Got infected with a worm/spyware/bootkit that created a hidden HFS partition (viewed via TestDisk). I’m actually missing 22 GB from my HD. It installed over 110 ACPI IRQ devices, infected ntkrnlpa.exe and the battery driver, and almost everything else by the looks of it. It defeated all scanners except mebroot_helpassist, which detected the entire C: drive; I let it delete everything it could, then ran GMER and it finally picked up stuff. Ran TDSS and it came back with zero signed system drivers. Ran rootkitkiller from Sysinternals and it detected 935 modified registry entries but crashed while I was saving the log. I lost the TDSS log also, but below are a few of what I was able to get. When I was running rootkitkiller there was a driver operating from the user/temp/local folder that would appear with a random name. This driver is what caused it to crash, as I tried these same steps several times. I obtained a dump from it, and it crashes everything I try to view it with, and when I tried to open it in IE it downloaded itself to my PC. I’m fairly sure this is an unknown modified Mebroot/Sinowal/TDL4 infection. I know of one other person with perhaps the same infection. I’ve got copies of the fonts it uses and ntuser.dat logs as well, and several files from Windows_AppPatch_en-US. I obtained these files from a barebones Win7 32-bit install that had been mangled by the mebroot_helpassist. I am posting a few logs and will wait for a reply before I put the system files up, especially the dump file; that’s a guaranteed infection if you want one for first-hand analysis.
GMER 2.1.19357 - http://www.gmer.net
3rd party scan 2014-08-01 03:22:06
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK3261GSYN rev.MH000A 298.09GB
Running: xe7jt.exe; Driver: C:\Users\HA_HA\AppData\Local\Temp\ugloipow.sys
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwSaveKey + 13C1 82652339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8268BD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, …] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? system32\drivers\28440539.sys The system cannot find the path specified. !
? system32\DRIVERS\compbatt.sys The system cannot find the path specified. !
? system32\drivers\msahci.sys The system cannot find the path specified. !
? system32\drivers\amdxata.sys The system cannot find the path specified. !
? system32\DRIVERS\blbdrive.sys The system cannot find the path specified. !
? system32\DRIVERS\igdkmd32.sys The system cannot find the path specified. !
? system32\DRIVERS\swenum.sys The system cannot find the path specified. !
? System32\Drivers\secdrv.SYS The system cannot find the path specified. !
? C:\Users\HA_HA\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !
? C:\Users\HA_HA\AppData\Local\Temp\aswVmm.sys The system cannot find the file specified. !
? C:\Users\HA_HA\Desktop\SysinternalsSuite\PORTMSYS.SYS The system cannot find the file specified. !
? C:\Users\HA_HA\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !
---- Devices - GMER 2.1 ----
Device \FileSystem\01225575 \Device\KLMD30052014_02100202_B 28440539.sys
Device \Driver\00000467 \Device\KLMD30052014_02100202 28440539.sys
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control@ServiceControlManagerExtension C:\Windows\system32\scext.dll (Service Control Manager Extension DLL for non-minwin/Microsoft Corporation)(2009-07-13 23:19:25)
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class{25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}@ClassDesc C:\Windows\System32\SysClass.Dll (System Class Installer
Cut short for space:
aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-08-01 02:51:49
02:51:49.071 OS Version: Windows 6.1.7601 Service Pack 1
02:51:49.071 Number of processors: 2 586 0x170A
02:51:49.071 ComputerName: HA_HA-PC UserName: HA_HA
02:51:49.633 Initialize success
02:51:49.633 VM: initialized successfully
02:51:49.633 VM: Intel CPU virtualization not supported
02:51:52.781 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
02:51:52.781 Disk 0 Vendor: TOSHIBA_MK3261GSYN MH000A Size: 305245MB BusType: 11
02:51:52.906 Disk 0 MBR read successfully
02:51:52.906 Disk 0 MBR scan
02:51:52.906 Disk 0 Windows 7 default MBR code
02:51:52.922 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
02:51:52.937 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 115000 MB offset 206848
02:51:52.953 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 83510 MB offset 235726848
02:51:52.968 Disk 0 default boot code
02:51:52.968 Disk 0 Partition - 00 0F Extended LBA 106633 MB offset 406755328
02:51:52.984 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 106632 MB offset 406757376
02:51:53.000 Disk 0 scanning sectors +625139712
02:51:53.046 Disk 0 scanning C:\Windows\system32\drivers
02:51:54.825 Service scanning
02:52:03.998 Modules scanning
02:52:07.820 Module: C:\Windows\system32\drivers\spsys.sys SUSPICIOUS
02:52:08.069 Module: C:\Windows\System32\ntdll.dll SUSPICIOUS
02:52:08.210 Module: C:\Windows\System32\apisetschema.dll SUSPICIOUS
02:52:08.319 Module: C:\Windows\System32\iertutil.dll SUSPICIOUS
02:52:08.397 Module: C:\Windows\System32\imm32.dll SUSPICIOUS
02:52:08.537 Module: C:\Windows\System32\msvcrt.dll SUSPICIOUS
02:52:08.631 Module: C:\Windows\System32\ole32.dll SUSPICIOUS
02:52:08.787 Module: C:\Windows\System32\gdi32.dll SUSPICIOUS
02:52:08.943 Module: C:\Windows\System32\user32.dll SUSPICIOUS
02:52:09.224 Module: C:\Windows\System32\oleaut32.dll SUSPICIOUS
02:52:09.286 Disk 0 trace - called modules:
02:52:09.302 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
02:52:09.317 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85936898]
02:52:09.317 3 CLASSPNP.SYS[8ab8359e] → nt!IofCallDriver → [0x85469568]
02:52:09.333 5 ACPI.sys[8a6c43d4] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x8546f030]
02:52:09.333 Scan finished successfully
02:52:23.716 Disk 0 MBR has been saved successfully to “C:\Users\HA_HA\Desktop\MBR.dat”
02:52:23.716 The log file has been saved successfully to “C:\Users\HA_HA\Desktop\aswMBR.txt”
Letting it fix the MBR doesn’t work.
MBR.DAT opened in notepad
I would like to upload the other files also but will wait for instruction. Until I get rid of the hidden partitions and the infection from the current NTFS partitions all in one swoop, there seems to be no way to get rid of this. I’ve run DBAN several times. The Sysinternals load order is below.
Boot WdfLoadGroup n/a* Wdf01000 Kernel Mode Driver Frameworks service
Boot Boot Bus Extender 1 ACPI Microsoft ACPI Driver
Boot Boot Bus Extender 2 msisadrv
Boot Boot Bus Extender 3 pci PCI Bus Driver
Boot Boot Bus Extender 6 vdrvroot Microsoft Virtual Drive Enumerator Driver
Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100
Boot System Bus Extender 7 Compbatt Microsoft Composite Battery Driver
Boot System Bus Extender 9 volmgr Volume Manager Driver
Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100
Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100
Boot SCSI Miniport 33 atapi IDE Channel
Boot SCSI Miniport 64 msahci
Boot SCSI miniport n/a* amdxata
Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100
Boot Filter 1 CLFS @%SystemRoot%\system32\clfs.sys,-100
Boot Base 1 KSecDD
Boot Base 2 CNG
Boot Base n/a* pcw Performance Counters for Windows Driver
Boot File System n/a* Fs_Rec
Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200
Boot Cryptography 2 KSecPkg
Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\tcpipcfg.dll,-50003
Boot n/a* n/a* Disk Disk Driver
Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100
Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101
Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101
Boot PnP Filter* 2* rdyboost ReadyBoost
Boot n/a* n/a* spldr Security Processor Loader Driver
Boot n/a* n/a* volsnap Storage volumes
System SCSI CDROM Class 3 cdrom CD-ROM Driver
System Base 1 Null
System Base 2 Beep Beep
System Video Save 1 VgaSave
System Video Save n/a* RDPCDD @%systemroot%\system32\DRIVERS\RDPCDD.sys,-100
System Video Save n/a* RDPENCDD @%systemroot%\system32\drivers\RDPENCDD.sys,-101
System Video Save n/a* RDPREFMP @%systemroot%\system32\drivers\RdpRefMp.sys,-101
System File system n/a* Msfs
System File system n/a* Npfs
System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004
System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000
System PNP_TDI n/a* NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2
System NDIS 16 WfpLwf WFP Lightweight Filter
System NDIS 18 Psched @%SystemRoot%\System32\drivers\pacer.sys,-101
System NetBIOSGroup 2 NetBIOS NetBIOS Interface
System n/a* n/a* blbdrive
System Network* n/a* DfsC @%systemroot%\system32\drivers\dfsc.sys,-101
System n/a* n/a* discache @%systemroot%\system32\drivers\discache.sys,-102
System n/a* n/a* mssmbios Microsoft System Management BIOS Driver
System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2
System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000
System n/a* n/a* TermDD Terminal Device Driver
System n/a* n/a* Wanarpv6 @%systemroot%\system32\rascfg.dll,-32012
Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100
Automatic COM Infrastructure n/a* DcomLaunch @oleres.dll,-5012
Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001
Automatic COM Infrastructure n/a* RpcSs @oleres.dll,-5010
Automatic Event Log n/a* eventlog @%SystemRoot%\system32\wevtsvc.dll,-200
Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\audiosrv.dll,-204
Automatic AudioGroup n/a* Audiosrv @%SystemRoot%\system32\audiosrv.dll,-200
Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112
Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300
Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200
Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192
Automatic UIGroup n/a* UxSms @%SystemRoot%\system32\dwm.exe,-2000
Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1
Automatic PlugPlay n/a* PlugPlay @%SystemRoot%\system32\umpnpmgr.dll,-100
Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100
Automatic NDIS 14 rspndr Link-Layer Topology Discovery Responder
Automatic NDIS 15 lltdio Link-Layer Topology Discovery Mapper I/O Driver
Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100
Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101
Automatic TDI n/a* lmhosts @%SystemRoot%\system32\lmhsvc.dll,-101
Automatic ShellSvcGroup n/a* ShellHWDetection @%SystemRoot%\System32\shsvcs.dll,-12288
Automatic SchedulerGroup n/a* Schedule @%SystemRoot%\system32\schedsvc.dll,-100
Automatic SpoolerGroup n/a* Spooler @%systemroot%\system32\spoolsv.exe,-1
Automatic NetworkProvider n/a* BFE @%SystemRoot%\system32\bfe.dll,-1001
Automatic NetworkProvider n/a* LanmanWorkstation @%systemroot%\system32\wkssvc.dll,-100
Automatic NetworkProvider n/a* MpsSvc @%SystemRoot%\system32\FirewallAPI.dll,-23090
Automatic Extended Base n/a* Parvdm
Automatic n/a* n/a* CryptSvc @%SystemRoot%\system32\cryptsvc.dll,-1001
Automatic n/a* n/a* DPS @%systemroot%\system32\dps.dll,-500
Automatic n/a* n/a* EventSystem @comres.dll,-2450
Automatic n/a* n/a* FontCache @%systemroot%\system32\FntCache.dll,-100
Automatic n/a* n/a* iphlpsvc @%SystemRoot%\system32\iphlpsvc.dll,-500
Automatic n/a* n/a* LanmanServer @%systemroot%\system32\srvsvc.dll,-100
Automatic n/a* n/a* MMCSS @%systemroot%\system32\mmcss.dll,-100
Automatic n/a* n/a* NlaSvc @%SystemRoot%\System32\nlasvc.dll,-1
Automatic n/a* n/a* nsi @%SystemRoot%\system32\nsisvc.dll,-200
Automatic n/a* n/a* PEAUTH PEAUTH
Automatic n/a* n/a* secdrv Security Driver
Automatic n/a* n/a* sppsvc @%SystemRoot%\system32\sppsvc.exe,-101
Automatic n/a* n/a* SysMain @%SystemRoot%\system32\sysmain.dll,-1000
Automatic n/a* n/a* tcpipreg TCP/IP Registry Compatibility
Automatic n/a* n/a* TrkWks @%SystemRoot%\system32\trkwks.dll,-1
Automatic n/a* n/a* WinDefend @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
Automatic n/a* n/a* Winmgmt @%Systemroot%\system32\wbem\wmisvc.dll,-205
Automatic n/a* n/a* wscsvc @%SystemRoot%\System32\wscsvc.dll,-200
Automatic n/a* n/a* WSearch @%systemroot%\system32\SearchIndexer.exe,-103
Automatic n/a* n/a* wuauserv @%systemroot%\system32\wuaueng.dll,-105
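Added example, not part of the original post: a Python script that parses the partition lines from the aswMBR log above and reports any sector ranges the partition table does not account for, which is the first check an analyst runs when a hidden partition or "missing" disk space is suspected. The log text is a constructed copy of the lines quoted in the post; the 64 MB threshold is an assumption chosen to ignore normal 1 MB alignment gaps.

```python
import re

SECTORS_PER_MB = 2048  # 512-byte sectors, the unit aswMBR uses for offsets

# Constructed sample: the disk size and partition lines copied from the aswMBR log above.
ASWMBR_LOG = """\
02:51:52.781 Disk 0 Vendor: TOSHIBA_MK3261GSYN MH000A Size: 305245MB BusType: 11
02:51:52.922 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
02:51:52.937 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 115000 MB offset 206848
02:51:52.953 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 83510 MB offset 235726848
02:51:52.968 Disk 0 Partition - 00 0F Extended LBA 106633 MB offset 406755328
02:51:52.984 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 106632 MB offset 406757376
"""

SIZE_RE = re.compile(r"Size: (\d+)MB")
# fields: index, boot flag, optional "(A)", type byte, description, size in MB, start sector
PART_RE = re.compile(r"Partition (\S+) \S+(?: \(A\))? ([0-9A-Fa-f]{2}) .*? (\d+) MB offset (\d+)")

def parse_aswmbr(log):
    """Return (disk size in sectors, partition dicts with an exclusive end sector)."""
    disk_sectors, parts = None, []
    for line in log.splitlines():
        m = SIZE_RE.search(line)
        if m:
            disk_sectors = int(m.group(1)) * SECTORS_PER_MB
        m = PART_RE.search(line)
        if m:
            idx, ptype, size_mb, start = m.groups()
            parts.append({"index": idx, "type": int(ptype, 16), "start": int(start),
                          "end": int(start) + int(size_mb) * SECTORS_PER_MB})
    return disk_sectors, parts

def unallocated_regions(disk_sectors, parts, min_mb=64):
    """Sector ranges covered by no top-level entry and at least min_mb large.
    Logical volumes inside an extended container (type 05/0F) are skipped,
    because the container already accounts for their space."""
    top, gaps, cursor = [], [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if any(c["type"] in (0x05, 0x0F) and c["start"] <= p["start"] < c["end"] for c in top):
            continue
        top.append(p)
    for p in top:
        if p["start"] - cursor >= min_mb * SECTORS_PER_MB:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if disk_sectors - cursor >= min_mb * SECTORS_PER_MB:
        gaps.append((cursor, disk_sectors))
    return gaps
```

Feed it the "Size:" and "Partition" lines from any aswMBR log; a hidden partition that the MBR table still reserves space for shows up as a large gap, while one carved out by a rewritten table only shows up when the gap is compared against the drive's real capacity (from SMART/identify data or the vendor spec), which the reported Size line may not reflect.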