MBR rootkit ?

Viruses and worms
1

Win 7 Ult-32 SP1 + updates, Avast AV + updates
was running well, then one day I noticed Avast Anti-virus tray icon no longer showing,
Windows Update was switched off, Defender was switched off,
and various other Windows settings were not how I normally have them,
but otherwise the system was functioning OK.

On rebooting it freezes during the first screen just when you would expect the switch to video driver.
I tried various things, but often they just didn’t work as expected.
Eventually used the installation disc in repair mode to restore an earlier system image and got going again,
but only till the next reboot.

Now I can get it to load in safe mode, but not with networking services.
Device Manager > View > Show Hidden Devices has flags against spldr.sys and sptd.sys
“This device is not present, is not working properly, or does not have all its drivers installed (Code 24)”.
Event Viewer shows sptd event id 4 “Driver detected an internal error in its data structures for .”

I don’t have Alcohol or Daemon Tools, but I do have Active ISO Burner.

I downloaded the installation package for SPTD to use the uninstall feature,
but it reports its is not installed, although I can see C:/windows/system32/drivers/sptd.sys
When i try to install it, sptd.sys’s timestamp is updated, but the install ends very quickly
and the uninstall still says it is not installed.

A full scan with Avast doesn’t find anything wrong.

Kapersky’s TDSSKiller is suspicious of 4 unsigned drivers,
one of which (a ViMicro webcam driver that didn’t work) I allowed it to delete, with no effect.

HijackThis reports O20 AppInit_dlls: [blank]
which is very suspicious, but without being able to see the thing that is hiding itself, I cannot delete it.

SFC /scannow is clean.

CHKDSK C: finds errors in MFT mirror - the volume bitmap is incorrect.
CHKDSK C: /f cannot lock the volume, and on reboot it freezes before chkdsk starts.

I have 3 physical drives, SSD, SATA, USB and I have tried each one on its own, SSD and SATA do the same thing, USB(external SATA) nothing at all.

I have loaded an old PATA drive on its own and that works.

Can anyone identify the malware from that ?
Which cleaning tool(s) to use ?
Do they work in Safe Mode, because that’s all I’ve got.

It got right past Avast and switched it off :-((
This is just about the end for Windows and me.

2

Follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

When done the malware specialists will be notified…it may take several hours before they arrive

3

All my tools will work from safe mode

4

These scans were done with only the SATA drive attached.
Attachments ( part 1):
aswMBR.txt
Extras.ANSI.txt
mbam-log-2012-06-21 (06-25-42).txt
OTL.ANSI.Txt

5

aswMBR is showing no malware there

There is a Host redirect which I will now clear

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

6

Attachments (part 2/2):
OTL.Txt
MBR.dat.txt

7

Disabled mbam OK
OTL RunFix OK
ComboFix warned that Avast AV was running, although Process Explorer says it wasn’t, continued OK
Tried booting into normal mode - freezes as before

8

Sorry, there was a OTL Quick Scan in there as well

9

What is the sequence when you try to boot to normal mode please

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy:: c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll|c:\windows\System32\user32.dll
Save this as [b]CFScript.txt[/b], in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
10
What is the sequence when you try to boot to normal mode please
The usual black "Starting Windows" screen comes up, the stupid coloured squares come together and pulsate a few times and then freeze. The disc activity light is on until that point and then stops.

ComboFix with CFScript runs OK, produces ComboFix.log.2.txt
Reboot into normal mode freezes.
Reboot into Safe Mode works as normal.
While typing this (on my netbook) the desktop machine did 3 resets in quick succession all by itself - its never done that before.
I ran memory diagnostics for 2 passes a couple of days ago and it was OK.

11

I do not think it is a rootkit or MBR otherwise you would have the same problem in safe mode

Lets disable all bar MS services now and see if that lets you in

Step 1:

Start the System Configuration Utility
Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.

Step 2:

Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

Step 3: Log on to Normal Windows

12

msconfig OK
reboot into normal mode freezes as before
recall that spldr.sys is still corrupt,
in Safe Mode Start > [Firewall] > “There was an error opening the Windows Firewall with Advanced Security snap-in”,
Windows Security Centre Service is not running,
networking services don’t load.

13

Could you download defogger from here and run http://majorgeeks.com/Defogger_d7088.html

Then retry a normal boot

Also

run farbar service scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

14

Run Defogger OK, produces defogger_disable.log
Reboot into normal mode - freezes
Reboot into Safe Mode - OK
Run Farbar with all ticked OK, produces FSS.txt
Reboot into normal mode - freezes
Reboot into Safe Mode OK.

15

On the safe mode menu do you have the following option :

Enable low-resolution video (640×480)

If so then select that and let me know if it boots to windows

16

Yes, I have that menu entry.
It freezes.

In fact I have tried every menu entry, and the only ones that don’t freeze are Safe Mode and Safe Mode with Command Prompt.

17

OK that scotches the idea of the video driver

Do you have a restore point set prior to the onset of this ?

18

I don’t have any System Restore points left that I have any confidence in.
The SATA drive which we are currently testing, is already a restored system image, and that got re-infected at the next reboot, so I don’t hold much hope for a System Restore.
If something was hiding in the MBR, is anything we have done aimed at trying to clear it out ?

19

I have checked the MBR and it is reporting clean along with the rest of the scans … I feel it is a windows system problem

Have you run sfc /scannow from an elevated command prompt ?

20

Yes, it was clean.
CHKDSK C: /f didn’t work, the mirror has a bitmap error, but the repair needs a restart and it freezes before it can run the repair.