iamtrebor
Members
Posts: 3
Reputation: 0 Neutral
  1. Got infected with a worm/spyware/bootkit that created a hidden HFS partition (viewed via TestDisk). I'm actually missing 22 GB from my HD; it installed over 110 ACPI IRQ devices and infected ntkrnlpa.exe, the battery driver and almost everything by the looks of it. It defeated all scanners except mebroot_helpassist, which detected the entire C: drive; I let it delete everything it could, then ran GMER and it picked up stuff finally. Ran TDSS and it came back with zero signed system drivers. Ran rootkitkiller from Sysinternals and it detected 935 modified registry entries but crashed while I was saving the log. I lost the TDSS log also, but below is a few of what I was able to get. When I was running rootkitkiller there was a driver operating from the user/temp/local folder that would appear with a random name. This driver is what caused it to crash, as I tried these same steps several times. I obtained a dump from it and it crashes everything I try to view it with, and when I tried to open it in IE it downloaded itself to my PC. I'm fairly sure this is an unknown modified Mebroot/Sinowal/TDL4 infection. I know of one other person with perhaps the same infection. I've got copies of fonts it uses and ntuser.dat logs as well and several files from Windows_AppPatch_en-US. I obtained these files from a barebones Win7 32-bit install that had been mangled by the mebroot_helpassist. I am posting a few logs and will wait for a reply before I put the system files up, especially the dump file; that's a guaranteed infection if you want one for first-hand analysis.
GMER 2.1.19357 - http://www.gmer.net
3rd party scan 2014-08-01 03:22:06
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK3261GSYN rev.MH000A 298.09GB
Running: xe7jt.exe; Driver: C:\Users\HA_HA\AppData\Local\Temp\ugloipow.sys

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwSaveKey + 13C1  82652339 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  8268BD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
?  system32\drivers\28440539.sys  The system cannot find the path specified. !
?  system32\DRIVERS\compbatt.sys  The system cannot find the path specified. !
?  system32\drivers\msahci.sys  The system cannot find the path specified. !
?  system32\drivers\amdxata.sys  The system cannot find the path specified. !
?  system32\DRIVERS\blbdrive.sys  The system cannot find the path specified. !
?  system32\DRIVERS\igdkmd32.sys  The system cannot find the path specified. !
?  system32\DRIVERS\swenum.sys  The system cannot find the path specified. !
?  System32\Drivers\secdrv.SYS  The system cannot find the path specified. !
?  C:\Users\HA_HA\AppData\Local\Temp\aswMBR.sys  The system cannot find the file specified. !
?  C:\Users\HA_HA\AppData\Local\Temp\aswVmm.sys  The system cannot find the file specified. !
?  C:\Users\HA_HA\Desktop\SysinternalsSuite\PORTMSYS.SYS  The system cannot find the file specified. !
?  C:\Users\HA_HA\AppData\Local\Temp\mbr.sys  The system cannot find the file specified. !
?  C:\Windows\system32\Drivers\RKREVEAL150.SYS  The system cannot find the file specified. !

---- Devices - GMER 2.1 ----

Device  \FileSystem\01225575 \Device\KLMD30052014_02100202_B  28440539.sys
Device  \Driver\00000467 \Device\KLMD30052014_02100202  28440539.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control@ServiceControlManagerExtension  C:\Windows\system32\scext.dll (Service Control Manager Extension DLL for non-minwin/Microsoft Corporation)(2009-07-13 23:19:25)
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Class\{25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}@ClassDesc  C:\Windows\System32\SysClass.Dll (System Class Installer

Cut short for space.

aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-08-01 02:51:49
-----------------------------
02:51:49.071 OS Version: Windows 6.1.7601 Service Pack 1
02:51:49.071 Number of processors: 2 586 0x170A
02:51:49.071 ComputerName: HA_HA-PC UserName: HA_HA
02:51:49.633 Initialize success
02:51:49.633 VM: initialized successfully
02:51:49.633 VM: Intel CPU virtualization not supported
02:51:52.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
02:51:52.781 Disk 0 Vendor: TOSHIBA_MK3261GSYN MH000A Size: 305245MB BusType: 11
02:51:52.906 Disk 0 MBR read successfully
02:51:52.906 Disk 0 MBR scan
02:51:52.906 Disk 0 Windows 7 default MBR code
02:51:52.922 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
02:51:52.937 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 115000 MB offset 206848
02:51:52.953 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 83510 MB offset 235726848
02:51:52.968 Disk 0 default boot code
02:51:52.968 Disk 0 Partition - 00 0F Extended LBA 106633 MB offset 406755328
02:51:52.984 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 106632 MB offset 406757376
02:51:53.000 Disk 0 scanning sectors +625139712
02:51:53.046 Disk 0 scanning C:\Windows\system32\drivers
02:51:54.825 Service scanning
02:52:03.998 Modules scanning
02:52:07.820 Module: C:\Windows\system32\drivers\spsys.sys **SUSPICIOUS**
02:52:08.069 Module: C:\Windows\System32\ntdll.dll **SUSPICIOUS**
02:52:08.210 Module: C:\Windows\System32\apisetschema.dll **SUSPICIOUS**
02:52:08.319 Module: C:\Windows\System32\iertutil.dll **SUSPICIOUS**
02:52:08.397 Module: C:\Windows\System32\imm32.dll **SUSPICIOUS**
02:52:08.537 Module: C:\Windows\System32\msvcrt.dll **SUSPICIOUS**
02:52:08.631 Module: C:\Windows\System32\ole32.dll **SUSPICIOUS**
02:52:08.787 Module: C:\Windows\System32\gdi32.dll **SUSPICIOUS**
02:52:08.943 Module: C:\Windows\System32\user32.dll **SUSPICIOUS**
02:52:09.224 Module: C:\Windows\System32\oleaut32.dll **SUSPICIOUS**
02:52:09.286 Disk 0 trace - called modules:
02:52:09.302 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
02:52:09.317 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85936898]
02:52:09.317 3 CLASSPNP.SYS[8ab8359e] -> nt!IofCallDriver -> [0x85469568]
02:52:09.333 5 ACPI.sys[8a6c43d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8546f030]
02:52:09.333 Scan finished successfully
02:52:23.716 Disk 0 MBR has been saved successfully to "C:\Users\HA_HA\Desktop\MBR.dat"
02:52:23.716 The log file has been saved successfully to "C:\Users\HA_HA\Desktop\aswMBR.txt"

Letting it fix the MBR doesn't work. MBR.DAT opened in Notepad:

3ÀŽÐ¼ |ŽÀŽØ¾ |¿ ¹ üó¤PhËû¹ ½¾€~ |…ƒÅâñ͈V UÆFÆF ´A»ªUÍ]rûUªu ÷Á tþFf`€~ t&fh fÿvh h |h h ´BŠV ‹ôÍŸƒÄžë¸» |ŠV ŠvŠNŠnÍfasþNu€~ €„Š ²€ë„U2äŠV Í]ëž>þ}Uªunÿv è uú°Ñædèƒ °ßæ`è| °ÿædèu û¸ »Íf#Àu;fûTCPAu2ùr,fh» fh fh fSfSfUfh fh | fah ÍZ2öê | Í ·ë ¶ë µ2ä ‹ð¬< t » ´Íëòôëý+Éädë $àø$ÃInvalid partition table Error loading operating system Missing operating system c{š„•VÓ ! ß ßþÿÿ ( À €þÿÿþÿÿ è °1 þÿÿþÿÿ ˜> HUª

I would like to upload the other files also but will wait for instruction. Until I get rid of the hidden partitions and the infection from the current NTFS partitions all in one swoop there seems to be no way to get rid of this. I've run DBAN several times. Sysinternals load order is below.
Boot WdfLoadGroup n/a* Wdf01000 Kernel Mode Driver Frameworks service
Boot Boot Bus Extender 1 ACPI Microsoft ACPI Driver
Boot Boot Bus Extender 2 msisadrv
Boot Boot Bus Extender 3 pci PCI Bus Driver
Boot Boot Bus Extender 6 vdrvroot Microsoft Virtual Drive Enumerator Driver
Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100
Boot System Bus Extender 7 Compbatt Microsoft Composite Battery Driver
Boot System Bus Extender 9 volmgr Volume Manager Driver
Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100
Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100
Boot SCSI Miniport 33 atapi IDE Channel
Boot SCSI Miniport 64 msahci
Boot SCSI miniport n/a* amdxata
Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100
Boot Filter 1 CLFS @%SystemRoot%\system32\clfs.sys,-100
Boot Base 1 KSecDD
Boot Base 2 CNG
Boot Base n/a* pcw Performance Counters for Windows Driver
Boot File System n/a* Fs_Rec
Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200
Boot Cryptography 2 KSecPkg
Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\tcpipcfg.dll,-50003
Boot n/a* n/a* Disk Disk Driver
Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100
Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101
Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101
Boot PnP Filter* 2* rdyboost ReadyBoost
Boot n/a* n/a* spldr Security Processor Loader Driver
Boot n/a* n/a* volsnap Storage volumes
System SCSI CDROM Class 3 cdrom CD-ROM Driver
System Base 1 Null
System Base 2 Beep Beep
System Video Save 1 VgaSave
System Video Save n/a* RDPCDD @%systemroot%\system32\DRIVERS\RDPCDD.sys,-100
System Video Save n/a* RDPENCDD @%systemroot%\system32\drivers\RDPENCDD.sys,-101
System Video Save n/a* RDPREFMP @%systemroot%\system32\drivers\RdpRefMp.sys,-101
System File system n/a* Msfs
System File system n/a* Npfs
System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004
System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000
System PNP_TDI n/a* NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2
System NDIS 16 WfpLwf WFP Lightweight Filter
System NDIS 18 Psched @%SystemRoot%\System32\drivers\pacer.sys,-101
System NetBIOSGroup 2 NetBIOS NetBIOS Interface
System n/a* n/a* blbdrive
System Network* n/a* DfsC @%systemroot%\system32\drivers\dfsc.sys,-101
System n/a* n/a* discache @%systemroot%\system32\drivers\discache.sys,-102
System n/a* n/a* mssmbios Microsoft System Management BIOS Driver
System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2
System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000
System n/a* n/a* TermDD Terminal Device Driver
System n/a* n/a* Wanarpv6 @%systemroot%\system32\rascfg.dll,-32012
Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100
Automatic COM Infrastructure n/a* DcomLaunch @oleres.dll,-5012
Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001
Automatic COM Infrastructure n/a* RpcSs @oleres.dll,-5010
Automatic Event Log n/a* eventlog @%SystemRoot%\system32\wevtsvc.dll,-200
Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\audiosrv.dll,-204
Automatic AudioGroup n/a* Audiosrv @%SystemRoot%\system32\audiosrv.dll,-200
Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112
Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300
Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200
Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192
Automatic UIGroup n/a* UxSms @%SystemRoot%\system32\dwm.exe,-2000
Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1
Automatic PlugPlay n/a* PlugPlay @%SystemRoot%\system32\umpnpmgr.dll,-100
Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100
Automatic NDIS 14 rspndr Link-Layer Topology Discovery Responder
Automatic NDIS 15 lltdio Link-Layer Topology Discovery Mapper I/O Driver
Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100
Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101
Automatic TDI n/a* lmhosts @%SystemRoot%\system32\lmhsvc.dll,-101
Automatic ShellSvcGroup n/a* ShellHWDetection @%SystemRoot%\System32\shsvcs.dll,-12288
Automatic SchedulerGroup n/a* Schedule @%SystemRoot%\system32\schedsvc.dll,-100
Automatic SpoolerGroup n/a* Spooler @%systemroot%\system32\spoolsv.exe,-1
Automatic NetworkProvider n/a* BFE @%SystemRoot%\system32\bfe.dll,-1001
Automatic NetworkProvider n/a* LanmanWorkstation @%systemroot%\system32\wkssvc.dll,-100
Automatic NetworkProvider n/a* MpsSvc @%SystemRoot%\system32\FirewallAPI.dll,-23090
Automatic Extended Base n/a* Parvdm
Automatic n/a* n/a* CryptSvc @%SystemRoot%\system32\cryptsvc.dll,-1001
Automatic n/a* n/a* DPS @%systemroot%\system32\dps.dll,-500
Automatic n/a* n/a* EventSystem @comres.dll,-2450
Automatic n/a* n/a* FontCache @%systemroot%\system32\FntCache.dll,-100
Automatic n/a* n/a* iphlpsvc @%SystemRoot%\system32\iphlpsvc.dll,-500
Automatic n/a* n/a* LanmanServer @%systemroot%\system32\srvsvc.dll,-100
Automatic n/a* n/a* MMCSS @%systemroot%\system32\mmcss.dll,-100
Automatic n/a* n/a* NlaSvc @%SystemRoot%\System32\nlasvc.dll,-1
Automatic n/a* n/a* nsi @%SystemRoot%\system32\nsisvc.dll,-200
Automatic n/a* n/a* PEAUTH PEAUTH
Automatic n/a* n/a* secdrv Security Driver
Automatic n/a* n/a* sppsvc @%SystemRoot%\system32\sppsvc.exe,-101
Automatic n/a* n/a* SysMain @%SystemRoot%\system32\sysmain.dll,-1000
Automatic n/a* n/a* tcpipreg TCP/IP Registry Compatibility
Automatic n/a* n/a* TrkWks @%SystemRoot%\system32\trkwks.dll,-1
Automatic n/a* n/a* WinDefend @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
Automatic n/a* n/a* Winmgmt @%Systemroot%\system32\wbem\wmisvc.dll,-205
Automatic n/a* n/a* wscsvc @%SystemRoot%\System32\wscsvc.dll,-200
Automatic n/a* n/a* WSearch @%systemroot%\system32\SearchIndexer.exe,-103
Automatic n/a* n/a* wuauserv @%systemroot%\system32\wuaueng.dll,-105
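One check the aswMBR partition lines in the post above make possible, added here as an example and not part of the post or of any tool it names: parse those lines and list every sector range that no top-level partition claims. TDL4-family bootkits keep their hidden storage in exactly such unallocated space, so a gap of many GB is the region a responder would image and inspect offline. The sample input is the post's own "Disk 0" lines re-split one per line; 512-byte sectors are assumed.

```python
import re

# Constructed sample input: the "Disk 0" lines of the aswMBR log quoted in the post
# above, one per line (the forum paste had run them together).
ASWMBR_LOG = """\
02:51:52.781 Disk 0 Vendor: TOSHIBA_MK3261GSYN MH000A Size: 305245MB BusType: 11
02:51:52.922 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
02:51:52.937 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 115000 MB offset 206848
02:51:52.953 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 83510 MB offset 235726848
02:51:52.968 Disk 0 Partition - 00 0F Extended LBA 106633 MB offset 406755328
02:51:52.984 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 106632 MB offset 406757376
"""

SECTORS_PER_MB = 2048          # assumes 512-byte sectors, as on this drive
EXTENDED_TYPES = {"05", "0F"}  # MBR type IDs of extended-partition containers
SIZE_RE = re.compile(r"Disk \d+ Vendor: .*Size: (\d+)MB")
PART_RE = re.compile(r"Disk \d+ Partition (\S+) [0-9A-F]{2} (?:\(A\) )?"
                     r"([0-9A-F]{2}) .*? (\d+) MB offset (\d+)")


def parse_layout(log_text):
    """Return (disk_sectors, [(name, type_id, start, length)]) from aswMBR output.
    aswMBR prints sizes in whole MB, so each length is only accurate to +-1 MB."""
    disk_sectors, parts = None, []
    for line in log_text.splitlines():
        m = SIZE_RE.search(line)
        if m:
            disk_sectors = int(m.group(1)) * SECTORS_PER_MB
            continue
        m = PART_RE.search(line)
        if m:
            name, type_id, size_mb, offset = m.groups()
            parts.append((name, type_id, int(offset), int(size_mb) * SECTORS_PER_MB))
    return disk_sectors, parts


def find_unallocated(log_text):
    """List sector ranges that no top-level partition claims, as (start, end, size_mb).
    Logical partitions are skipped: their extended container already covers them."""
    disk_sectors, parts = parse_layout(log_text)
    containers = [(s, s + n) for _, t, s, n in parts if t in EXTENDED_TYPES]
    top_level = sorted((s, s + n) for _, t, s, n in parts
                       if t in EXTENDED_TYPES
                       or not any(cs <= s and s + n <= ce for cs, ce in containers))
    gaps, cursor = [], 0
    for start, end in top_level + [(disk_sectors, disk_sectors)]:  # sentinel: disk end
        if start > cursor:
            gaps.append((cursor, start, (start - cursor) / SECTORS_PER_MB))
        cursor = max(cursor, end)
    return gaps
```

On the quoted table, find_unallocated(ASWMBR_LOG) reports only the usual 1 MB alignment gap before the first partition and 1 MB after the extended container, which agrees with the log's own "scanning sectors +625139712" line.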
  2. Hitman Pro picks up on afd.sys and another randomly named file that, when I clicked "show info", it tells me is the Sysinternals rootkithunter, which doesn't start up when I run it.
  3. I had this problem and another forum said I was in the clear even while I insisted I wasn't. Whatever it is evades all the scans I throw at it. I do believe it's in the BIOS or chip, or it mounts to a peripheral port or something. I ran DBAN twice and installed Win7 with brand new HP recovery discs they sent me. The virus is still here. I could tell almost immediately after I booted up. After searching through a lot of files I ran a Sysinternals tool called winobject; it shows a base named object section called rothinttable. I also have these:
search-ms:displayname=Search%20Results%20in%20winsxs&crumb=location:C%3A%5CWindows%5Cwinsxs\x86_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf744834f155827b
search-ms:displayname=Search%20Results%20in%20winsxs&crumb=location:C%3A%5CWindows%5Cwinsxs\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b92e3b8a9b2f3b1
2 manifests:
c\windows\winsxs\manifests\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b92e3b8a9b2f3b1.manifest
c\windows\winsxs\manifests\x86_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf744834f155827b.manifest
There is also a self-updater MUM with the same "31bf38..." number as all of the above. I know a MUM is an XP updater and I am also convinced that whatever it is, it fools Windows Resource Protection somehow. If these files are legit, why are they traced to "rot" files?
WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256.mum
WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256.mum
WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256.mum
And then this file with the template names inside it:
C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863
puwk.inf dwup.inf defltwk.inf deflbase.inf
There is also a cmdl.32 inside C:\Windows\SysWOW64 and in C:\Windows\System32. The Sticky Keys option got stuck at one time, and at the logon screen I had to continually change this option with the Ease of Access options in order to type, even after I confirmed several times that Sticky Keys were turned off. I had 11 different network adapters installed recently when there should be only 2 (was 3, but I uninstalled the PCI card reader), which is something else now. When I go to reinstall the card reader it acts as if it succeeded; I reboot and it tells me that bus 0 port 5 (not sure of the exact location right now, but it is duplicable; I've done it 3 times) doesn't have enough memory. I tried troubleshooting and all that but it doesn't work. Also, just now today after erasing several suspect files I ran sfc /scannow and it came back saying that there were bad files that couldn't be fixed. When I look all the way at the bottom of the log file for it, it says "all registry keys and files were restored". I ran ComboFix immediately after and it found a corrupted userinit.exe and this: c:\program files (x86)\Java\jre7\bin\jp2ssv.dll