Help with Olmarik.TDL2 Olmasco.O trojan removal


My parents' laptop seems to have a nasty trojan infection and I'm in over my head on fixing it. It's a Lenovo 3000 N100 running Win XP Pro SP3.

ESET detected two trojans in memory, Win32/Olmasco.O associated with a svchost.exe process and Win32/Olmarik.TDL4 which is not associated with anything. Neither can be cleaned. I could kill the process which eliminated the Olmasco.O detection. I found a suspicious entry to start Messenger in the HKCU Run area, and deleting it eliminated the Olmasco.O on startup (although I guess that means that file has been hijacked?). Here's what ESET sees now (memory and boot sector scan):

Scan Log

Version of virus signature database: 7377 (20120811)

Date: 8/11/2012 Time: 5:27:39 PM

Scanned disks, folders and files: Operating memory;C:\Boot sector;E:\Boot sector

Operating memory - Win32/Olmarik.TDL4 trojan - unable to clean

Number of scanned objects: 655

Number of threats found: 1

Number of cleaned objects: 0

Time of completion: 5:28:22 PM Total scanning time: 43 sec (00:00:43)

A bunch of ugly things happened from the infection: the computer is slow, saving files takes forever, all of the icons disappeared from the Start Menu and Desktop, etc. I'm not even sure what all I did, but I think some combination of Malwarebytes Anti-Malware and ERARemover recovered the Desktop and Start Menu. The other symptoms remain.

Most of the anti-rootkit stuff has been ineffective. TDSSKiller and aswMBR just won't run even if I rename them. GMER gives a LoadDriver error in kglyypod.sys (0xC000010E) when it starts (something about a stable subkey) and can only do some of its scans (Services, Registry, Files):

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-08-11 17:12:09

Windows 5.1.2600 Service Pack 3

Running: 7pbixleu.exe; Driver: C:\DOCUME~1\Frank\LOCALS~1\Temp\kglyypod.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cef1e350

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cef1e350 (not active ControlSet)

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

Panda Anti-Rootkit found nothing. MBRCheck says that the MBR is faked. I backed it up and let it over-write, but it said the same thing when I restarted. I'm not sure this really worked, though, since the Lenovo recovery screen still came up.

I also tried to run Combofix, but it crashes after about 5 min. into the part that it says will take 10 min, and you have to re-start. No log file gets produced. It did install the recovery console.

Sadly, DDS.com also will not run. It goes through many ##'s, gives an error about js.prefs, and then a few #'s later the computer crashes. It has to be restarted, no logs. So the best I can figure out to send is the HiJackThis log, which follows at the end of this.

I am not averse to formatting the drive and starting over (might as well put Win7 on I guess), but my understanding is that if the MBR is infected, it will just immediately re-infect when I install again. So I guess I need help with that. Suggestions? Thanks a lot.

I forgot to mention that the service running inside the svchost.exe that was infected was Dnscache, in case that helps.

Tom

mbam-log-2012-08-11 (13-57-27).txt

MBRCheck_08.11.12_19.10.00.txt

hijackthis.log

ESET.log

gmer.log


Hello magliery! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Do you have any USB Flash drive on hand?


Hi Maniac,

Thanks for the reply. Yes, my parents do use this PC for electronic banking and other purposes with sensitive personal data. I am totally fine with re-formatting and reinstalling. My questions would be this:

1. Do we have to remove the infection first from the MBR so that it doesn't re-infect the PC? If so, how do I do this? Is it possible to be sure about this, or should I consider replacing the HDD ($60 is pretty cheap for this kind of peace of mind)? What would you do?

2. The physical drive is partitioned into Programs and Data drives. If we can clean the MBR, would it be OK to wipe only the C: Programs drive, or is it likely that there would still be an infection buried in the D: drive somewhere? ESET does not detect any infected files, only operating memory, but that seems impossible (it must be executing code from somewhere?).

3. ESET first detected the infection on Aug. 4 at 6:46 pm. However, there are also DNS cache poisonings on May 30 and July 25; I don't know if they are related. The last backup to an external drive (using Genie Backup Manager) was July 22-24 (for some reason it took 38 hours?). Is that data likely to be trojan-free? Is that external drive likely to be infected (for example, in its MBR)? What should I do with it?

The bottom line is that I do need to be able to get to the data somehow, so I probably need to clean it to the extent necessary to make that safe.

Yes, I have a USB flash drive. I am working from another PC now; the laptop is offline and I'm keeping it off in between times I've tried to work on it. It was also off from the 4th to the 11th. I was out of town, and when my parents told me about the ESET detection, I told them to turn it off until I could look at it. Hopefully we minimized the damage.

Thanks,

Tom


Tom, it would be better if we clean the MBR, to make sure that it will not be a problem after reinstalling. Furthermore, it is important that the reinstall includes the entire hard drive, because you can't be sure exactly where the problem would arise. Regarding your data: it is important, after you reinstall, to protect the new system (antivirus, firewall and other security measures), so that once you restore the data it can be verified with your protective programs to confirm that it is clean from malware.

About your MBR:

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Hi, this laptop is running WinXP Pro SP3, so there are no System Recovery Options. For some reason I had created a BartPE CD before, so I used that to boot and ran FRST. The log is attached.

Two notes. (1) I am behind a Linksys router firewall, so I assume these brief online sessions are not too dangerous.

(2) Is this USB stick now garbage, or is there some way for me to know it hasn't been infected? I'm worried its MBR could also be infected (if that's a thing that happens to USB sticks...?).

Thanks,

Tom

FRST.txt


Hi, OK, just to be clear:

1. Those directions will clean any infection from the MBR and boot sector?

2. I take it after I do that, I should use a Win 7 disk to format and install, right?

3. I didn't understand what you said before. Will it be safe to leave the DATA partition alone, install the system, install ESET and MBAM, and then access any data on the DATA drive? Or are you saying I should format the WHOLE drive and put the data back from the external backup?

4. How do I know if the external backup is OK? How can I check?

5. Is my USB drive that I just used for the above OK? How can I check?

Thanks a lot,

Tom


1. Those directions will clean any infection from the MBR and boot sector?

Yes, your MBR will be back to default.

2. I take it after I do that, I should use a Win 7 disk to format and install, right?

That's right.

3. I didn't understand what you said before. Will it be safe to leave the DATA partition alone, install the system, install ESET and MBAM, and then access any data on the DATA drive? Or are you saying I should format the WHOLE drive and put the data back from the external backup?

You should format the whole hard disc (all partitions).

4. How do I know if the external backup is OK? How can I check?

With your security programs which you should install immediately after the re-install.

5. Is my USB drive that I just used for the above OK? How can I check?

Check my previous answer.

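One way, from the defender's side, to verify that a disk's MBR really is "back to default" after a fixmbr: parse the raw 512-byte sector, check the 0x55AA signature and partition table, and compare the boot-code region against a SHA-256 captured from a known-clean install of the same OS. This is an added example, not code from the thread or from any of the tools mentioned in it; the sample sector, its partition entry and the reference hash are all constructed here, and in practice you would read sector 0 of the disk with a tool of your choice and take the reference from a clean machine.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0..439 hold the boot code in the classic layout
PTABLE_OFF = 446      # four 16-byte partition entries start here
SIG_OFF = 510         # two-byte 0x55AA boot signature

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR sector into boot-code hash, partition entries and signature flag."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PTABLE_OFF + 16 * i:PTABLE_OFF + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)  # CHS fields skipped
        if ptype != 0:  # partition type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"}

def check_mbr(mbr: bytes, reference_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the clean reference."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != reference_sha256:
        findings.append("boot code differs from clean reference: possible bootkit or non-standard loader")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not a real disk image): boot code plus one bootable NTFS partition."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    sector[PTABLE_OFF:PTABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)

CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 50)  # constructed stand-in
REFERENCE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()   # would come from a clean disk
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_MBR[2:57])              # first two bytes patched
if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, REFERENCE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, REFERENCE_SHA256))
```

A hash match only tells you the boot code is the expected one; it says nothing about what lives in unpartitioned space or in the partitions themselves, which is why the helper's advice to wipe the whole disk still stands.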

Sorry, yes, I did the fixmbr and then installed Win 7. I'm building the system now. I completely re-partitioned and formatted the drive. The only thing I'm still concerned about is what will happen when I restore the data from back-up. I have MSE and MBAM up and running, and I will probably change MSE to ESET (my parents have a subscription through 9/2013), so it should be as well protected as possible.

What do you recommend I do to check it out after I restore the data (besides a full MBAM and ESET scan)? I guess we can cross that bridge when I get to it. I'll let you know when I do.

I do appreciate your help, and I am getting MBAM Pro for all my computers...

Thanks,

Tom


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
