Toughest one yet



#1
58Desoto

    New Member

  • 1 posts
I'm knowledgeable with computers (computer programming 1972 IBM 1401; I have been online since 1990 with sequoia data software compumarket, and I still have the 5 1/4 floppies and manual), but this malware has me and everyone else stumped. I have had Kaspersky, Norton, Trend Micro all try and remove it without any fix. It is currently in 3 desktops and about 5 laptops I have. All scans usually find nothing except combo found NTDLL Mods. I can't paste them from this computer as I'm running Splashtop browser through an ASUS MB boot and I'm restricted to read only and have no access to the HD booting this way.

The problem I have is not the NTDLL Mods, though they are a problem. The real problem I have is the MBR gets modified and a 2048 hidden part gets inserted and my first sector gets modified and then approx. 250 copies are inserted throughout my HD. I have zeroed the HD in hex mode from sector 0 (1) to the end. When I create a new part in DOS, from a store-bought Win Vista or 7 disk or a Linux disk, I get the same MBR Mods when I check them in hex. I believe my BIOS is infected. I have to reflash it about once a week in my ASUS board. ASUS replaced the chip once and then after it got infected they replaced it with a different model board but that also is now infected. So far I haven't been able to reflash any of my laptops, as when I try to run a BIOS flash program I get error messages saying I don't have permission or the file is corrupt or I don't have access to the drive with the software. I bought a new HP desktop which was sent back to HP 5 times and then they finally replaced it with a new unit but that also is now corrupt. Whenever I do a chat with tech support the computer shuts down after about 1 minute. When I do run Windows all my history of errors gets erased. I found that my computer is a little more stable when I keep the tasks off and the error reporting off. Last count for errors was over 100,000 errors. (I have a habit on reload of Win to raise the KB and set to no delete.) My services are also changed and some grayed out, and I cannot edit or change permission on many registry items.

I would think that after flashing this ASUS BIOS with the factory CD and reinstalling a new HD then reinstalling 7 from a factory DVD it would be clean, but it still gets corrupted. I have done that many times without ever inserting any media. I can run GMER and combo and OTL but without fixing the underlying problem I'm not any better off. I'm at wits' end. Thanks
#2
RKinner

    Malware Expert

  • 19,773 posts
It sounds like a version of the ZeroAccess rootkit, though we haven't seen it messing with the BIOS yet. One way to prevent it from taking hold of a clean system is to make sure you have the drive divided into 4 partitions. This is the maximum and it usually just gives up if it sees that there is no room for its partition. The extra partitions don't have to be very big. If you are doing a factory restore, make sure you uninstall Java before going online as it will certainly be out of date. The factory or new version of Windows will be way behind in security updates so these will need to be installed right away. I usually slap Online Armor on a newly restored system until I get it updated. USB drives are like dirty needles so make sure you get your Online Armor off a clean system and save it to a CD.

Without an OTL log I can't be sure which version you have or what's going on. Can you:

Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.


Copy the text in the code box:

DRIVES
netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Also download aswMBR.exe (511KB) to your desktop.
Right click aswMBR.exe and Run as Administrator.
Uncheck trace disk IO calls.
Click the "Scan" button to start the scan (accept the Avast engine).
On completion of the scan, if the Fix button is enabled (not the FixMBR button), press it, then run a new scan and click save log, save it to your desktop and post it in your next reply.
If the Fix button is not enabled, then just click save log, save it to your desktop and post it in your next reply.
Please attach the MBR.dat file that should be on your desktop.

Ron
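
Added example, not part of either post above: a way to compare two dumps of a disk's first sector and see whether the boot code changed, whether a partition entry appeared, and how many of the four MBR table slots are still free. It assumes each dump is a raw 512-byte copy of sector 0 of a classic (non-GPT) MBR disk; the function names and sample bytes are made up for illustration.

```python
import hashlib
import struct

BOOT_CODE_END = 440   # bytes 440-445 hold the per-disk signature, so exclude them
TABLE_OFFSET = 446    # four 16-byte partition entries, then 0x55 0xAA
ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, count

def parse_mbr(sector: bytes) -> dict:
    """Decode a classic (non-GPT) MBR sector."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * 16
        status, ptype, lba, count = struct.unpack(ENTRY, sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"slot": slot, "active": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "entries": entries, "free_slots": 4 - len(entries)}

def diff_mbr(baseline: bytes, current: bytes) -> list:
    """List differences between a known-good dump and a later dump."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    known = {(e["type"], e["lba_start"], e["sectors"]) for e in old["entries"]}
    for e in new["entries"]:
        if (e["type"], e["lba_start"], e["sectors"]) not in known:
            findings.append(f"new partition in slot {e['slot']}: type 0x{e['type']:02x}, "
                            f"start LBA {e['lba_start']}, {e['sectors']} sectors")
    return findings

def make_sector(boot: bytes, parts: list) -> bytes:
    """Build a constructed sample sector; parts are (status, type, lba_start, sectors)."""
    table = b"".join(struct.pack(ENTRY, *p) for p in parts).ljust(64, b"\x00")
    return boot.ljust(TABLE_OFFSET, b"\x00") + table + b"\x55\xaa"

# Constructed samples, not taken from any real disk.
BASELINE = make_sector(b"\xfa\x33\xc0", [(0x80, 0x07, 2048, 204800)])
LATER = make_sector(b"\xfa\x33\xc1", [(0x80, 0x07, 2048, 204800), (0x00, 0x17, 206848, 2048)])

if __name__ == "__main__":
    for line in diff_mbr(BASELINE, LATER):
        print(line)
    print("free slots now:", parse_mbr(LATER)["free_slots"])
```

To use it on real dumps, read each file in binary mode and pass the first 512 bytes to `diff_mbr`, with the baseline taken right after a known-clean install.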