unknown rootkit or boot sector virus


• This topic is locked
8 replies to this topic

#1 jopa66


Posted 17 December 2010 - 02:00 AM

The problem computer is my daughter's. It is currently at my home and *not* connected to the Internet, pending resolution to affliction. Custom built by local dealer in Dec. 2008 has been running flawlessly till now.

Firstly, I am not a newbie. My own level of expertise is somewhere between advanced user and expert, and I'm in need of expert advice.

Original problems began about a month ago - constant Blue Screens when surfing the Net. Error message in event viewer:
"The driver ati2dvag for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates."

Stop: 0x000000EA (0x885B6C10,0x890a1800,0xBA4E3CBC,0x00000001)

ati2dvag

System Specs:
Processor Name: Intel Pentium Dual Core E2200
Original Processor Frequency: 2200.0 MHz
Original Processor Frequency [MHz]: 2200
CPU ID: 000006FD
CPU Brand Name: Intel® Pentium® Dual CPU E2200 @ 2.20GHz
CPU Vendor: GenuineIntel

[Motherboard]
Motherboard Model: ASUS P5Q
Motherboard Chipset: Intel P45 (Eaglelake-P) + ICH10R
Motherboard Slots: 2xPCI, 3xPCI Express x1, 1xPCI Express x16
[(G)MCH Features]
Secondary PCI Express Port x16: Supported

BIOS ----------------------------------------------------------------------


BIOS Vendor: American Megatrends Inc.
BIOS Version: 1306
BIOS Release Date: 08/20/2008

Memory --------------------------------------------------------------------


[General information]
Total Memory Size: 2 GBytes
Total Memory Size [MB]: 2048
Row: 0 - 2048 MB PC2-6400 DDR2-SDRAM Kingston 9905429-008.A01LF -----------


[General Module Information]
Module Number: 0
Module Size: 2048 MBytes
Memory Type: DDR2-SDRAM
DIMM Type: Regular Unbuffered (UDIMM)

ATI RADEON HD 3450/4230/4250 (RV620 LE) -----------------------------------
(3450 is the actual card)

[General Information]
Original Device Name: ATI RADEON HD 3450/4230/4250 (RV620 LE)
Device Class: VGA Compatible Adapter
Revision ID: 0
Bus Number: 1
Device Number: 0
Function Number: 0
PCI Latency Timer: 0
[PCI Express]
Version: 2.0
Maximum Link Width: 16x
Current Link Width: 16x
Maximum Link Speed: 5.0 Gb/s
Current Link Speed: 5.0 Gb/s
Device/Port Type: Legacy PCI Express Endpoint
Slot Implemented: No
Active State Power Management (ASPM) Support: L0s and L1 Entry
Active State Power Management (ASPM) Status: Disabled
[System Resources]
Interrupt Line: IRQ16
Interrupt Pin: INTA#
Memory Base Address 0 D0000000
Memory Base Address 2 FE9E0000
I/O Base Address 4 B000
[Features]
Bus Mastering: Enabled
Running At 66 MHz: Not Capable
Fast Back-to-Back Transactions: Not Capable


ATI RV620 - High Definition Audio Controller ------------------------------

[General Information]
Original Device Name: ATI RV620 - High Definition Audio Controller
Device Class: Mixed mode device
Revision ID: 0
Bus Number: 1
Device Number: 0
Function Number: 1
PCI Latency Timer: 0
[PCI Express]
Version: 2.0
Maximum Link Width: 16x
Current Link Width: 16x
Maximum Link Speed: 5.0 Gb/s
Current Link Speed: 5.0 Gb/s
Device/Port Type: Legacy PCI Express Endpoint
Slot Implemented: No
Active State Power Management (ASPM) Support: L0s and L1 Entry
Active State Power Management (ASPM) Status: Disabled
[System Resources]
Interrupt Line: IRQ17
Interrupt Pin: INTB#
Memory Base Address 0 FE9FC000
[Features]
Bus Mastering: Enabled
Running At 66 MHz: Not Capable
Fast Back-to-Back Transactions: Not Capable

Marvell 88SE6121 SATA2 Controller -----------------------------------------


[General Information]
Original Device Name: Marvell 88SE6121 SATA2 Controller
Device Class: IDE Controller
Revision ID: B2
Bus Number: 3
Device Number: 0
Function Number: 0
PCI Latency Timer: 0
[PCI Express]
Version: 1.0
Maximum Link Width: 1x
Current Link Width: 1x
Maximum Link Speed: 2.5 Gb/s
Current Link Speed: 2.5 Gb/s
Device/Port Type: Legacy PCI Express Endpoint
Slot Implemented: No
Active State Power Management (ASPM) Support: L0s Entry
Active State Power Management (ASPM) Status: Disabled
[System Resources]
Interrupt Line: IRQ16
Interrupt Pin: INTA#
I/O Base Address 0 DC00
I/O Base Address 1 D880
I/O Base Address 2 D800
I/O Base Address 3 D480
I/O Base Address 4 D400
Memory Base Address 5 FEBFFC00

Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller (L1e) --------------


[General Information]
Original Device Name: Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller (L1e) (onboard)
Device Class: Ethernet Adapter
Revision ID: B0

(S)ATA/ATAPI Drives -------------------------------------------------------



ST3500410AS ---------------------------------------------------------------


[General Information]
Drive Controller: Serial ATA 3Gb/s
Drive Model: Seagate ST3500410AS
Drive Revision: CC34
Drive Serial Number: 6VM0A7YH
Drive Capacity: 476,940 MBytes (500 GB)
Drive Capacity [MB]: 476940
Media Rotation Rate: 7200 RPM
[Drive Geometry]
Number of Cylinders: 16383
Number of Heads: 16
Sectors Per Track: 63
Bytes Per Sector: Unknown
Bytes Per Track: Unknown
Number Of ECC Bytes: 4
Number of Sectors: 16514064
Total 32-bit LBA Sectors: 268435455
Total 48-bit LBA Sectors: 976773168
Cache Buffer Size: 16384 KBytes

*********************************************************
Traditional troubleshooting was done: Virus scans (Avira), Malwarebytes, Spybot.
Updated Video drivers.
Physically reseated Video Card and Memory.
Rolled back Video drivers
Re-install updated drivers without Catalyst Control Center.
Backed up data, reformat and re-install Windows XP. Partitioned drive before re-install to C:\(system) and D:\(data)
Installed original MotherBoard and Video drivers.
Have downloaded BIOS updates but have not yet flashed BIOS or re-updated Video drivers.

Connected to my router - the system will Blue Screen almost every time I try using Windows to search for my computer to retrieve the backed up data. Have no problem going the other way, i.e. I can see this machine and copy files to it.

At this point, I suspect hardware issues and bring it to the dealer who built it. I explained what I had already done and asked him to try changing out the Video card (or maybe motherboard?). He did not do this. Instead, he repeated the malware scans and said he found a boot sector virus. He charged me $80.00 and assured me it was working fine. And yes it does work fine - as long as you don't go on the Internet or try to connect to my computer again. The Blue Screen issue remains. He graciously made a housecall to my daughter's, re-ran his malware scans as well as ComboFix. His conclusion was the boot sector virus had come back and advised her to use Firefox instead of IE and to get a router. The problem returned again a day or so later and before we had setup a router for her. I returned the system to his shop and insisted he check out the hardware. He insists that a boot sector virus would survive the re-partition, re-format and re-install of Windows. However he did run hardware diagnostics. I don't know what the app was but he showed me the results and apparently the Video card did pass but the Hard Drive showed a failure in its cache. Again he says this could be the boot sector virus that has somehow survived and advises me to zero out the drive and re-install Windows again. And this is where I need your expert help.

The system is again at my house - but is stand-alone. I ran ComboFix myself and it did say there was rootkit activity and wanted to restart the machine. I allowed this but the system did not reboot. After 5 minutes of waiting I rebooted myself (had to use the power switch) and ComboFix resumed scanning when rebooted. I saved the results of that scan and decided to send it to this forum for in-depth analysis. That is when I discovered the other tools that you would have me use before I post my problem to the forum.

So now I have logs for ComboFix, DDS, and Gmer in that order. I will send these as well. I hope this is OK.

***************************************************************************************************
DDS.log


DDS (Ver_10-12-12.02) - NTFSx86
Run by chantelle at 21:04:56.71 on 12/16/10
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1583 [GMT -5:00]


AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Portable Apps\WeatherAlert\WeatherAlert.exe
C:\tools\Fixes\dds.scr


============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292089478281
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll


================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chante~1\applic~1\mozilla\firefox\profiles\3b6sbmvl.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}


============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-23 150568]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-11 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-11 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-11 61960]


=============== Created Last 30 ================

2010-12-17 01:58:50 -------- d-----w- c:\docume~1\chante~1\applic~1\SolSoft
2010-12-17 01:58:49 -------- d-----w- c:\docume~1\chante~1\locals~1\applic~1\SolSoft
2010-12-17 01:57:42 -------- d-----w- c:\docume~1\chante~1\applic~1\Thinstall
2010-12-17 00:48:07 -------- d-----w- C:\tools
2010-12-16 23:06:08 -------- d-----w- c:\docume~1\chante~1\locals~1\applic~1\Help
2010-12-16 19:08:32 -------- d-----w- c:\windows\Logs
2010-12-14 15:36:30 69824 ----a-w- c:\windows\system32\drivers\LxrJD31d.sys
2010-12-14 15:36:30 61440 ----a-w- c:\windows\system32\LxrJD20Sat.dll
2010-12-14 15:36:30 53248 ----a-w- c:\windows\system32\LxrJD31s.exe
2010-12-14 15:36:30 249856 ----a-w- c:\windows\system32\LxrJD31.dll
2010-12-14 15:36:30 167936 ----a-w- c:\windows\system32\LxrJD31c.exe
2010-12-14 15:36:30 1548288 ----a-w- c:\windows\system32\JDSecure31.exe
2010-12-14 15:36:30 146432 ----a-w- c:\windows\system32\LxrJD31p.exe
2010-12-13 22:53:09 -------- d-----w- c:\windows\system32\NtmsData
2010-12-13 22:51:19 215920 ----a-w- c:\windows\system32\muweb.dll
2010-12-12 00:06:43 -------- d-----w- c:\docume~1\chante~1\locals~1\applic~1\ATI
2010-12-11 23:33:27 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-12-11 23:33:26 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-12-11 23:33:26 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-12-11 23:33:26 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-12-11 21:17:56 -------- d-----w- c:\docume~1\chante~1\locals~1\applic~1\Mozilla
2010-12-11 18:02:41 -------- d-----w- c:\docume~1\chante~1\applic~1\Avira
2010-12-11 17:56:47 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-11 17:56:47 -------- d-----w- c:\program files\Avira
2010-12-11 17:56:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-12-06 20:55:36 -------- d-----w- c:\docume~1\chante~1\applic~1\Malwarebytes
2010-12-06 20:53:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 20:53:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-06 20:53:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 20:53:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-06 20:15:28 -------- d-sha-r- C:\cmdcons
2010-12-06 19:46:27 -------- d-----w- c:\program files\Trend Micro
2010-12-04 19:23:43 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-12-04 19:23:43 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-04 19:23:41 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-12-04 19:23:41 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-12-04 19:23:31 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-12-04 19:23:31 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-12-04 19:23:28 32384 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-12-04 19:23:28 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-12-04 19:23:24 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-12-04 19:23:24 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-12-03 16:20:12 -------- d-----w- c:\program files\PerformanceTest
2010-12-03 15:49:38 -------- d-----w- c:\docume~1\chante~1\applic~1\ElevatedDiagnostics
2010-12-02 21:04:08 -------- d-----w- C:\Portable Apps
2010-12-01 19:35:35 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-12-01 19:35:35 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-12-01 19:35:31 -------- d-----w- c:\program files\ATI
2010-12-01 19:34:47 -------- d-----w- C:\ATI
2010-12-01 11:56:07 -------- d-----w- c:\windows\system32\appmgmt
2010-12-01 11:40:29 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-12-01 11:31:44 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-12-01 11:12:10 265728 -c----w- c:\windows\system32\dllcache\http.sys
2010-12-01 10:44:32 -------- d-----w- c:\windows\system32\URTTemp
2010-12-01 10:29:39 -------- dc-h--w- c:\windows\$hf_mig$
2010-12-01 10:27:44 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-12-01 10:27:44 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-12-01 10:27:44 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-12-01 10:27:44 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-12-01 10:27:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-01 10:27:43 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-12-01 10:27:42 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-12-01 10:26:48 2190080 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-12-01 10:26:48 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-12-01 10:26:48 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-12-01 10:24:37 457216 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-12-01 10:24:29 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-12-01 10:24:29 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-12-01 10:24:26 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-12-01 10:22:47 2067968 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-12-01 10:10:03 -------- d-----w- c:\windows\system32\XPSViewer
2010-12-01 10:09:49 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-12-01 10:09:44 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-12-01 10:09:44 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-12-01 10:09:44 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-12-01 10:09:44 117760 ------w- c:\windows\system32\prntvpt.dll
2010-12-01 10:09:43 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-12-01 10:09:43 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-12-01 10:03:16 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-12-01 10:03:16 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-12-01 10:02:33 -------- d-sh--w- c:\documents and settings\chantelle\IECompatCache
2010-12-01 10:02:16 -------- d-sh--w- c:\documents and settings\chantelle\PrivacIE
2010-11-30 23:53:04 -------- d-----w- c:\program files\UPHClean
2010-11-30 23:52:32 -------- d-----w- c:\program files\Microsoft Calculator Plus
2010-11-30 23:52:01 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-11-30 23:45:54 -------- d-----w- c:\program files\MSECache
2010-11-30 23:45:15 28552 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2010-11-30 23:45:15 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-11-30 23:44:44 -------- d-----w- c:\program files\common files\L&H
2010-11-30 23:44:40 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-11-30 23:44:16 -------- d-----w- c:\windows\SHELLNEW
2010-11-30 22:50:12 0 ----a-w- c:\windows\ativpsrm.bin
2010-11-30 22:43:01 84992 ----a-r- c:\windows\system32\drivers\AtiHdAud.sys
2010-11-30 22:42:50 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2010-11-30 22:42:50 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2010-11-30 22:42:50 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2010-11-30 22:42:50 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2010-11-30 22:42:49 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2010-11-30 22:42:49 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2010-11-30 22:42:49 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2010-11-30 22:42:25 593920 ------w- c:\windows\system32\ati2sgag.exe
2010-11-30 22:42:01 -------- d-----w- c:\program files\ATI Technologies
2010-11-30 22:41:17 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2010-11-30 22:29:01 -------- d-----w- c:\program files\Atheros Communications Inc
2010-11-30 22:23:06 24576 ----a-r- c:\windows\system32\AsIO.dll
2010-11-30 22:23:06 12400 ----a-r- c:\windows\system32\drivers\AsIO.sys
2010-11-30 22:23:04 11832 ----a-w- c:\windows\system32\drivers\AsInsHelp64.sys
2010-11-30 22:23:04 10216 ----a-w- c:\windows\system32\drivers\AsInsHelp32.sys
2010-11-30 22:23:04 -------- d-----w- c:\program files\ASUS
2010-11-30 22:22:55 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2010-11-30 22:22:55 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2010-11-30 22:22:55 225280 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
2010-11-30 22:22:55 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2010-11-30 22:22:54 614532 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2010-11-30 22:22:20 -------- d-----w- c:\program files\Marvell
2010-11-30 22:21:43 36864 ----a-r- c:\windows\system32\drivers\l1e51x86.sys
2010-11-30 22:21:38 -------- d-----w- c:\windows\system32\Atheros_L1e
2010-11-30 22:20:29 -------- d-----w- c:\windows\system32\Lang
2010-11-30 22:18:58 69632 ------r- c:\windows\Alcmtr.exe
2010-11-30 21:51:21 -------- d-----w- c:\windows\ASUSInstAll
2010-11-30 21:48:20 -------- d-----w- c:\windows\system32\ReinstallBackups
2010-11-30 21:48:18 53248 ----a-r- c:\windows\system32\CSVer.dll
2010-11-30 21:48:04 -------- d-----w- C:\Intel
2010-11-30 21:45:56 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys
2010-11-30 21:45:41 10296 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS
2010-11-30 21:13:37 -------- d-s---w- c:\windows\system32\Microsoft


==================== Find3M ====================

2010-11-30 22:18:48 315392 ----a-w- c:\windows\HideWin.exe
2010-10-27 03:17:30 16330752 ----a-w- c:\windows\system32\atioglxx.dll
2010-10-27 03:10:46 57344 ----a-w- c:\windows\system32\aticalrt.dll
2010-10-27 03:10:36 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-10-27 03:09:28 4489216 ----a-w- c:\windows\system32\aticaldd.dll
2010-10-27 02:51:30 3958784 ----a-w- c:\windows\system32\ati3duag.dll
2010-10-27 02:49:48 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-10-27 02:48:12 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-10-27 02:36:08 2671744 ----a-w- c:\windows\system32\ativvaxx.dll
2010-10-27 02:30:46 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2010-10-27 02:30:32 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-10-27 02:30:24 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-10-27 02:30:16 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-10-27 02:30:04 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-10-27 02:28:32 614400 ----a-w- c:\windows\system32\ati2evxx.exe
2010-10-27 02:27:02 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-10-27 02:26:16 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-10-27 02:22:30 651264 ----a-w- c:\windows\system32\atikvmag.dll
2010-10-27 02:20:30 64512 ----a-w- c:\windows\system32\atimpc32.dll
2010-10-27 02:20:30 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2010-10-27 02:20:30 196608 ----a-w- c:\windows\system32\atiadlxx.dll
2010-10-27 02:20:12 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-10-27 02:14:32 704512 ----a-w- c:\windows\system32\ati2cqag.dll
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll


============= FINISH: 21:05:33.12 ===============





#2 teacup61

Malware Response Team

Posted 17 December 2010 - 03:58 AM

Hello jopa66 ,


Wow....I can see all the work put into this so far. :blink:

What I see based on these logs is not a boot sector virus. There are, however, 2 files that have failed sigcheck. These may be infected and causing the problems. The newer malware commonly uses this trick, so they should be replaced with copies from i386 to be sure one way or the other. They are:

c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\sfcfiles.dll

Please let me know if the problems persist after a reboot.

I would be very interested to know what your tech used that said you had a boot sector virus, and see the report from it. There is nothing in either DDS or ComboFix that indicates any problem with the MBR.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
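As an added example (not from this thread, its posters, or the DDS tool), the following Python parses the two DDS sections a log reviewer leans on most, SERVICES / DRIVERS and Created Last 30, using lines from the log quoted above as constructed sample input. The field layout is inferred from that output, and the three triage helpers (newly written registered drivers, recent .sys files with no service entry, hidden entries) are the author's assumptions about what a reviewer wants surfaced, not DDS functionality.

```python
"""Triage helper for DDS-style logs (added example, not from this thread
or from the DDS tool itself).

Line layouts are inferred from the DDS output quoted in the first post:
  SERVICES / DRIVERS : "R0 name;display;path [yyyy-m-d size]"
  Created Last 30    : "yyyy-mm-dd hh:mm:ss size attrs path" ("--------" size = directory)
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: a few lines copied from the DDS log in the thread.
SAMPLE_LOG = """\
============= SERVICES / DRIVERS ===============
R0 mv61xx;mv61xx;c:\\windows\\system32\\drivers\\mv61xx.sys [2008-6-23 150568]
R1 avgio;avgio;c:\\program files\\avira\\antivir desktop\\avgio.sys [2010-12-11 11608]
R2 avgntflt;avgntflt;c:\\windows\\system32\\drivers\\avgntflt.sys [2010-12-11 61960]
=============== Created Last 30 ================
2010-12-14 15:36:30 69824 ----a-w- c:\\windows\\system32\\drivers\\LxrJD31d.sys
2010-12-11 17:56:47 61960 ----a-w- c:\\windows\\system32\\drivers\\avgntflt.sys
2010-12-06 20:53:48 20952 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-12-06 20:15:28 -------- d-sha-r- C:\\cmdcons
2010-12-01 10:02:33 -------- d-sh--w- c:\\documents and settings\\chantelle\\IECompatCache
==================== Find3M ====================
"""


@dataclass
class Driver:
    start: str            # R0..R3 = running, S0..S4 = stopped
    name: str
    display: str
    path: str             # lower-cased so paths compare reliably
    stamp: Optional[str]  # file date as printed by DDS, if present
    size: Optional[int]


@dataclass
class Created:
    when: datetime
    size: Optional[int]   # None for directories ("--------")
    attrs: str            # DDS attribute column, e.g. "d-sha-r-"
    path: str


SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
DRIVER_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\])?$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+(\S{8})\s+(.+)$")


def parse_dds(text):
    """Walk the log once, switching parsers on the ==== section headers."""
    drivers, created, section = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1).upper()
        elif section == "SERVICES / DRIVERS" and DRIVER_RE.match(line):
            start, name, display, path, stamp, size = DRIVER_RE.match(line).groups()
            drivers.append(Driver(start, name, display, path.lower(),
                                  stamp, int(size) if size else None))
        elif section == "CREATED LAST 30" and CREATED_RE.match(line):
            when, size, attrs, path = CREATED_RE.match(line).groups()
            created.append(Created(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                                   None if size.startswith("-") else int(size),
                                   attrs, path.lower()))
    return drivers, created


def new_kernel_drivers(drivers, created):
    """Registered drivers whose on-disk file was written inside the 30-day window."""
    recent = {c.path for c in created}
    return sorted(d.name for d in drivers if d.path in recent)


def unregistered_recent_sys(drivers, created):
    """Recently written .sys files that no listed service/driver entry points at."""
    known = {d.path for d in drivers}
    return sorted(c.path for c in created
                  if c.path.endswith(".sys") and c.path not in known)


def hidden_entries(created):
    """Entries carrying the hidden attribute flag ('h' in the attribute column)."""
    return sorted(c.path for c in created if "h" in c.attrs)


if __name__ == "__main__":
    drv, new = parse_dds(SAMPLE_LOG)
    print("new kernel drivers      :", new_kernel_drivers(drv, new))
    print("unregistered recent .sys:", unregistered_recent_sys(drv, new))
    print("hidden entries          :", hidden_entries(new))
```

On the sample, the only registered driver written in the window is Avira's avgntflt, and the two unregistered .sys files plus the hidden entries are the items a reviewer would look up next, not verdicts.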

#3 jopa66

• Topic Starter

Posted 17 December 2010 - 12:16 PM

Thanx for getting back to me tea. I just spoke with the tech in question and apparently the diagnostic tool he used was a copy (unlicensed) of the Geek Squad tools. :mellow: Based on his results I have checked this hard drive with Seatools from Seagate as well as Western Digital "Data LifeGuard". I cannot get this drive to fail. However, when I use "Performance Test" from Passware the system will crash (reboot) every time I try the Video Tests (2D - didn't make it to 3D). I neglected to mention in my first post that these tests were already done. I have now replaced the two files that you mentioned with known good copies from a working system and the problem is still there after a reboot...
Have not run any further diagnostics... awaiting your instructions.

And also a question please -
Do you know for certain if a virus (boot sector or otherwise), or rootkit or any malware could actually survive a re-partitioning and reformatting of the HD?
And can a malware actually infect the BIOS rendering hardware useless?

(sorry - that's two questions):whistle:

#4 teacup61

Malware Response Team

Posted 17 December 2010 - 08:10 PM

Hello,

Heh....ask me as many questions as you need to. If I don't know the answer I'll get you someone who does. :thumbup2:

I'm sorry for my delay in replying, but I wanted to double-check with a colleague before I posted. I don't think this is malware at all. You don't have a boot sector virus, or any other kind of virus from what I can tell. It isn't the hard drive either. I actually think you had the answer early on in your original post......the video card may be bad. You said you suggested this to your "tech", but he did nothing. I also suggest you get your money back and hire another tech.

You can try this : Start up with F8 and choose VGA mode....see if it bluescreens then. The other thing would be to simply buy a new one (Use your 80.00 refund. :) ).

Do you know for certain if a virus (boot sector or otherwise), or rootkit or any malware could actually survive a re-partitioning and reformatting of the HD?

It would be rare, but yes, possible.

And can a malware actually infect the BIOS rendering hardware useless?

Yes, but that's even rarer still, a very minuscule chance of that ever happening with its own built-in protection in place. Google it. :wink: Flashing the BIOS would kill it.

Let me know how you come out in VGA mode. :thumbup2:

tea

#5 jopa66

• Topic Starter

Posted 17 December 2010 - 10:26 PM

I tend to agree with you (or else agree with you agreeing with me..??) After posting my last message I went out and purchased a new video card. Have not yet installed as I had other things to do. Decided to change allegiance this time and opted for NVIDIA instead of ATI. Thanks for the tip about VGA mode. Didn't think of that. Will try that before installing the card. As for the refund - well I don't think I'll hold my breath for that one. I will post back my results to let you know.

Edited by jopa66, 17 December 2010 - 10:30 PM.


#6 teacup61

Malware Response Team

Posted 17 December 2010 - 10:33 PM

or else agree with you agreeing with me..??

Indeed! :lol:

Post when you're ready....I'm not going anywhere. :thumbup2:

tea

#7 jopa66

• Topic Starter

Posted 19 December 2010 - 02:31 PM

Hello Tea... Just a final update on this issue. Problem was definitely the video card. When disabling hardware acceleration in the Display Properties page - the problem was not there. Re-enabling hardware acceleration would cause the problem to return. Video card is now replaced and problem solved. Thank you for the help with analyzing those logs.

~jopa

#8 teacup61

Malware Response Team

Posted 19 December 2010 - 02:38 PM

Hello,

you're most welcome, and I'm so glad it's all fixed. :thumbup2: I'm sorry you had such a rough time before that though.

Happiest of holidays to you and your family.

Take care,
tea

#9 teacup61

Malware Response Team

Posted 27 December 2010 - 12:04 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



