair Windows". Immediately, it ran CHKDSK which reported:

Corrupt attribute record (128, "")
93 re-parse records processed
0 bad file records processed
0 EA records processed
Recovering orphaned file
2 directory files - 2 unindexed files processed
Recovering orphaned file
WUREDI~1.bak
WUREDIR.cab.bak

This was something I'd never seen before. I booted it again, thinking this had at least addressed some issues so I could take a closer look at the rogue and kill it. This time I began to suspect a rootkit, so I ran TDSSKiller from my thumb drive and its scan found a rootkit called RootKit.Win32.TDSS.td14. Nothing that surprising, but just when I went to get rid of it the MOUSE AND KEYBOARD froze again!!

Next I pulled the drive and slaved it on my bench and ran MBAM and got this result:

PUP.Zugo
Trojan.Agent
Trojan.FakeAlert
PUP.Fbsearch (16 times)
Trojan.Agent
Trojan.Agent
PUP.BundleInstaller.IO
PUP.BundleInstaller.IO

O.K., so that was the "Internet Security" rogue. I "removed selected" (all) and then ran SAS. SAS found 124 adware tracking cookies but nothing else. I cleaned those out too. That being done, I went to start TDSSKiller from my bench machine and scan the slaved/infected drive. I then went to My Computer to see the slaved drive and its partition and uh-oh... Next thing I know, the main OS drive (J:\) shows no volume when right-clicked, and the recovery volume drive (K:\), when right-clicked, pops up a window that says: "The Recycle Bin on Drive K:\ is Corrupted. Do you want to empty the recycle bin for this drive?" I clicked "No" and closed the window, not being sure what to do. Even more bizarre (if it could be any more bizarre than this), every other time I right-click the K:\ or J:\ drives, the Windows 7 System window with the "Windows Experience Index" comes up, and the system it refers to is, get this, an HP Pavilion dv6 Notebook PC!! with Windows 7 64-bit.
My bench unit is a custom desktop running Win 7!

I figure I must be hallucinating. :( (Blink-blink.)

I'm hoping you guys can bring me down from this bad acid trip and make some sense out of this one. Google research / TN search yielded nothing comparable.

Thank you in advance for any help.
 
(disregard my last message, in case you saw it...)
In TDSSKiller, change the parameters and have it look for the TDLFS filesystem, too.
 
Thanks at least for reading this, 14049752. It's getting late for me and I have to make dinner for my wife and family. I look forward to tomorrow for any ideas you all may have. Good night!
 
> (disregard my last message, in case you saw it...)
> In TDSSKiller, change the parameters and have it look for the TDLFS filesystem, too.

Haven't done that before, and not sure how, but will give it a go. Thx. :)

EDIT: Duh. Easy to do. But it can't access the drive, as it is showing no volume and cannot be accessed. Seems like the MBR has been scrambled. Suggestions?
 
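For anyone landing on this thread with a slaved drive that "shows no volume": before reaching for an MBR repair tool, it is worth reading the first sector yourself and checking whether the partition table is actually damaged or merely has its signature gone. The script below is an added example, not something posted in the thread or shipped with TDSSKiller or MBRCheck. It parses the 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, 0x55AA signature), flags the usual signs of a scrambled table (missing signature, zeroed bootstrap, invalid status bytes, overlapping entries, no active partition), and reports how many sectors sit unpartitioned after the last entry, which is where TDL4-family rootkits keep their hidden filesystem. The disk geometry, partition type IDs and the "Dell-style" sample table are all constructed for the demo and are not taken from the poster's machine.

```python
"""Parse a 512-byte MBR sector and report signs of a scrambled partition table.

Added example for this thread, not the thread author's code. The sample MBR built
by constructed_vista_mbr() is invented for illustration (a Dell-style utility /
OS / recovery layout); nothing here is read from the poster's drive.
"""
import struct
import sys

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
TABLE_OFFSET = 446          # partition table starts after the bootstrap code
ENTRY_SIZE = 16

# Small subset of MBR partition type IDs relevant to a Dell/Vista box.
PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0x27: "hidden NTFS (WinRE)",
    0xDE: "Dell utility partition",
    0xEE: "GPT protective",
}


def parse_partition_entry(raw):
    """Decode one 16-byte entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count."""
    status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    return {
        "status": status,
        "bootable": status == 0x80,
        "type_id": type_id,
        "type": PARTITION_TYPES.get(type_id, "unknown (0x%02x)" % type_id),
        "lba_start": lba_start,
        "sectors": sectors,
        "lba_end": lba_start + sectors - 1 if sectors else None,
    }


def check_mbr(sector):
    """Return (partitions, findings). An empty findings list means the table looks sane."""
    findings = []
    if len(sector) != SECTOR:
        return [], ["sector is %d bytes, expected %d" % (len(sector), SECTOR)]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature: MBR blank or overwritten")
    if sector[:TABLE_OFFSET].count(b"\x00") == TABLE_OFFSET:
        findings.append("bootstrap code area is all zeros")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        p = parse_partition_entry(sector[off:off + ENTRY_SIZE])
        p["index"] = i
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (i, p["status"]))
        if p["type_id"] and not p["sectors"]:
            findings.append("entry %d has a type but zero length" % i)
        if not p["type_id"] and (p["lba_start"] or p["sectors"]):
            findings.append("entry %d is typed empty but carries LBA values" % i)
        parts.append(p)
    used = [p for p in parts if p["type_id"] and p["sectors"]]
    for a in used:
        for b in used:
            if a["index"] < b["index"] and a["lba_start"] <= b["lba_end"] and b["lba_start"] <= a["lba_end"]:
                findings.append("entries %d and %d overlap" % (a["index"], b["index"]))
    if not any(p["bootable"] for p in used):
        findings.append("no partition is flagged active/bootable")
    return parts, findings


def trailing_free_sectors(parts, disk_sectors):
    """Sectors after the last partition; TDL4-style rootkits park a hidden filesystem there."""
    used = [p for p in parts if p["type_id"] and p["sectors"]]
    if not used:
        return disk_sectors
    return disk_sectors - (max(p["lba_end"] for p in used) + 1)


def build_entry(status, type_id, lba_start, sectors):
    return struct.pack("<B3xB3xII", status, type_id, lba_start, sectors)


def constructed_vista_mbr():
    """Constructed sample (not the poster's disk): utility, active OS, recovery, empty."""
    table = (build_entry(0x00, 0xDE, 63, 160650)
             + build_entry(0x80, 0x07, 160713, 20971520)
             + build_entry(0x00, 0x07, 21132233, 600000000)
             + build_entry(0x00, 0x00, 0, 0))
    bootstrap = b"\xeb\x3c" + b"\x90" * (TABLE_OFFSET - 2)   # jmp + nop sled stand-in
    return bootstrap + table + BOOT_SIGNATURE


def constructed_scrambled_mbr():
    """Same bootstrap, but the table is garbage and the signature is gone."""
    return constructed_vista_mbr()[:TABLE_OFFSET] + bytes(range(64)) + b"\x00\x00"


def report(sector, disk_sectors=None):
    parts, findings = check_mbr(sector)
    for p in parts:
        print("entry %d: %-22s start=%-10d sectors=%-10d %s"
              % (p["index"], p["type"], p["lba_start"], p["sectors"], "*" if p["bootable"] else ""))
    for f in findings:
        print("WARNING:", f)
    if disk_sectors and parts:
        print("unpartitioned sectors after last entry:", trailing_free_sectors(parts, disk_sectors))
    return findings


if __name__ == "__main__":
    # Usage: python mbrcheck.py /path/to/disk-or-image [disk size in sectors]
    # e.g. a dd image of the slaved drive; on Windows \\.\PhysicalDriveN needs admin.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report(fh.read(SECTOR), int(sys.argv[2]) if len(sys.argv) > 2 else None)
    else:
        report(constructed_vista_mbr(), 625142448)
        print("---")
        report(constructed_scrambled_mbr())
```

If the signature is gone but the four entries still decode as a plausible, non-overlapping layout, the data is most likely intact and only the first sector needs restoring; if the entries themselves are garbage, compare against a Dell recovery-partition layout before writing anything, and image the disk first. A large run of unpartitioned sectors at the end of the disk is exactly where TDSSKiller's TDLFS option looks.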
I ran MBRCheck and targeted the drive for MBR repair. It boots to a screen showing "Other" as a user and asks for a name and password. I had already run Ophcrack to get all available passwords for existing users, and none worked. Now I have booted to a Dell-authored utility partition (F12 option) and am running a series of tests that will take a couple of hours to complete....

Looking around the forum and Google, I suspect this machine was once used as either a network workstation whose HDD was somehow damaged and then someone tried to repair it, or that someone swapped the original for an HDD that had a bootleg copy of Vista. If you read the original OP, the system screen said it was on an HP dv6 notebook. So it looks like someone somehow installed that on the 3.5" drive. Not sure, but I don't think this is even possible.
 