Rootkit - Reinstalled Win 7 64 Unknowingly - Seriously Urgent: Finals

Laptop had Win 7 64 installed without knowing it was infected with a rootkit. MBR prevents fresh install. I thought the sluggishness was from a year of windows-bloat. Running avast! Internet Sec. 6.0. The logs are huge so I just attached them as text except for aswMBR. Any help is GREATLY appreciated. EDIT: I ran Malwarebytes, SuperAntiSpyware, TDSSKiller, avast! Internet Security 6.0 boot scan with full scans of everything (but I’m pretty sure avast is toast since it’s hooked). Anything that autofixes this KISS style isn’t recognizing it. Would a CD with a HDD wipe work?

I don’t even care about this laptop OS being preserved as backup data has been done from reinstalling, so if there is a way to format my HDD and get rid of the MBR so I can install Win 7 fresh I’m more than willing to do that to avoid any artifacts.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-10 11:44:52
-----------------------------
11:44:52.651    OS Version: Windows x64 6.1.7600 
11:44:52.651    Number of processors: 4 586 0x2502
11:44:52.652    ComputerName: XIRRI  UserName: 
11:44:54.535    Initialize success
11:44:58.586    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:44:58.589    Disk 0 Vendor: WDC_WD5000BEKT-00KA9T0 01.01A01 Size: 476940MB BusType: 11
11:45:00.652    Disk 0 MBR read successfully
11:45:00.653    Disk 0 MBR scan
11:45:00.656    Disk 0 Windows 7 default MBR code
11:45:00.659    Service scanning
11:45:02.296    Disk 0 trace - called modules:
11:45:02.358    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
11:45:02.362    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007a60060]
11:45:02.366    3 CLASSPNP.SYS[fffff880018df43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007769060]
11:45:02.369    Scan finished successfully
11:45:42.587    Disk 0 MBR has been saved successfully to "C:\Users\Divide_By_Z3r0\Documents\MBR.dat"
11:45:42.588    The log file has been saved successfully to "C:\Users\Divide_By_Z3r0\Documents\aswMBR.txt"
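The thread turns on whether the aswMBR log above actually reports an MBR infection. The following is an added example, not part of the original post and not an AVAST tool: it parses the log as posted and reports what the MBR-scan result line says, which drivers were in the disk I/O trace, and where MBR.dat was saved. It treats the wording seen on this page, "default MBR code", as the indication of stock boot code; that is an assumption drawn from this thread, not from aswMBR documentation. SAMPLE_LOG is a trimmed copy of the output posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the aswMBR output posted in this thread, trimmed to the
# lines the parser cares about (timestamps and paths copied verbatim).
SAMPLE_LOG = r"""aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-10 11:44:52
-----------------------------
11:44:52.651    OS Version: Windows x64 6.1.7600 
11:44:58.586    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:45:00.652    Disk 0 MBR read successfully
11:45:00.653    Disk 0 MBR scan
11:45:00.656    Disk 0 Windows 7 default MBR code
11:45:00.659    Service scanning
11:45:02.296    Disk 0 trace - called modules:
11:45:02.358    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
11:45:02.362    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007a60060]
11:45:02.369    Scan finished successfully
11:45:42.587    Disk 0 MBR has been saved successfully to "C:\Users\Divide_By_Z3r0\Documents\MBR.dat"
"""

# Every log event is "HH:MM:SS.mmm <spaces> message"; header lines have no timestamp.
TS_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3})\s+(.*?)\s*$")
DISK_RE = re.compile(r"^Disk (\d+) (.*)$")
SAVED_RE = re.compile(r'^Disk (\d+) MBR has been saved successfully to "(.*)"$')


@dataclass
class AswMbrReport:
    os_version: str = ""
    mbr_code: dict = field(default_factory=dict)      # disk number -> MBR scan result text
    called_modules: list = field(default_factory=list)  # drivers listed in the disk I/O trace
    saved_mbr: dict = field(default_factory=dict)     # disk number -> path of the dumped MBR
    scan_finished: bool = False


def parse_aswmbr(text):
    """Parse aswMBR console output into an AswMbrReport."""
    report = AswMbrReport()
    pending_scan = None    # disk whose "MBR scan" result line we are waiting for
    expect_modules = False  # next line lists the modules named in the trace
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        if msg.startswith("OS Version:"):
            report.os_version = msg.split(":", 1)[1].strip()
            continue
        if msg == "Scan finished successfully":
            report.scan_finished = True
            continue
        if expect_modules:
            report.called_modules = msg.split()
            expect_modules = False
            continue
        saved = SAVED_RE.match(msg)
        if saved:
            report.saved_mbr[int(saved.group(1))] = saved.group(2)
            continue
        d = DISK_RE.match(msg)
        if not d:
            continue
        disk, rest = int(d.group(1)), d.group(2)
        if rest == "MBR scan":
            pending_scan = disk            # the following "Disk N ..." line is the verdict
        elif rest.startswith("trace - called modules"):
            expect_modules = True
        elif pending_scan == disk:
            report.mbr_code[disk] = rest
            pending_scan = None
    return report


def triage(report):
    """Return (verdict, notes). 'standard' only when the scan completed and every
    scanned disk reports default MBR code; anything else is 'review', meaning the
    log alone does not settle it and a human should look at the full output."""
    notes = []
    if not report.scan_finished:
        notes.append("scan did not finish; treat the log as incomplete")
    if not report.mbr_code:
        notes.append("no MBR scan result found")
    for disk, desc in sorted(report.mbr_code.items()):
        if "default MBR code" in desc:
            notes.append(f"disk {disk}: {desc} (stock boot code as reported by the tool)")
        else:
            notes.append(f"disk {disk}: {desc} (not reported as stock boot code; needs a second opinion)")
    for disk, path in sorted(report.saved_mbr.items()):
        notes.append(f"disk {disk}: MBR dumped to {path}; that file is what to submit for analysis")
    clean = report.scan_finished and bool(report.mbr_code) and all(
        "default MBR code" in desc for desc in report.mbr_code.values())
    return ("standard" if clean else "review"), notes


if __name__ == "__main__":
    verdict, notes = triage(parse_aswmbr(SAMPLE_LOG))
    print("verdict:", verdict)
    for note in notes:
        print(" -", note)
```

Run against the posted log this prints "standard", which matches the later reading in the thread that the log shows no MBR infection. The point of keeping the dumped MBR.dat path in the notes is that the log line is only the tool's summary; the saved sector is the evidence a second scanner or analyst can check independently.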

C:\Users\Divide_By_Z3r0\Documents\MBR.dat"
Please upload MBR.dat to www.virustotal.com and post the results!
Regards
Philip

Download and install MBAM.

I’m running @killdisk right now. More than anything, I want to know how I got this but it’s impossible to know now. Due to reinstalling a day ago I didn’t want anything left behind so I chose this route. My prof gave me an extra day so it’s all good.

My desktop is another story but it’ll have to wait a week. Thanks for the input fellas.

This can be locked.

I am referring you to our Certified Malware expert, named Essexboy for malware removal. He will review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine in the meantime.

Essexboy has been notified.

Too late to save now.

I'm running @killdisk right now.

One question: why do you think your MBR is infected?

Well, I thought it was based on advice from the aswMBR log I posted. Are you saying that log shows my system is healthy? That would be great, because I ran BCWipe Total WipeOut (with the exception of ATA erase, because my BIOS blocks it). It did delete the entire drive with all other options enabled, and upon reinstall of Win 7 aswMBR showed the same results.

The laptop is custom so getting a new BIOS is very difficult.

HijackThis looked much better after BCWipe, so if that asw log is normal I’m in good shape.

From my limited experience of the aswMBR tool it isn’t reporting an MBR infection. See this topic for an example of when one is found as it clearly states one has been found, http://forum.avast.com/index.php?topic=77872.msg644049#msg644049.

Thanks for the info! I was misinformed and should have waited/posted here first. It makes sense that my system is probably clean, since I ran literally every scan from all prominent AV forums and nothing was detected since running WipeOut.

I do find it odd that reinstalling Win 7 doesn’t do a better job wiping the MBR and such. I’ll post a HijackThis log after I’m done installing my drivers. It seems a lot of stuff is reported, and what concerns me most are the missing program results, which I don’t understand at all.

Thank you all for your replies. I truly appreciate them!

You’re welcome.

Personally I don’t feel that HJT brings anything to the party; it is a very old tool which hasn’t been updated in over 18 months and hasn’t kept pace with malware developments. It doesn’t even look in many of the locations that modern malware seeks to hide.

There are better specialist tools like OTS, but they require interpretation by someone familiar with it, such as essexboy (but he won’t be back on the forums until tomorrow night; it is 1:15am in the UK).

Again, it would revolve around your having a problem, so after installing the drivers, etc. and you have rebooted, what problems are you experiencing?

Yeah, I’ll rerun OTS in a bit.

So I ran combofix and it showed a directory that is really weird with all sorts of modules and hooks. My laptop has been running slow at the login and I feel like it’s infected somehow. Googling some of the readable text it came up with PHPJackal.

I ran BCWipe Total WipeOut and reinstalled, yet I have these files from March 2011 implicating all this hooking of stuff. Wtf is going on!? I get no results from other scans, yet with 8gb of RAM 27% is in use. Should I hot swap and run BCWipe after BIOS load to wipe? All these svchost processes have weird labels after them. This is my first virus/trojan in a decade and I’m at a loss. I’m on my iPhone b/c I’m afraid to go online with my laptop. IDE erase is disabled by my BIOS. No option to disable.

Thoughts?

Before running BCWipe Total WipeOut and reinstalling, it would have been more helpful to us, who are trying to help you, if you had provided us with OTS log(s) of your machine. This gives us important information, and perhaps you would not have had to wipe and reinstall everything on your machine for us to fix the problem.

Did you run the ComboFix after reinstalling? If so, please attach the log to your next post.

I will also notify Essexboy of the latest developments. In the meantime, do not make any further changes to your machine. Thank you.

Thanks for your help but there has been an OTS log since starting this thread. Please read the OP.

yet with 8gb of RAM 27% is in use.

Windows 7 uses as much RAM as possible to stop any disc swapping.

So I ran combofix and it showed a directory that is really weird with all sorts of modules and hooks.

Could you post the ComboFix log please, as I am a little confused as to what you are referring to.

Combofix Log 5/14/2011

Thanks for all the comments everyone!

edit: The reason I am still dubious about being clean is the time it takes for Win 7 to log me in (I have very little software installed after all the formatting), the time it lags when I click on my wireless connection, and I got an email yesterday saying one of my passwords for an account attempted to be changed. The laptop isn’t amazing or anything (i3-350m, 500GB WD Scorpio 7200rpm, nVidia 335m, 8gb DDR3), but it never ran this slow and I have it set to max performance and not max appearance.

It is a product from a very small company, which was a big mistake on my part and one I won’t repeat, as I am unable to update my BIOS and many drivers without specifically modding their .inf’s. When I run GPUZ/CPUID the fields for any pertinent mfg. data are not filled in. When googling the BIOS version I get one thread from another guy who bought the same laptop and he received no replies. The seller is really weird and uncooperative in providing me a copy of the BIOS. If it turns out this machine isn’t infected that would be great, but I have a weird feeling about it because the BIOS disables ATA Erase so my BCWipe can’t use that functionality.

After you check out the combofix log and deem my system healthy I’ll be less inclined to worry, but my desktop is also infected. aswMBR came back with a positive scan, and I ran the mbr fix. That didn’t really seem that great, and I’ll be wiping all the drives on that machine, and at least I can update the BIOS with the Sabertooth x58.

MBAM confirmed a lot of malware on this laptop prior to my formatting, and it was a redirect. After years of cautious behavior I fell out of the loop as to what commonly infects computers now and it’s made me feel like an idiot because I can’t effectively interpret what I see in any of these scans.

How prevalent are infections that make their way into BIOS/firmware?

Your OTS log is dated 5/10/11. Since that time, you have run other malware removal tools, wiped your machine and did a reinstall of your machine. Asking for another OTS on 5/13/11 was appropriate prior to doing a ComboFix so that we could see what was going on in your machine, which was the reason I was asking for it; however, it is too late now since you ran the ComboFix. Every time you make a change to your machine, your OTS log will change.

Rather than wait for Essexboy’s help on fixing your desktop, you are already jumping to fix your desktop. If you feel comfortable doing this, then by all means do so, but he is an expert in this area. IMO, I would wait for Essexboy to assist you. First, I would post as an attachment an OTS log for your desktop for him to review when he gets to the forum in a few hours so we can see exactly what is going on with this machine. Thank you.

Well, I’ve posted on many boards, as it seems a lot of people get infected. Finally, I used EasyBCD, which led me to a help webpage to use the Win 7 recovery console to completely erase all aspects of the MBR and boot areas, because I noticed those remained the same even using BCWipe (dated 2/5/2011). After replacing all of that I am pretty certain that did it.

My new install has no abnormalities as the past ones did. My laptop is behaving normally and I hope that did it.

What infection did aswMBR show? The logs you have posted showed no infection, so they may have been run after the fix.

No apparent malware showed in the CF log.

Did you use Bootrec.exe /FixMbr?