user1509

Members
  • Posts

    6
  • Joined

  • Last visited

Everything posted by user1509

  1. Well, this is a good thing to hear. I have attached the GParted screenshot of a disk with reappearing unallocated space from another infected PC, running XP SP3. The now GPT-formatted SSD does not seem to have it (also attached). I think I have managed to discover the source of the c0000225 error - to trigger it, all I had to do was hook my second HDD up. Apparently UEFI/BIOS tries to boot from the second (MBR) disk for whatever reason, even if I choose where to boot from myself. People who reported the same only had to disconnect the second disk and they would be able to boot into Windows successfully again - this does not work in my case, however. That second disk, which is MSDOS-partitioned, has some Windows leftovers as well, and I suspect it might also be infected - it also has an unallocated area. What is probably happening: the BIOS tries to boot from the second drive, malicious code from the partition table/boot sector is executed and is spread (at least Mebroot is known to do that) to the GPT-formatted SSD, getting in the way of the actual Windows installation's boot area, which makes the disk unbootable. I don't see any other reason for this to happen - people in general do not seem to have problems with Windows 7 installed on a GPT drive. So what I plan to do is to back up my data, secure erase both drives and format them to GPT. Would this be enough, if this was the problem? I also tried to scan my second PC (the one with the HDD in the screenshot) with TDSSKiller and it did not detect anything. So if TDSSKiller were infallible, this is not Alureon or another known TDL-family rootkit. Anyhow, if all of this works out, I plan to clean the second PC the same way later - to wipe the disk completely, probably turn it GPT and install something other than XP on it. Too bad we were not able to identify the problem, so that I or someone else reading this would know what exactly is to be done. That's it, I guess. 
If the threat reappears, should I ask for this thread to be reopened or create a new one? And thanks for everything.
  2. I have reset my router and reflashed it as well before. None of the forms in the web configuration panel seem to have any changes. Normally router hijacks are done by simply changing the DNS server settings. F-Secure's Router Checker reports DNS is fine. Nor do I have open ports on it. So the tools hackers use imply NAT traversal from inside the system, which is not a hard thing to do. I do not believe the router has anything to do with it, unless it was tampered with in a way such that resetting and reflashing is not a working solution. Yes, MBR implies an MS-DOS partition table. And GPT is another thing of the same type. I should have worded it differently, my bad. Yet the system has to have its bootloader somewhere, am I correct? And that's what aswMBR must be showing. My motherboard supports UEFI booting, but there is no Secure Boot option, only a Windows 8 one, which, if activated, refuses to boot since my video card's BIOS is not updated. And I am trying to use Windows 7. Thus the bootloader has to be on the disk itself. I have run countless tools before, TDSSKiller, MBAR and what not, that are supposed to help against rootkits and viruses. None would say there is anything wrong with the system, yet somebody still had control over it. Rootkits are made to disguise altered system files, malicious drivers, hooks and other activity of the malware, right? So that diagnostic tools would be misled in a way and report "everything is fine". Not only that, but they are also getting outdated, even if they did work at the time they were released. When hackers control the system, they can update the infection, which would be undetectable by anti-rootkit tools at the time. You still have not provided an answer as to why I have a growing unallocated data area at the end of the disk. I also have to mention that it was present before I had to use GPT, so it is not just the 2048-byte GPT backup. 
This area does not show up in diskmgmt.msc, yet it does in GParted from outside the system. What I have found out is that it is likely to be a result of malware activity. https://labs.bitdefender.com/2011/11/tdss-bootkit-spawns-clones/ Not only that, but bootkits like SST infect the partition table. http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/ The article says the boot record stays untouched, which is why it can persist over reinstallations and MBR-fixing tools. How do I make sure it is wiped out? The secure erase should help against that, it would seem. Yet the system crashed last time and would not boot any longer; reinstallations and bootrec did not help. That is, until I performed a secure erase again. Could something damage/infect the partition table? Or do you still think it is simply a hardware conflict/misconfiguration? If so, what do I look for? So what would the vector of (re?)infection be? Could it be the USB drive I used to deliver diagnostic tools to the PC in question? How likely is it that my hardware was infected while it was under the hackers' control? Like an external USB hub or disk firmware? That is theoretically possible. Can you please answer that? Thank you for your time, and feel free to correct me.
  3. MBRDUMP appears to be empty, but it is 512 bytes, so I attached it just in case. MBRDUMP.txt Fixlog.txt tdsskiller.txt
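An added example, not code from this thread or from any of the tools it mentions, showing what can actually be checked in a 512-byte MBR dump like the one attached above and how the trailing unallocated region discussed in the previous post is measured. It decodes the four partition entries at offset 446, reports whether the 0x55AA boot signature and any boot code are present (an all-zero sector has neither), recognizes a GPT protective MBR (type 0xEE), and computes how many sectors lie after the last partition. The disk size (100 GiB) and the partition entries are constructed sample data, not values from the thread; the `build_mbr` helper only exists to fabricate that sample.

```python
"""Inspect a 512-byte MBR dump and measure trailing unallocated space.

Added example for this thread; the sample MBR and disk geometry below are
constructed, not taken from any attachment in the thread.
"""
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"
GPT_PROTECTIVE_TYPE = 0xEE


def parse_mbr(data: bytes) -> dict:
    """Decode the partition table plus the flags a bootkit hunt cares about."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, data, off)
        if ptype == 0 and sectors == 0:      # unused slot
            continue
        partitions.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "lba_end": lba_start + sectors,   # first sector after the partition
        })
    return {
        # An all-zero sector has no 0x55AA signature and no entries: legacy BIOS
        # will not treat it as bootable, and a GPT protective MBR is absent too.
        "all_zero": not any(data),
        "has_signature": data[510:512] == BOOT_SIGNATURE,
        "boot_code_empty": not any(data[:PARTITION_TABLE_OFFSET]),
        "protective_gpt": any(p["type"] == GPT_PROTECTIVE_TYPE for p in partitions),
        "partitions": partitions,
    }


def trailing_unallocated_sectors(partitions, disk_sectors: int) -> int:
    """Sectors after the last partition end (what GParted shows as unallocated at the end)."""
    if not partitions:
        return disk_sectors
    return max(disk_sectors - max(p["lba_end"] for p in partitions), 0)


def build_mbr(entries, boot_code=b"", signature=True) -> bytes:
    """Construct a sample MBR (test data only, not a real boot sector)."""
    data = bytearray(MBR_SIZE)
    data[: len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, data, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, lba_start, sectors)
    if signature:
        data[510:512] = BOOT_SIGNATURE
    return bytes(data)


# Constructed sample: a 100 GiB disk (209,715,200 sectors of 512 bytes) with a
# 100 MiB bootable system partition and a Windows partition that stops about
# 248 MiB short of the end of the disk.
SAMPLE_DISK_SECTORS = 100 * 1024 * 1024 * 1024 // 512
SAMPLE_MBR = build_mbr(
    [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 209_000_000)],
    boot_code=b"\xfa\x33\xc0",   # not real boot code, just non-zero bytes
)
EMPTY_MBR = bytes(MBR_SIZE)      # like a dump that "appears to be empty"


def summarize(data: bytes, disk_sectors: int) -> dict:
    """parse_mbr() plus the size of the trailing gap in sectors and MiB."""
    m = parse_mbr(data)
    tail = trailing_unallocated_sectors(m["partitions"], disk_sectors)
    m["trailing_sectors"] = tail
    m["trailing_mib"] = tail * 512 / (1024 * 1024)
    return m


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # usage: mbrcheck.py MBRDUMP.bin <disk size in sectors>
        with open(sys.argv[1], "rb") as f:
            data = f.read(MBR_SIZE)
        disk_sectors = int(sys.argv[2])
    else:
        data, disk_sectors = SAMPLE_MBR, SAMPLE_DISK_SECTORS
    for k, v in summarize(data, disk_sectors).items():
        print(f"{k}: {v}")
```

Two caveats. First, the script only looks at sector 0 of a dump, so it has to be fed a dump taken from outside the suspect OS (a live CD, as with the GParted screenshots in this thread), since a bootkit that hooks disk I/O can present a clean sector to tools running under the infected system. Second, a small tail is normal: partition tools leave up to 1 MiB of alignment slack, and on a GPT disk the backup header and its entry array (33 sectors with the default 128 entries) sit at the very end, so a trailing gap of hundreds of MiB is neither alignment slack nor the GPT backup and should be examined directly (for example by imaging those sectors and checking whether they are all zeros).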
  4. First of all, thank you for replying. Some sites and services have reported numerous logins from my IP that I did not do, or through certain ways I do not use (cue telnet), and nobody who has physical access to this PC is capable of this. Nor could this be happening if somebody just got into my router. Sometimes sites showed a different IP from what my router displayed. Somebody also had the capability to type whatever into browser forms and manipulate some of the devices. I do believe it is getting overwritten, but things outside of it might not be. I also want to refer to this thread I found which hints that it is indeed possible. https://community.norton.com/en/comment/672323 As I have already mentioned, somebody had remote control over my PC even after formatting and reinstalling. Diskpart clean should have been able to wipe the MBR as well, yet the rootkit came back even though all the software and drivers were downloaded straight from the net and not from my backup drivers folder outside the disk. Why do I think it is a rootkit and not just some other malware:
- netstat does not show any out-of-place connections;
- something is using resources of my PC, as in bandwidth, CPU time, disk space or reads/writes, with no specific program linked to it. For example, CPU usage in Task Manager when idle is off by 20% even if I sum up everything including "Idle" - I have never seen this happen before. Of course, the "Show all users" option was checked. Also, the unallocated space at the end of the disk is growing in size over time to hundreds of megabytes;
- no antivirus or anti-rootkit tool has been successful in finding anything suspicious, which might be a result of a rootkit hiding itself from the system. 
On the current situation: when I swapped my motherboard, thinking some parts of my hardware were infected (this indeed might be too far-fetched and overly paranoid), for the UEFI one (thus the partition table of the HDD becomes GPT during the install), I was not able to properly reinstall the system - I was getting boot error c0000225 on the second stage of it (after the installation copies the necessary files to the SSD and reboots), which Google says is linked to a hardware configuration change or a boot sector virus. And I did not change any hardware. Then I performed a secure erase of the disk and voilà - the installation continues through the second stage to the end without a hitch. So then I decided to post here to have someone help me be sure it is in fact clean, so I inserted a USB stick with all kinds of diagnostic stuff like GMER - I did not want to connect my PC to the Internet just yet. When I did, I remembered that I had not disabled the Autorun feature, but did not pay it any mind. After running the tools mentioned in the first post and posting the results here, I left my PC running. When I later came back to it, it displayed the "Windows restored after a serious crash" message. So I shut the PC down, and the next day it won't boot... with a c0000225 error. No option helped - safe mode, repair, last working config, not even a repair from an installation disk and bootrec commands. The reinstallation process breaks after the first stage yet again. So here I am, lost. I guess I could try doing a secure erase and a reinstallation again, but I shall wait for your advice.
  5. Hello, my PC is infected with a rootkit which has persisted over several Windows reinstallations. I think this might be MBR-related. This rootkit enables remote control of my PC over the Internet and creates an "unallocated" area at the end of the disk, which I think to be an encrypted partition. On this Windows installation I have run GMER and aswMBR beforehand; logs attached. The MBAM scan showed nothing. FRST.txt Addition.txt aswMBR.txt gmerfirstboot.log gmerfullscan.log