Author Topic: Can't stop search hijacking no matter what you scan with? It's prolly a bootkit.  (Read 1525 times)


Offline jr2

  • The Mail Man
  • 212
  • It's prounounced jayartoo 0x6A7232
Can't stop search hijacking no matter what you scan with? It's prolly a bootkit.
Did a quick format followed by a factory restore on a Dell, using the command prompt and the factory.wim image, with Falcon Four's UBCD 4.5 and the included ImageX GUI.

After it was done, fired up a browser and guess what?  Search redirect.  So after some searching, came across the fact that bootkits are becoming more and more popular (I thought boot sector viruses had died with DOS, but I guess they have made a comeback).

I couldn't boot to the recovery console; the virus killed that. I'm guessing the bootkit did it, as EasyBCD couldn't get a lock on the boot sector, but as soon as I used TDSSKiller (by Kaspersky) and removed the bootkit, EasyBCD fired right up.  Also, MS Security Essentials immediately picked up on the bootkit after TDSSKiller quarantined it, so if MSE had been installed prior to my getting ahold of the computer, it most likely would have caught it before infection.  (When I started working on it, there was an expired trial of NOD32 running in tandem with AVG Free, and a crippled Malwarebytes' Anti-Malware that couldn't initialize correctly, most likely due to the bootkit and two AV softs running.)

Other tools I came across in my searchings:

aswMBR.exe (by Avast!; careful, it can come back with false positives, so use with caution. It's like HijackThis: gives much useful info and can sometimes correctly identify threats, but sometimes makes mistakes.)

BD_Removal_Tool_AntiBootkit_x64 (or x86) (by BitDefender)

I'd already run ComboFix through; however, it didn't do much, as the bootkit was still active.  Gonna run it through now and see what can be done.

Oh, and I had run unhide.exe through it before, as all the files on the hard disk were hidden in the original infection.  Ran unhide, copied off the user files, formatted, and then discovered the bootkit was still infecting it.

Hope the info helps!

~jr2

TDSSKiller log file:

Quote
01:13:39.0171 4816   TDSS rootkit removing tool 2.7.26.0 Apr  4 2012 19:52:02
01:13:39.0550 4816   ============================================================
01:13:39.0550 4816   Current date / time: 2012/04/09 01:13:39.0550
01:13:39.0550 4816   SystemInfo:
01:13:39.0550 4816   
01:13:39.0550 4816   OS Version: 6.1.7600 ServicePack: 0.0
01:13:39.0550 4816   Product type: Workstation
01:13:39.0550 4816   ComputerName: RACHEL-PC
01:13:39.0550 4816   UserName: Rachel
01:13:39.0550 4816   Windows directory: C:\Windows
01:13:39.0550 4816   System windows directory: C:\Windows
01:13:39.0550 4816   Running under WOW64
01:13:39.0550 4816   Processor architecture: Intel x64
01:13:39.0550 4816   Number of processors: 2
01:13:39.0550 4816   Page size: 0x1000
01:13:39.0550 4816   Boot type: Normal boot
01:13:39.0550 4816   ============================================================
01:13:40.0877 4816   Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
01:13:44.0481 4816   Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
01:13:44.0487 4816   \Device\Harddisk0\DR0:
01:13:44.0501 4816   MBR used
01:13:44.0501 4816   \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x1D4C000
01:13:44.0502 4816   \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1D60000, BlocksNum 0x236CE2B0
01:13:44.0502 4816   \Device\Harddisk1\DR1:
01:13:44.0502 4816   MBR used
01:13:44.0502 4816   \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x74705800
01:13:44.0559 4816   Initialize success
01:13:44.0559 4816   ============================================================
01:14:12.0908 4936   ============================================================
01:14:12.0908 4936   Scan started
01:14:12.0908 4936   Mode: Manual;
01:14:12.0908 4936   ============================================================
01:14:13.0274 4936   1394ohci        (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
01:14:13.0278 4936   1394ohci - ok
01:14:13.0312 4936   ACPI            (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
01:14:13.0318 4936   ACPI - ok
01:14:13.0347 4936   AcpiPmi         (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
01:14:13.0348 4936   AcpiPmi - ok
01:14:13.0400 4936   adp94xx         (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
01:14:13.0417 4936   adp94xx - ok
01:14:13.0453 4936   adpahci         (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
01:14:13.0459 4936   adpahci - ok

<deleted a gazillion system driver entries here - jr2>

01:14:31.0531 4936   wudfsvc         (b551d6637aa0e132c18ac6e504f7b79b) C:\Windows\System32\WUDFSvc.dll
01:14:31.0534 4936   wudfsvc - ok
01:14:31.0565 4936   WwanSvc         (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
01:14:31.0570 4936   WwanSvc - ok
01:14:31.0622 4936   yukonw7         (79d9ce9614c955dd31aa2556b4014662) C:\Windows\system32\DRIVERS\yk62x64.sys
01:14:31.0627 4936   yukonw7 - ok
01:14:31.0650 4936   MBR (0x1B8)     (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0
01:14:31.0679 4936   \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
01:14:31.0679 4936   \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
01:14:31.0686 4936   MBR (0x1B8)     (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk1\DR1
01:14:31.0694 4936   \Device\Harddisk1\DR1 - ok
01:14:31.0713 4936   Boot (0x1200)   (a5a47f88a08d4a60ab8861a5e6c4609c) \Device\Harddisk0\DR0\Partition0
01:14:31.0713 4936   \Device\Harddisk0\DR0\Partition0 - ok
01:14:31.0744 4936   Boot (0x1200)   (f718c492716da6fd2b3527c65ba37340) \Device\Harddisk0\DR0\Partition1
01:14:31.0744 4936   \Device\Harddisk0\DR0\Partition1 - ok
01:14:31.0744 4936   Boot (0x1200)   (55f697e71427a982234d0bc4f2231a8c) \Device\Harddisk1\DR1\Partition0
01:14:31.0744 4936   \Device\Harddisk1\DR1\Partition0 - ok
01:14:31.0744 4936   ============================================================
01:14:31.0744 4936   Scan finished
01:14:31.0760 4936   ============================================================
01:14:31.0776 1164   Detected object count: 1
01:14:31.0776 1164   Actual detected object count: 1
01:23:45.0239 1164   \Device\Harddisk0\DR0\# - copied to quarantine
01:23:45.0239 1164   \Device\Harddisk0\DR0 - copied to quarantine
01:23:45.0317 1164   \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
01:23:45.0317 1164   \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
01:23:45.0333 1164   \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
01:23:45.0349 1164   \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
01:23:45.0349 1164   \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
01:23:45.0349 1164   \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
01:23:45.0707 1164   \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
01:23:45.0817 1164   \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
01:23:45.0895 1164   \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
01:23:46.0066 1164   \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
01:23:46.0175 1164   \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
01:23:46.0285 1164   \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
01:23:46.0347 1164   \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
01:23:46.0441 1164   \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
01:23:46.0503 1164   \Device\Harddisk0\DR0\TDLFS\info - copied to quarantine
01:23:46.0519 1164   \Device\Harddisk0\DR0\TDLFS\mainfb.script - copied to quarantine
01:23:46.0581 1164   \Device\Harddisk0\DR0\TDLFS\com64 - copied to quarantine
01:23:46.0643 1164   \Device\Harddisk0\DR0\TDLFS\serf_conf - copied to quarantine
01:23:46.0706 1164   \Device\Harddisk0\DR0\TDLFS\serf332 - copied to quarantine
01:23:46.0909 1164   \Device\Harddisk0\DR0\TDLFS\serf364 - copied to quarantine
01:23:47.0002 1164   \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
01:23:47.0018 1164   \Device\Harddisk0\DR0\TDLFS\bbr232 - copied to quarantine
01:23:47.0158 1164   \Device\Harddisk0\DR0\TDLFS\bbr264 - copied to quarantine
01:23:47.0314 1164   \Device\Harddisk0\DR0\TDLFS\bbr_conf - copied to quarantine
01:23:47.0408 1164   \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
01:23:47.0408 1164   \Device\Harddisk0\DR0 - ok
01:23:47.0673 1164   \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
01:26:08.0058 4808   Deinitialize success
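As an added example (not from jr2's post and not Kaspersky's tooling), here is a small Python parser that pulls the per-drive MBR hash and verdict, plus the list of quarantined TDLFS files, out of TDSSKiller log lines like the ones above. The sample log embedded in the code is a constructed subset copied from the quoted log. The line formats are my reading of this one log and may not cover every TDSSKiller version, and the `0x1B8` after `MBR` is interpreted here as the number of bytes hashed (440, i.e. the boot code before the disk signature at offset 0x1B8); the log itself does not say that.

```python
import re

# Every TDSSKiller line starts with "HH:MM:SS.ffff <pid>  " (assumption from the quoted log).
PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
DRIVE = r"(\\Device\\Harddisk\d+\\DR\d+)"

RE_MBR = re.compile(PREFIX + r"MBR \((0x[0-9A-Fa-f]+)\)\s+\(([0-9a-f]{32})\)\s+" + DRIVE + r"$")
RE_INFECTED = re.compile(PREFIX + DRIVE + r" \( ([\w.]+) \) - infected$")
RE_OK = re.compile(PREFIX + DRIVE + r" - ok$")
RE_QUARANTINE = re.compile(PREFIX + r"(" + DRIVE[1:-1] + r"\\TDLFS\\\S+) - copied to quarantine$")


def parse_tdsskiller(text: str) -> dict:
    """Summarise a TDSSKiller log: per-drive MBR hash/verdict and quarantined TDLFS files."""
    drives = {}
    quarantined = []
    for line in text.strip().splitlines():
        line = line.rstrip()
        if m := RE_MBR.match(line):
            hashed_len, md5, drive = m.groups()
            d = drives.setdefault(drive, {"verdict": "unknown", "threat": None})
            d["mbr_md5"] = md5
            d["hashed_bytes"] = int(hashed_len, 16)   # 0x1B8 -> 440 bytes of boot code (assumed)
        elif m := RE_INFECTED.match(line):
            drive, threat = m.groups()
            d = drives.setdefault(drive, {})
            d["verdict"] = "infected"
            d["threat"] = threat
        elif m := RE_OK.match(line):
            d = drives.setdefault(m.group(1), {"threat": None})
            # A trailing "- ok" after "will be cured on reboot" must not clear an earlier verdict.
            if d.get("verdict") != "infected":
                d["verdict"] = "ok"
        elif m := RE_QUARANTINE.match(line):
            quarantined.append(m.group(1))
    return {"drives": drives, "quarantined": quarantined}


def infected_drives(report: dict) -> list:
    """Drive names whose verdict is 'infected', with the detection name."""
    return [(name, d["threat"]) for name, d in report["drives"].items() if d.get("verdict") == "infected"]


# Constructed sample: a subset of the lines from the log quoted in the post.
SAMPLE_LOG = r"""
01:14:31.0650 4936   MBR (0x1B8)     (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0
01:14:31.0679 4936   \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
01:14:31.0686 4936   MBR (0x1B8)     (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk1\DR1
01:14:31.0694 4936   \Device\Harddisk1\DR1 - ok
01:14:31.0713 4936   \Device\Harddisk0\DR0\Partition0 - ok
01:23:45.0317 1164   \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
01:23:45.0317 1164   \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
01:23:47.0408 1164   \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
01:23:47.0408 1164   \Device\Harddisk0\DR0 - ok
"""

if __name__ == "__main__":
    report = parse_tdsskiller(SAMPLE_LOG)
    for name, d in report["drives"].items():
        print("%-28s md5=%s verdict=%s threat=%s" % (name, d.get("mbr_md5"), d["verdict"], d["threat"]))
    print("quarantined:", *report["quarantined"], sep="\n  ")
```

The parser keeps the original backslash-style device names as dictionary keys, so a real log can be fed straight in with `parse_tdsskiller(open("TDSSKiller.log", encoding="utf-8", errors="replace").read())`; the partition-level `Boot (0x1200)` lines are deliberately ignored since this post's infection lives in the MBR.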

 

Offline The E

  • He's Ebeneezer Goode
  • 213
  • Nothing personal, just tech support.
Re: Can't stop search hijacking no matter what you scan with? It's prolly a bootkit.
Moral of the story: Always have an up-to-date malware scanner.
If I'm just aching this can't go on
I came from chasing dreams to feel alone
There must be changes, miss to feel strong
I really need lifе to touch me
--Evergrey, Where August Mourns

 

Offline Nemesis6

  • 28
  • Tongs
Re: Can't stop search hijacking no matter what you scan with? It's prolly a bootkit.
I remember when I first ran into one of these things. Normally I notice when I get an infection from a site: the hard disk starts loading excessively, the website doesn't respond, a Java icon appears in the bottom-right tray (I've since disabled Java totally). This time I didn't notice it, but I was running NOD32, which suddenly started intercepting traffic to some dodgy click site (the affiliate gets money for each website visit), but I thought it was just one visit from earlier because the dialog didn't go away, and I didn't think I was infected. I removed it with one of those MBR-cleaner thingies, but if I hadn't known that they could infect that part of the computer, I'd have been totally ****ed.

 

Offline Bobboau

  • Just a MODern kinda guy
    Just MODerately cool
    And MODest too
  • 213
Re: Can't stop search hijacking no matter what you scan with? It's prolly a bootkit.
oh, great these things again.
/*wonders if it is a conspiracy to promote boot encryption*/
Bobboau, bringing you products that work... in theory
learn to use PCS
creator of the ProXimus Procedural Texture and Effect Generator
My latest build of PCS2, get it while it's hot!
PCS 2.0.3


DEUTERONOMY 22:11
Thou shalt not wear a garment of diverse sorts, [as] of woollen and linen together

 

Offline Nuke

  • Ka-Boom!
  • 212
  • Mutants Worship Me
Re: Can't stop search hijacking no matter what you scan with? It's prolly a bootkit.
Time for an obligatory "Nuke the site from orbit. It's the only way to be sure."
This is why Linux live CDs make good hard drive wipers. You need to delete all the partitions.
I can no longer sit back and allow communist infiltration, communist indoctrination, communist subversion, and the international communist conspiracy to sap and impurify all of our precious bodily fluids.

Nuke's Scripting SVN

  

Offline jr2

  • The Mail Man
  • 212
  • It's prounounced jayartoo 0x6A7232
Re: Can't stop search hijacking no matter what you scan with? It's prolly a bootkit.
Nah, fixboot /mbr   :nervous:   Actually, from what I'm seeing, TDLFS is some sort of hidden partition that can be created that acts as part of the boot sector??  It'd be nice to get a filesystem driver for that and actually use it, as like some sort of utility partition.

http://support.kaspersky.com/viruses/solutions?qid=208280748

Quote
-tdlfs – detect the TDLFS file system, that the TDL 3 / 4 rootkits create in the last sectors of a hard disk for storing its files. It is possible to quarantine all these files.

Actually, this stuff wouldn't be such a threat if there were more utilities making the entire boot sector / partition table / file system more open and transparent.  'Cause then, while anyone could throw a monkey wrench into it, anyone who has a clue as to what they are doing could fix it, too.  Currently, it seems only those with access to either some Pro Utils made by super geeks, or the super geeks themselves (with their trusty hex editors) stand a chance of actually making the computer do what they want.

Like, I heard that there's a boot sector virus that actually encrypts your MBR and holds it for ransom until you pay up.  Now, I'm pretty sure that you can re-build an MBR fairly easily (I've done so with a bit of trial and error and the aid of tools before); however, most really don't know where to even begin looking for that type of information.  To search online for it, you have to at least have enough knowledge to sort out the "Fix hard disk errors now! for a nominal fee and dubious results, if any" from the actual useful information, and sort that out from information that does not pertain to you, such as how to create and use an extended boot record, when all you want is to repair your normal boot record.
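Added example, not part of jr2's post or of any of the tools named in the thread: a Python routine that does the kind of "open and transparent" inspection jr2 is asking for on a raw 512-byte MBR. It checks the 0x55AA boot signature, decodes the four partition entries, hashes the first 0x1B8 (440) bytes of boot code in the way the TDSSKiller log above appears to label its MBR hash (my reading of that `MBR (0x1B8)` label, not something the log states), and computes how many sectors sit past the last partition, which is the "last sectors of a hard disk" region the Kaspersky text says TDL3/4 use for TDLFS. The sample MBR is constructed from the partition geometry TDSSKiller reported for Harddisk0; its boot-code bytes and disk signature are placeholders, not the real ones from that machine.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 0x1B8        # boot code occupies bytes 0..0x1B7; 4-byte disk signature sits at 0x1B8
PART_TABLE_OFF = 0x1BE      # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE        # 0x55 0xAA
# status, CHS start (3 bytes skipped), type, CHS end (3 bytes skipped), start LBA, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR into boot-code hash, disk signature and partition list."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly %d bytes, got %d" % (SECTOR, len(sector)))
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        status, ptype, start_lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": start_lba, "blocks": count})
    return {
        # Same byte range TDSSKiller's "MBR (0x1B8)" line is assumed to hash.
        "bootcode_md5": hashlib.md5(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        "partitions": partitions,
    }


def trailing_unallocated(mbr: dict, disk_size_bytes: int, sector_size: int = SECTOR) -> tuple:
    """(first free LBA, number of sectors) after the last partition: where TDL3/4 keep TDLFS."""
    total = disk_size_bytes // sector_size
    last_end = max((p["start_lba"] + p["blocks"] for p in mbr["partitions"]), default=0)
    if last_end > total:
        raise ValueError("partition table extends past the end of the disk")
    return last_end, total - last_end


def inspect(sector: bytes, disk_size_bytes: int) -> dict:
    """Full report for one MBR sector plus the disk size it came from."""
    mbr = parse_mbr(sector)
    first_free, free = trailing_unallocated(mbr, disk_size_bytes)
    mbr["first_free_lba"] = first_free
    mbr["trailing_free_sectors"] = free
    return mbr


def build_sample_mbr(partitions, bootcode: bytes = b"", disk_signature: int = 0) -> bytes:
    """Constructed test data: assemble an MBR from (type, start_lba, blocks, bootable) tuples."""
    sec = bytearray(SECTOR)
    sec[:len(bootcode)] = bootcode
    struct.pack_into("<I", sec, BOOTCODE_LEN, disk_signature)
    for i, (ptype, start, blocks, bootable) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sec, PART_TABLE_OFF + 16 * i, 0x80 if bootable else 0, ptype, start, blocks)
    sec[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sec)


# Constructed sample: the geometry TDSSKiller logged for \Device\Harddisk0\DR0 (0x4A85D56000 bytes,
# two type-0x7 NTFS partitions). Boot code and disk signature are placeholders.
DISK0_SIZE_BYTES = 0x4A85D56000
DISK0_PARTITIONS = [
    (0x07, 0x14000, 0x1D4C000, True),
    (0x07, 0x1D60000, 0x236CE2B0, False),
]
SAMPLE_MBR = build_sample_mbr(DISK0_PARTITIONS, bootcode=b"\xEB\xFE", disk_signature=0x11223344)

if __name__ == "__main__":
    r = inspect(SAMPLE_MBR, DISK0_SIZE_BYTES)
    print("boot code md5:", r["bootcode_md5"], " disk signature: %#010x" % r["disk_signature"])
    for p in r["partitions"]:
        print("  part%d type=0x%02X start=%#x blocks=%#x%s" % (
            p["index"], p["type"], p["start_lba"], p["blocks"], " (bootable)" if p["bootable"] else ""))
    print("sectors after last partition: %d (%.1f MiB) starting at LBA %#x" % (
        r["trailing_free_sectors"], r["trailing_free_sectors"] * SECTOR / 2**20, r["first_free_lba"]))
```

On the logged geometry the last partition ends exactly 2048 sectors (1 MiB) short of the end of the disk, which is the slice a TDLFS scanner like the `-tdlfs` option described above would have to read. To run this against a real disk, read sector 0 with `open("/dev/sda", "rb").read(512)` on Linux or `open(r"\\.\PhysicalDrive0", "rb").read(512)` as administrator on Windows, and pass the disk size from the OS. Do that from a live CD rather than from the infected install: an active TDL-family bootkit hooks the disk driver stack and hands back the original, clean MBR to anything reading it from inside the running system, which is part of why the scanners jr2 tried in-place saw nothing.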