Hard disk suddenly crawling - likely rootkit
So a few days ago, all of a sudden, I noticed that my system was taking longer to boot up, and then I noticed that my system performance had ground to a screeching halt. The hard drive in my system appears to be accessed in very short bursts with long pauses in between. I ran a scan with Avira and noticed in the log that it was preventing my hidden-object search from taking place. I also noticed that when UAC needs permission it is now coming up with a completely different allow/deny prompt that looks more like a Norton Labs-style prompt, and I've never had Norton installed on this system. The system delays are particularly bad when I have to approve something to run as administrator, which can take several minutes to start running. One last observation was that when I followed the steps on this site to download DDS, that was when Avira detected dds.pif as a virus, so I'm pretty sure whatever this rootkit is, it has gotten its hooks into my antivirus software as well.

Thank you for your help.

DDS.txt follows:


DDS (Ver_11-03-05.01) - NTFSx86

Run by toghia at 21:51:39.01 on Tue 03/29/2011

Internet Explorer: 8.0.6001.19019


Attach.zip

mbam-log-2011-03-29 (21-18-39).txt


Have you set your computer to connect through a proxy server? If not, we'll remove it. Even if you set this, I'd recommend you to stop using it, since using a dedicated port for internet traffic is very unsafe.

If combofix asks you to update, please do so.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


KillAll::

Rootkit::
c:\windows\system32\drivers\pwdiipow.sys

Driver::
pwdiipow

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


I briefly used the proxy server to stream some news from the BBC (that needed to think my computer was in the UK), but I immediately disabled it afterwards.

Machine still slow. Combofix.txt attached. Thank you for all your assistance thus far.


Please run the following as a CFScript and let me know how things are running afterwards.

DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 109.204.9.25:3128

Driver::
XCQI

Rootkit::
c:\users\toghia\AppData\Local\Temp\XCQI.exe
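An added triage check, written for this page and not part of the thread or of ComboFix, that looks for the indicators the two CFScripts above target (the pwdiipow driver service and file, the XCQI.exe temp file, and the per-user proxy setting). It assumes an elevated PowerShell session on the affected machine and uses only built-in cmdlets.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell session
# on the machine being examined. The driver name, file paths and proxy key are the
# indicators named in the posts above; nothing here is invented.
$driverName = 'pwdiipow'
$driverFile = 'c:\windows\system32\drivers\pwdiipow.sys'
$tempExe    = Join-Path $env:LOCALAPPDATA 'Temp\XCQI.exe'
$proxyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$findings = @()

# 1. Is a kernel driver service with that name registered, and is it running?
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$driverName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Driver service '$driverName' present: State=$($svc.State) Path=$($svc.PathName)"
}

# 2. Do the dropped files exist, and do they carry a valid Authenticode signature?
foreach ($f in @($driverFile, $tempExe)) {
    if (Test-Path -LiteralPath $f) {
        $sig = Get-AuthenticodeSignature -LiteralPath $f
        $findings += "File present: $f (signature status: $($sig.Status))"
    }
}

# 3. Per-user WinINet proxy: an enabled ProxyServer the user did not set is the
#    same setting the helper's DDS:: directive removes.
$ie = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
if ($ie -and $ie.ProxyEnable -eq 1 -and $ie.ProxyServer) {
    $findings += "User proxy enabled: ProxyServer=$($ie.ProxyServer) Override=$($ie.ProxyOverride)"
}

# Caveat: a kernel-mode rootkit can hide its file and service from these user-mode
# queries (compare the 'hidden object' GMER/Avira result later in the thread), so an
# empty result is not proof of a clean system; an offline scan from boot media, as the
# helper later suggests, sidesteps that hiding.
if ($findings.Count -eq 0) { 'No thread indicators found via user-mode queries.' }
else { $findings }
```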


Can you give me the exact details of the Avira message? The log looks clean now; however, just as important is how your machine is behaving. :)

It simply reported 1 hidden object in its scan summary. When I checked the scan log it listed "c:\windows\explorer.exe" as a hidden object.

Unfortunately, the computer doesn't appear to be running any faster. The hard drive continues to have extremely long pauses between short bursts of reads, causing major performance problems. It takes nearly 10 minutes from password login until I can actually use the computer. 1-2 minute delays occur when launching apps, especially bad for those that require elevated administrative privs. Video playback is impossible as it keeps pausing. This is with a Western Digital Black (performance) drive. I ran SMART to make sure the problem wasn't hardware related, and besides, my Ubuntu and Windows recovery partitions are not exhibiting the problem, so it must be software related. Strangest of all is that this wasn't a performance degradation issue but, like a light switch, my machine went from working fine to having all these problems, more like a Trojan that decided to go active, and if memory serves, I hadn't installed anything before the problem started. The last thing I remember was that I had to abruptly shut down the machine (couldn't wait for a clean software shutdown), so I tried "checkdsk /f" and also "sfc /scannow" to see if there was any corruption of my OS, but nothing was detected, and the fact that Spybot, Malwarebytes, and Avira are all returning completely clean scans when there are usually at least 1-2 tracking cookies on the system is enough to convince me that something is still hiding all the malware.


In that case, let's run a rootkit scanner, to see if something more might be amiss.

GMER

-------

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.


OK. I will run GMER again when I get home. If you recall, my GMER log was included with the email following the "now what do I do?" procedures pinned to the top of this forum. Do you think it will catch something new this time or did you want to look at the ark.txt file I attached at the very beginning?

Correction, I meant my GMER log was included in the zip file I attached to the initial post. Sorry for any confusion.


Sorry, I forgot to adapt the instructions. I need to see a bit more GMER output.

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

Now click the Scan button. If you see a rootkit warning window, click OK.

Before clicking the Scan button, ensure that all options in the right panel are checked, except for Devices and All.

Okay, that helps a lot and means most likely ComboFix was not able to fix this. First of all, let's try to do it from Safe Mode with Networking.

Restart your computer in Safe Mode (tap F8 when your computer starts and select Safe Mode with Networking from the Advanced Boot Options Menu).

Then run the following as a CFScript. If asked to update Combofix, allow it.

Rootkit::
c:\windows\system32\drivers\pwdiipow.sys

Driver::
pwdiipow


My frustration is only mounting. So I booted into safe mode, dragged the CFScript.txt onto Combofix.exe, and first I got a warning about Avira, so I went to disable it, but there is nothing for Avira running in the system tray in safe mode, so then I launched the AntiVir Control Center and it showed that Avira is not currently running. I then went to Task Manager and couldn't see any Avira processes running on the system, so I went ahead and ran Combofix despite the warning about my anti-virus software, which as far as I could tell was not running.

During the execution of Combofix in safe mode, I got two "Access Denied: Administrative privs are required" messages (one at the very beginning, and one around Stage 38), which is particularly odd since UAC is supposed to be disabled in safe mode (a fact that I confirmed). Now that I think about it, I have been noticing weird issues with my permissions for a while now, such as when I tried to save a file to a directory and Windows told me I needed administrative privs (even though I am an administrator) and wouldn't even allow me to elevate the task. I also tried running TDSSKiller thinking that I might have an MBR infection, but whether I select "Run as administrator" or even try to run from safe mode using the "Run as administrator" option, I still get the stupid "You need to have administrative privs" error message and the program quits. The only conclusion I can reach is that this infection is obviously much deeper than anything we've tried thus far. I appreciate your help if you still have any ideas.

And yes, the system is still running ridiculously slowly.

ComboFix.txt


In that case, let's do this a little differently. The following steps will allow us to delete the offending file without it being protected.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt
    Please note - all text entries are case sensitive

Copy and paste the report.txt for my review


Sorry for the delay. I got sent out of town for work. I just have two questions before proceeding. First, since I already have a UNIX partition on my system, wouldn't it just be easier to mount my NTFS partition and run whatever UNIX-based tools you want me to run from that?

Second, I once removed a rootkit device driver that had added itself to Vista's essential device list. With the driver removed, the system would no longer boot and would wind up loading the repair console. Do you think that could happen again here?


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
