TechSpot

HELP! major worm hidden partition, dual fifo

By logikz
May 17, 2007
  1. Definitely it is hidden, I have a 320 gig drive, it only regs 298 at max, shows 320 in text type fields. It is copying itself to discs I make and reinstalling on computers which use these discs. Danger is high, help me, here is RootkitRevealer
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi logikz,

    Please do not copy or paste your logs. Instead, attach the .log or .txt files to your thread. Your pasted logs shall very soon be removed by the moderator.

    Meanwhile, I request that you do the following.
    Download LSPFix from http://cexx.org/lspfix.htm
    1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
    2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
    3. Check the "I know what I am doing" checkbox.
    4. Select (highlight) all instances of 'nwprovau.dll' in the left column under "Keep".
    5. Click the arrow >> so it goes over to the right column under "Remove".
    6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
    7. Restart your computer

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer. The thread provides a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste; if not, it will be ignored and/or removed by the moderators.


    Regards,
    Your friendly Momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. logikz

    logikz TS Rookie Topic Starter Posts: 19

    OK, uploaded scans
     

    Attached Files:

  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs appear to be clean already.

    Please download and run CCleaner via step 9 of the instructions HERE.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly Momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. logikz

    logikz TS Rookie Topic Starter Posts: 19

    Can you look at this scan? There is definitely something wrong with this comp.
     
  6. xanimefanx

    xanimefanx TS Rookie Posts: 82

    Hmm, well, it's not completely clean, you have

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    Unnecessary (deactivated) entry that can be fixed.

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    Unnecessary (deactivated) entry that can be fixed.

    Momok should be able to help you with removing those files :D
    although it's not a virus, I think it should free up some space
     
  7. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Do not fix those two files.
    They are legit, but appear to be missing because of a HijackThis bug. There are several other files that often appear that way in HijackThis too because of the bug.

    You asked for a relook at the scan. I've checked your logs and they appear to be clean.
    If you wish to double confirm, you may post fresh ComboFix, HijackThis and AVG Antispyware logs from normal mode.


    Regards,
    Your friendly Momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. logikz

    logikz TS Rookie Topic Starter Posts: 19

    Lots of stuff about migration when I never use these things. I get errors about being in 64-bit when I had formatted that OS off my system along with everything else. I did a format and it still registers as a 64-bit system. I get information about my "Computer Configuration "undocked"". When I booted another computer's hard drive up with this as a slave it shows both a windows folder and a windows.0 folder. It has to do with VolSnap I believe. Also a hidden partition, maybe of 12-bit format so I can't read it. There is always a registry entry even on fresh installation called "Mr.Enigma" and another "redbook". I also read entries about it using "Whistler" and "WinSafer". I attached a few things associated, I believe.

    This was found in \windows\system32\PreInstall\WinSE\wxp_x86_0409_v1

    second file is found at C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles

    I completely reinstalled / formatted on 5/16/2007 at appx 11:00 pm. Attached drivers list

    And when I delete files they go to a \Recycler folder on both my C:\ and E:\ drives. This is all very strange.
     
  9. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You have some nasties on your system. Please follow the instructions.

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste; if not, it will be ignored and/or removed by the moderators.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly Momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. logikz

    logikz TS Rookie Topic Starter Posts: 19

    Fresh logs posted. If this helps, a while ago I had flashed my BIOS with this program on here. I was given a corrupted version of Windows XP Professional which I installed. Lots of problems arose. I can't install AVG Anti-Spyware because it says I'm running a 64-bit OS. I have already reinstalled Windows, here are fresh logs. The virus is still on my system; those nasties were also from a near-fresh install, they are packaged in with volsnap, or possibly some .xml datafactory.

    If it helps, after the fresh reinstall my pagefile stayed the same size, and is ever-growing. I have a couple of different system folders, with these names: C:\Windows\System32 and C:\windows\SYSTEM32
    strageland eh? Every computer around me seems to be infected with this virus, it self-installs on CDs and floppies, it seems neverending...

    This is the boot manager that I cannot get rid of. Once this arrived, the virus arrived.

    panda scan
     
  11. Phantasm66

    Phantasm66 TS Rookie Posts: 5,734   +7

    A hidden partition???? Are you yanking my chain??!

    If you've actually got A HIDDEN PARTITION on your machine that contains some kind of rootkit technology or something, then what are you waiting for...

    FORMAT AND REINSTALL!!
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Since you've identified that the problem arises from your CD, I would advise you to get a new one (clean and legit one) and do a reformat and reinstall. It would be the most straightforward way since your OS was also just recently installed and it doesn't hurt to take the safest route.

    However if you'd like to clean your system, I'll try my best to help you. Your ComboFix log is just filled with tonnes of dlls and executables which normally do not even appear in the average user's system log. It will take some time to sort out the bad files to clean.

    Let me know your decision again.


    Regards,
    Your friendly Momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. logikz

    logikz TS Rookie Topic Starter Posts: 19

    The problem is that I installed a corrupted version ONCE. The discs I am currently using are factory Windows CDs. I have Home Edition SP2, Home Edition, and XP Pro x64. All with legit CD keys, and the CDs are not burnt or anything, they are straight from the company. I think cleaning would be the best idea because after format / reinstall I'm left at the same place. Another prob is that I get an internet multicast directed at port 1600 from my router all the time, dunno what that is. If you could help me I would appreciate it, I've been combating this virus / worm / trojan / backdoor for a long time, and it has all my computers and hard drives infected along with everyone I know..
     
  14. momok

    momok TS Rookie Posts: 2,265

    Hi,

    In that case it would be the right decision to do the format. As for your other computers and hard drives, the extent of infection may vary, even if they are similar. I'll have to look at some ComboFix and HJT logs before I can guide you through cleaning.

    I'm not sure if the internet port redirection is a result of the infection. When you have completed your fresh install of Windows, let us know if it still occurs.


    Regards,
    Your friendly Momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. logikz

    logikz TS Rookie Topic Starter Posts: 19

    After fresh reinstall again.. still having same probs

    More logs may be useful...
     
  16. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You have posted mostly irrelevant logs. We do not read those logs here. Please post only the requested logs from the following instructions.

    Please visit Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs from normal mode as attachments into this thread. Do not copy and paste; if not, it will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. logikz

    logikz TS Rookie Topic Starter Posts: 19

    Here is proof I'm getting this reinstalled with EVERY format. Please help me, don't say "format and reinstall" cuz I have done it 50000000000 times. I need real help.

    here these ones
     
  18. Phantasm66

    Phantasm66 TS Rookie Posts: 5,734   +7

    Download a Linux disk.

    Boot from it, but choose Rescue mode.

    then (assuming you have a regular HDD controller) do this:

    dd if=/dev/zero of=/dev/hda

    that will write zeros all over your drive.

    once finished (it should take ages) repartition, format and install again.

    It should work, I don't know anything that can survive a dd from dev zero.
     
  19. momok

    momok TS Rookie Posts: 2,265

    Hi,

    If you wish to try the format once more, do go ahead with Phantasm66's instructions. However, if you wish to have a go at cleaning your system, I will do my best to guide you. But first, you will need to follow the instructions.

    The 15 step preliminary removal guide is supposed to equip us with 3 logs: AVG Antispyware, ComboFix and HijackThis. Until now, I have only seen one. Also, I need to know what the AVG Anti Rootkit scan turns up, if anything.

    Only then can we provide any targeted step-by-step removal guide for you. If you wish to clean your system but have not completed the steps in our preliminary removal guide, do continue to complete them before providing us with the three logs and the anti-rootkit scan results.


    Regards,
    Your friendly momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  20. logikz

    logikz TS Rookie Topic Starter Posts: 19

    So I find these files: imjpdsvr and a bunch more imjp files which are all Japanese. I haven't installed Japanese stuff... they are all Microsoft IME files, this is after a fresh reinstall. Also, after a fresh reinstall / format my pagefile has not changed its size...
     
  21. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Do not delete any files on your own without supervision. Those files are legit and are not Japanese. For more information on one of them, please see HERE.

    That said, I really really need to see the log files from the instructions that I have given you. They may seem intimidating, but almost every user who went through that process and received further guidance from us in the cleaning process managed to rid their system of infections.

    It's been 11 posts since I've asked you to go through the steps once more, and I've repeated myself three times. Please post the requested logs or nobody on this forum will be able to help you much.


    Regards,
    Your friendly momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  22. logikz

    logikz TS Rookie Topic Starter Posts: 19

    New logs after regfix..
     
  23. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You are running an outdated version of HijackThis.
    You can obtain the latest version from the link in my signature.

    Have HijackThis fix the following entries:

    F2 - REG:system.ini: UserInit=userinit (filesize 26112 bytes, MD5 B5FEB3B971A8B8C81CE9DE65031A87E5)
    O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-IDCDT.exe" /REG (filesize 663040 bytes, MD5 4CC9F9220262154F4B72821C74AE971F)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    You have not posted all the requested logs. (ComboFix and AVG Antispyware)
    Please do so in your next reply, including a fresh HijackThis log.


    Regards,
    Your friendly momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  24. logikz

    logikz TS Rookie Topic Starter Posts: 19

    New logs, I don't have Windows XP 32-bit, I'm using 64-bit. I have some logs, but ComboFix doesn't work.

    More logs, if you can help me to clean or get a clean install, let me know.

    This one is strange

    The Plug and Play operation cannot be completed because a device driver is preventing the device from stopping. The name of the device driver is listed as the vetoing service name below.
    Vetoed device: STORAGE\VOLUME\1&30A96598&0&SIGNATURE22F022FOFFSET7E00LENGTH18713FB800
    Vetoing device: STORAGE\Volume\1&30a96598&0&Signature22F022FOffset7E00Length18713FB800
    Vetoing service name: FileSystem\Ntfs
    Veto type 6: PNP_VetoDevice
    When Windows attempts to install, upgrade, remove, or reconfigure a device, it queries the driver responsible for that device to confirm that the operation can be performed. If any of these drivers denies permission (query-removal veto), then the computer must be restarted in order to complete the operation.
    User Action
    Restart your computer.

    I really want to fix this problem, it's been going on for months and months. Should I find 32-bit?
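Two figures in this thread can be checked arithmetically rather than by scanning: the first post's "320 gig drive only regs 298" (320 × 10^9 bytes is 298.0 GiB, which Windows labels "GB", so that gap alone does not indicate hidden space) and the Signature/Offset/Length fields in the vetoed volume path quoted in the event above. The script below is an added example, not from the thread; the field layout is read from the path as quoted, and the function names are mine.

```python
import re

GIB = 1024 ** 3  # Windows reports capacities in binary units but labels them "GB"


def marketed_gb_to_gib(marketed_gb: float) -> float:
    """Decimal gigabytes as printed on the drive (1 GB = 10^9 bytes) -> GiB."""
    return marketed_gb * 1_000_000_000 / GIB


def unaccounted_gib(marketed_gb: float, reported_gib: float) -> float:
    """Space the unit conversion does NOT explain; only a gap well above zero
    is worth chasing as an unlisted partition."""
    return marketed_gb_to_gib(marketed_gb) - reported_gib


# Layout of the volume instance path as quoted in the Plug and Play event:
# STORAGE\Volume\<instance>&Signature<hex>Offset<hex>Length<hex>
VOLUME_RE = re.compile(
    r"STORAGE\\Volume\\(?P<inst>[0-9A-F&]+)&Signature(?P<sig>[0-9A-F]+)"
    r"Offset(?P<off>[0-9A-F]+)Length(?P<len>[0-9A-F]+)",
    re.IGNORECASE,
)


def parse_volume_path(path: str) -> dict:
    """Decode disk signature, byte offset and byte length from a STORAGE\\Volume
    device instance path (hypothetical helper; layout taken from the quoted path)."""
    m = VOLUME_RE.search(path)
    if m is None:
        raise ValueError(f"not a STORAGE\\Volume instance path: {path!r}")
    offset = int(m["off"], 16)
    length = int(m["len"], 16)
    return {
        "disk_signature": f"{int(m['sig'], 16):08X}",  # MBR disk signature, zero-padded
        "offset_bytes": offset,
        "offset_sectors": offset // 512,  # 63 = classic XP-era first-partition start
        "length_bytes": length,
        "length_gib": length / GIB,
    }


if __name__ == "__main__":
    # Constructed inputs taken from the figures quoted in the thread.
    print(f"320 GB marketed = {marketed_gb_to_gib(320):.2f} GiB; "
          f"unaccounted = {unaccounted_gib(320, 298):.2f} GiB")
    vetoed = r"STORAGE\VOLUME\1&30A96598&0&SIGNATURE22F022FOFFSET7E00LENGTH18713FB800"
    for key, value in parse_volume_path(vetoed).items():
        print(f"{key:>15}: {value}")
```

For the quoted path the length decodes to roughly 98 GiB, i.e. this volume is not the 320 GB drive; a real unlisted partition shows up as a gap between the sum of such volume lengths and the disk size, not in the GB/GiB labelling.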
     
  25. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I must reiterate for the final time. I do not need to see all these log files. I only need three: HijackThis, ComboFix and AVG Antispyware.

    It also appears more and more to me that your problem may not be malware related. Several of your HijackThis entries show (file missing) for system files and, to be honest, I have no idea why that is so for your system.

    Every time I see your HijackThis log I see new software. I understand your concerns with the system, but please do not go around downloading more and more tools for your system while we are still in the midst of fixing it.

    It sounds like you have several problems which do not seem linked to malware infection. If you have a backup of your important files and documents, I would actually suggest a reformat. The fact that I found a commercial keylogger on your system increases my conviction that you should do so. If you do banking on your system, please contact your bank and inform them that your information may have been compromised.

    That said, if you still wish to have a go at cleaning your system, please do the following.

    Download Combofix from the link in my signature and replace your existing Combofix.exe file.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Logical Disk Manager Administrative Service
    Event Log
    HTTP SSL
    IIS Admin Service
    IMAPI CD-Burning COM Service
    Distributed Transaction Coordinator
    FTP Publishing Service
    Message Queuing
    Net Logon
    NT LM Security Support Provider
    NVIDIA Display Driver Service
    Plug and Play
    IPSEC Services
    Protected Storage
    Remote Desktop Help Session Manager
    Security Accounts Manager
    SNMP Trap Service
    Virtual Disk Service
    Volume Shadow Copy
    WMI Performance Adapter


    Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    HYENA < this is a known commercial keylogger

    Open your task manager by pressing and holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab, and end the following processes, if found:

    hyena.exe

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    F2 - REG:system.ini: UserInit=userinit (filesize 26112 bytes, MD5 29A1877F2D0EACFF20B6507A3C00F31B)
    O1 - Hosts: ECHO is off.

    All O23 entries.

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders in bold.

    D:\Program Files (x86)\Hyena\

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. I do not need other logs.


    Regards,
    Your friendly momok =)

    This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
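Momok's two replies flag the same UserInit entry with two different MD5 values, and earlier posts discuss entries HijackThis shows as (file missing); comparing such lines across the successive logs is what a responder does by hand. The script below is an added example, not from the thread or from HijackThis: it parses HJT lines in the format quoted here (names and structure are mine) and diffs two logs, listing added and removed entries, entries whose hash changed, and (file missing) entries.

```python
import re
from typing import Optional

# Constructed samples: HijackThis lines exactly as quoted in this thread, split
# into the earlier and the later log they were flagged from.
OLD_LOG = r"""
F2 - REG:system.ini: UserInit=userinit (filesize 26112 bytes, MD5 B5FEB3B971A8B8C81CE9DE65031A87E5)
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-IDCDT.exe" /REG (filesize 663040 bytes, MD5 4CC9F9220262154F4B72821C74AE971F)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""
NEW_LOG = r"""
F2 - REG:system.ini: UserInit=userinit (filesize 26112 bytes, MD5 29A1877F2D0EACFF20B6507A3C00F31B)
O1 - Hosts: ECHO is off.
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
HASH_RE = re.compile(r"\s*\(filesize (?P<size>\d+) bytes, MD5 (?P<md5>[0-9A-Fa-f]{32})\)$")
MISSING_RE = re.compile(r"\s*\(file missing\)$")


def parse_hjt_line(line: str) -> Optional[dict]:
    """Split one HJT line into section code, a stable key, and the annotations
    HJT appends (filesize/MD5, '(file missing)'). Returns None for non-entries."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    body = m["body"]
    entry = {"section": m["section"], "size": None, "md5": None, "file_missing": False}
    h = HASH_RE.search(body)
    if h:
        entry["size"], entry["md5"] = int(h["size"]), h["md5"].upper()
        body = body[: h.start()]
    if MISSING_RE.search(body):
        entry["file_missing"] = True
        body = MISSING_RE.sub("", body)
    entry["key"] = f"{entry['section']} - {body.strip()}"
    return entry


def parse_hjt_log(text: str) -> dict:
    """Map key -> entry for every recognised line in a log."""
    entries = (parse_hjt_line(ln) for ln in text.splitlines())
    return {e["key"]: e for e in entries if e is not None}


def compare_hjt_logs(old_text: str, new_text: str) -> dict:
    """Diff two logs: added/removed keys, entries whose MD5 changed while the
    key stayed the same, and '(file missing)' entries in the newer log."""
    old, new = parse_hjt_log(old_text), parse_hjt_log(new_text)
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "hash_changed": sorted(k for k in common
                               if old[k]["md5"] and new[k]["md5"]
                               and old[k]["md5"] != new[k]["md5"]),
        # momok notes HJT shows (file missing) for some legit files: list, don't auto-fix
        "file_missing": sorted(k for k, e in new.items() if e["file_missing"]),
    }


if __name__ == "__main__":
    for what, keys in compare_hjt_logs(OLD_LOG, NEW_LOG).items():
        print(what)
        for k in keys:
            print("   ", k)
```

A changed hash after reinstalling a different Windows build (32-bit to x64 here) is expected, so the output is a list of files to verify against a known-good copy, not a verdict.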
     