Author Topic: [Resolved] Started as Win 7 virus, morphed to redirects and desktop pop ups  (Read 7381 times)


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Click start...type Windows Disk Management and click the icon for it that the search returns at the top. Disk management will open which will show you your disk layout. Please take a screenshot and attach it here on your reply. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline JerichoX

  • Bronze Member
  • Posts: 36
Here you go, although I don't think it has the results any of us want, lol

Offline 1972vet

Try again this way...click start->right-click Computer and select "Manage" from there, look on the left side of that window for Disk Management and click there. You should see something like this (attachment). Let me know if what you see is still the same thing as what you already posted. Thanks!

Offline JerichoX

Thanks, your instructions worked. Here's the screenshot!

Offline 1972vet

Great, thanks. Let's move on...Please read through This Article. It was written by one of our very own staff members here at SpywareHammer, negster22, and it details the method she has developed for addressing this piece of malicious software.

The method she describes has recently been used and proven, time and again, to work in facilitating the removal of the infection that you have. Let me know if you think you would like to give it a try and I will help you get through it step by step. Thanks!

Offline JerichoX

Let's give it a shot. How serious is what I have? For example, is there someone actively monitoring everything I'm doing with access to my bank records and passwords, or is this just a generic virus that unlucky people randomly stumble on? Either way, if GParted is the most effective way to get rid of this then I'm up for it.

Offline 1972vet

It is a rootkit infection. Read more about the classical meaning of the word Here...and specifically, the more in depth and technical description of the type of infection you have Here.

  • Download the GParted Live CD ISO from Here and save it where you can easily find it.
  • Create a bootable CD by burning that ISO image to a CD; you can d/l and use ImageBurn for that task.
  • Instructions for ImageBurn Here if required.
  • Boot your system from the GParted Live CD. You should see the following:
  • Press ENTER
  • By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.
  • Choose your language and press ENTER. English is the default.
  • Once again, at this prompt, press ENTER. You will now be taken to the main GUI screen below:
  • Right click on the 1 MB partition and select "Manage Flags"
  • Remove the ticks from Boot and Hidden as follows:
  • Right click on the OS partition (you can recognize it by its size, 102 MB) and select "Manage Flags"
  • Put a tick in the Boot option as follows:
  • You now need to confirm those actions as follows:
  • Recheck each partition under "Flags": make sure the small rogue partition does not have "Boot" applied, and the OS partition DOES have "Boot" applied.
  • If the above is correct, double click on the Button.
  • At the next window select "Reboot" then "OK". Boot into normal Windows and check that all is OK.



Post back and let me know the results. There is more to do...

Offline JerichoX

I'm using another computer right now because I've encountered a problem for this step:

Right click on the 1 MB partition and select "Manage Flags"

When I right click, Manage Flags cannot be clicked. When I right click the other drives it is possible to click on Manage Flags, but not for the 1 MB partition.

Any advice?

Offline 1972vet

OK, let's summarize what has been done so far...

Earlier, we ran the RogueKiller which produced a log showing you, among other things, two views of your disk's condition. First, your view:

--- User ---
[MBR] bef71944b3b5de032e277fa31ccfb751
[BSP] 5ddb2240a06dd04c2f16e27a394def14 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 63 | Size: 12888 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 25173855 | Size: 106 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 25382700 | Size: 147044 Mo

User = LL1 ... OK!
User != LL2 ... KO!

This shows us three partitions, with the system reserve partition marked "ACTIVE", which is what we want.

The next view is the system's view:

--- LL2 ---
[MBR] 4c3bcdad733249acf5ba0fa43870e420
[BSP] 5ddb2240a06dd04c2f16e27a394def14 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 63 | Size: 12888 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 25173855 | Size: 106 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 25382700 | Size: 147044 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 312579760 | Size: 1 Mo


...which shows the infected partition, labeled #3 above, as "ACTIVE".

Kindly note, this view shows 4 entries numbered 0 thru 3 while the user view shows only 3 entries numbered 0 thru 2. Windows, as a boot procedure, sees this as follows:
0 = partition 1
1 = partition 2
2 = partition 3 and so on...

For our purposes, partition 4, marked as #3, the bad one, needs to go, while partition 2, marked as #1, needs to be set to "Active".

Now, that was then...Fast forward to the present, after having run the several tools mentioned, and ideally, at that point, what we would have wanted to see is that the infected partition had the boot flag and hidden attribute removed, replaced by setting partition table entry #1 as "ACTIVE".

We ran a couple tools to address this infection, which seemed to have no effect. With your last posting, we find that things aren't as we thought they should be. To address THAT, we should look over what has been done to find a suspect which would answer the question, "how did this come about".

First suspect was aswMBR, which you said did nothing when you tried to execute it...aswMBR by itself, would not have been expected to re-set any boot flags or remove any infected partition without intervention, so we can eliminate that one.

Next up was BitDefender's automated removal tool, which also did nothing when you tried to execute it. However, that one is purported to have the effect that you've described, but with your earlier report that it too did nothing upon your execution attempt, we can eliminate that one as well.

Next up was TDSSKiller. Here I think we have a winner with respect to what you've reported. This seems to be what is behind the present situation. An excerpt from the log seems to prove this:

15:59:50.0480 3188   \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
15:59:50.0480 3188   \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
15:59:50.0558 3188   \Device\Harddisk0\DR0 ( TDSS File System ) - warning
15:59:50.0558 3188   \Device\Harddisk0\DR0 - detected TDSS File System (1)
15:59:50.0620 3188   Boot (0x1200)   (4ae9670f027d0a89e0c7489090193fcf) \Device\Harddisk0\DR0\Partition0
15:59:50.0636 3188   \Device\Harddisk0\DR0\Partition0 - ok
15:59:50.0652 3188   Boot (0x1200)   (9d87a2e1b9d5058b8bf2c0389474ae0b) \Device\Harddisk0\DR0\Partition1
15:59:50.0652 3188   \Device\Harddisk0\DR0\Partition1 - ok
15:59:50.0652 3188   ============================================================
15:59:50.0652 3188   Scan finished
15:59:50.0652 3188   ============================================================
15:59:50.0683 1920   Detected object count: 2
15:59:50.0683 1920   Actual detected object count: 2
16:00:27.0141 1920   \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
16:00:27.0141 1920   \Device\Harddisk0\DR0 - ok
16:00:27.0141 1920   \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure

...This seems also to account for the fact that your Windows Disk Management screenshot appeared to show us that it did not see this infection. Having taken the screenshot AFTER we ran TDSSKiller, if what I believe happened actually DID happen, then things seem to be as they ought.

Now, let's see if we can prove this. While I assume you are still booted into the Linux system view (GParted), please answer these few questions:

1. Does the 1 MB partition have a Boot label under the Flags column?

2. Does the 1 MB partition say "unallocated" under the "Partition" and "File System" columns? Is it greyed out?

...and upon your next reply, please be sure to tell me whether or not you are still booted into GParted or if you have indeed tried booting back into Windows yet. Rather than assuming you posted your previous comment from another computer, it's best I ask first before you will have need to reboot back and forth using GParted. Your answer may prove that we need only to use Windows Disk Management at this point, rather than GParted.
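As an added illustration of the two partition-table views compared in the post above (this is example code, not part of the thread and not RogueKiller's or TDSSKiller's code), the Python below constructs two 512-byte MBR sectors whose entries mirror the offsets and sizes in the quoted log, parses the four 16-byte partition entries, renders them in the log's style, and audits them the way a defender would: exactly one active entry, the active entry not of a "hidden" type and not a 1 Mo stub, and the user view agreeing with the on-disk view (the "User != LL2 ... KO!" check). The layouts, the helper names, the finding strings and the Mo arithmetic (sector count x 512 bytes, divided by 10^6, which reproduces the log's 12888/106/147044/1 figures) are assumptions of this example.

```python
import struct
from dataclasses import dataclass

SECTOR_BYTES = 512
TABLE_OFFSET = 446      # the four partition entries start here in a 512-byte MBR
BOOT_FLAG = 0x80        # status byte meaning "active/bootable"
NTFS = 0x07             # visible NTFS partition type
HIDDEN_NTFS = 0x17      # "hidden" NTFS partition type (0x07 with bit 0x10 set)


@dataclass
class Entry:
    index: int          # slot 0..3 in the table, as RogueKiller numbers them
    active: bool
    ptype: int
    lba_start: int
    sectors: int

    @property
    def hidden(self) -> bool:
        return self.ptype == HIDDEN_NTFS

    @property
    def size_mo(self) -> int:
        # Assumption: the log's "Mo" is decimal megabytes (10**6 bytes)
        return self.sectors * SECTOR_BYTES // 10**6


def build_mbr(layout):
    """Construct a 512-byte MBR from (active, type, lba_start, sectors) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", BOOT_FLAG if active else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", lba, n)
        for active, ptype, lba, n in layout)
    table = table.ljust(64, b"\x00")               # zero-fill unused slots
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"


def parse_mbr(mbr: bytes):
    """Return the non-empty partition entries of a raw MBR sector."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        status, ptype, lba, n = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0x00:
            continue                                # empty slot
        entries.append(Entry(i, status == BOOT_FLAG, ptype, lba, n))
    return entries


def describe(entries):
    """Render entries in the RogueKiller-like style quoted in the thread."""
    lines = []
    for e in entries:
        state = "ACTIVE" if e.active else "XXXXXX"
        fs = "NTFS" if e.ptype in (NTFS, HIDDEN_NTFS) else f"type 0x{e.ptype:02x}"
        vis = "HIDDEN!" if e.hidden else "VISIBLE"
        lines.append(f"{e.index} - [{state}] {fs} [{vis}] Offset (sectors): "
                     f"{e.lba_start} | Size: {e.size_mo} Mo")
    return lines


def audit(entries):
    """Flag the signs of a bootkit-style table: a hidden or tiny active entry."""
    findings = []
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active entries; a healthy MBR has exactly one")
    for e in active:
        if e.hidden:
            findings.append(f"entry {e.index}: active partition has hidden type 0x{e.ptype:02x}")
        if e.size_mo <= 1:
            findings.append(f"entry {e.index}: active partition is only {e.size_mo} Mo")
    return findings


def views_agree(user_mbr: bytes, system_mbr: bytes) -> bool:
    """The table Windows reports should equal the one read from the disk."""
    return user_mbr[TABLE_OFFSET:] == system_mbr[TABLE_OFFSET:]


# Constructed layouts mirroring the thread's log (not the poster's actual disk).
USER_VIEW = [(False, HIDDEN_NTFS, 63, 25173792),
             (True, NTFS, 25173855, 208845),
             (False, NTFS, 25382700, 287197060)]
SYSTEM_VIEW = [(False, HIDDEN_NTFS, 63, 25173792),
               (False, NTFS, 25173855, 208845),
               (False, NTFS, 25382700, 287197060),
               (True, HIDDEN_NTFS, 312579760, 2048)]

if __name__ == "__main__":
    for name, layout in (("User", USER_VIEW), ("LL2", SYSTEM_VIEW)):
        entries = parse_mbr(build_mbr(layout))
        print(f"--- {name} ---")
        print("\n".join(describe(entries)))
        print("findings:", audit(entries) or "none")
    print("views agree:", views_agree(build_mbr(USER_VIEW), build_mbr(SYSTEM_VIEW)))
```

Run stand-alone, the script prints the two tables in the log's format, reports no findings for the user view, two findings (hidden type, 1 Mo) for the system view, and `views agree: False`. On a real system the same parser can be pointed at the first 512 bytes read from the physical disk, which is what makes the disagreement between the two views visible.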

Offline JerichoX

Hey 1972vet, thanks for the extensive reply. Yes, last night I booted back into Windows with the infected computer and that is the computer I am using right now.

For the questions you wanted to know:

1. Does the 1 MB partition have a Boot label under the Flags column?
-There's no boot label under the Flags column for the 1 MB partition.

2. Does the 1 MB partition say "unallocated" under the "Partition" and "File System" columns? Is it greyed out?
-Yes, it says unallocated under Partition and File System. When I right click the 1 MB partition everything is greyed out and the only two things I can click on are "New" and "Information".

Hope any of this can help...

Offline 1972vet

Please take another screen shot using Windows Disk Management and attach it on your next reply. Thanks!

Offline JerichoX

Here you go!

Offline 1972vet

  • Re-boot with the GParted Live CD again.
  • Follow the previous instructions until you are at the main GUI as below:
  • Select the small rogue partition. Remember, it's the one listed as 1 MB. At this point, it may be listed as unallocated space. After you've selected it, click the trash can icon to delete...then click Apply to confirm your actions:
  • Double click on the Button.
  • At the next window select "Reboot" then "OK". Boot into normal Windows.

Post back your results. Thanks!

Offline JerichoX

It won't let me delete it, the Trash Can/Delete button is greyed out. I took a screenshot so you could see what I see but I can't find that picture where the program said it would be.

Offline 1972vet

OK, I don't see the screenshot, so perhaps you just forgot to click the attach button. Regardless, please answer...is the space labeled unallocated, or is it still listed as partition space? If it's unallocated, it is, in effect, already harmless free space and the rogue partition would be gone. If this scenario is accurate then you should see a grayed out button for deletion when that space is highlighted. Please confirm/deny this. Thanks!