Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


I have one very difficult hack or virus to remove


Re: I have one very difficult hack or virus to remove

Post by Gary R » February 5th, 2013, 7:02 pm

As far as I can see, any problems you are having are not being caused by an active infection.

Usually the discrepancy between actual disk size, and available disk size is caused by the fact that by default Windows 7 (and 8) boot from a separate "system" partition, and most manufacturers also include a "recovery" partition, which contains a "factory" copy of the OS.

However, your computer is configured to have just one partition, which is also the bootable partition, so I can't explain the discrepancy between what you believe should be your disk size, and the size indicated in the various scans we've run. The single partition layout of your disk is not "standard" and may be the source of your problems. My speciality is Malware removal, not OS setup problems, so I'm speculating here.

I think at this point you might best be served by talking with someone who specialises with hardware and OS problems and see if they can throw a light on what is going wrong with your machine.

Below are links to a number of forums that offer that kind of support, and where the standard of help is generally high ....

http://forums.whatthetech.com/index.php?showforum=119
http://forums.whatthetech.com/index.php?showforum=126

http://www.geekstogo.com/forum/forum/188-windows-8/
http://www.geekstogo.com/forum/forum/9- ... ripherals/

http://www.bleepingcomputer.com/forums/forum209.html
http://www.bleepingcomputer.com/forums/forum7.html

.... if any of them ask if you've been checked for malware, please feel free to refer them to this topic.

I don't want you to think we're just abandoning you, my only interest is in directing you towards what I believe is the most likely solution to your problems.

I'll leave this topic open for a few days, if you need to get back to me, please do.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: I have one very difficult hack or virus to remove

Post by pgpav2003 » February 5th, 2013, 8:20 pm

Hi, I can and do understand what you are saying about the hard drive and partition, but I still say that it is all to do with the BIOS hack.

I am almost certain that that hack creates or allows the creation of an untraceable hidden partition on people's hard drives.

I also know that the hack is done in the wild because it happened to my Toshiba laptop in less than an hour while I was using the machine at the time. The BIOS in that machine was fine on boot-up; I was then hammered with some sort of attack so I just shut down. When I booted up again I noticed the BIOS was different and I could no longer access it normally, nor could I flash it back to normal. Taking the hard drive out makes no difference to the hack in the BIOS, nor, as in this machine, does crossing jumpers or pulling the battery.

I am reasonably competent with malware removal as well as system security and haven't really had any issues that I was unable to resolve bar this one.

This article may give you an indication of perhaps what I am facing as far as malware goes. It certainly fits the bill all round.

http://www.forbes.com/sites/andygreenbe ... incurable/

I will take your advice and follow up in the other forums, and hopefully they will be able to advise me how I can try to flash the BIOS in all of the machines that are infected. I am sure that it is the BIOS that allows the creation of the hidden partitions that are filled with the original OS boot MBR and enough of the file system to network the two drives so as to appear to be the one and same machine.

Another reason why I believe I am on the right track is that on my little Acer I took the time during a new installation to turn off all networking ability and stripped the shadow copy files from the new installation as well as the workstation file system. I then encrypted the drive. The machine seemed to work fine for a few days, and then I decrypted the drive to add some functions, after which my machine again became a workstation and the hack also became evident again.

Thank you very, very much for taking the time to try and help. It is truly appreciated. I would also like to ask if you think I may be a suitable candidate for your university, as helping people seems to be my main pastime in life. I am retired and have a lot of time to spend on whatever projects I deem suitable. I am also an incurable insomniac :) with a mind that will not let me sleep because it is always working on things :)

I will understand if you say no due to my machine having this problem and the rules applying to people having to have clean machines first.

Cheers from down under, Peter
pgpav2003
Regular Member
Posts: 17
Joined: January 28th, 2013, 11:07 am

Re: I have one very difficult hack or virus to remove

Post by Gary R » February 6th, 2013, 2:29 am

As far as hidden partitions go, we can check for that by getting you to take a copy of your computer's MBR (Master Boot Record). If there are any hidden partitions they will have to show up in the Partition Table, else they cannot be accessed.

  • Download aswMBR.exe to your desktop.
  • Double click aswMBR.exe to run it.
  • Click the SCAN button to start the scan.
  • If prompted to download the latest definitions for Avast, click No.
  • On completion of the scan click SAVE LOG and save it to your desktop.
  • Post the log contents in your next reply please.
  • It will also create a file MBR.dat on your Desktop. This is a copy of your MBR, and is what I'm really interested in taking a look at. Please attach this file to your next reply.
Gary R
Administrator

Re: I have one very difficult hack or virus to remove

Post by pgpav2003 » February 6th, 2013, 3:56 am

This is what happens when trying to scan the MBR.

The same thing happens with or without the antivirus updates.
pgpav2003
Regular Member

Re: I have one very difficult hack or virus to remove

Post by pgpav2003 » February 6th, 2013, 4:22 am

I don't know whether it's relevant or not, but I saw this when I hit dir in the command console while I was trying to look for obvious file anomalies.

The area the snip is of is pretty much all bold type in a run of pretty much all lowercase. It also contains info on the different boot setups, I think. Windows 7 should not be in there, as it was a clean install using Windows Vista.



26/07/2012 06:12 64,512 setbcdlocale.dll
26/07/2012 06:12 1,885,696 setupapi.dll
26/07/2012 06:12 3,072 sfc.dll
26/07/2012 06:12 37,888 sfc.exe
26/07/2012 09:33 1,824 SFCN.dat
26/07/2012 06:12 48,640 sfc_os.dll
26/07/2012 09:33 1,644 SFLCID.dat
26/07/2012 09:33 3,348,038 SFLISTLH.dat
26/07/2012 09:33 1,692,026 SFLISTW7.dat
26/07/2012 09:33 2,682,542 SFLISTW8.dat
26/07/2012 09:33 1,459,266 SFLISTXP.dat
26/07/2012 09:33 10,879 SFPAT.inf
26/07/2012 09:33 9,280 SFPATLH.inf
26/07/2012 09:33 462 SFPATPG.INF
26/07/2012 09:33 17,655 SFPATW7.inf
26/07/2012 09:33 19,040 SFPATW8.inf
26/07/2012 09:33 4,386 SFPATXP.inf
26/07/2012 06:12 588,288 SHCore.dll
pgpav2003
Regular Member

Re: I have one very difficult hack or virus to remove

Post by pgpav2003 » February 6th, 2013, 4:25 am

I also had Windows Defender disabled when doing the MBR scan.
pgpav2003
Regular Member

Re: I have one very difficult hack or virus to remove

Post by Gary R » February 6th, 2013, 5:14 am

OK, let's have a try at getting an export of your MBR using a different tool ....

  • Please download MBRScan and save it to your desktop.
  • Double click on MBRScan.exe and click the Dump button.
  • A file Dump_Hdd0_DR0.mbr (or something similarly named) will be created on your Desktop.
  • Please attach the file to your next reply

Please Note ... If the forum will not allow you to attach the file, rename it to a .txt file type and you should then be able to attach it. I will still be able to analyse the file even with the file type change.
Gary R
Administrator

Re: I have one very difficult hack or virus to remove

Post by pgpav2003 » February 6th, 2013, 6:09 am

Hopefully the file is here.
pgpav2003
Regular Member

Re: I have one very difficult hack or virus to remove

Post by pgpav2003 » February 6th, 2013, 7:00 am

I am hoping the -1 in the third sector of the dump file is the cause of the partition loss, and that simply by changing it the whole drive will be accessible once again.
pgpav2003
Regular Member

Re: I have one very difficult hack or virus to remove

Post by Gary R » February 6th, 2013, 8:00 am

OK, this is the analysis of the MBR you have posted ....

MBR Analyzer v1.1.1

File : C:\Users\Gary R\Downloads\Dump_Hdd0_DR0.txt

--------------------------------------------------------------

--OFFSET-- 0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F- 0123456789ABCDEF

0x00000000 33C08ED0BC007C8EC08ED8BE007CBF00 3À.м.|.À.ؾ.|¿.
0x00000010 06B90002FCF3A450681C06CBFBB90400 .¹..üó¤Ph..Ëû¹..
0x00000020 BDBE07807E00007C0B0F85100183C510 ½¾..~..|......Å.
0x00000030 E2F1CD1888560055C6461105C6461000 âñÍ..V.UÆF..ÆF..
0x00000040 B441BBAA55CD135D720F81FB55AA7509 ´A»ªUÍ.]r..ûUªu.
0x00000050 F7C101007403FE46106660807E100074 ÷Á..t.þF.f`.~..t
0x00000060 2666680000000066FF76086800006800 &fh....f.v.h..h.
0x00000070 7C680100681000B4428A56008BF4CD13 |h..h..´B.V..ôÍ.
0x00000080 9F83C4109EEB14B80102BB007C8A5600 ..Ä..ë.¸..».|.V.
0x00000090 8A76018A4E028A6E03CD136661731EFE .v..N..n.Í.fas.þ
0x000000A0 4E110F850C00807E00800F848A00B280 N......~......².
0x000000B0 EB825532E48A5600CD135DEB9C813EFE ë.U2ä.V.Í.]ë..>þ
0x000000C0 7D55AA756EFF7600E88A000F851500B0 }Uªun.v.è......°
0x000000D0 D1E664E87F00B0DFE660E87800B0FFE6 Ñædè..°ßæ`èx.°.æ
0x000000E0 64E87100B800BBCD1A6623C0753B6681 dèq.¸.»Í.f#Àu;f.
0x000000F0 FB54435041753281F90201722C666807 ûTCPAu2.ù..r,fh.
0x00000100 BB000066680002000066680800000066 »..fh....fh....f
0x00000110 53665366556668000000006668007C00 SfSfUfh....fh.|.
0x00000120 00666168000007CD1A5A32F6EA007C00 .fah...Í.Z2öê.|.
0x00000130 00CD18A0B707EB08A0B607EB03A0B507 .Í..·.ë..¶.ë..µ.
0x00000140 32E40500078BF0AC3C0074FCBB0700B4 2ä....ð¬<.tü»..´
0x00000150 0ECD10EBF22BC9E464EB002402E0F824 .Í.ëò+Éädë.$.àø$
0x00000160 02C3496E76616C696420706172746974 .ÃInvalid partit
0x00000170 696F6E207461626C65004572726F7220 ion table.Error
0x00000180 6C6F6164696E67206F7065726174696E loading operatin
0x00000190 672073797374656D004D697373696E67 g system.Missing
0x000001A0 206F7065726174696E67207379737465 operating syste
0x000001B0 6D00000000627A995C9356EB00008020 m....bz.\.Vë...
0x000001C0 210007FEFFFF0008000000D842250000 !..þ.......ØB%..
0x000001D0 00000000000000000000000000000000 ................
0x000001E0 00000000000000000000000000000000 ................
0x000001F0 000000000000000000000000000055AA ..............Uª

---------------------------[ MBR ]----------------------------

MBR_CODE : Vista MBR Code
MD5 : 86AC6796445E71037CF547B83B0F420E
SHA1 : C8432BEE65E28217B0714E3F6C5451759C138BA9
PARTITIONS : 1
DISK_SIGNATURE : 5C9356EB
SIGNATURE_ID : AA55h

-----------------------[ PARTITION 1 ]------------------------

BOOTABLE : YES
PARTITION_TYPE : 0x07 ( NTFS / HPFS)
PARTITION_SIZE : 298 Go
STARTING_SECTOR : 2048
ENDING_SECTOR : 625139712
TOTAL_SECTORS : 625137664


The section I've highlighted in red and green is your Partition Table. The red part indicates your first partition, the area in green indicate any further partitions (in a MBR bootable drive your disk may have a maximum of 4).

This shows you have a single partition only, and that it is a bootable partition (the 80 at the start of the red section tells us it is bootable) that it is of type 07 (NTFS) formatted. Data in the section above the red highlighted area tells us that it is using a Vista MBR code.

As you can see the green section is full of 00s, which tells us there are no further partitions.

The 55AA at the end are just check digits, and are present on all functioning drives.

The only reason I can think of for your drive having an inaccessible area is that the drive has some damaged sectors, and that your drive controller has restricted access to that area. If you do a scandisk check on a drive, it will often find damaged sectors and "fix" them. What it actually does is mark them as damaged and notify the disk controller so that it will not write data to those areas of the disk.

The area on your disk is large, and it's unusual for such a large section of damage, so it's probably advisable to perform an in depth scan of your hard drive with an appropriate disk scanning tool, but that's beyond the scope of this forum. One of the hardware forums I linked you to earlier can probably help you in that regard.

But we can see that there is no hidden partition on your computer, since even hidden partitions must load via the Partition Table, and are indicated on it. Like the 07 code indicates NTFS, there are codes for various hidden types as well, and none of them are present in your dump.
Gary R
Administrator
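The check Gary R performs in the two posts above (dump sector 0 with aswMBR or MBRScan, then read the partition table and the 55AA signature by hand) can be reproduced without either tool. The Python below is an added example written for this page; it is not code from the thread, from aswMBR, MBRScan or MBR Analyzer. It embeds the last 80 bytes of the dump posted above (offsets 0x1B0 to 0x1FF, copied from the hex column) and zero-fills the boot-code area, which plays no part in the partition check. It parses the four 16-byte entries at offset 0x1BE, reports the active flag, type ID and LBA range of each, flags the type IDs that mark a partition as "hidden", and converts the sector count to both GiB and decimal GB, which is where a 298 versus 320 gigabyte discrepancy comes from. The read_mbr helper and the disk total of 625,142,448 sectors used in the notes are assumptions for illustration, not values taken from the thread.

```python
"""Parse a 512-byte MBR and summarise its partition table (added example, not tool code)."""
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8    # 4-byte NT disk signature
TABLE_OFFSET = 0x1BE       # four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE   # 0x55 0xAA boot signature

TYPE_NAMES = {
    0x05: "extended", 0x06: "FAT16", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x11: "hidden FAT12",
    0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16", 0x17: "hidden NTFS/HPFS",
    0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA", 0x1E: "hidden FAT16 LBA",
    0x27: "hidden NTFS (Windows RE)", 0x82: "Linux swap", 0x83: "Linux",
    0xEE: "GPT protective", 0xEF: "EFI system",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}

# Offsets 0x1B0-0x1FF exactly as they appear in the MBR Analyzer dump in the thread.
# The boot-code bytes before them are zero-filled: they do not affect this check.
TAIL_HEX = (
    "6D00000000627A995C9356EB00008020"
    "210007FEFFFF0008000000D842250000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000000055AA"
)
SAMPLE_MBR = bytes(0x1B0) + bytes.fromhex(TAIL_HEX)


@dataclass(frozen=True)
class Partition:
    index: int          # slot 1-4 in the table
    bootable: bool      # status byte has the 0x80 "active" bit set
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self):
        # MBR Analyzer's ENDING_SECTOR is start + count, one past the last sector.
        return self.start_lba + self.sector_count

    @property
    def hidden(self):
        return self.type_id in HIDDEN_TYPES

    @property
    def type_name(self):
        return TYPE_NAMES.get(self.type_id, "unknown")


def parse_mbr(sector):
    """Return boot-signature validity, disk signature and the non-empty table entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d" % (SECTOR_SIZE, len(sector)))
    signature_ok = sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xAA"
    disk_signature = sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex().upper()
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs_start, type_id, _chs_end, start, count = struct.unpack("<B3sB3sII", entry)
        if type_id == 0x00:
            continue  # empty slot: the all-zero entries in the dump
        partitions.append(Partition(i + 1, bool(status & 0x80), type_id, start, count))
    return {"signature_ok": signature_ok, "disk_signature": disk_signature,
            "partitions": partitions}


def partition_size(sector_count, sector_size=SECTOR_SIZE):
    """(GiB, decimal GB) for a sector count; the same bytes read as 298 GiB or 320 GB."""
    total = sector_count * sector_size
    return total / 2 ** 30, total / 10 ** 9


def unallocated_sectors(total_sectors, partitions):
    """Sectors covered by no table entry. total_sectors must come from the drive's
    own identify data; the MBR does not record the size of the disk."""
    return total_sectors - sum(p.sector_count for p in partitions)


def describe(sector):
    """One line per finding, in the spirit of the analyzer output quoted in the thread."""
    info = parse_mbr(sector)
    lines = ["boot signature: %s" % ("AA55h" if info["signature_ok"] else "MISSING"),
             "disk signature: %s" % info["disk_signature"],
             "partitions: %d" % len(info["partitions"])]
    for p in info["partitions"]:
        gib, gb = partition_size(p.sector_count)
        lines.append("  #%d type 0x%02X (%s) %s %s start=%d sectors=%d (%.1f GiB / %.1f GB)" % (
            p.index, p.type_id, p.type_name, "bootable" if p.bootable else "not bootable",
            "HIDDEN" if p.hidden else "visible", p.start_lba, p.sector_count, gib, gb))
    return lines


def read_mbr(device_path):
    """Read sector 0 of a raw device (administrator/root required), for example
    \\\\.\\PhysicalDrive0 on Windows or /dev/sda on Linux. Assumed helper, not run here."""
    with open(device_path, "rb", buffering=0) as dev:
        return dev.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_MBR)))
```

Two points a practitioner would add to Gary R's reading. First, "hidden" in an MBR is only a type-ID convention (0x17, 0x1B, 0x1C, 0x27 and the others in HIDDEN_TYPES); the entry is parsed like any other and is not concealed from anyone who reads sector 0, which is why the analyzer can rule it out. Second, the table says nothing about space that lies outside every entry, so the unallocated_sectors check needs the drive's LBA count from its own identify data, not from the MBR; a Host Protected Area or Device Configuration Overlay would also reduce that reported count, and is a hardware-level question rather than a malware-removal one, consistent with the referral to the hardware forums.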

Re: I have one very difficult hack or virus to remove

Post by pgpav2003 » February 6th, 2013, 8:50 am

Thank you for taking the time to explain in such depth. I will go to the forums in your links and see how I go there.

This same type of disappearing large inaccessible area is also now on the Toshiba laptop drive as well as the Acer drive, so again my suspicion is still that it's a hack, not just a bad bunch of partition sectors. I believe they are networking through a forced path onto that area somehow and accessing the normal bootable partition area via the internal networking functions, turning my machines into workstations even after I turn that function off.

OK, for now I am heading down the disk analysis trail and hopefully I will be able to get back to you at a later date with some better news. I have a pro version of esaus file recovery that I own; I may try that to see if I am able to uncover the faulty area before going to the forums. If you think there is anything in particular I should be looking to recover with that set of tools, please let me know and I will do my best to get a copy of it and post it.
pgpav2003
Regular Member

Re: I have one very difficult hack or virus to remove

Post by Gary R » February 6th, 2013, 9:20 am

We're pretty much moving outside of my area of expertise now, so just how much actual further help I can be to you is open to debate.

See if the hardware boys can check your disk out, and give you some assistance with troubleshooting your BIOS issues, and if your problems are still not resolved when they've finished, then I'll ask around and see if any of my contacts and colleagues have any suggestions.
Gary R
Administrator

Re: I have one very difficult hack or virus to remove

Post by Gary R » February 10th, 2013, 5:44 am

As you've not got back to me, I presume that your problems have now been addressed, in which case ....

This topic is now closed.
Gary R
Administrator
