
Possible mebroot infection



Hello, I am new to this forum, and hope I get a solution. I have been battling a virus for nearly a year now. I have seen a few posts with the same problem calling it a super Trojan. I cannot do anything to rid my machine of this. All I have ascertained is that whenever I try to clean install Windows, it is always corrupt. The install will not read the official DVD, instead installing from a malicious RAM disk that uses its own files. Bootmgr and bootsect.bak have SHR attributes, ergo neither sfc nor dism will work because the entire file system is corrupt. The ramdisk x:boot has hidden attrib $wimdesc. At least 2 RAT files are installed, icrav03 and ticrf. I believe most of this is done using XML files. The ramdisk cannot be owned nor deleted because the files are read only. Diskpart shows 1 disk = disk0, which in turn shows 2 volumes: DVD-ROM UDP and C: system active. Registry shows install as ramdisk C: Windows Recovery Environment winload.exe via c:panther. I believe this all originates from a boot.sdi file. Can someone please help resolve this issue? At the moment, I have just a bare install and have deleted the RAT files and their originating folders, i.e. ratings etc. Thanks in advance.

H.marshall


On 9/17/2017 at 12:54 AM, TennVols72 said:

[quotes the opening post above in full]

 

Attachments (screenshots): IMG_0556.PNG, IMG_0557.PNG, IMG_0558.PNG, IMG_0559.PNG, IMG_0560.PNG, IMG_0561.PNG, IMG_0562.PNG, IMG_0570.PNG, IMG_0571.PNG


Hello, my apologies, I didn't see the message in the corner. This is my first time using this; I appreciate your patience. I see that you would like me to download the rootkit version. I have actually purchased the full version; would you still like the rootkit-only version? Oh, and I thank you for your assistance with this matter.


Hello Ron, I downloaded the MBAM rootkit tool to my desktop, then ran it per the directions you gave. It found no malware; however, it took 16 minutes and 23 seconds to run. It was not responding at startup, then while updating, and finally when exiting. I do believe there is something wrong here. Do you have any more suggestions for me to try?

Thanks,
Heath M.


  • Root Admin

Please run the following steps and post back the logs as an attachment when ready. It's quite late for me so I'll check back on you again sometime tomorrow.

If one of the steps has an issue, please move to the next and let me know on your reply. Thanks

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


  • Root Admin

It does not look like the computer is infected, but you are having some computer issues. Let's try a full disk check for a couple of your drives.

Please click on START and type in CMD.EXE and when it shows on the menu, right click and choose "Run as administrator"

Then type the following and press the Enter key.

CHKDSK   E:  /R

Then do the same thing for the C drive. However the C: drive will say it cannot lock the drive and ask if you want to run it on reboot. Press the Y key and Enter key, then reboot and let it run. It can take a few hours to complete.

 

CHKDSK   C:  /R

 

After the check disks complete and the computer has rebooted please run the following to get the logs for it.

 

Press the Windows + R keys to open the Run dialog, type powershell.exe, and press Enter.

In PowerShell, copy and paste the command below, and press Enter

get-winevent -FilterHashTable @{logname="Application"; id="1001"} | ?{$_.providername -match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt

CHKDSKResults.txt file will be created on your desktop, that is the log file of your chkdsk scan results from Event Viewer.

Please upload that file on your next reply

 

 


This is what I got for the C: drive. I tried to find the log manually, to no avail. A lot of entries about root logons and cmiv2. Maybe you can direct me?

PS C:\Windows\system32> get-winevent -FilterHashTable @{logname="Application"; id="1001"} | ?{$_.providername -match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt
Out-File : Could not find a part of the path 'C:\Windows\system32\Desktop\CHKDSKResults.txt'.
At line:1 char:141
+  get-winevent -FilterHashTable @{logname="Application"; id="1001"} | ?{$_.providername -match "wininit"} | fl timecreated, message | out-file <<<<  Desktop\CHKDSKResults.txt
    + CategoryInfo          : OpenError: (:) [Out-File], DirectoryNotFoundException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

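Added example (not code from the thread): the Event Viewer query Ron gave, rewritten so it works regardless of PowerShell's current directory. The Out-File error above occurred because the relative path Desktop\CHKDSKResults.txt was resolved against C:\Windows\system32, which is where an elevated PowerShell starts. The script resolves the Desktop folder explicitly, filters on the Wininit provider inside the hashtable instead of through Where-Object, and writes a note rather than throwing when no boot-time CHKDSK event exists yet. It assumes Windows PowerShell 3.0 or later; the output file name is the one Ron used.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3.0+.
# Resolve the real Desktop folder instead of relying on the current directory.
$outFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'CHKDSKResults.txt'

# A CHKDSK that runs at boot writes its summary to the Application log as
# event 1001 from the Wininit provider. Filtering on ProviderName in the
# hashtable avoids reading every 1001 event; -ErrorAction SilentlyContinue
# stops Get-WinEvent from throwing "No events were found".
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 1001
} -ErrorAction SilentlyContinue

if (-not $events) {
    $note = 'No Wininit/1001 CHKDSK events found in the Application log. ' +
            'Either CHKDSK has not run at boot yet, or the log was cleared.'
    $note | Out-File -FilePath $outFile -Encoding UTF8
} else {
    $events |
        Sort-Object TimeCreated -Descending |
        Format-List TimeCreated, Message |
        Out-File -FilePath $outFile -Encoding UTF8 -Width 200
}

Write-Host "Wrote $(@($events).Count) event(s) to $outFile"
```

To find the same entries by hand, open Event Viewer, go to Windows Logs > Application, and filter on Source "Wininit" with Event ID 1001. A CHKDSK run interactively on a drive that did not need a reboot (such as the E: pass above) reports under the "Chkdsk" source instead, so it will not appear in this file.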

  • Root Admin

The log says this file is missing. Can you reboot the computer and go to that folder and see if the file is there.

C:\Windows\System32\codeintegrity\Bootcat.cache             IS MISSING <==== ATTENTION

You can see if this tool can repair the file if it's missing.

https://support.microsoft.com/en-us/help/947821/fix-windows-update-errors-by-using-the-dism-or-system-update-readiness

Ron

 

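Added example (not code from the thread): a check for the file Ron names, followed by the repair the linked article describes, run from an elevated PowerShell. DISM /RestoreHealth exists on Windows 8 and later; on Windows 7 the linked article points to the System Update Readiness tool instead, so the DISM step applies only to the newer versions. Log locations are the standard ones for DISM and SFC; nothing else is assumed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell.
$bootcat = Join-Path $env:SystemRoot 'System32\CodeIntegrity\Bootcat.cache'

# Report on the file FRST flagged. -Force shows it even if hidden/system.
if (Test-Path -LiteralPath $bootcat) {
    $item = Get-Item -LiteralPath $bootcat -Force
    '{0} present: {1} bytes, last written {2}' -f $bootcat, $item.Length, $item.LastWriteTime
} else {
    "$bootcat IS MISSING"
}

# Component-store repair first (DISM), then the system file check. Start-Process
# is used rather than a pipeline so that the exit codes are captured and sfc's
# console output, which does not redirect cleanly, stays on screen.
$dism = Start-Process -FilePath dism.exe `
    -ArgumentList '/Online', '/Cleanup-Image', '/RestoreHealth' `
    -Wait -PassThru -NoNewWindow
"DISM exit code: $($dism.ExitCode); details in $env:SystemRoot\Logs\DISM\dism.log"

$sfc = Start-Process -FilePath sfc.exe -ArgumentList '/scannow' `
    -Wait -PassThru -NoNewWindow
"SFC exit code: $($sfc.ExitCode); details in $env:SystemRoot\Logs\CBS\CBS.log"

# Re-check so the before and after state of the file is in the same transcript.
"Bootcat.cache present after repair: $(Test-Path -LiteralPath $bootcat)"
```

An exit code of 0 from both tools means the repair completed; anything else is worth pasting into the reply along with the relevant tail of dism.log or CBS.log.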
