Use Combofix only in collaboration with a Qualified Helper.
Please bear in mind that the following instructions are for Qualified Helpers.
If you are not one, seek assistance at one of the Hijackthis forums.
Don't try this fix if your system has a factory MBR or a multiboot setup.
Not long ago I came across the Whistler Bootkit in a Hijackthis log.
This very aggressive malware takes over the PC.
Gmer, The Avenger 2, Combofix and others didn't give any solution.
Nor did a System Recovery!
The following symptoms are visible:
Kaspersky:
HEUR: Trojan.Win32.Generic in the C:\System Volume Information folder
Dr Web:
smss.exe C:\System Volume Information\Whistler Win32.HLLC.Asdas.8 No recovery.Replaced
svchost.exe C:\System Volume Information\Whistler Win32.HLLC.Asdas.8 No recovery.Replaced
In Hijackthis, one can notice the following:
Running processes:
C:\System Volume Information\Whistler\svchost.exe
C:\System Volume Information\Whistler\smss.exe
or after a system recovery:
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
Combofix shows us:
------------------------ Other active processes------------------------
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
(or C:\System Volume Information\Whistler\svchost.exe
C:\System Volume Information\Whistler\smss.exe )
The Startup list of Hijackthis shows the following (if System Recovery was used):
Windows NT 'Wininit.ini' :
PendingFileRenameOperations: C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exeC:\System Volume Information\_restore{d5fffa500b1b}\smss.exeC:\System Volume Information\_restore{d5fffa500b1b}\SMSS.EXEC:\System Volume Information\_restore{d5fffa500b1b}\SVCHOST.EXE
The PendingFileRenameOperations value under [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] wasn't present.
Combofix and The Avenger delete the two files, but after a reboot they immediately come back.
Identification:
An intensive Google search taught me that I was dealing with a Whistler Bootkit.
The solution:
Because this one hides itself in the boot sector, speed and accuracy are of the utmost importance.
Step 1
Download bootkit_remover.rar (INFO)
Unzip the file.
Open the bootkitremover folder and double-click remover.exe.
Post what appears on the screen (copy & paste).
Step 2
An infected boot sector looks like this:
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
http://www.esagelab.com/
\\.\C: -> \\.\PhysicalDrive0
MD5: 274955059efe9236c07688c5ff9242b2
Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix
This line immediately gets my attention: \\.\PhysicalDrive0
Before moving on with the repair, double-check this with MBRCheck:
Download MBRCheck.exe to your desktop.
Double-click MBRCheck.exe.
If you are asked about a report, type N and press Enter.
Press Enter again.
On your desktop you will find a file named MBRCheck_mm.dd.yy_hh.mm.ss.
If it looks something like this:
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
PhysicalDrive0 Model Number: MAXTORSTM380815AS, Rev: 3.AAD
Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: F238F1FE114296B6DC7716517DC1DADB3FF3D5C6
Done!
then we are done!
Otherwise, follow the instructions below.
We remove this by writing a batch file that calls remover.exe with the fix switch:
@ECHO OFF
REM Overwrite the boot code of the first physical disk with clean code
START remover.exe fix \\.\PhysicalDrive0
EXIT
After executing this batch file, the PC has to be rebooted immediately.
It is very important that the TS (topic starter) does this because of the possibility of reinfection.
One can also add the SHUTDOWN -r command to the batch file so the reboot happens automatically:
@ECHO OFF
REM Overwrite the boot code of the first physical disk with clean code
START remover.exe fix \\.\PhysicalDrive0
REM Reboot straight away so the bootkit gets no chance to reinfect the MBR
SHUTDOWN -r
EXIT
After the reboot, ask the TS to run remover.exe again and post the remover.exe log.
If everything went OK, the log should look like this:
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
http://www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Double-check it with Gmer and Hijackthis.
It is recommended to have the TS change their passwords.
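As an added example (not part of the original post and not code from eSage Lab or MBRCheck), here is a Python script that performs the same kind of check those tools do on the first sector of a disk: verify the 0x55AA signature, hash the 440-byte boot-code region (so the per-disk signature and partition table do not change the hash) and compare it to an allowlist, and parse the partition table to show the byte offset MBRCheck prints (0x7e00 above is LBA 63 * 512). The "clean" boot code, the allowlist entry and the 512-byte image are constructed for the demo and are not real Windows MBR code; on a live Windows system the 512 bytes would come from reading \\.\PhysicalDrive0 with administrator rights.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0x000-0x1B7: executable boot code
DISK_SIG_OFF = 0x1B8         # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"  # bytes 0x1FE-0x1FF

# Constructed stand-in for clean boot code (NOT real Windows XP MBR code).
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 433
# Allowlist keyed by MD5 of the boot-code region, mirroring the way
# Bootkit Remover / MBRCheck report a hash and a verdict per disk.
KNOWN_GOOD_MD5 = {hashlib.md5(CLEAN_BOOT_CODE).hexdigest(): "constructed clean boot code"}

def build_mbr(boot_code, disk_sig=0xD5FFFA50, part_entries=()):
    """Assemble a 512-byte MBR image from its pieces (constructed test input)."""
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (boot, ptype, lba, sectors) in enumerate(part_entries[:4]):
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i,
                         boot, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", lba, sectors)
    mbr[SECTOR - 2:] = MBR_SIGNATURE
    return bytes(mbr)

def parse_partitions(mbr):
    """Return the non-empty partition entries with their byte offset on disk."""
    parts = []
    for i in range(4):
        boot, _, ptype, _, lba, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 means an unused slot
            parts.append({"bootable": boot == 0x80, "type": ptype,
                          "lba": lba, "sectors": sectors,
                          "offset": lba * SECTOR})
    return parts

def check_mbr(mbr):
    """Classify an MBR image: signature check, boot-code hashes, verdict."""
    if len(mbr) != SECTOR or mbr[SECTOR - 2:] != MBR_SIGNATURE:
        return {"status": "Invalid MBR (bad 0x55AA signature)"}
    code = mbr[:BOOT_CODE_LEN]
    md5 = hashlib.md5(code).hexdigest()
    sha1 = hashlib.sha1(code).hexdigest().upper()
    known = KNOWN_GOOD_MD5.get(md5)
    status = f"OK ({known})" if known else "Unknown boot code"
    return {"status": status, "md5": md5, "sha1": sha1,
            "partitions": parse_partitions(mbr)}
```

A single byte changed in the boot code is enough to turn the verdict into "Unknown boot code" while the partition table still parses normally, which is exactly the pattern in the infected log above.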
Emphyrio :)
Thanks to Marckie for supporting me with this difficult infection.