
Concerned about possible BIOS infection (Computer #2)

This topic is locked

#1 pacificdenizen

Posted 29 May 2011 - 10:48 AM

Thank you very much in advance for any help or advice you can give.

I have another thread pending for my first sick computer, but I am also seeking help for an Acer Aspire running Windows Vista.

In short, I believe I may have transferred a rootkit from the first (Dell XP) computer to this Acer through a memory stick. The other computer had been receiving messages from Combofix detecting rootkit activity, even after reinstalling XP from disk (didn't realize I wasn't supposed to run Combofix before I posted about that computer).

Shortly after the memory stick was moved to the Acer Vista computer (yes, I am an idiot), I got a message from the new computer that the boot information had been changed.

"Warning: The boot devices have been changed. BBS boot priority will be affected. Please enter setup to check."

Soon afterward, I got error messages from Windows update that I did not have the necessary permissions to update, even though I was the administrator for the computer.

Then the computer alerted me that unauthorized changes had been made to Windows and I would no longer receive notifications. I could not log into my account, and Windows informed me that my account had been disabled.

I tried to restore to factory settings several times using Acer's recovery program. I do not have a disk, so used the "restore to factory settings" option in Acer. Each time, the problems eventually recurred. I was able to get online a few times and download updates before being shut out. McAfee Stinger found an Artemis virus and deleted about 50 to 75 files. It also noted two boot sectors????? Following directions I found online, I even attempted to flash the BIOS and then reinstall, but I am not sure if the BIOS flash was successful, because problems recurred.

During this process (I am sorry I don't remember the sequence), I got a black screen a couple of times, stating that the disk was invalid.

I also got a blue screen, with the following message:

BC Code 1000007e
BCP1 C0000D05
BCP2 8BA27035
BCP3 87DB4288
BCP4 87DB3F84
os Version 6-0-6000
Service Pack 0
Product 768-1

I was given the option to do startup repair during one reboot. When I tried to run it, I got the following message:

Startup repair cannot repair this computer.

Problem Event Name: Startup Repair V2
Problem Signature 01 - Auto Fallover
Problem Signature 02 - 6.0.6000.16386.6.0.6001.18000
Problem Signature 03 - 2
Problem Signature 04 - 65537
Problem Signature 05 - Unknown
Problem Signature 06 - Bad Patch
Problem Signature 07 - 0
Problem Signature 08 - 3
Problem Signature 09 - Wrp Repair


I just restored to factory settings again. I noticed that during the system install, a command box appeared on the screen with writing on it. It was something in system32, but it disappeared so quickly I could not read it.

Upon arrival to my desktop for the first time, I entered the Control Panel and then the Event log and noticed many errors and alerts, including the following:

Security Auditing - Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\srtsp.sys

The audit log was cleared
s-1-5-21-108174893-2530054443-403708811-500
Log Name: Security (Date from 2006????!)

A logon was attempted using explicit credentials

Special privileges assigned to new logon.

Windows firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network (this message appeared prior to setting up networking)

The event logging service has shut down

An attempt was made to register a security event service.

IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 9, function 0.
IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 11, function 0.
IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 12, function 0.

Windows Defender has detected changes. Microsoft recommends that you analyze the software that made these changes for potential risks.
The process C:\Windows\system32\winlogon.exe has initiated the restart of computer on behalf of user....No title for this reason could be found.
Source: User32
S-1-5-21-108174893-2530054

The Netbios name and DNS host of this machine have been changed from ....... to ......

The shadow copies of volume .......... were aborted during detection.

******There are about 50 notifications about USER PnP.**********

I am not even sure which alerts may be important and which aren't, and where to start to address these problems. I am sorry if I have cluttered this post with unnecessary information. Please, I would be very grateful for any help you can give.

Thank you,

pacificdenizen

Edited by pacificdenizen, 29 May 2011 - 11:16 AM.



#2 cryptodan

Posted 09 June 2011 - 03:03 PM

Since you have run Combofix, please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#3 pacificdenizen

Posted 10 June 2011 - 06:08 PM

Thank you, cryptodan.

Here is a link to the new topic I posted:

http://www.bleepingcomputer.com/forums/topic403029.html

Just to be clear, I didn't run Combofix on this computer (I don't think). I was referring to the computer I may have transferred this infection from (via thumb drive) when I mentioned Combofix.

I hope my new topic is clear. I ran into a glitch when running the scans but tried to explain what happened and what I did.

Thank you again very much for your help,

pacificdenizen

#4 hamluis

Posted 11 June 2011 - 01:23 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the logs you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on, the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Now that your log is posted and you are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

Louis