
I believe I am infected with mebroot, definitely need assistance.


8 replies to this topic

#1 Arkitekt

  • Members
  • 6 posts

Posted 18 September 2017 - 01:16 AM

Hello, I am new to this forum, and hope I get a solution. I have been battling a virus for nearly a year now. I have seen a few posts with the same problem calling it a super Trojan. I cannot do anything to rid my machine of this. All I have ascertained is that whenever I try to clean install Windows, it is always corrupt. The install will not read the official DVD, instead installing from a malicious RAM disk that uses its own files. Bootmgr and bootsect.bak have SHR attributes, ergo neither sfc nor dism will work because the entire file system is corrupt. The ramdisk x:\boot has a hidden attrib $wimdesc. At least 2 RAT files are installed, icrav03 and ticrf. I believe most of this is done using XML files. The ramdisk cannot be owned nor deleted because the files are read only. Diskpart shows 1 disk = disk0, which in turn shows 2 volumes: DVD-ROM UDF and C: system active. Registry shows install as ramdisk C: Windows Recovery Environment winload.exe via c:\panther. I believe this all originates from a boot.sdi file. Can someone please help resolve this issue. At the moment, I have just a bare install and have deleted the RAT files and their originating folders, i.e. ratings etc. Thanks in advance.

H.marshall



#2 buddy215

  • BC Advisor
  • 12,912 posts
  • Gender:Male
  • Location:West Tennessee

Posted 18 September 2017 - 06:03 AM

A RAM disk is created using a third party program that would not be on an official DVD. Once you completely kill the power going to your RAM, the RAM is erased. Malware that existed on the hard drive would be killed during a reformat and clean install of Windows. So, I don't know why you think you cannot clean install Windows using the official DVD.

icrav03 and ticrf... Those are legit file names for Windows.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 Arkitekt
  • Topic Starter

  • Members
  • 6 posts

Posted 18 September 2017 - 09:24 AM

Hello and thank you for responding. I totally agree with what you are saying; however, there are several points that lead me to this conclusion. First, I have been in touch with Microsoft twice, and both techs agree that something is going on with my system. They both say that my installation files are incorrect; however, they concur that it is a hardware issue. Second, I have changed the motherboard, removed the CMOS battery, pressed the power button for ten secs, and removed both the CD-ROM and the SSD. Still, when I start up, the same ramdrive is sitting there at x:\boot, with installation files. Using Hiren's, MBRCheck tells me that the MBR is unknown and possibly infected. Running attrib on the X drive shows the bootmgr and bootsect.bak as SHR; maybe they should be that way. As I said, I agree that all memory should be wiped with no power, so how does that explain the ramdrive being there with no ROM drive, USB, or HDD? One further note: using Ubuntu dmesg, it shows where RAM is stolen to create a ramdisk (maybe normal), I don't know. BCD shows 2 bootloaders, path c:\windows\system32\winload.exe and ramdisk recovery=[boot]\sources\boot.wim with device options \boot\boot.sdi. The Windows registry shows its install as using winpeshl.exe. Do you have any further thoughts other than that I'm crazy?
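The BCD layout described in this post (one loader on C: plus a ramdisk loader for [boot]\sources\boot.wim whose device options point at \boot\boot.sdi) is the shape Windows setup media and the Recovery Environment normally have. The script below is an added example, not code from this thread or from BleepingComputer: it parses a dump of `bcdedit /enum all`, links each ramdisk loader to its "Device options" entry, and reports whether the WIM and SDI paths are in the locations Windows itself uses. The sample output is constructed to match the layout the poster describes and the "expected locations" are an assumption of typical setup/recovery paths, not an exhaustive list.

```python
r"""Triage a dump of `bcdedit /enum all` for ramdisk-based boot entries.

Added example, not code from the forum thread. The sample below is constructed
in the layout bcdedit prints (a normal loader for C: plus a ramdisk loader for
[boot]\sources\boot.wim with \boot\boot.sdi); it was not captured from anyone's machine.
"""
import re
from collections import OrderedDict

# Constructed sample of `bcdedit /enum all` output (not real captured data).
SAMPLE_BCDEDIT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  boot
description             Windows Boot Manager
default                 {default}

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \\windows\\system32\\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \\windows

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  ramdisk=[boot]\\sources\\boot.wim,{ramdiskoptions}
path                    \\windows\\system32\\winload.exe
description             Windows Setup
osdevice                ramdisk=[boot]\\sources\\boot.wim,{ramdiskoptions}
winpe                   Yes

Device options
--------------
identifier              {ramdiskoptions}
description             Ramdisk Options
ramdisksdidevice        boot
ramdisksdipath          \\boot\\boot.sdi
"""

HEADER_RULE = re.compile(r"^-{3,}\s*$")
KV_LINE = re.compile(r"^(\S+)\s+(.*\S)\s*$")
RAMDISK_DEVICE = re.compile(
    r"^ramdisk=\[(?P<dev>[^\]]+)\](?P<path>[^,]+),(?P<opts>\{[^}]+\})$", re.I)

# Assumed typical locations for Windows' own ramdisk images: setup media boots
# \sources\boot.wim via \boot\boot.sdi, and an installed system's Recovery
# Environment is a winre.wim under \Recovery\ with its own boot.sdi.
EXPECTED_WIM = re.compile(r"(\\sources\\boot\.wim|\\recovery\\.*winre\.wim)$", re.I)
EXPECTED_SDI = re.compile(r"\\boot\.sdi$", re.I)


def parse_bcd(text):
    """Return an OrderedDict of identifier -> {key: value, '_kind': section title}."""
    lines = text.splitlines()
    entries, current = OrderedDict(), None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if HEADER_RULE.match(nxt):      # this line is a section title, e.g. "Device options"
            current = {"_kind": line.strip()}
            continue
        if HEADER_RULE.match(line) or not line.strip() or current is None:
            continue
        m = KV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        current[key] = value
        if key == "identifier":
            entries[value.lower()] = current
    return entries


def triage_ramdisk_entries(entries):
    """One finding per loader whose device is a ramdisk; status is 'expected' or 'review'."""
    findings = []
    for ident, entry in entries.items():
        m = RAMDISK_DEVICE.match(entry.get("device", ""))
        if not m:
            continue
        opts = entries.get(m.group("opts").lower(), {})   # the linked "Device options" entry
        sdi_path = opts.get("ramdisksdipath", "")
        reasons = []
        if not EXPECTED_WIM.search(m.group("path")):
            reasons.append("wim outside the usual setup/recovery locations")
        if not opts:
            reasons.append("device options entry %s missing" % m.group("opts"))
        elif not EXPECTED_SDI.search(sdi_path):
            reasons.append("sdi path is not a boot.sdi")
        if entry.get("winpe", "").lower() != "yes":
            reasons.append("ramdisk loader without winpe=Yes")
        findings.append({
            "identifier": ident,
            "description": entry.get("description", ""),
            "wim": "[%s]%s" % (m.group("dev"), m.group("path")),
            "sdi": sdi_path,
            "status": "review" if reasons else "expected",
            "reasons": reasons,
        })
    return findings


def default_boots_ramdisk(entries):
    """True if the boot manager's default entry is itself a ramdisk loader (worth a look on an installed system)."""
    default = entries.get("{bootmgr}", {}).get("default", "").lower()
    target = entries.get(default, {})
    return bool(RAMDISK_DEVICE.match(target.get("device", "")))


if __name__ == "__main__":
    bcd = parse_bcd(SAMPLE_BCDEDIT)
    for f in triage_ramdisk_entries(bcd):
        print("%-9s %-30s sdi=%-16s %s" % (f["status"], f["wim"], f["sdi"], f["reasons"]))
    print("default entry is a ramdisk:", default_boots_ramdisk(bcd))
```

On a real machine, feed it the saved text of `bcdedit /enum all` (run from an elevated prompt) instead of the constructed sample. A ramdisk loader that points at \sources\boot.wim with \boot\boot.sdi, as in this thread, comes back "expected"; only a WIM or SDI in an unusual location, a missing options entry, or a loader that is the default for an installed system is marked for review.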

#4 buddy215

  • BC Advisor
  • 12,912 posts
  • Gender:Male
  • Location:West Tennessee

Posted 18 September 2017 - 12:06 PM

What is the situation now with the computer? Are you able to use it? Have you installed any programs? Are you getting any errors or warnings?


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#5 Arkitekt
  • Topic Starter

  • Members
  • 6 posts

Posted 18 September 2017 - 04:41 PM

The current state is a new installation using an official Microsoft Win7 SP1 DVD. I have not done anything with it; however, there seems to be some questionable activity while checking the event logs. The first 9 events are dated 11/20/2010, the source is Service Control Mgr, and the events are stopping several services: Diagnostic Policy, Windows Event Log, Power Svc, Desktop Window Mgr Session Mgr, Dist. Link Tracking Client, Windows Search, Security Center, Software Shadow Copy Provider, and User Profile Svc. All of this is attributed to computer 37L4247F27-25???? The next 3 events are dated 9/18/2017: NetBIOS name and DNS name of this machine have been changed from 37L4247F27-25 to WIN-FAP9Q7A3UOA, Microsoft ® Windows ® 6.01.7601 Svc Pack 1 Multiprocessor Free, and event log was started. Then back to date 11/29/2010, 16 events: DHCPv6 client svc stopped, shutdown flag value 1 (user ID s-1-5-19); DHCPv4 client svc stopped, shutdown flag value 1; and the rest are just svc stops. Then back to date 9/18/2017, kernel events followed by PnP svc's subsystems have changed state (user ID s-1-5-18) etc. I'm no expert, but I believe this is a kernel level infection using the graphics memory. Sorry for posting all of that, just trying to give you all info possible. I do know that if I disable all virtual drivers, I cannot access disk mgmnt, and on reboot it won't boot because the system is missing vdvroot.sys or .dll, can't recall.

#6 Arkitekt
  • Topic Starter

  • Members
  • 6 posts

Posted 18 September 2017 - 04:43 PM

One more thing: the last install had the error missing vdrvroot.sys, code 0xc000000f.

#7 Arkitekt
  • Topic Starter

  • Members
  • 6 posts

Posted 18 September 2017 - 05:06 PM

Sorry for posting all of this; it may be pertinent. Under the security event log, LSASS.EXE starts and the auditing subsystem is initialized. Account NULL SID was successfully logged on. Per-user audit policy table created, security enabled local group created (target SID s-1-5-32-551, subject user ID s-1-5-18), security enabled local group changed (Backup Operators, Builtin, target same, subject user SID same, subject user name 37L4247F27-25$), sec. enabled local group created (Builtin/Replicator), and it continues to create groups. Then my user account was changed, tied to SID s-1-5-18. Something about target domain name NT AUTHORITY, logon process name Advapi, Negotiate, logon GUID {00000000-0000-0000-0000-000000000000}, process name c:\windows\system32\services.exe. This may be normal, I don't know. The current OS shows as Windows-NT.

#8 buddy215

  • BC Advisor
  • 12,912 posts
  • Gender:Male
  • Location:West Tennessee

Posted 18 September 2017 - 07:17 PM

Well... malware is not involved as far as I can tell. Best I can tell you is make sure the computer has the correct time. For more comments/assistance you could start a topic in the Windows 7 Forum. But if I were you I would stop looking for any problem(s) to solve and start using the computer, and of course get all of the critical updates for 7.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#9 Arkitekt
  • Topic Starter

  • Members
  • 6 posts

Posted 18 September 2017 - 07:23 PM

Thanks, I wasn't sure. The thing runs fine and I did run several A/Vs that found nothing. I run a business and wanted to make sure no sensitive info got out. I do appreciate your time. I'll just update and go about my business. Again, your help is appreciated.