Jump to content

need help please


Recommended Posts

I had this problem and another forum said i was in the clear even while i insisted i wasn't. Whatever it is evades all the scans i throw at it. I do believe its in the bios or chip or it mounts to a peripheral port or something. I ran dban twice and installed win7 with brand new hp recovery discs they sent me. The virus is still here. I could tell almost immediately after i booted up. After searching through a lot of files i ran a sysinternal tool called winobject it shows a base named object section called rothinttable. I also have these 

 

search-ms:displayname=Search%20Results%20in%20winsxs&crumb=location:C%3A%5CWindows%5Cwinsxs\x86_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf744834f155827b

 

search-ms:displayname=Search%20Results%20in%20winsxs&crumb=location:C%3A%5CWindows%5Cwinsxs\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b92e3b8a9b2f3b1

 

 2 manifests

 

 c\windows\winsxs\manifests\amd64_microsoft-windows-

s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b92e3b8a9b2f3b1.manifest

 

 c\windows\winsxs\manifests\x86_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf744834f155827b.manifest

 

There is also a self updater MUM with the same  "31bf38..." number. as all of the above. I know a mum is an xp updater and i am also convinced that whatever it is it fools the windows resource protection somehow. If these files are legit why are they traced to "rot" files.

 

WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256.mum

 

WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256.mum

 

WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256.mum

 

And then this file with the  template names inside it

 

C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863

 

puwk.inf           dwup.inf               defltwk.inf                deflbase.inf

 

There is also a cmdl.32 inside C:\Windows\SysWOW64 and in  C:\Windows\System32

 

 Sticky key option got stuck at one time and at logon screen i had to continually change this option with ease of access options in order to type, even after i confirmed several times that sticky keys were turned off.

 

I had 11 different network adapters installed recently when there should be only 2 - was 3 but i unistalled the pci cardreader. 

Which is something else now. When i go to reinstall the cardreader it acts as if it succeeded, i reboot and it tells me that the bus 0 port 5 (not sure of the exact location right now but it is duplicable i've done it 3 times) doesnt have enough memory. I tried troubleshooting and all that but it doesnt work. 

 

Also just now today after erasing several suspect files i ran a sfc/scannow and it came back saying that there were bad  files that couldnt be fixed. When i look all the way at the bottom of the log file for it it says "all registry keys and files were restored".   I ran COMBOFIX immediately after and it found a corrupted userinit.exe and  this  c:\program files (x86)\Java\jre7\bin\jp2ssv.dll

 

Link to post
Share on other sites

  • 3 weeks later...

Got infected with a worm/spyware/bootkit that created a hidden HFS partition- viewed via testdisk- I'm actually missing 22gb from my hd, installed over 110 acpi irq devices, infected ntkrnlpa.exe and battery driver and almost everything by the looks of it. It defeated all scanners except mebroot_helpassist which detected the entire c: drive, i let it delete everything it could then ran gmer  and it picked up stuff finally, ran tdss and it came back with zero signed system drivers. Ran rootkitkiller from sysinternals and it detected 935 modifed registry entries but crashed while i was saving the log.  I lost the tdss log also but below is a few of what i was able to get. When i was running rootkitkiller there was a driver operating from user/temp/local folder that would appear with a random name, This driver is what caused it to crash, as i tried these same steps several times. I obtained a dump from it and it crashes everything i try to view it with and when i tried to open it in IE it downloaded itself to my pc. I'm fairly sure this is an unknown modifed mebroot/sinowal/tdl4 infection. I know of one other person with perhaps the same infection. I've got copies of fonts it uses and ntuser.dat logs as well and several files from Windows_AppPatch_en-US. I obtained these files from a barebones Win7 32 bit install that had been mangled by the mebroot_helpassist. I am posting a few logs and will wait for a reply before i put the system files up, especially the dump file, thats a quaranteed infection if you want one for first hand analysis.

 

GMER 2.1.19357 - http://www.gmer.net
3rd party scan 2014-08-01 03:22:06
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK3261GSYN rev.MH000A 298.09GB
Running: xe7jt.exe; Driver: C:\Users\HA_HA\AppData\Local\Temp\ugloipow.sys
 
 
---- Kernel code sections - GMER 2.1 ----
 
.text   ntkrnlpa.exe!ZwSaveKey + 13C1                                                                                                                                                                                         82652339 1 Byte  [06]
.text   ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                                                                                                                8268BD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
?       system32\drivers\28440539.sys                                                                                                                                                                                         The system cannot find the path specified. !
?       system32\DRIVERS\compbatt.sys                                                                                                                                                                                         The system cannot find the path specified. !
?       system32\drivers\msahci.sys                                                                                                                                                                                           The system cannot find the path specified. !
?       system32\drivers\amdxata.sys                                                                                                                                                                                          The system cannot find the path specified. !
?       system32\DRIVERS\blbdrive.sys                                                                                                                                                                                         The system cannot find the path specified. !
?       system32\DRIVERS\igdkmd32.sys                                                                                                                                                                                         The system cannot find the path specified. !
?       system32\DRIVERS\swenum.sys                                                                                                                                                                                           The system cannot find the path specified. !
?       System32\Drivers\secdrv.SYS                                                                                                                                                                                           The system cannot find the path specified. !
?       C:\Users\HA_HA\AppData\Local\Temp\aswMBR.sys                                                                                                                                                                          The system cannot find the file specified. !
?       C:\Users\HA_HA\AppData\Local\Temp\aswVmm.sys                                                                                                                                                                          The system cannot find the file specified. !
?       C:\Users\HA_HA\Desktop\SysinternalsSuite\PORTMSYS.SYS                                                                                                                                                                 The system cannot find the file specified. !
?       C:\Users\HA_HA\AppData\Local\Temp\mbr.sys                                                                                                                                                                             The system cannot find the file specified. !
?       C:\Windows\system32\Drivers\RKREVEAL150.SYS                                                                                                                                                                           The system cannot find the file specified. !
 
---- Devices - GMER 2.1 ----
 
Device  \FileSystem\01225575 \Device\KLMD30052014_02100202_B                                                                                                                                                                  28440539.sys
Device  \Driver\00000467 \Device\KLMD30052014_02100202                                                                                                                                                                        28440539.sys
 
---- Registry - GMER 2.1 ----
 
Reg     HKLM\SYSTEM\CurrentControlSet\Control@ServiceControlManagerExtension                                                                                                                                                  C:\Windows\system32\scext.dll (Service Control Manager Extension DLL for non-minwin/Microsoft Corporation)(2009-07-13 23:19:25)
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Class\{25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}@ClassDesc                                                                                                                          C:\Windows\System32\SysClass.Dll (System Class Installer 
 
   Cut short for space:
 
aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-08-01 02:51:49
-----------------------------
02:51:49.071    OS Version: Windows 6.1.7601 Service Pack 1
02:51:49.071    Number of processors: 2 586 0x170A
02:51:49.071    ComputerName: HA_HA-PC  UserName: HA_HA
02:51:49.633    Initialize success
02:51:49.633    VM: initialized successfully
02:51:49.633    VM: Intel CPU virtualization not supported 
02:51:52.781    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
02:51:52.781    Disk 0 Vendor: TOSHIBA_MK3261GSYN MH000A Size: 305245MB BusType: 11
02:51:52.906    Disk 0 MBR read successfully
02:51:52.906    Disk 0 MBR scan
02:51:52.906    Disk 0 Windows 7 default MBR code
02:51:52.922    Disk 0 Partition 1 00     07    HPFS/NTFS NTFS          100 MB offset 2048
02:51:52.937    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       115000 MB offset 206848
02:51:52.953    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS        83510 MB offset 235726848
02:51:52.968    Disk 0 default boot code
02:51:52.968    Disk 0 Partition - 00     0F Extended LBA            106633 MB offset 406755328
02:51:52.984    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       106632 MB offset 406757376
02:51:53.000    Disk 0 scanning sectors +625139712
02:51:53.046    Disk 0 scanning C:\Windows\system32\drivers
02:51:54.825    Service scanning
02:52:03.998    Modules scanning
02:52:07.820    Module: C:\Windows\system32\drivers\spsys.sys  **SUSPICIOUS**
02:52:08.069    Module: C:\Windows\System32\ntdll.dll  **SUSPICIOUS**
02:52:08.210    Module: C:\Windows\System32\apisetschema.dll  **SUSPICIOUS**
02:52:08.319    Module: C:\Windows\System32\iertutil.dll  **SUSPICIOUS**
02:52:08.397    Module: C:\Windows\System32\imm32.dll  **SUSPICIOUS**
02:52:08.537    Module: C:\Windows\System32\msvcrt.dll  **SUSPICIOUS**
02:52:08.631    Module: C:\Windows\System32\ole32.dll  **SUSPICIOUS**
02:52:08.787    Module: C:\Windows\System32\gdi32.dll  **SUSPICIOUS**
02:52:08.943    Module: C:\Windows\System32\user32.dll  **SUSPICIOUS**
02:52:09.224    Module: C:\Windows\System32\oleaut32.dll  **SUSPICIOUS**
02:52:09.286    Disk 0 trace - called modules:
02:52:09.302    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys 
02:52:09.317    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85936898]
02:52:09.317    3 CLASSPNP.SYS[8ab8359e] -> nt!IofCallDriver -> [0x85469568]
02:52:09.333    5 ACPI.sys[8a6c43d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8546f030]
02:52:09.333    Scan finished successfully
02:52:23.716    Disk 0 MBR has been saved successfully to "C:\Users\HA_HA\Desktop\MBR.dat"
02:52:23.716    The log file has been saved successfully to "C:\Users\HA_HA\Desktop\aswMBR.txt"
      Letting it fix mbr doesnt work.
 
MBR.DAT opened in notepad
 
3ÀŽÐ¼ |ŽÀŽØ¾ |¿ ¹ üó¤PhËû¹ ½¾€~  |…ƒÅâñ͈V UÆFÆF ´A»ªUÍ]rûUªu ÷Á tþFf`€~ t&fh    fÿvh  h |h h ´BŠV ‹ôÍŸƒÄžë¸» |ŠV ŠvŠNŠnÍfasþNu€~ €„Š ²€ë„U2äŠV Í]ëž>þ}Uªunÿv è uú°Ñædèƒ °ßæ`è| °ÿædèu û¸ »Íf#Àu;fûTCPAu2ùr,fh»  fh  fh   fSfSfUfh    fh |  fah  ÍZ2öê |  Í ·ë ¶ë µ2ä ‹ð¬< t » ´Íëòôëý+Éädë $àø$ÃInvalid partition table Error loading operating system Missing operating system   c{š„•VÓ    ! ß      ßþÿÿ (  À €þÿÿþÿÿ è °1
 þÿÿþÿÿ ˜> H
 
 
I would like to upload the other files for also but will wait for instruction. Until I get rid of the hidden partitions and the infection from current ntsf partitions all in one swoop there seems to be no way to get rid of this. I've ran dban several times. Sysinternals load order is below.
 
Boot WdfLoadGroup n/a* Wdf01000 Kernel Mode Driver Frameworks service
Boot Boot Bus Extender 1 ACPI Microsoft ACPI Driver
Boot Boot Bus Extender 2 msisadrv
Boot Boot Bus Extender 3 pci PCI Bus Driver
Boot Boot Bus Extender 6 vdrvroot Microsoft Virtual Drive Enumerator Driver
Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100
Boot System Bus Extender 7 Compbatt Microsoft Composite Battery Driver
Boot System Bus Extender 9 volmgr Volume Manager Driver
Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100
Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100
Boot SCSI Miniport 33 atapi IDE Channel
Boot SCSI Miniport 64 msahci
Boot SCSI miniport n/a* amdxata
Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100
Boot Filter 1 CLFS @%SystemRoot%\system32\clfs.sys,-100
Boot Base 1 KSecDD
Boot Base 2 CNG
Boot Base n/a* pcw Performance Counters for Windows Driver
Boot File System n/a* Fs_Rec
Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200
Boot Cryptography 2 KSecPkg
Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\tcpipcfg.dll,-50003
Boot n/a* n/a* Disk Disk Driver
Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100
Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101
Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101
Boot PnP Filter* 2* rdyboost ReadyBoost
Boot n/a* n/a* spldr Security Processor Loader Driver
Boot n/a* n/a* volsnap Storage volumes
System SCSI CDROM Class 3 cdrom CD-ROM Driver
System Base 1 Null
System Base 2 Beep Beep
System Video Save 1 VgaSave
System Video Save n/a* RDPCDD @%systemroot%\system32\DRIVERS\RDPCDD.sys,-100
System Video Save n/a* RDPENCDD @%systemroot%\system32\drivers\RDPENCDD.sys,-101
System Video Save n/a* RDPREFMP @%systemroot%\system32\drivers\RdpRefMp.sys,-101
System File system n/a* Msfs
System File system n/a* Npfs
System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004
System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000
System PNP_TDI n/a* NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2
System NDIS 16 WfpLwf WFP Lightweight Filter
System NDIS 18 Psched @%SystemRoot%\System32\drivers\pacer.sys,-101
System NetBIOSGroup 2 NetBIOS NetBIOS Interface
System n/a* n/a* blbdrive
System Network* n/a* DfsC @%systemroot%\system32\drivers\dfsc.sys,-101
System n/a* n/a* discache @%systemroot%\system32\drivers\discache.sys,-102
System n/a* n/a* mssmbios Microsoft System Management BIOS Driver
System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2
System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000
System n/a* n/a* TermDD Terminal Device Driver
System n/a* n/a* Wanarpv6 @%systemroot%\system32\rascfg.dll,-32012
Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100
Automatic COM Infrastructure n/a* DcomLaunch @oleres.dll,-5012
Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001
Automatic COM Infrastructure n/a* RpcSs @oleres.dll,-5010
Automatic Event Log n/a* eventlog @%SystemRoot%\system32\wevtsvc.dll,-200
Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\audiosrv.dll,-204
Automatic AudioGroup n/a* Audiosrv @%SystemRoot%\system32\audiosrv.dll,-200
Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112
Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300
Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200
Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192
Automatic UIGroup n/a* UxSms @%SystemRoot%\system32\dwm.exe,-2000
Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1
Automatic PlugPlay n/a* PlugPlay @%SystemRoot%\system32\umpnpmgr.dll,-100
Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100
Automatic NDIS 14 rspndr Link-Layer Topology Discovery Responder
Automatic NDIS 15 lltdio Link-Layer Topology Discovery Mapper I/O Driver
Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100
Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101
Automatic TDI n/a* lmhosts @%SystemRoot%\system32\lmhsvc.dll,-101
Automatic ShellSvcGroup n/a* ShellHWDetection @%SystemRoot%\System32\shsvcs.dll,-12288
Automatic SchedulerGroup n/a* Schedule @%SystemRoot%\system32\schedsvc.dll,-100
Automatic SpoolerGroup n/a* Spooler @%systemroot%\system32\spoolsv.exe,-1
Automatic NetworkProvider n/a* BFE @%SystemRoot%\system32\bfe.dll,-1001
Automatic NetworkProvider n/a* LanmanWorkstation @%systemroot%\system32\wkssvc.dll,-100
Automatic NetworkProvider n/a* MpsSvc @%SystemRoot%\system32\FirewallAPI.dll,-23090
Automatic Extended Base n/a* Parvdm
Automatic n/a* n/a* CryptSvc @%SystemRoot%\system32\cryptsvc.dll,-1001
Automatic n/a* n/a* DPS @%systemroot%\system32\dps.dll,-500
Automatic n/a* n/a* EventSystem @comres.dll,-2450
Automatic n/a* n/a* FontCache @%systemroot%\system32\FntCache.dll,-100
Automatic n/a* n/a* iphlpsvc @%SystemRoot%\system32\iphlpsvc.dll,-500
Automatic n/a* n/a* LanmanServer @%systemroot%\system32\srvsvc.dll,-100
Automatic n/a* n/a* MMCSS @%systemroot%\system32\mmcss.dll,-100
Automatic n/a* n/a* NlaSvc @%SystemRoot%\System32\nlasvc.dll,-1
Automatic n/a* n/a* nsi @%SystemRoot%\system32\nsisvc.dll,-200
Automatic n/a* n/a* PEAUTH PEAUTH
Automatic n/a* n/a* secdrv Security Driver
Automatic n/a* n/a* sppsvc @%SystemRoot%\system32\sppsvc.exe,-101
Automatic n/a* n/a* SysMain @%SystemRoot%\system32\sysmain.dll,-1000
Automatic n/a* n/a* tcpipreg TCP/IP Registry Compatibility
Automatic n/a* n/a* TrkWks @%SystemRoot%\system32\trkwks.dll,-1
Automatic n/a* n/a* WinDefend @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
Automatic n/a* n/a* Winmgmt @%Systemroot%\system32\wbem\wmisvc.dll,-205
Automatic n/a* n/a* wscsvc @%SystemRoot%\System32\wscsvc.dll,-200
Automatic n/a* n/a* WSearch @%systemroot%\system32\SearchIndexer.exe,-103
Automatic n/a* n/a* wuauserv @%systemroot%\system32\wuaueng.dll,-105
 

 

Link to post
Share on other sites

  • 3 weeks later...
  • Root Admin

Very sorry for the delay. The site has been very busy and there has been more demand for support than we were able handle for a while there.
I'm just now getting back to see if you still need help or not. If you do please reply back and let me know and I'll go ahead and assist you.

Thank you
 

Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.