Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection causing hardware damage?


  • Please log in to reply
6 replies to this topic

#1 R0cketer

R0cketer

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 14 October 2009 - 03:07 PM

Ok first off, I am a member of the IT department at my work place, and are a bit perplexed what we have or don't have.

We have a computer that was running incredibly slow, we were also having a major slowdown in our network, with this computer appearing to be a source of a lot of traffic. Investigated it and having ran several utilities, it has symantec anvirus as default virus protection, we never really were able to find out if anything was infecting it. Having read a fair amount and tried to learn how to use it, we tried combofix and it detected a couple of .msi files but not a lot. Tried to a defrag then and it said errors, rebooted it and showed as dirty, and the fun began.

Scanned for a day or so, and of course after it cleaned it, the drive wasn't booting. Figured that was coming, moved the drive to another machine, attempting to use it as a slave and try to recover some data. It would scan, did so for a few days, lost the drive access a time or 2, but finished the scan finally, with very little acessible. Also had a problem with Symantec trying to run an installer on the system drive, which already has it. Figured that was an attempt from the drive to infect the other drive. Now the original drive is making the clicks of doom. Figure its toast. If that was the case, we've lost some important data but that was kind of expected originally.

Problem is that the second drive, in the system we put the 'infected' slave drive in, is now giving some errors and thus far, we haven't been able to find anything on it. It's kind of confusing, it appears that whatever was on the first drive has jumped/infected the other drive, which appears to be corrupting the drive itself. Not sure what is out there that could be doing that, not sure if it is, if its an ugly coincidence (doubt that), and just trying to figure out if the drive is infected, something is reporting it as damaged to cause you to erase/delete or what is going on.

Seriously at this point, just trying to figure if there is anything kind of new that sounds like this. I think it was doing physical damage to the drive by probably a write/overwrite type function but have nothing to go on or not really a solid direction to start. If its something, some infection/worm/etc trying to figure out what it is, and scan some other workplace computers to make sure its not going out or hasn't went out on the local network would be very good. The system we used to stick the drive in, is at the moment up, but after the corruption it showed, we're not sure if there is something on it, or what. So please, feel free to post some ideas/suggestions/programs, etc. We ran seatools on it (its a maxtor drive) and it showed 100 errors on the drive that didn't have any damage prior to the other one being put in there so if there is something going on, trying to nip it in the bud is very much the goal.

I'll try to help explain anything if I didn't explain it very well. Its a county government, so the IT dept is me and one other guy and we're both pretty perplexed here.

Thanks in advance.

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:02:08 AM

Posted 14 October 2009 - 08:56 PM

I would scan for rootkits



We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

=====================================



Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 R0cketer

R0cketer
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 15 October 2009 - 09:06 AM

Ok here are the replies to the 3 things I think you asked

RootRepeal results


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/15 09:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA55C0000 Size: 479232 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA3DB6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\MiniSoft\WS92\backup\Ws92link.mpe
Status: Could not get file information (Error 0xc0000008)

Path: c:\system volume information\_restore{cca15f78-7193-4ca6-8115-2b570dd6546c}\rp2127\a0264300.dll
Status: Allocation size mismatch (API: 2027520, Raw: 2093056)

Path: c:\system volume information\_restore{cca15f78-7193-4ca6-8115-2b570dd6546c}\rp2127\a0264302.sys
Status: Allocation size mismatch (API: 327680, Raw: 393216)

Path: c:\system volume information\_restore{cca15f78-7193-4ca6-8115-2b570dd6546c}\rp2127\a0264304.sys
Status: Allocation size mismatch (API: 65536, Raw: 131072)

Path: C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2130\change.log.5
Status: Visible to the Windows API, but not on disk.

==EOF==


Next is Wink32kdiag.txt


Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\$NtUninstallKB833987$\sxs.dll

[1] 2006-10-19 09:59:58 713216 C:\WINDOWS\$hf_mig$\KB926255\SP2QFE\sxs.dll (Microsoft Corporation)

[1] 2006-10-19 09:56:32 713216 C:\WINDOWS\$NtServicePackUninstall$\sxs.dll (Microsoft Corporation)

[1] 2004-03-19 18:43:24 674816 C:\WINDOWS\$NtUninstallKB833987$\sxs.dll ()

[1] 2004-03-08 22:25:19 676864 C:\WINDOWS\$NtUninstallKB841356$\sxs.dll (Microsoft Corporation)

[1] 2004-08-04 03:56:46 713216 C:\WINDOWS\$NtUninstallKB926255$\sxs.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:07 713216 C:\WINDOWS\ServicePackFiles\i386\sxs.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:07 713216 C:\WINDOWS\SYSTEM32\sxs.dll (Microsoft Corporation)

[1] 2004-08-04 03:56:46 713216 C:\i386\sxs.dll (Microsoft Corporation)





Finished!

And last is the log.txt

Volume in drive C has no label.
Volume Serial Number is FC72-D620

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SYSTEM32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SYSTEM32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SYSTEM32

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 128,911,605,760 bytes free


Hope that is what you wanted. We're not beyond wiping the computer with the currently still running computer and doing a clean install, but really trying to get a grasp on what is going on, in case it snowballs, if the things are related. If they aren't they have done one heck of a job of scaring the crap out of us lol

#4 R0cketer

R0cketer
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 15 October 2009 - 12:33 PM

Just having done some further reading, and kind of concerned about Virut variations. Especially since it appears whatever is going on disabled virus software. As kind of an additional question related to this, what is the best tool to check for this? Getting paranoid since whatever this is has acted differently than pretty much anything I've dealt with in nearly 15 years of being here. Considering our whole network acts very sluggish of late, I'm wondering what scans/utils I should run on some other machines as kind of fire fighting before the fact. As I said, or think I said, local county government, 2 man IT team for the county, we stayed swamped and if this cascades on us, I may forget what my family looks like. Thanks again in advance.

#5 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:02:08 AM

Posted 15 October 2009 - 08:10 PM

We're not beyond wiping the computer with the currently still running computer and doing a clean install,


As you are finding out the new rootkit infections out now are devastating.
No one has yet to design a successful removal tool
We have tools that can scan the system, but then it takes customized scripts in combination with some special tools
Even then there is no guarantee. Removing files then reinstalling after reinstallation will also reinfect the computer

I would also like to warn you against using Combofix
You run the risk of turning the computer into a doorstop

Because of the nature of your job, I'm sure downtime is important
I would recommend a reformat and reinstalI would also run a pass of zeros on the hard drive before doing so
Active Killdisk free version will do this
http://www.killdisk.com/
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 R0cketer

R0cketer
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 16 October 2009 - 12:21 PM

Appreciate the warning on combofix. As you stated, downtime is our enemy. We are a 2 person operation trying to keep up a small army ...and a small army who doesn't always listen to the 'dont click strange emails' advice :thumbsup: We have virus protection so combofix, has kind of became a fifth/sixth/seventh tool ran just when we're pretty whipped, not a regular toy (almost at the nothing else to try, lets give it a shot type idea). Don't know that virut is the problem, just reading and some of the descriptions sound suspicious to me.


Was there anything in the logs I posted? As for utilities to scan, particularly for rootkits and such, any suggestions are much appreciated. If this is something that is best discussed via email or message, please feel free to message me, anybody who has ideas. I'm not sure what I'm looking for on the rootrepeal program, and I think we have saphos to check with as well. SAS and malwarebytes are staples of our first line of detection as well.

Mainly just trying to determine IF the one I posted logs from is showing as infected, if it is, then a bit scared on the way it got from the crashed drive to this one. As you mentioned, that reinstallations can reinfect, trying to do as much scanning and due diligence as we can to prevent that.

Bad part is both I and my co-worker are card-carrying members, college graduates with computer information systems degrees, but due to the lack of manpower and money, most of our training is on the fly. Boards such as this have been great tools to learn, study and try to figure out ways to fight off the forces of darkness *lol*

I'm not sure what I'm looking for in the logs, so I'm deferring to your expertise here.

Thanks,

Freddy

#7 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:02:08 AM

Posted 16 October 2009 - 05:12 PM

I am not a HJT team member. I've just learned to look for subtle clues. While the logs are suspicious I would run 2 more scans to be sure

Download Sophos ARK to your Desktop from here:
http://www.sophos.com/products/free-tools/...ti-rootkit.html

Sophos does not update itself, so be sure to download the latest version from their website.

Double-click on the icon and the wizard will guide you through the installation

It is recommended that you close down all non-essential programs

Depending on the individual computer the scan can take anywhere from 5 minutes to over an hour

Start the scan by clicking Start>Programs>Sophos>Sophos Anti Rootkit>Sophos Anti Rootkit

Select the checkboxes for the areas you wish to scan
Select the Extensive scanoption

Click Start scan or hit Enter

The names of suspicious files are displayed in the results list in the upper panel

The results list may also display registry keys or values. these items should not be marked for removal

If you have any question on a file not automatically marked, go to the Sophos website: www.sophos.com
Type in the name ofthe file in the searchbox at the top of the homepage and click Search

Click Clean up checked itemsand when the dialog box appears, click yes
When the dialog box reappears, reboot the computer

A second scan is recommended

To remove Sophos ARK from your computer, go to Start>Programs>Sophos>Sophos Anti Rootkit>Uninstall Sophos Anti Rootkit

=================================================


  • Please download System Repair Engineer from here
  • Unzip/extract sreng2.zip to a folder on your desktop
  • Double-click on SREngLdr.EXE to launch System Repair Engineer
  • Click the Smart Scan Icon
  • Click Scan
  • Wait for the scan to finish
  • Click on the Save Reports button
  • Save it to your desktop, using the recommended name of SREngLOG.log
  • Close System Repair Engineer
  • Use notepad to open the SREngLOG.log file
  • Copy & paste the contents of that file as a reply to this topic
  • Note: The log may be long, and you may need several posts to post all of it
  • If you are using a custom HOSTS file, please leave out the [b]HOSTS File section, as it will make the log far too long

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users