Virus with colon in name, can't use Process Explorer

#16 supremeone77 (Topic Starter, Member, 16 posts)
I tried renaming boot.ini so I could copy the .bak file to it, but I get access denied. Oh well, I don't think it's really a difference maker.

For MBRwizard, I made a backup of the MBR and then tried to erase the first 63 sectors, and then all the partition information disappeared. Thank God I made a backup. Last time I did this without losing all the partition information, so that's a little fishy. I'm thinking there has to be a problem with the master boot record. Is there a way to look at the sector starts for all the partitions and erase the MBR and then re-enter it manually somehow? It's worth a try. Just seems to me the MBR is key. Fixing it last time made my system boot, and it holds important information that might be scrambled a bit now.

Also, another thing I don't understand is all the access denied things. Like, there's a folder labeled with the name of the virus. Not sure if it was already there or I created it with dummycreator (someone recommended it), but I couldn't delete it; it said access denied. I thought the advantage of using boot CD environments is you could delete anything. I couldn't even do a batch erdnt.con command to try to restore the registry hashes (even though I doubt that would have made a difference).

Edited by supremeone77, 27 September 2011 - 11:29 PM.

#17 RKinner (Malware Expert, MVP, 19,799 posts)
If you do the /List command in mbrwiz, does it show you that partition 3 is the active one?

I'm not sure why you are having problems deleting files.

You might want to try Hiren's Boot Disk. The MiniXP option is usually pretty good. http://www.hirensbootcd.org/download/

Obviously the bad guy here is:

C:\WINDOWS\4088192661

Though there are usually lots more. If you can delete it, then replace it with a folder of the same name so it can't come back.


See if you can find the Combofix Log. C:\Combofix.txt or maybe E:\Combofix.txt It may tell us more.

Ron

#18 supremeone77 (Topic Starter, Member, 16 posts)
Hmmm, I don't know, sometimes I see that folder, but right now it doesn't seem to show up. I'm going to do a search for it. There is no Combofix log. I'm going to Google a way to manually add in MBR entries. I can't think of anything else that might help.

#19 supremeone77 (Topic Starter, Member, 16 posts)
Btw I'm thinking of trying MBRcheck, which I've seen from here:
http://en.kioskea.ne...otkit-infection

Looks like it can just make a new MBR for windows xp. Also I can use mbrwizard in ubcd4win to save the current mbr in case something goes wrong. What do you think?

Also, I looked at this one thread on Google where a guy mentioned he got rid of his rootkit when he did a fixmbr command in the recovery console. He said when he tried it, it said "non-standard boot sector or MBR" or something, and he was like "yeah, that's how you can tell it was a rootkit". Well, I got that message as well, so maybe it is MBR related; unfortunately fixmbr didn't work for me.

#20 RKinner (Malware Expert, MVP, 19,799 posts)
You can try MBRCheck if you like.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

Hit Y and Enter

2

choose the appropriate number for your operating system.

I'm wondering if it won't boot because it got confused about the drive numbers and which drive was active but without info from mbrwiz /list or the map command I can't tell what's going on. Certainly OTL was confused. It showed the E as being very small but pointed userinit to E: and couldn't find many files. MBRcheck won't mess with the partitions or the drive assignments so I doubt it will make a difference.

Ron

#21 supremeone77 (Topic Starter, Member, 16 posts)
Ahh, so I heard you mention active partitions, and looking at the /list in mbr showed the (C) 212 gig partition as being active and not the 12 gig (E) partition. Made E: active, but now getting an nldtr error (might have spelled wrong). Off to Google how to fix that now ;o. Not sure if this is aftermath of Combofix or the rootkit.

#22 supremeone77 (Topic Starter, Member, 16 posts)
Okay, so I went into the recovery console to fix the ntldr error. But this time, instead of showing the E: partition as F:\windows or G:\windows, it showed up as C:\windows. And it also showed an E:\minint. Anyway, I fixed the ntldr problem, rebooted, and then it said corrupt boot.ini, then went to another screen that said hal.dll is corrupt or missing. So I'm loading the OTLPE boot disk now to see if I can edit boot.ini back to how it was, and also want to see if hal.dll is really missing or if it's looking at C: for it, which is the wrong drive, instead of E:.

But yeah, I'm starting to get confused. Hope the fixmbr commands I've done and mbrcheck fix didn't mess anything up.

I forgot to do the MBRwizard log, but it had all drives listed correctly, just some of the letters got moved up one, like F: instead of E:. Here's the MBRCheck log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: (build 2600)
Logical Drives Mask: 0x008007ff

Kernel Drivers (total 89):
0x80800000 \I386\SYSTEM32\NTKRNLMP.EXE
0x80A17000 \I386\SYSTEM32\HALAACPI.DLL
0xF7987000 \I386\SYSTEM32\KDCOM.DLL
0xF7897000 \I386\SYSTEM32\BOOTVID.DLL
0xF755D000 setupdd.sys
0xF7A4F000 \I386\SYSTEM32\DRIVERS\SPDDLANG.SYS
0xF754C000 pci.sys
0xF751E000 acpi.sys
0xF7989000 \I386\SYSTEM32\DRIVERS\WMILIB.SYS
0xF75F7000 isapnp.sys
0xF7A50000 \I386\SYSTEM32\DRIVERS\OPRGHDLR.SYS
0xF745E000 fltmgr.sys
0xF744B000 wimfsf.sys
0xF7437000 fbwf.sys
0xF7A51000 pciide.sys
0xF7707000 \I386\SYSTEM32\DRIVERS\PCIIDEX.SYS
0xF7627000 mountmgr.sys
0xF7418000 ftdisk.sys
0xF7717000 partmgr.sys
0xF771F000 fdc.sys
0xF7991000 dmload.sys
0xF7871000 dmio.sys
0xF7855000 JRAID.SYS
0xF7400000 \I386\SYSTEM32\DRIVERS\SCSIPORT.SYS
0xF772F000 MVXXMM.SYS
0xF7647000 \I386\SYSTEM32\DRIVERS\CLASSPNP.SYS
0xF7A2A000 NVGTS6R.SYS
0xF7B2D000 NVGTS7R.SYS
0xF7995000 \I386\SYSTEM32\DRIVERS\USBD.SYS
0xBBEAF000 dcrypt.sys
0xF7737000 dc_fsf.sys
0xF773F000 usbehci.sys
0xBBE8B000 \I386\SYSTEM32\DRIVERS\USBPORT.SYS
0xF774F000 usbuhci.sys
0xF7677000 usbhub.sys
0xF7757000 usbccgp.sys
0xF789F000 hidusb.sys
0xF775F000 \I386\SYSTEM32\DRIVERS\HIDPARSE.SYS
0xF7687000 \I386\SYSTEM32\DRIVERS\HIDCLASS.SYS
0xF78A3000 kbdhid.sys
0xF7767000 kbdclass.sys
0xF776F000 mouclass.sys
0xF78A7000 mouhid.sys
0xF7777000 firadisk.sys
0xBBE73000 atapi.sys
0xF76A7000 3WAREGSM.SYS
0xBBE61000 3WDRV100.SYS
0xBBE44000 3WAREDRV.SYS
0xBBCAC000 CDA1000.SYS
0xF77BF000 MV61XXMM.SYS
0xF77C7000 MV64XXMM.SYS
0xF77DF000 USBSTOR.SYS
0xBA917000 snapman.sys
0xBA853000 dmboot.sys
0xF77E7000 flpydisk.sys
0xBBB3A000 cdrom.sys
0xBBB2A000 disk.sys
0xBBB1A000 ramdisk.sys
0xBA83C000 ksecdd.sys
0xBA818000 fastfat.sys
0xBA78B000 ntfs.sys
0xBA77A000 udfs.sys
0xBA759000 exfat.sys
0xBBB0A000 cdfs.sys
0xBA72C000 ndis.sys
0xBA712000 mup.sys
0xF7A09000 \SystemRoot\System32\drivers\swenum.sys
0xBA54D000 \SystemRoot\System32\drivers\ks.sys
0xBA98B000 \SystemRoot\System32\drivers\vga.sys
0xBA539000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF7AAD000 \SystemRoot\System32\Drivers\Null.SYS
0xBBE24000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF799B000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5B4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF798D000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA4F7000 \SystemRoot\System32\drivers\afd.sys
0xF779F000 \SystemRoot\System32\drivers\TDI.SYS
0xF7AB1000 \SystemRoot\system32\DRIVERS\accgain.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA658000 \SystemRoot\System32\drivers\Dxapi.sys
0xF770F000 \SystemRoot\System32\watchdog.sys
0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
0xF7A7D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xBA339000 \SystemRoot\system32\DRIVERS\wimfltr.sys
0xF7807000 \SystemRoot\system32\DRIVERS\imdisk.sys
0xF7A7B000 \SystemRoot\system32\drivers\dummy.sys
0xF799D000 \??\X:\i386\System32\BCM42XHW.SYS
0x7C900000 \i386\System32\ntdll.dll

Processes (total 15):
0 System Idle Process
4 System
328 X:\I386\System32\csrss.exe
388 X:\I386\System32\services.exe
400 X:\I386\System32\lsass.exe
420 X:\I386\System32\cmd.exe
564 X:\I386\System32\svchost.exe
612 X:\I386\System32\svchost.exe
668 X:\I386\System32\svchost.exe
968 X:\I386\explorer.exe
1436 G:\HBCD\HBCDMenu.exe
1512 X:\I386\System32\keybtray.exe
1536 X:\I386\System32\spoolsv.exe
1576 \Device\ImDisk0\Temp\HBCD\AutoMountDrives.exe
1836 \Device\HarddiskVolume5\New Folder (2)\MBRCheck.exe

\\.\B: --> error 1
\\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000036`4e710a00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000047`8cc96200 (NTFS)
\\.\I: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\J: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (FAT)
\\.\X: --> \\.\PhysicalDrive-1 at offset 0x00000000`00000000 (NTFS)

PhysicalDrive1 Model Number: ST3320620AS, Rev: 3.AAE
PhysicalDrive2 Model Number: SeagateFreeAgent Pro, Rev: 400A
PhysicalDrive0 Model Number: WDCWD1001FALS-00U9B0, Rev: 05.00K05
PhysicalDrive3 Model Number: SanDiskU3 Titanium, Rev: 2.18

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive2 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
931 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
1 GB \\.\PhysicalDrive3 RE: Unknown MBR code
SHA1: A16EF68870D2ED162DDA2E379D2960A80789C94E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 1Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!

Edited by supremeone77, 28 September 2011 - 01:18 PM.
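Worked example, added here and not code from the thread, from MBRCheck or from MBRWizard: what the /list check Ron asked about in #20 and the MBRCheck report above are actually looking at. It parses a 512-byte MBR image, lists each partition's active flag, start LBA and byte offset (the `0x7e00` in the report is sector 63 times 512 bytes), flags a table with zero or several active partitions, and hashes the boot-code region against an allow-list, which is the idea behind "Windows XP MBR code detected" versus "Unknown MBR code". Assumptions: the boot code is taken as the first 440 bytes (the disk signature sits at 0x1B8), partition numbers are 1-based as in "partition 3", and every disk image and hash in it is constructed for the demo. To inspect a real disk you would pass its first 512 bytes to `parse_partition_table`.

```python
"""MBR inspection: partition table, active flag, boot-code hash.

Added example; not from the thread, MBRCheck or MBRWizard. All disk images
and hashes below are constructed for the demo.
Assumption: boot code = first 440 bytes (bytes 440-443 hold the disk signature).
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
SIG_OFF = 510


def build_mbr(boot_code, partitions, disk_sig=0x1234ABCD):
    """Assemble a constructed MBR image from (active, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or more than four primary partitions")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, lba, count) in enumerate(partitions):
        # CHS fields stay zero; the LBA fields are what modern loaders and tools use.
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[SIG_OFF:SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


def parse_partition_table(mbr):
    """Decode the four primary partition slots of a 512-byte MBR (empty slots skipped)."""
    if len(mbr) < SECTOR or mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature: not an MBR")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0 and lba == 0 and count == 0:
            continue
        entries.append({"index": i + 1, "status": status, "active": status == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count,
                        "byte_offset": lba * SECTOR, "size_gib": count * SECTOR / 2 ** 30})
    return entries


def check_active(entries):
    """Problems with the bootable flag: exactly one partition should carry 0x80."""
    problems = []
    active = [e["index"] for e in entries if e["active"]]
    if not active:
        problems.append("no partition is marked active")
    elif len(active) > 1:
        problems.append("more than one active partition: %s" % active)
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            problems.append("partition %d has invalid status byte 0x%02X" % (e["index"], e["status"]))
    return problems


def boot_code_sha1(mbr):
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_boot_code(mbr, known_good):
    """'known' when the boot-code hash is on the allow-list, otherwise 'non-standard'."""
    digest = boot_code_sha1(mbr)
    return ("known" if digest in known_good else "non-standard", digest)


# Constructed stand-in for genuine loader code (a real MBR holds 440 bytes of x86).
CLEAN_BOOT = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 24
TAMPERED_BOOT = bytes([CLEAN_BOOT[0] ^ 0xFF]) + CLEAN_BOOT[1:]  # one byte changed
KNOWN_GOOD = {boot_code_sha1(build_mbr(CLEAN_BOOT, []))}         # allow-list of trusted hashes

# Layout in the spirit of the thread: partition 1 starts at sector 63 (offset 0x7E00)
# and holds boot.ini; partition 2 is the one flagged active. Sizes are 20 and 12 GiB.
LAYOUT = [(False, 0x07, 63, 41943040), (True, 0x07, 63 + 41943040, 25165824)]


def report(mbr, known_good=KNOWN_GOOD):
    """Lines in the style of an mbrwiz /list, plus the active-flag and boot-code checks."""
    entries = parse_partition_table(mbr)
    lines = ["#  Active Type  LBA start   Offset        GiB"]
    for e in entries:
        lines.append("%-2d %-6s 0x%02X  %-11d 0x%-11X %6.1f" % (
            e["index"], "yes" if e["active"] else "no", e["type"],
            e["lba_start"], e["byte_offset"], e["size_gib"]))
    lines += ["PROBLEM: " + p for p in check_active(entries)]
    verdict, digest = classify_boot_code(mbr, known_good)
    lines.append("Boot code: %s (SHA1 %s)" % (verdict, digest))
    return lines


if __name__ == "__main__":
    for label, mbr in (("clean", build_mbr(CLEAN_BOOT, LAYOUT)),
                       ("tampered", build_mbr(TAMPERED_BOOT, LAYOUT))):
        print("== %s ==" % label)
        print("\n".join(report(mbr)))
```

The hash comparison only says whether the boot code matches something on the allow-list; a rootkit that patches the loader shows up as "non-standard", but so does any legitimate third-party boot manager, which is why the report above lists "Unknown MBR code" for the external drives without calling them infected. The active-flag check is the part that matters for the boot failure discussed in this thread: a table where the wrong partition carries 0x80 is structurally valid and will hash as clean.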

#23 supremeone77 (Topic Starter, Member, 16 posts)
Okay computer is booting now. Combofix is running stage 1 and stage 2 scans etc..

Okay, so here's what I realized. The active partition wasn't set right. I fixed that. But then for some reason the E: and C: drives got switched. Usually boot.ini is on C:, and that boots the active partition E:. But for some reason E was C: and didn't have the boot.ini that C: normally has. Basically it's C (non-active but has boot.ini) and E (active, no boot.ini). But then E changed to C and needed a boot.ini.

Going to see what happens after Combofix finishes some scans. I'm still worried about the drive letter stuff. I'd prefer the active partition to be C:, and actually wanted it like that a while back, but it seemed like it would cause a lot of conflicts with drive paths to software and other things. Also I'm worried about whether the rootkit stole any passwords; not sure how that works with this one. Should have just unplugged the internet adapter.

#24 supremeone77 (Topic Starter, Member, 16 posts)
Okay I got it fixed I believe. Combofix seemed to fix everything, things seem to be back to normal (typing on pc now).

Should I run any other software to double check to make sure everything is good? I no longer see the colon named process atm.

Also, any ideas how to prevent this infection in the future? What happened was I was in Firefox and java.exe loaded in the systray, and then I got infected. I heard you can install a new Java which has fewer vulnerabilities, but what else? NOD32 didn't prevent it, so I'm worried about a recurring infection.

#25 RKinner (Malware Expert, MVP, 19,799 posts)
Let me see the combofix log. Then:

Malwarebytes' Anti-Malware
If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy.

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


  • Go to this page and Download TDSSKiller.zip to your Desktop.
  • Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  • Vista Start logo >All Programs> Accessories> RIGHT-click on Command Prompt and Select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If TDSSKiller alerts you that the system needs to reboot, please consent.
  • When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
change the a-v scan to None.
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply

Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.

Start, Run, sfc /scannow, OK

SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

If you can afford it, then I think Kaspersky is the best anti-virus. I use the free Avast myself. Since they hired the guy who wrote the anti-rootkit program GMER, it's gotten a lot better. I like to run Firefox with the AdBlock Plus add-on. If you add the NoScript add-on (a bit of a pain to use at first, but once you figure it out and teach it which sites you want to permit to run scripts) it will make browsing safer. You should install and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas, and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the UpdateChecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)

I usually wait until I'm sure we are clean to clear the System Restore but it would probably be a good idea to do it now.
Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f

I'm going on a trip tomorrow so don't know if I will have Internet every night so replies may be a bit delayed.



Ron

#26 supremeone77 (Topic Starter, Member, 16 posts)
Sorry for the delayed post, been busy with school. Okay, I ran Malwarebytes. Looks like it found 0access and removed it, very happy about that, feel more in the clear now. I'll run the other scans soon. Seems like the amount of scans you have to do nowadays has increased, heh. Btw, thanks for mentioning Malwarebytes, forgot how good that program is. Here's the log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7839

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/1/2011 12:10:46 AM
mbam-log-2011-10-01 (00-10-46).txt

Scan type: Quick scan
Objects scanned: 261165
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\TMP\0.2818420606346954.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\TMP\578.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\TMP\0.29806942128612957.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\TMP\0.5359126688192755.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\TMP\0.8404779660226418.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

Edited by supremeone77, 30 September 2011 - 10:13 PM.

#27 RKinner (Malware Expert, MVP, 19,799 posts)
Just got back from my trip. Sorry for the delay.

First time I've ever seen MBAM remove Zero Access. Hope it did it correctly, though I have my doubts since you have not posted the other scans or the Combofix log. Did it kill the PC so it won't boot?

Ron