Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Bios Virus & crazy problems - Infected or not?

  • This topic is locked This topic is locked
3 replies to this topic

#1 gggirlgeek


  • Members
  • 4 posts
  • Local time:03:41 AM

Posted 10 April 2012 - 05:11 PM

Mod EDIT:MOVED to Virus,Trojan and Malware Removal Logs ~~boopme


In the next post is my Hijack log. I am overwhelmed with the amount of changes I've done to my system and whether I actually have a virus/Bios virus. I really need help please.

My main question: I can format/flash everything and re-install - no problem. However, I have 1Tb of data on other partitions that cannot be lost (some are .exe and .zip files.) The backups are on the same system so are in danger of infection too. How do I isolate these partitions and hide them from the virus if it is as bad as a Bios virus? How do I know if it's safe to connect my old USB and HDD's to the fresh install to transfer these files?

Second, after dozens of scans with various AV/rootkit software I still can't tell if I'm even infected. (No legitimate hits.)

Thanks in advance!!

Here's the story (skip straight to Hijack log if you want):

I used the Ram PAE patch from Unawave to unlock Win 32bit to more than 3.5Gb. It or something else may have given me a Bios virus, or I may have a regular virus from a friend's USB drive.

This is a brand new system build (3/24/12.) However, it is the same installation of Windows7-x86 on the old hard drive -- used that drive in the new case and installed new mobo drivers -- re-activated Windows.

Before PAE patch:
* Many file associations were simply blank, especially .vbs, .txt, and .mp3, even though the programs were in the same path. I used a Types.exe utility previously to change the icons and associations of these files previously so this could be the problem.
* Problems with Firefox saying "the destination directory cannot be modified" when downloading.
* Often getting "Access denied" when I try to rename a file outside Windows partition. A few minutes later it is able to be done (without closing any programs or changing anything.)

***No changes after PAE patch -- same problems

After Ram module replacement 2 days ago -- and Asus overclock to advertised speed
* Mouse going crazy/ upside down orientation when in Bios
* BSOD's
* Disconnected all hardware and was able to boot
* Avast, Explorer.exe, Thunderbird and ProcessExplorer would not start -- Avast Service and interface program both would not start.
* Q-tab Explorer addon wouldn't work anymore, and still doesn't on recovered re-image (see next.)

I reset the Bios to default settings after removing the cmos battery, re-seating the ram, and unplugging the HDD's for a while (no flashing yet, until I reformat the hard drives.) No overclocking for now.

I temporarily re-imaged to my second hard drive with other data on it, only formatting a small partition. (It has A LOT of data on it that cannot be lost). It has been connected to the infected computer the whole time. I have not formatted the corrupt Windows partition yet.

The recovered image works for the most part now, with the same Pre-RAM problems though. I am also having those same problems in my old computer now, but didn't have them before.

I connected to my old computer via Ethernet before I knew I had problems so don't know if it traveled through Home network, or whether it's the backup images that are infected (since all are from the same original backup with my settings.)

Hijack log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:16:56 PM, on 9/5/12
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\WinPatrol\WinPatrol.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Users\Mel\Local Settings\Apps\F.lux\flux.exe
P:\MyData\Evernote\Evernote Data\Evernote\EvernoteClipper.exe
P:\MyData\Evernote\Evernote Data\Evernote\EvernoteTray.exe
P:\MyData\Process Explorer\procexp.exe
P:\MyData\Evernote\Evernote Data\Evernote\Evernote.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
P:\MyData\Firefox\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - :C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (file missing)
O2 - BHO: QTTabBar AutoLoader - {d2bf470e-ed1c-487f-a777-2bd8835eb6ce} - mscoree.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - :C:\Program Files\Java\jre7\bin\jp2ssv.dll (file missing)
O3 - Toolbar: QTTabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QTTab Standard Buttons - {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] :"C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [EaseUs Watch] :"C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe"
O4 - HKLM\..\Run: [EaseUs Tray] :"C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe"
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [Ditto] P:\MyData\Ditto\Ditto.exe
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O4 - HKCU\..\Run: [F.lux] "C:\Users\Mel\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: EvernoteClipper.lnk = P:\MyData\Evernote\Evernote Data\Evernote\EvernoteClipper.exe
O4 - Startup: EvernoteTray.lnk = P:\MyData\Evernote\Evernote Data\Evernote\EvernoteTray.exe
O4 - Startup: Process Explorer.lnk = P:\MyData\Process Explorer\procexp.exe
O4 - Startup: ~Disabled
O8 - Extra context menu item: Add to Evernote 4.0 - res://P:\MyData\Evernote\Evernote Data\Evernote\EvernoteIE.dll/204
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\system32\IntelCpHeciSvc.exe
O23 - Service: EaseUS Agent - CHENGDU YIWO Tech Development Co., Ltd - C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
O23 - Service: Guard Agent - CHENGDU YIWO Tech Development Co., Ltd - C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

End of file - 6984 bytes

Gmer log -- is Avast infected??? Gmer is not the only one that didn't like these files. Will try replacing with Avira ASAP.

GMER - http://www.gmer.net
Rootkit quick scan 2012-04-09 07:08:33
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HDS722525VLSA80 rev.V36OA6MA
Running: gmer.exe; Driver: C:\Users\Mel\AppData\Local\Temp\kxldapob.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateProcessEx [0x90B298DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS

---- EOF - GMER 1.0.15 ----

Edited by boopme, 10 April 2012 - 07:12 PM.

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:41 AM

Posted 14 April 2012 - 05:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Posted Image
m0le is a proud member of UNITE

#3 gggirlgeek

  • Topic Starter

  • Members
  • 4 posts
  • Local time:03:41 AM

Posted 15 April 2012 - 11:12 PM

For now I am up and running again. I reformatted, re-flashed, and fresh-installed everything except for my data partitions, including my USB drive, and over-wrote the OS partitions with 0's. I also installed Windows 7 64bit instead of 32bit. For now I am also not using the OC'd ram settings to get my advertised speed. I want to try one piece of hardware at a time, slowly, so I know exactly what produces errors. So far only one little BSOD. Everything else is smooth as silk.

It seems that my problems may have been hardware or Bios related. The motherboard has some issues when the mouse is on a USB 3.0 port sometimes. When this started I was connected with a USB-to-PS/2 adapter to try and resolve the problem. I won't be trying that again! I use USB 2.0 for now.

The only reason I was extremely alarmed was because my anti-virus (Avast) was completely disabled, even after the old OS was working again. Other software started working again though. What kind of Bios reaction can disable the Anti-virus??? That really freaked me out.

I am taking a chance that it's either not a virus, or at least that it didn't infect my data partitions or networked computers. Cross your fingers for me, and thanks for the help!

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:41 AM

Posted 16 April 2012 - 11:52 AM

Thanks for letting me know :thumbup2:


This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users