Author Topic: is this an unknown variant

REDACTED

  • Guest
is this an unknown variant
« on: August 01, 2014, 11:59:21 PM »
Got infected with a worm/spyware/bootkit that created a hidden HFS partition (viewed via testdisk). I'm actually missing 22 GB from my HD. It installed over 110 ACPI IRQ devices and infected ntkrnlpa.exe, the battery driver and almost everything by the looks of it. It defeated all scanners except mebroot_helpassist, which detected the entire C: drive. I let it delete everything it could, then ran GMER and it finally picked up stuff; ran TDSS and it came back with zero signed system drivers. Ran rootkitkiller from Sysinternals and it detected 935 modified registry entries but crashed while I was saving the log. I lost the TDSS log also, but below are a few of what I was able to get. When I was running rootkitkiller there was a driver operating from the user/temp/local folder that would appear with a random name. This driver is what caused it to crash, as I tried these same steps several times. I obtained a dump from it and it crashes everything I try to view it with, and when I tried to open it in IE it downloaded itself to my PC. I'm fairly sure this is an unknown modified Mebroot/Sinowal/TDL4 infection. I know of one other person with perhaps the same infection. I've got copies of fonts it uses and ntuser.dat logs as well, and several files from Windows_AppPatch_en-US. I obtained these files from a barebones Win7 32-bit install that had been mangled by the mebroot_helpassist. I am posting a few logs and will wait for a reply before I put the system files up, especially the dump file; that's a guaranteed infection if you want one for first-hand analysis.

GMER 2.1.19357 - http://www.gmer.net
3rd party scan 2014-08-01 03:22:06
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK3261GSYN rev.MH000A 298.09GB
Running: xe7jt.exe; Driver: C:\Users\HA_HA\AppData\Local\Temp\ugloipow.sys

---- Kernel code sections - GMER 2.1 ----

.text   ntkrnlpa.exe!ZwSaveKey + 13C1    82652339 1 Byte  [06]
.text   ntkrnlpa.exe!KiDispatchInterrupt + 5A2    8268BD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
?       system32\drivers\28440539.sys    The system cannot find the path specified. !
?       system32\DRIVERS\compbatt.sys    The system cannot find the path specified. !
?       system32\drivers\msahci.sys    The system cannot find the path specified. !
?       system32\drivers\amdxata.sys    The system cannot find the path specified. !
?       system32\DRIVERS\blbdrive.sys    The system cannot find the path specified. !
?       system32\DRIVERS\igdkmd32.sys    The system cannot find the path specified. !
?       system32\DRIVERS\swenum.sys    The system cannot find the path specified. !
?       System32\Drivers\secdrv.SYS    The system cannot find the path specified. !
?       C:\Users\HA_HA\AppData\Local\Temp\aswMBR.sys    The system cannot find the file specified. !
?       C:\Users\HA_HA\AppData\Local\Temp\aswVmm.sys    The system cannot find the file specified. !
?       C:\Users\HA_HA\Desktop\SysinternalsSuite\PORTMSYS.SYS    The system cannot find the file specified. !
?       C:\Users\HA_HA\AppData\Local\Temp\mbr.sys    The system cannot find the file specified. !
?       C:\Windows\system32\Drivers\RKREVEAL150.SYS    The system cannot find the file specified. !

---- Devices - GMER 2.1 ----

Device  \FileSystem\01225575 \Device\KLMD30052014_02100202_B    28440539.sys
Device  \Driver\00000467 \Device\KLMD30052014_02100202    28440539.sys

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control@ServiceControlManagerExtension    C:\Windows\system32\scext.dll (Service Control Manager Extension DLL for non-minwin/Microsoft Corporation)(2009-07-13 23:19:25)
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Class\{25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}@ClassDesc    C:\Windows\System32\SysClass.Dll (System Class Installer

Cut short for space:

aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-08-01 02:51:49
-----------------------------
02:51:49.071    OS Version: Windows 6.1.7601 Service Pack 1
02:51:49.071    Number of processors: 2 586 0x170A
02:51:49.071    ComputerName: HA_HA-PC  UserName: HA_HA
02:51:49.633    Initialize success
02:51:49.633    VM: initialized successfully
02:51:49.633    VM: Intel CPU virtualization not supported
02:51:52.781    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
02:51:52.781    Disk 0 Vendor: TOSHIBA_MK3261GSYN MH000A Size: 305245MB BusType: 11
02:51:52.906    Disk 0 MBR read successfully
02:51:52.906    Disk 0 MBR scan
02:51:52.906    Disk 0 Windows 7 default MBR code
02:51:52.922    Disk 0 Partition 1 00     07    HPFS/NTFS NTFS          100 MB offset 2048
02:51:52.937    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       115000 MB offset 206848
02:51:52.953    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS        83510 MB offset 235726848
02:51:52.968    Disk 0 default boot code
02:51:52.968    Disk 0 Partition - 00     0F Extended LBA            106633 MB offset 406755328
02:51:52.984    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       106632 MB offset 406757376
02:51:53.000    Disk 0 scanning sectors +625139712
02:51:53.046    Disk 0 scanning C:\Windows\system32\drivers
02:51:54.825    Service scanning
02:52:03.998    Modules scanning
02:52:07.820    Module: C:\Windows\system32\drivers\spsys.sys  **SUSPICIOUS**
02:52:08.069    Module: C:\Windows\System32\ntdll.dll  **SUSPICIOUS**
02:52:08.210    Module: C:\Windows\System32\apisetschema.dll  **SUSPICIOUS**
02:52:08.319    Module: C:\Windows\System32\iertutil.dll  **SUSPICIOUS**
02:52:08.397    Module: C:\Windows\System32\imm32.dll  **SUSPICIOUS**
02:52:08.537    Module: C:\Windows\System32\msvcrt.dll  **SUSPICIOUS**
02:52:08.631    Module: C:\Windows\System32\ole32.dll  **SUSPICIOUS**
02:52:08.787    Module: C:\Windows\System32\gdi32.dll  **SUSPICIOUS**
02:52:08.943    Module: C:\Windows\System32\user32.dll  **SUSPICIOUS**
02:52:09.224    Module: C:\Windows\System32\oleaut32.dll  **SUSPICIOUS**
02:52:09.286    Disk 0 trace - called modules:
02:52:09.302    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
02:52:09.317    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85936898]
02:52:09.317    3 CLASSPNP.SYS[8ab8359e] -> nt!IofCallDriver -> [0x85469568]
02:52:09.333    5 ACPI.sys[8a6c43d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8546f030]
02:52:09.333    Scan finished successfully
02:52:23.716    Disk 0 MBR has been saved successfully to "C:\Users\HA_HA\Desktop\MBR.dat"
02:52:23.716    The log file has been saved successfully to "C:\Users\HA_HA\Desktop\aswMBR.txt"
Letting it fix the MBR doesn't work.


MBR.DAT opened in notepad



3ÀŽÐ¼ |ŽÀŽØ¾ |¿ ¹ üó¤PhËû¹ ½¾€~  | …ƒÅâñ͈V UÆFÆF ´A»ªUÍ]rûUªu ÷Á tþFf`€~ t&fh    fÿvh  h |h h ´BŠV ‹ôÍŸƒÄžë¸» |ŠV ŠvŠNŠnÍfasþNu €~ €„Š ²€ë„U2äŠV Í]랁>þ}Uªunÿv è uú°Ñædèƒ °ßæ`è| °ÿædèu û¸ »Íf#Àu;fûTCPAu2ùr,fh»  fh   fh   fSfSfUfh    fh |  fah  ÍZ2öê |  Í ·ë ¶ë µ2ä ‹ð¬< t » ´Íëòôëý+Éädë $àø$ÃInvalid partition table Error loading operating system Missing operating system   c{š„•VÓ    ! ß       ß þÿÿ (  À €þÿÿþÿÿ è  °1
 þÿÿþÿÿ ˜> H





I would like to upload the other files also but will wait for instruction. Until I get rid of the hidden partitions and the infection from the current NTFS partitions all in one swoop there seems to be no way to get rid of this. I've run DBAN several times. Sysinternals load order is below.

Boot WdfLoadGroup n/a* Wdf01000 Kernel Mode Driver Frameworks service
Boot Boot Bus Extender 1 ACPI Microsoft ACPI Driver
Boot Boot Bus Extender 2 msisadrv
Boot Boot Bus Extender 3 pci PCI Bus Driver
Boot Boot Bus Extender 6 vdrvroot Microsoft Virtual Drive Enumerator Driver
Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100
Boot System Bus Extender 7 Compbatt Microsoft Composite Battery Driver
Boot System Bus Extender 9 volmgr Volume Manager Driver
Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100
Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100
Boot SCSI Miniport 33 atapi IDE Channel
Boot SCSI Miniport 64 msahci
Boot SCSI miniport n/a* amdxata
Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100
Boot Filter 1 CLFS @%SystemRoot%\system32\clfs.sys,-100
Boot Base 1 KSecDD
Boot Base 2 CNG
Boot Base n/a* pcw Performance Counters for Windows Driver
Boot File System n/a* Fs_Rec
Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200
Boot Cryptography 2 KSecPkg
Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\tcpipcfg.dll,-50003
Boot n/a* n/a* Disk Disk Driver
Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100
Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101
Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101
Boot PnP Filter* 2* rdyboost ReadyBoost
Boot n/a* n/a* spldr Security Processor Loader Driver
Boot n/a* n/a* volsnap Storage volumes
System SCSI CDROM Class 3 cdrom CD-ROM Driver
System Base 1 Null
System Base 2 Beep Beep
System Video Save 1 VgaSave
System Video Save n/a* RDPCDD @%systemroot%\system32\DRIVERS\RDPCDD.sys,-100
System Video Save n/a* RDPENCDD @%systemroot%\system32\drivers\RDPENCDD.sys,-101
System Video Save n/a* RDPREFMP @%systemroot%\system32\drivers\RdpRefMp.sys,-101
System File system n/a* Msfs
System File system n/a* Npfs
System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004
System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000
System PNP_TDI n/a* NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2
System NDIS 16 WfpLwf WFP Lightweight Filter
System NDIS 18 Psched @%SystemRoot%\System32\drivers\pacer.sys,-101
System NetBIOSGroup 2 NetBIOS NetBIOS Interface
System n/a* n/a* blbdrive
System Network* n/a* DfsC @%systemroot%\system32\drivers\dfsc.sys,-101
System n/a* n/a* discache @%systemroot%\system32\drivers\discache.sys,-102
System n/a* n/a* mssmbios Microsoft System Management BIOS Driver
System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2
System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000
System n/a* n/a* TermDD Terminal Device Driver
System n/a* n/a* Wanarpv6 @%systemroot%\system32\rascfg.dll,-32012
Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100
Automatic COM Infrastructure n/a* DcomLaunch @oleres.dll,-5012
Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001
Automatic COM Infrastructure n/a* RpcSs @oleres.dll,-5010
Automatic Event Log n/a* eventlog @%SystemRoot%\system32\wevtsvc.dll,-200
Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\audiosrv.dll,-204
Automatic AudioGroup n/a* Audiosrv @%SystemRoot%\system32\audiosrv.dll,-200
Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112
Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300
Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200
Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192
Automatic UIGroup n/a* UxSms @%SystemRoot%\system32\dwm.exe,-2000
Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1
Automatic PlugPlay n/a* PlugPlay @%SystemRoot%\system32\umpnpmgr.dll,-100
Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100
Automatic NDIS 14 rspndr Link-Layer Topology Discovery Responder
Automatic NDIS 15 lltdio Link-Layer Topology Discovery Mapper I/O Driver
Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100
Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101
Automatic TDI n/a* lmhosts @%SystemRoot%\system32\lmhsvc.dll,-101
Automatic ShellSvcGroup n/a* ShellHWDetection @%SystemRoot%\System32\shsvcs.dll,-12288
Automatic SchedulerGroup n/a* Schedule @%SystemRoot%\system32\schedsvc.dll,-100
Automatic SpoolerGroup n/a* Spooler @%systemroot%\system32\spoolsv.exe,-1
Automatic NetworkProvider n/a* BFE @%SystemRoot%\system32\bfe.dll,-1001
Automatic NetworkProvider n/a* LanmanWorkstation @%systemroot%\system32\wkssvc.dll,-100
Automatic NetworkProvider n/a* MpsSvc @%SystemRoot%\system32\FirewallAPI.dll,-23090
Automatic Extended Base n/a* Parvdm
Automatic n/a* n/a* CryptSvc @%SystemRoot%\system32\cryptsvc.dll,-1001
Automatic n/a* n/a* DPS @%systemroot%\system32\dps.dll,-500
Automatic n/a* n/a* EventSystem @comres.dll,-2450
Automatic n/a* n/a* FontCache @%systemroot%\system32\FntCache.dll,-100
Automatic n/a* n/a* iphlpsvc @%SystemRoot%\system32\iphlpsvc.dll,-500
Automatic n/a* n/a* LanmanServer @%systemroot%\system32\srvsvc.dll,-100
Automatic n/a* n/a* MMCSS @%systemroot%\system32\mmcss.dll,-100
Automatic n/a* n/a* NlaSvc @%SystemRoot%\System32\nlasvc.dll,-1
Automatic n/a* n/a* nsi @%SystemRoot%\system32\nsisvc.dll,-200
Automatic n/a* n/a* PEAUTH PEAUTH
Automatic n/a* n/a* secdrv Security Driver
Automatic n/a* n/a* sppsvc @%SystemRoot%\system32\sppsvc.exe,-101
Automatic n/a* n/a* SysMain @%SystemRoot%\system32\sysmain.dll,-1000
Automatic n/a* n/a* tcpipreg TCP/IP Registry Compatibility
Automatic n/a* n/a* TrkWks @%SystemRoot%\system32\trkwks.dll,-1
Automatic n/a* n/a* WinDefend @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
Automatic n/a* n/a* Winmgmt @%Systemroot%\system32\wbem\wmisvc.dll,-205
Automatic n/a* n/a* wscsvc @%SystemRoot%\System32\wscsvc.dll,-200
Automatic n/a* n/a* WSearch @%systemroot%\system32\SearchIndexer.exe,-103
Automatic n/a* n/a* wuauserv @%systemroot%\system32\wuaueng.dll,-105
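The aswMBR log above lists the primary partition table and the disk size, and the poster suspects a hidden partition. The Python below is added here and is not part of the original post: it parses a 512-byte MBR sector and reports the sector ranges that no primary entry covers, which is the first check for space unaccounted for. The sample MBR is constructed from the offsets and sizes in that log (sizes taken as MiB, 2048 sectors each); logical partitions inside the extended container are not walked.

```python
import struct

ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count

def build_entry(boot, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry; CHS fields are left zeroed."""
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

# Constructed 512-byte MBR reproducing the primary table shown by aswMBR above.
# Offsets are the logged sector offsets; sizes are the logged MB figures * 2048.
SAMPLE_MBR = (
    b"\x00" * 446                                          # boot code (zeroed here)
    + build_entry(0x00, 0x07, 2048, 100 * 2048)            # Partition 1, 100 MB
    + build_entry(0x00, 0x07, 206848, 115000 * 2048)       # Partition 2, 115000 MB
    + build_entry(0x80, 0x07, 235726848, 83510 * 2048)     # Partition 3, active
    + build_entry(0x00, 0x0F, 406755328, 106633 * 2048)    # Extended LBA container
    + b"\x55\xaa"                                          # boot signature
)
DISK_SECTORS = 305245 * 2048   # "Disk 0 ... Size: 305245MB" in the log

def parse_mbr(data):
    """Return the non-empty primary entries of a 512-byte MBR sector."""
    if len(data) < 512:
        raise ValueError("need a full 512-byte sector")
    if data[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        entries.append({"index": i + 1, "bootable": boot == 0x80,
                        "type": ptype, "start": start, "end": start + count})
    return entries

def unaccounted_ranges(entries, disk_sectors):
    """Return (gaps, overlaps): sector ranges [start, end) no entry covers, and indexes of overlapping entries."""
    gaps, overlaps, cursor = [], [], 0
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] > cursor:
            gaps.append((cursor, e["start"]))      # a large gap is where a hidden partition could sit
        elif e["start"] < cursor:
            overlaps.append(e["index"])            # inconsistent table, worth a closer look
        cursor = max(cursor, e["end"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps, overlaps

if __name__ == "__main__":
    gaps, overlaps = unaccounted_ranges(parse_mbr(SAMPLE_MBR), DISK_SECTORS)
    for start, end in gaps:
        print(f"uncovered sectors {start}-{end} ({(end - start) // 2048} MiB)")
    print("overlapping entries:", overlaps or "none")
```

On the constructed layout the only uncovered ranges are the 1 MiB alignment gap before the first partition and 1 MiB at the end of the disk, so any hidden space would have to sit inside the extended container or be masked from the read path. Run the same parser on a raw sector read and on the MBR.dat that aswMBR saved and compare the two tables; a difference between them is the kind of discrepancy a bootkit check looks for.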

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37612
  • Not a avast user
Re: is this an unknown variant
« Reply #1 on: August 02, 2014, 12:26:58 AM »
Follow instructions: https://forum.avast.com/index.php?topic=53253.0
Attach Malwarebytes and Farbar Recovery Scan logs


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37612
  • Not a avast user
Re: is this an unknown variant
« Reply #2 on: August 02, 2014, 12:33:15 AM »
If you have the file you think is infected, upload and test it at one of these places: www.virustotal.com / www.metascan-online.com / www.jotti.org
Post link to scan result here


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: is this an unknown variant
« Reply #3 on: August 02, 2014, 11:49:08 AM »
Hi, first we will check the extra partition, although 22 GB is much larger than the normal size.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.