redirecting me to other websites
Comments
-
Not surprised to see uTorrent...
-
did the op try tdsskiller?!!
-
Not sure - I know you suggested it earlier. If it's true to form, TDSSKiller won't run either.
I know with past TDSS/TDL variants it's been a game of cat and mouse - blocking TDSSKiller, then Kas working round it till they re-code it to block it again.
-
The partition table shows 4 partitions - I'm presuming; 1. Recovery (hidden), 2. The OS partition, 3. A backup/data partition & of course 4. The rootkit's partition (hidden).
The boot flag has to be set correctly, so I have to know exactly which partition the OS is on - I can't just presume the above - I need to know for sure.
Is this a laptop or desktop? It's not unusual (doh! now I've got that Tom flaming Jones tune in my head) to have 4 partitions on a Win 7 laptop; the 100MB Win 7 System Reserved, the OS, a logical data partition and the hidden OEM factory restore image.
604!
-
Going by the partition types, the first one could well be the Windows RE partition & on a second look it may well be (as I said, I can't just presume - I'd need more information from another tool, hence the question about the RE and flash drive). The second two are NTFS, the fourth is a Hidden IFS (HPFS), which it is known the rootkit uses.
On some Windows 7 computers and ALL Vista and Windows 7 computers that employ Bitlocker encryption (Enterprise and Ultimate editions), the 100 MB "System Reserved" Partition (rather than the larger Windows Primary Partition) may be the partition that needs to have its boot flag set.
The above is always the first partition. I would expect the boot flag to be set to the first or second partition. The boot flag is set to the fourth partition.
Also: See this information here
Another Example:
13:21:02.668 Disk 0 Windows 7 default MBR code
13:21:02.670 Disk 0 MBR hidden
13:21:02.672 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
13:21:02.674 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 91222 MB offset 206848
13:21:02.676 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 257 MB offset 187029504
13:21:02.678 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk
Going by the symptoms: google redirects (classic TDSS); AVs, MBAM etc. don't find anything; tools that may detect it won't run; MBRcheck gives the MBR as "Faked"; manually inspecting the MBR and seeing the information in the partition table - all that makes me 99.9% sure that we are dealing with this variant of TDL4.
-
@waddler, I think you may be right but I'm just trying to rule out other possibilities. Wouldn't a hidden factory restore image also be HPFS/NTFS? Also if you've booted into RE with an OEM custom MBR, it would flag the hidden image as active to allow the factory restore from it.
604!
-
You can google for the partition types.
The partition types of the OP's infected MBR are 1. 0x27 2. 0x07 3. 0x07 4. 0x17
Here's my own - note the boot flag is set to the OS partition, despite the Dell Recovery/diagnostic partitions.
10:42:46.640 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
10:42:46.656 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 175554 MB offset 96390
10:42:46.656 Disk 0 Partition - 00 0F Extended LBA 59576 MB offset 359647155
10:42:46.687 Disk 0 Partition 3 00 DB CP/M / CTOS MSDOS5.0 3223 MB offset 481660830
10:42:46.703 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 59576 MB offset 359647218
-
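The partition-table reading the posters are doing by hand, as an added example (this is not code from the thread or from any of its posters): a small Python script that parses a raw 512-byte MBR, lists the four entries with boot flag, type code, offset and size in the same shape as the tool output quoted above, and flags the pattern described in the thread - the active flag sitting on a hidden-type partition, or on a partition other than the first two (System Reserved / OS). Both MBR images are constructed here from the sizes and offsets quoted in the two posts; the type-name table and the set of "hidden" type codes are assumptions for illustration, not an exhaustive list.

```python
import struct

# Partition type names used in this thread (constructed lookup for the example, not exhaustive).
PARTITION_TYPES = {
    0x07: "HPFS/NTFS",
    0x0F: "Extended LBA",
    0x17: "Hidden HPFS/NTFS",
    0x27: "Hidden NTFS (Windows RE)",
    0xDB: "CP/M / CTOS",
    0xDE: "Dell Utility",
}
# Type codes treated as "hidden" by the check below (assumption for this example).
HIDDEN_TYPES = {0x17, 0x27}

SECTOR = 512
TABLE_OFFSET = 0x1BE          # the four 16-byte entries start here
ENTRY_FMT = "<B3sB3sII"       # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_entry(boot, ptype, lba_start, sectors):
    """Pack one 16-byte entry; CHS fields carry the usual LBA-only filler."""
    return struct.pack(ENTRY_FMT, boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR: empty boot code, the given entries, the 0x55AA signature."""
    table = b"".join(build_entry(*e) for e in entries).ljust(64, b"\x00")
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"


def parse_mbr(mbr):
    """Return the non-empty partition entries of a raw MBR as dicts."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "boot": boot,
            "active": boot == 0x80,
            "type": ptype,
            "name": PARTITION_TYPES.get(ptype, "unknown"),
            "offset": start,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def check_boot_flag(parts):
    """Apply the thread's heuristics; return a list of findings (empty means nothing odd)."""
    findings = []
    for p in parts:
        if p["boot"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid boot byte 0x{p['boot']:02X}")
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions carry the active flag (expected exactly 1)")
    for p in active:
        if p["type"] in HIDDEN_TYPES:
            findings.append(f"active flag on hidden partition {p['index']} (type 0x{p['type']:02X})")
        if p["index"] > 2:
            findings.append(f"active flag on partition {p['index']}, not on the System Reserved or OS partition")
    return findings


def describe(parts):
    """Render entries in the same shape as the tool output quoted in the thread."""
    lines = []
    for p in parts:
        flag = "80 (A)" if p["active"] else "00"
        lines.append(f"Partition {p['index']} {flag} {p['type']:02X} {p['name']} {p['size_mb']} MB offset {p['offset']}")
    return lines


# Constructed image mirroring the infected layout quoted above: 100 MB NTFS at 2048,
# 91222 MB NTFS at 206848, then a 257 MB hidden NTFS at 187029504 carrying the boot flag.
INFECTED_MBR = build_mbr([
    (0x00, 0x07, 2048, 204800),
    (0x00, 0x07, 206848, 186822656),
    (0x80, 0x17, 187029504, 526336),
])

# Constructed image mirroring the clean Dell layout: the OS partition is active, the others are not.
CLEAN_MBR = build_mbr([
    (0x00, 0xDE, 63, 96327),
    (0x80, 0x07, 96390, 359534592),
    (0x00, 0x0F, 359647155, 122011648),
])

if __name__ == "__main__":
    for label, image in (("infected", INFECTED_MBR), ("clean", CLEAN_MBR)):
        parts = parse_mbr(image)
        print(label)
        print("\n".join(describe(parts)))
        print("findings:", check_boot_flag(parts) or "none")
```

On a real machine the 512 bytes would come from sector 0 of the physical disk rather than from `build_mbr`; the check is only a heuristic, and as the thread notes an OEM custom MBR booted into the recovery environment can legitimately put the active flag on a hidden image, so a finding is a prompt to look closer, not a verdict on its own.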
Just out of interest, cos I don't want to chuck in any more red herrings to the diagnostic path you are following, but where does your Dell set the boot flag if you choose the recovery environment? More for my own edification than anything else, ta.
604!
-
I don't know for sure myself, but I'm guessing the boot flag is always set to the OS partition. At some point early in the boot cycle, pressing the correct function key will load the RE rather than the OS - hence the custom MBR.
-
> I don't know for sure myself, but I'm guessing the boot flag is always set to the OS partition. At some point early in the boot cycle, pressing the correct function key will load the RE rather than the OS - hence the custom MBR.
or the BCD is chainloading and making the restore partition volume bootable on selection :question:
Anyway, going way OT so enough distraction from me.
TOG604!
This discussion has been closed.