nancywva asked:

Registry Changes Are not Saved

The computer is infected with a virus.  Suggested solution is to change the Windows Registry.  When that change is made, it is not retained - after a restart or after a power down and restart.  The operating system is Windows Vista Basic prior to SP 1.  In fact, the problem was discovered while attempting to update SP 1; Windows update would not run.  Then discovered that no exe file would run.  Have found a solution to getting exe files to run, but it has to be invoked after every startup.  System will run in safe mode only.
mjyga1

Run Hitman Pro 3.6. Sounds like the MBR is infected and needs to be replaced/rebuilt.
Had a similar virus earlier this week and HMP worked.
I would suggest removing the hard drive, connecting it to a working system (that has AV installed, including Malwarebytes) and doing a full scan of the drive.  This will remove the infection and you can find out what the malware/virus was and assess the damage.

You really need to know what's going on before taking specific steps.
nancywva (ASKER)

mjyga1, tried HMP, problem still exists.

HadleyR: My very first process was to remove the hard drive, connect it to another computer, and run MBAM full scan.  Threats were found and removed.  However, when the hard drive was replaced in its host computer, the problem remained.  I will run through the process again.  

To both of you:  What do you recommend for software to scan the MBR for infections?
greggy86

Try ComboFix - I suggest you run it from UBCD4Win - this is a startup disk that will boot independent of your OS... it has a bunch of other antivirus and diag tools also.

If you are sure it is the MBR, then write a new MBR with the /fixmbr option. Since Vista does not have a Recovery Console, use the instructions in this video - not all of it applies to you, but it will show how to use /fixmbr:
http://www.youtube.com/watch?v=fMwfWP2ahyw
SOLUTION
younghv
To younghv:  First of all, I found the article "Malware Fighting - Best Practices" very illuminating.  Thank you for suggesting it to me.

Secondly, the problem computer will not boot into normal mode, only safe mode.  I am preparing to start the procedures you recommended.  My question is, will they be effective in safe mode?
Great question!

Most malware scanners WILL provide some functional work for you in "Safe Mode", so feel free to go with it for now.

When we get your system able to boot normally, another run of RogueKiller followed by a "Quick Scan" with Malwarebytes will be in order.
RogueKiller was run in safe mode on the problem computer.  Results are attached.  "Delete" was selected for the registry problems. Also selected "Hosts Fix."

A full system scan was run by MBAM, freshly updated.  Results are attached - a log and a picture of the results display.  The latter, I believe, is showing the items quarantined by TDSSKiller, which was run on a previous day, before posting to EE.

I will now move forward with ComboFix.
RKreport-1-.txt
RKreport-2-.txt
RKreport-3-.txt
mbam-log-2012-01-26--19-43-00-.txt
MBAM-Results-Display.jpg
So far it looks as though both are doing their jobs.
You can delete those TDSSKILLER quarantined files.

Did you try re-booting to Normal Mode after the MBAM scan (you can do just a Quick Scan- the Full is not needed...for now.)

It is getting pretty late into my night, but I'll be back on in the morning.
Tried ComboFix.  System locked up.  Shut it down with the power button.  Tried normal boot then; no go.  Back to safe mode.  ComboFix again.  Appears to be locked up again.  I will check back in the morning before I head off to another task.
younghv, here is the latest:  ComboFix will not run.  I cannot tell what is interfering with it, but it locks up the computer.  I repeated everything from the beginning (RogueKiller, MBAM, TDSSKiller, ComboFix).  With the latter, I do see a brief flash of "access is denied" when it starts, even though the account is an administrator account.  And to start it, I right-click the icon and choose "Run as Administrator."

It starts to scan, but nothing is displayed beyond the first 3 lines about the time required.  I never see anything about clock settings.  I never see any "completed" stages.

System still will not boot in normal mode.

I will check with you tomorrow.
This is how to repair the MBR on your Vista machine.
Nancy,
I am going to ask a couple of the other Experts (who know CF much better than I) to weigh in on this.

While waiting for them to check in, please delete the "combofix.exe" file (don't uninstall it, just delete the .exe file).

Re-boot to "Safe Mode with Networking" and download a fresh copy of ComboFix - but - this time use the "Save-As" function and call it something random. Make sure you are downloading it to your desktop.

Try running the RK/CF combination again.
[Note - since you have access to a clean computer, you can also download all of your tools to it, then rename/copy them to CD or USB stick for use on the target computer.

You might also consider downloading and burning this to CD - I had to use it on a system yesterday. http://connect.microsoft.com/systemsweeper]

mjyga1 - my security software blocked me from going to the link you posted, so you might want to consider posting links to more mainstream sites.

Additionally, TDSSKILLER will auto-fix MBR infections - so there shouldn't be any need to take other actions.
Can't read info from MBAM screenshot -- did TDSSKiller show the presence of ZeroAccess (ZA) root kit? Description of problem indicates ZA was present.

I have had problems with CF and Vista. At least two Vista PCs rendered unbootable and unrecoverable by using CF, so exercise caution.

If ZA was found by TDSSKiller, try using this tool: http://deletemalware.blogspot.com/2011/09/zeroaccesssirefefmax-rootkit-removal.html
Should have added that although TDSSKiller appears to remove ZA, it actually does not.
younghv:
Deleted ComboFix and re-downloaded, re-ran, per your instructions.  Same result.  Have created the Microsoft Sweeper CD and the scan is running now - Windows Defender Offline.  I must head out shortly.  If the scan finishes in time, I will post results.

Willcomp:
I apologize for the poor image from TDSSKiller. I did not realize that the jpg was so poor.  It did not find ZA.
younghv:
Scan just finished. (I ran full scan.)  No threats were detected.  Definitions are out of date - I tried to update them twice, but it failed both times, toward the last 25% of the progress bar.  I will check back in a few hours.
As willcomp noted, a ZA infection takes this to a whole new realm of fun and excitement.

Regarding "Definitions are out of date" - for which tool?

And...which scan just finished?
Has the thought of a wipe/reload crossed anyone's mind?  Get the important data off the system via connecting the drive to a (protected) and working system, CAREFULLY wipe it, and then reload the OS.  Checking on Zero Access, it reveals sophisticated code that modifies system files, etc.  To sort out a badly compromised OS vs. reloading the OS might make the latter more efficient per time spent.  My experience has been pretty negative in these situations, especially making sure the rootkit (if that is the case) is gone.  Just a thought...
younghv:

The definitions are out of date for the Microsoft Sweeper tool, which turned out to be Offline Windows Defender.

And that is the scan that was run and completed this morning with no threats found.

What do you think, young, should I try HadleyR's suggestion to wipe and reload?
SOLUTION
lol! Figures! I posted at the same time! Oh well! Good post, Nancy! Bravo!
Forgot to add use "sfc /scannow" as well while in the recovery console.
Hi Nancy,
Please take a look here:  https://community.mcafee.com/thread/36999.  Rootkits can eat a tech's time!  The above from McAfee more or less sums up what you may be up against.  While nothing I have proposed is actually a solution, you have to decide how much time you want to spend on un-snarling a mess.  I have only suggested what we would do:  1.) Safely get the data off the crippled system.   2.) Wipe everything including the partitions, MBR, etc. with a utility OR take a hammer to the drive.  How much is your time worth?  Ordinary infections are one thing.  Rootkits are entirely another....

However, some infections are also accompanied by suspicious behavior that can be caused by such simple things as a corrupted paging file.  I.e., the infection is cured but other stuff is going on that may have been caused by the infection.

We have spent hours on something when it might have been more cost effective to trash the drive.

Had
"What do you think, young, should I try HadleyR's suggestion to wipe and reload?"

In my shop we end up doing that maybe once or twice a year; so no, I do not agree.

In the first place, it probably won't solve the problem (you'll just get reinfected) and in the second place - follow the guidance from "Russell_Venable".

He is one of those types who can carefully walk you way down the rabbit hole and put a real fix on this - not a pretend fix.

In one of my Articles I encourage all question "Askers" to review the profile (just click on the Expert's name in the title banner above their post) of anyone offering advice. It is a quick way to get an indication of their success here on EE and you will learn some about Russell's background.

(Call me Vic.)
HadleyR,
I appreciate your concern about time constraints; it is well noted. If it were that easy, we would have gone down that route already. :) Malware authors know this already and cling to whatever they can get their hands on to stay in control of the victim or, in their case, "The asset".

The type of infection here is known as a TDL4 / MaxSS, to be exact... It's a mixture of TDSS and ZeroAccess techniques. They come from the same malware family; it was no surprise when the first variants came out for TDL4 that included ZeroAccess's methods of defense. This version does not use the familiar ADS streams in a defensive process. The files are killed directly from Ring0 (driver land); this command can be sent outside the entire operating system from a separate driver completely hidden from the reach of the operating system, as the driver will be filtering all references to any scans for the rootkit, effectively keeping it stealthed. I visited the McAfee page you posted and the moderator posts a lot of propaganda about Malwarebytes. From personal experience there are a lot of Microsoft MVPs working on the Malwarebytes project and they are VERY VERY experienced and knowledgeable about what they are doing. That is why this rootkit restricts access to normal mode, as it uses a vulnerability in Malwarebytes and any other AV vendor's product. No live scanning? Good news for the rootkit owners. SFP (System File Protection) is disabled in "Safe mode", forcing the user to boot into safe mode and allowing them to remove and replace files previously protected by the operating system with their own "version". This makes it extremely hard to make a one-hit-kill solution, as infections are randomly done to different files, and also the problem of distribution copyright issues prevents software from having a backup copy to replace these files with a clean version. Businesses are affected the most because of the time-consuming effort that must be done to each individual computer. The deeper the rootkit is embedded, the harder it is to remove it without permanently damaging the host.
I'm back and have questions.  These are for Russell Venable if you are still around.

I have another Vista computer available, and I believe it is clean.  However, the operating system is Vista Ultimate, SP2.  The problem computer is Vista Home Basic without any SP updates.  (One of the ways I found the problem to begin with is that the Windows update would not run.)

If I build a recovery disc from Vista Ultimate, will it work on the problem computer to run the suggested processes?

Yes, it should run on the Windows Vista Basic machine. I used a W7 repair disk to repair a WinXP machine last week, in fact. Once the infection is gone or at least disabled, you will be able to update by Windows Update again. Until then we will see if wiping the MBR works with this version; if not, then we will look at other methods.
I'm not Russell, but the answer is yes.
Have created the Vista repair disc from NeoSmart.  Booted from the repair disc.  Brings up Recovery Essentials (Windows Vista 32-Bit Edition).  Options are:  
--- Attempt automated repair...
--- Scan for viruses
--- Use System Restore
--- Restore previous backup
--- Launch command line prompt
--- Check memory for defects

Please bear with me folks.  This stuff is new to me.

I selected "Launch command line prompt" which took me to
X:\windows\system32>
This is the system from the CD, right?
So I entered C: which yielded C:\>
Now I entered the chkdsk /f command.
Response:
"The type of the file system is NTFS.
"Cannot lock current drive.
"Chkdsk cannot run because the volume is in use by another process.
"Chkdsk may run if this volume is dismounted first.
"ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
"Would you like to force a dismount on this volume? (Y/N)"

What's the answer?  
SOLUTION
Thank you, willcomp!  Chkdsk is running!
Is there a Chkdsk log file somewhere which I can post?
The answer is "yes".  If you boot from the hard drive, you would not be able to lock the drive and an option would appear "...would you like to schedule this volume to be checked the next time the system restarts?"  (Y/N).  As you booted from a CD, your hard drive is not locked by the operating system and can be locked by another process (chkdsk).  We have all of the hardware here to do the same thing but from a fully loaded machine that has every utility imaginable on it instead of from a CD.  I hope this helps...
Sorry -- various of us doubled....
SOLUTION

Since I could not figure out the log stuff (was running CHKDSK prior to your last post), I keyed the results into Notepad.  Will attach the file.  

I am now attempting the sfc /scannow operation.  Receiving this message:
"There is a system repair pending which requires reboot to complete.  Restart Windows and run sfc again."
Guess I will attempt a reboot to normal mode to see what happens.
CHKDSK-Results-2011-01-27-20-53.txt
System still will not boot in normal mode.  Attempted sfc /scannow again.  Received "system repair pending" message again.  Any suggestions on the next step?
Got it to run:
sfc /scannow /offbootdir=c:\ /offwindir=c:\windows
Ok, The results above are not out of the norm. I'll wait for your results.
sfc /scannow results:
"Windows Resource Protection did not find any integrity violations."

bootrec.exe /fixmbr:  "The operation completed successfully."  Still could not boot into normal mode.
bootrec.exe /fixboot:  same as above; still could not boot normally.

Just for kicks, tried bootrec.exe /scanos   The result:
"Successfully scanned Windows installations.
"Total identified Windows installations: 0
"The operation completed successfully."

So, why could it find no Windows installations, I wonder?
That's odd. It's probably not finding it because it's being filtered. It's not normal. Can you export a registry key from the command prompt using
reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" Subsystems.reg

This command will output a registry (*.reg) key file in the same directory it's called from. Post that registry file here as an attachment. This command must be run as an administrator. I would like to see the bootup order your OS is configured with. Also run a new instance of TDSSKiller and GMER, and post those logs here as well.
If you're having trouble running the command I can make a batch file for you to use instead.
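The reg export command above writes a UTF-16 .reg file in which REG_EXPAND_SZ and REG_MULTI_SZ values appear as hex(2)/hex(7) byte lists, which is hard to read by eye. The following is an added example (not from this thread or any poster) that parses such an export, decodes the SubSystems values and flags any subsystem image path that is not under %SystemRoot%\system32; all function names are mine, and the embedded sample export is constructed, not nancywva's Subsystems.reg.

```python
import re
REG_EXPAND_SZ, REG_MULTI_SZ = 2, 7
SUBSYSTEMS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                  r"\Session Manager\SubSystems")
EXPECTED_DIRS = ("%systemroot%\\system32\\", "\\systemroot\\system32\\")  # normal home
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode_reg_text(raw):
    """reg export writes UTF-16 with a BOM; fall back to UTF-8 otherwise."""
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16") if bom else raw.decode("utf-8", "replace")

def _join_continuations(text):
    """Re-join hex values that reg export wraps with a trailing backslash."""
    lines, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        lines.append(buf + line.strip())
        buf = ""
    return lines

def _decode_hex(kind, body):
    """Decode hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ); others stay bytes."""
    data = bytes(int(h, 16) for h in body.split(",") if h)
    if kind == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return data.decode("utf-16-le").rstrip("\0") if kind == REG_EXPAND_SZ else data

def parse_reg(text):
    """Return {key_path: {value_name: value}} for the named values in a .reg file."""
    result, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"'):               # "string" (REG_SZ)
            result[current][name] = data[1:-1]
        elif (hm := re.match(r"hex(?:\((\d+)\))?:(.*)", data)):
            result[current][name] = _decode_hex(int(hm.group(1) or 3), hm.group(2))
    return result

def check_subsystems(reg):
    """Map each subsystem value to its image path and list those outside system32."""
    images, suspicious = {}, []
    for name, value in reg.get(SUBSYSTEMS_KEY, {}).items():
        if not isinstance(value, str) or not value:
            continue
        image = value.split(" ", 1)[0]
        images[name] = image
        if not image.lower().startswith(EXPECTED_DIRS):
            suspicious.append(name)
    return images, suspicious

# Constructed sample export (not the thread's Subsystems.reg), written the way
# reg export does: hex(kind) byte lists wrapped with backslash continuations.
def _reg_hex(kind, data, per_line=25):
    pairs = [f"{b:02x}" for b in data]
    chunks = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return f"hex({kind}):" + ",\\\n  ".join(chunks)

def _u16(*strings):                # NUL-terminated UTF-16LE, as stored in the registry
    return ("\0".join(strings) + "\0").encode("utf-16-le")

SAMPLE_REG_BYTES = "\n".join([
    "Windows Registry Editor Version 5.00", "", f"[{SUBSYSTEMS_KEY}]",
    '"Debug"=' + _reg_hex(2, _u16("")),
    '"Kmode"=' + _reg_hex(2, _u16(r"\SystemRoot\System32\win32k.sys")),
    '"Required"=' + _reg_hex(7, _u16("Debug", "Windows", "")),
    '"Windows"=' + _reg_hex(2, _u16(r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows")),
    # constructed out-of-place path so the check has something to flag
    '"Posix"=' + _reg_hex(2, _u16(r"C:\ProgramData\psxss.exe")), "",
]).encode("utf-16")
```

Run `check_subsystems(parse_reg(decode_reg_text(open("Subsystems.reg", "rb").read())))` against a real export; the `Required` list shows the subsystem load order, and a flagged name means its image is not where Windows normally keeps it.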
SOLUTION
After a few hours of sleep, I attempted to start the computer normally.  Failed, of course.
Booted from the NeoSmart Recovery CD and ran their scan (ClamWin Free Antivirus) - 8 threats found; results are attached.
Attempted normal reboot again; failed.
Started in safe mode to export registry key; that file is attached.
I copied the files from the infected system to this clean system using a USB flash drive.  When that flash drive was connected, my Norton Internet Security picked up "Trojan.ADH.2" and quarantined it.
Will proceed with TDSSKiller and GMER.
I have the manufacturer's "Recovery and Applications/Drivers" CDs - 2 of them.  This is a Toshiba.  I also have another disk for the same operating system which may be helpful.
User files have been backed up.
Normal bootup order is hard drive, DVD drive, LAN.


ClamWin-Scan-Results.txt
Subsystems.reg
When you try to boot in normal mode, are there any error messages? BSOD with stop code?
Willcomp:

Something flashed on the screen like a BSOD, but I cannot catch it.
SOLUTION
See if this looks similar to your situation.  https://www.experts-exchange.com/questions/27156632/Vista-Stop-08E-BSOD-at-Welcome-Screen.html

Note: rpggamergirl is a very knowledgeable malware removal expert.
GMER results are posted.
GMER.log
willcomp - that other posting certainly looks similar.  Used your trick to see the error - yup, 8E - same as the other one.  Maybe there is no solution.
Could be since there is a new pair of expert eyes -- Russell Venable. It'll be interesting to see what he comes up with.

That posting was the second Vista PC I encountered with the same problem. I haven't had any problems with CF and XP.
Semi off-topic...
I am down to only one Vista customer (my building contractor) and I have just convinced him to buy a new Windows 7 system.

So glad to never have to touch another one of those again.
Vic, there's a distinct possibility that the same thing could happen on a Win 7 system since it is very akin to Vista. I do much prefer Win 7 though.
Huzzah!  I'm afraid to breathe.  Executed the procedure for "Manually repairing the Windows Bootloader" (see Russell Venable's last post, ID 37510747).  Booted normally!
What should I run next:  ComboFix, TDSSKiller, MBAM?
Well good!! I never thought about repairing the boot loader. It helps to have an in-depth understanding of how the malware works.

Wait for direction from Russell.
Toshiba is a good brand. Never did me wrong. Just like I suspected. The rootkit is filtering using a filter driver. Which files exactly did you copy over and test on the separate PC to virus scan? Did you happen to grab a copy of the driver ClamAV happened to find? The Java found are how the rootkit got onto the system, but if I can get ahold of the actual rootkit driver I can see for myself how it's hiding its traces by static analysis.  Right now I am going through a power outage and can only reply through the phone, so I apologize. If you can, run ComboFix as a random name and post the results here. The process you completed before eradicated the rootkit's startup method in what's known as the Virtual Boot Record (VBR). So ComboFix and normal mode should be good to go now. If you can grab quarantined files and keep them in a passworded zip file, I can continue further on here and get a forensic look at the actual rootkit and find out where its C&C is located, so it can be blocked. If I'm lucky enough to get rootkit components, that is.
Clam AV results are with one of my earlier posts - ID 37612339.
Downloaded ComboFix with a different, convoluted name.  Will not run - same behavior as before - says the scan is starting and could take 10 minutes or double that, locks up the system after about 50 seconds.  I will look for quarantined files.
Alright. At least you're in normal mode now. Can you do a scan with Malwarebytes or is that blocked too?
SOLUTION
MBAM did run.  Will use clamAV again now, and let you know results.
Have attached the latest results.  That scan takes a while to run.  Should I be concerned about the "access denied" indications?
clamav-report-280112-204334.txt
That is your shadow copy directory. The only way to gain access to scan that part is to add yourself, assuming you're scanning from Windows.
You don't need to worry about that file. It's your hibernation file for when your computer sleeps; it's a power save feature.
What do you think, Russell?  Do you think it's clean now?  Is there anything else I should do?
Try to see if ComboFix still gets blocked. We will know then. :) Sometimes when you think it's clean there is still work to be done. Let's hope this is not the case. If it doesn't block it, we will complete the scan with ComboFix and see what we can do to prevent future exploitation.
OK, will try ComboFix again.  Will get back to you in the morning.  You know that you and the rest of the helpers here are my new best friends.  I cannot thank all of you enough for the help you have provided.
Tried ComboFix again with the same result.  I had even removed a residual McAfee Personal Firewall which I found hanging around (used McAfee removal tool), thinking that might be the block.  No such luck. Russell, et al, I guess I will have to cross my fingers for a while.  What do you think?  The system appears to be running ok.  Just don't know what may be lurking.
Well, we definitely fixed one portion. It appears there may be some system drivers still patched with defensive code from the rootkit. The hard part is finding which ones. I really want to be sure you're free of rootkit components. Can you run a fresh copy of TDSSKiller? This should find the patched drivers causing ComboFix to fail.


As far as prevention. If you don't use Java specifically for any applications it is safe to uninstall this software or if you do use it, try to at least upgrade your installed version to a new version.
Any progress?
I apologize for the delayed response.  Have been out all day and just saw your comments.  I will see what I can do with TDSSKiller.  And I will take your advice about Java.  There is no reason to remain exposed.  It may be a few days before all of this is done.  I will be back in touch as soon as possible.  Thank you again for all of your help.  I would not have managed without your input.  And I have learned a lot.
Np! That is why I am here. :)
It's been a few days. Thought I'd check up and see how things are going.
Hello, Russell, I am back.  It has been a long week.

The problem computer has not been used much.  I just finished a fresh scan with TDSSKILLER.  Processed 239 objects; no threats found.  I did notice that I could check a parameter to "Detect TDLFS file system."  Should I try that option?
Yes, that would be a good idea.
Came up with a warning.  Have attached the TDSSKiller reports from first and second scans.  There must be something lurking.

The first scan was run without "Detect TDLFS file system."  For the second scan, this option was selected.
TDSSKiller.2.7.9.0-05.02.2012-11.txt
TDSSKiller.2.7.9.0-05.02.2012-20.txt
Ok, can you zip the whole quarantine folder with a password of "infected", and send the zip file to my email address in my profile. This way I can take a better look at the rootkit files.
I will do this today.
File has been sent.
Got it! Examining the files now. Ok, the option "Copy to Quarantine?" does not delete the files. The files are still there. If you run tdsskiller again and wait till you reach the end. It will allow you to select options on items found during the scan, select delete for the rootkit items detected and you should be good to go. Does the system behave normally now?
1. Ran TDSSKiller again, with "Detect TDLFS File System" selected.
2. Selected "Delete" for the TDSS File System warning options.
3. Restarted the computer.
4. Ran TDSSKiller again, with the same selection.
5. No problems found!

Yes, the system seems to be working normally.  I have uninstalled Java, which was one of your earlier suggestions.

Shall we consider it clean?
SOLUTION
ASKER CERTIFIED SOLUTION
This problem was a tough one for me.  The help I received was outstanding.  Thank you to everyone who followed through with me for so many days.  Russell Venable, you are incredible.  To anyone who reads this dialogue, please block those sites in your router.
Thanks! Glad to help out.
This one needs to go in the EE Hall of Fame!

nancywva - I've never seen an asker who would hang in there as well as you have and the work from "Russell_Venable" was stellar.