
hacker remote controlling my pc?


This topic is locked.
68 replies to this topic

#1 dankman405 (Members, 42 posts, Location: okc)

Posted 19 November 2012 - 12:21 AM

Hi, I'm new here. I recently noticed a lot of weird files accumulating in an AppData/Roaming folder somewhere. I'm pretty sure my laptop has been compromised. I am supposed to be running Windows 7 64-bit, but somewhere in there it says I'm running Windows NT 32-bit? My full computer name had become mangled/decorated; I fixed that, I think, but I need to get this guy off my computer, it's getting frustrating. It hacked my wifi router or something, because my Android phone and PS3 have been acting up and they connect with wifi. It has something to do with the DigiNotar bad certificate thing... Well, here's my DDS:



DDS (Ver_2012-11-07.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455
Run by Administrator at 23:04:41 on 2012-11-18
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2814.1804 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [BackupManagerTray] "C:\Program Files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [OOTag] C:\Program Files (x86)\Gateway\OOBEOffer\OOTag.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{E28CA6DF-F14D-4235-A2FD-79CF14DE9179} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
SSODL: WebCheck - <orphaned>
x64-Run: [Trigger New Acer AlaunchX] c:\OEM\Preload\Command\AlaunchX\AppInRun.exe
x64-RunOnce: [New Acer AlaunchX] c:\OEM\Preload\Command\AlaunchX\LaunchAlaunchX.exe
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe [2011-3-9 257344]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2009-6-10 270848]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S2 Live Updater Service;Live Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe --> C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-11-18 1255736]
S3 WisINT15;WisINT15;D:\Factory\WisINT15.sys [2009-10-28 2339]
.
=============== Created Last 60 ================
.
2012-11-19 03:55:20 -------- d-----w- C:\Windows\OEMTemp
2012-11-19 00:42:43 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-11-18 21:40:36 0 ----a-w- C:\Windows\ativpsrm.bin
2012-11-18 21:38:46 -------- d-----w- C:\Windows\SysWow64\Wat
2012-11-18 21:38:46 -------- d-----w- C:\Windows\System32\Wat
2012-11-18 21:21:27 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2012-11-18 21:21:27 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2012-11-18 21:21:27 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2012-11-18 21:21:27 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2012-11-18 21:03:01 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2012-11-18 21:03:01 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2012-11-18 21:03:01 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2012-11-18 21:03:00 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2012-11-18 21:03:00 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2012-11-18 21:03:00 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2012-11-18 21:03:00 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2012-11-18 20:57:18 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-11-18 20:57:18 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-11-18 20:57:18 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-11-18 20:57:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-11-18 20:57:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-11-18 20:57:16 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-11-18 20:57:15 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2012-11-18 20:57:15 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2012-11-18 20:57:15 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-11-18 20:57:09 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-11-18 20:57:01 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2012-11-18 20:57:01 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll
2012-11-18 20:56:52 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-11-18 20:56:52 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-11-18 20:56:49 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2012-11-18 20:56:15 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-11-18 20:54:20 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-11-18 20:53:49 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-11-18 20:48:36 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-11-18 20:48:31 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BCC6F843-CF89-4E4E-AFCA-A04648C044F3}\mpengine.dll
2012-11-18 20:48:04 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-11-18 20:48:04 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-11-18 20:48:04 136704 ----a-w- C:\Windows\System32\browser.dll
2012-11-18 20:48:01 503808 ----a-w- C:\Windows\System32\srcore.dll
2012-11-18 20:48:01 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2012-11-18 20:46:50 77312 ----a-w- C:\Windows\System32\packager.dll
2012-11-18 20:46:50 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-11-18 20:39:51 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-11-18 20:39:51 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-11-18 20:39:51 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-11-18 20:39:51 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-11-18 20:39:51 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-11-18 20:38:07 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-11-18 20:38:07 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-11-18 20:38:07 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-11-18 20:06:42 -------- d-----w- C:\ProgramData\USTechSupport
2012-11-18 19:46:47 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-11-18 19:46:42 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-11-18 19:46:38 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-11-18 19:46:38 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-11-18 19:18:37 121 ----a-w- C:\RunDism.bat
2012-11-18 10:13:11 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2012-11-18 10:12:39 180736 ----a-w- C:\Windows\System32\ifsutil.dll
2012-11-18 10:12:39 148992 ----a-w- C:\Windows\SysWow64\ifsutil.dll
2012-11-18 09:58:59 -------- d-----w- C:\Windows\NAPP_Dism_Log
.
==================== Find6M ====================
.
2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-08-11 00:56:03 715776 ----a-w- C:\Windows\System32\kerberos.dll
2012-08-10 23:56:14 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
2012-08-02 16:57:20 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-07-04 20:26:03 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 05:41:28 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-06-02 05:41:28 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-06-02 05:41:27 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:36:29 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-02 04:36:29 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-02 04:36:29 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-05-31 20:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 23:05:02.27 ===============

Edited by dankman405, 19 November 2012 - 12:28 AM.




#2 Blind Faith (Malware Response Team, 4,101 posts)

Posted 19 November 2012 - 02:36 PM

Hello and welcome to BleepingComputer! :)



I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that aspect. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from http://download.bleepingcomputer.com/sUBs/dds.com if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 dankman405 (Topic Starter, Members, 42 posts, Location: okc)

Posted 24 November 2012 - 10:35 AM

Well, I downloaded GMER and ran it, but when I downloaded DDS I got some swearware file. It says:

Type of file:MS-DOS Application (.com)
Description: DDS, Doesn't Do Squat
Location:C:\Users\mypc\Desktop
Size:672 KB (688,992 bytes)
Size on disk:676 KB (692,224 bytes)
Security:This file came from another computer and might be blocked to help protect this computer [unblock button]


After I posted that first DDS log the PC rebooted and all my browsers were missing, so I downloaded one on a flash drive and now I'm back browsing, but who knows for how long. GMER didn't kill all processes when I tried; it did, however, find a rootkit in my registry. Why can't I run DDS though?

(UPDATE)
The file type association registry was mixed up. I got it to run; now here's the dds.txt:





DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by Dankman at 8:48:53 on 2012-11-24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2814.1714 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe
mRun: [OOTag] C:\Program Files (x86)\Gateway\OOBEOffer\OOTag.exe
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRunOnce: [SymSilent] "C:\Program Files (x86)\SymSilent\SymSilent.exe" /_spawn /service
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{2E9DD83D-B9D2-4267-B754-918072B088EA} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
SSODL: WebCheck - <orphaned>
x64-Run: [Trigger New Acer AlaunchX] c:\OEM\Preload\Command\AlaunchX\AppInRun.exe
x64-RunOnce: [New Acer AlaunchX] c:\OEM\Preload\Command\AlaunchX\LaunchAlaunchX.exe
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2009-6-10 270848]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-8-12 353360]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-24 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-24 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-11-24 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-11-24 1255736]
.
=============== File Associations ===============
.
FileExt: .com: Applications\cmd.exe.exe="C:\Windows\System32\cmd.exe.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2012-11-24 16:25:32 -------- d-----w- C:\Users\Dankman\AppData\Local\Apps
2012-11-24 16:24:57 -------- d-----w- C:\Users\Dankman\AppData\Local\ElevatedDiagnostics
2012-11-24 16:13:52 -------- d-----w- C:\Program Files (x86)\Launch Manager
2012-11-24 16:08:36 -------- d-----w- C:\Windows\OEMTemp
2012-11-24 14:29:16 -------- d-----w- C:\Windows\SysWow64\Wat
2012-11-24 14:29:16 -------- d-----w- C:\Windows\System32\Wat
2012-11-24 14:00:07 3072 ----a-w- C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui
2012-11-24 13:55:54 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-11-24 13:55:54 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-11-24 13:55:54 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-11-24 13:55:54 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-11-24 13:55:54 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-11-24 13:54:42 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-11-24 13:54:42 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-11-24 13:54:41 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-11-24 13:54:41 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-11-24 13:54:41 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-11-24 13:54:41 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-11-24 13:54:41 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-11-24 13:54:41 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-11-24 13:54:41 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-11-24 13:54:41 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-11-24 13:54:41 1448448 ----a-w- C:\Windows\System32\lsasrv.dll
2012-11-24 13:54:40 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-11-24 13:17:58 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-11-24 13:16:52 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2012-11-24 13:16:52 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2012-11-24 13:16:52 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2012-11-24 13:16:52 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2012-11-24 13:16:51 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-11-24 13:16:41 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-11-24 13:16:40 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-11-24 13:16:39 715776 ----a-w- C:\Windows\System32\kerberos.dll
2012-11-24 13:16:39 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
2012-11-24 13:16:37 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-11-24 13:16:36 95744 ----a-w- C:\Windows\System32\synceng.dll
2012-11-24 13:16:36 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-11-24 13:16:36 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-11-24 13:09:58 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-11-24 13:06:42 -------- d-----w- C:\Users\Dankman\AppData\Roaming\WildTangent
2012-11-24 13:01:54 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-11-24 13:01:54 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-11-24 13:01:54 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-11-24 12:57:14 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-11-24 12:57:10 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-11-24 12:57:06 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-11-24 12:57:06 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-11-24 06:55:53 -------- d-----w- C:\Users\Dankman\AppData\Local\Microsoft Games
2012-11-24 06:43:37 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-11-24 06:08:23 -------- d-----w- C:\Users\Dankman\AppData\Local\Diagnostics
2012-11-24 06:07:31 -------- d-----w- C:\Users\Dankman\AppData\Local\VirtualStore
2012-11-23 21:06:06 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2012-11-23 21:05:34 180736 ----a-w- C:\Windows\System32\ifsutil.dll
2012-11-23 21:05:34 148992 ----a-w- C:\Windows\SysWow64\ifsutil.dll
2012-11-23 21:04:48 -------- d---a-w- C:\book
2012-11-23 20:57:15 -------- d-----w- C:\Windows\NAPP_Dism_Log
.
==================== Find3M ====================
.
2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
.
============= FINISH: 8:49:06.09 ===============

Edited by dankman405, 24 November 2012 - 11:52 AM.
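
As an added example (not code from this thread, from BleepingComputer or from the DDS tool), the Python below parses the banner-delimited section layout DDS prints and flags the `.com` UserChoice association visible in the File Associations section of the log above, the same kind of redirected file-type handler that stops a `.com` file such as dds.com from launching. The sample log text is constructed from lines quoted in the thread, and the flagging rules are heuristics of my own, not DDS's logic.

```python
"""Parse the section layout of a DDS log and flag odd file-type associations.

Added example: not code from the thread, from BleepingComputer or from DDS.
The sample text is constructed from lines quoted in the thread above, and the
"suspicious handler" rules are heuristics of my own, not DDS's own checks.
"""
import re

# Constructed sample: an abbreviated DDS log in the section layout seen above.
SAMPLE_DDS = r"""
DDS (Ver_2012-11-20.01) - NTFS_AMD64
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
mRun: [OOTag] C:\Program Files (x86)\Gateway\OOBEOffer\OOTag.exe
mRunOnce: [SymSilent] "C:\Program Files (x86)\SymSilent\SymSilent.exe" /_spawn /service
.
=============== File Associations ===============
.
FileExt: .com: Applications\cmd.exe.exe="C:\Windows\System32\cmd.exe.exe" "%1" [UserChoice]
FileExt: .txt: txtfile="C:\Windows\System32\NOTEPAD.EXE" "%1"
.
============= FINISH: 8:49:06.09 ===============
"""

# "=== Section Name ===" banner lines delimit DDS sections.
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# FileExt: .ext: ProgId="C:\path\handler.exe" "%1" [UserChoice]
FILEEXT_RE = re.compile(
    r'^FileExt:\s*(?P<ext>\.\w+):\s*(?P<progid>[^=]+)="(?P<handler>[^"]+)"(?P<rest>.*)$'
)
# A launcher path ending in two executable extensions (cmd.exe.exe) is not the
# name of any stock Windows binary.
DOUBLE_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif)\.(exe|com|bat|cmd|scr|pif)$", re.I)
# Windows runs these file types directly; a handler program registered for them
# means every such file is routed through something else before it runs.
EXEC_EXTS = {".com", ".exe", ".bat", ".cmd", ".scr", ".pif"}


def parse_dds_sections(text):
    """Return {section name: [content lines]} for the banner-delimited layout."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads sections with lone dots
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("name")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def find_suspicious_file_associations(sections):
    """Flag FileExt entries whose handler looks wrong (heuristic, see above)."""
    findings = []
    for line in sections.get("File Associations", []):
        m = FILEEXT_RE.match(line)
        if not m:
            continue
        ext, handler, rest = m.group("ext").lower(), m.group("handler"), m.group("rest")
        reasons = []
        if DOUBLE_EXT_RE.search(handler):
            reasons.append("handler path has a doubled executable extension")
        if ext in EXEC_EXTS:
            reasons.append("executable file type is redirected through a handler program")
        if "[UserChoice]" in rest and ext in EXEC_EXTS:
            reasons.append("override lives in the per-user UserChoice key")
        if reasons:
            findings.append({"ext": ext, "handler": handler, "reasons": reasons})
    return findings


if __name__ == "__main__":
    found = find_suspicious_file_associations(parse_dds_sections(SAMPLE_DDS))
    for f in found:
        print(f"{f['ext']} -> {f['handler']}: " + "; ".join(f["reasons"]))
```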


#4 Blind Faith (Malware Response Team, 4,101 posts)

Posted 24 November 2012 - 05:11 PM

Hi there,


That's a false positive; the file is perfectly clean.

And what about the GMER log? Also, you are missing a logfile. Didn't DDS produce another log named Attach.txt?




Elle

#5 dankman405 (Topic Starter, Members, 42 posts, Location: okc)

Posted 24 November 2012 - 06:41 PM

Oh sorry Elle, I must have forgotten to send it. Here's the DDS attachment text (attached file: attach.txt, 2.59KB). I can't get GMER to produce a log; it seems under the Rootkit/Malware tab the first 8 check boxes are greyed out and unselectable, so I suspect that my hacker is limiting my scan results. Also, when I use netstat in an elevated command prompt, about 50 different foreign IPs/hosts come pouring down the screen. Are there any other tools I can use to further assist you in assisting me? :thumbsup: Much appreciation

Thankz



#6 dankman405 (Topic Starter, Members, 42 posts, Location: okc)

Posted 24 November 2012 - 06:51 PM

Could it be possible the hacker is in my Ethernet cable router, forcing anything that connects to be sent off to some rogue server?
:busy:

Edited by dankman405, 24 November 2012 - 11:58 PM.


#7 Blind Faith (Malware Response Team, 4,101 posts)

Posted 26 November 2012 - 11:38 AM

By the way, I have a question:


Do you suspect anything to be the cause of the unusual symptoms? (e.g. an installed program, you accessed a suspicious webpage, etc.)

I will be back with a reply ASAP.


Elle

Edited by Blind Faith, 26 November 2012 - 11:38 AM.


#8 dankman405 (Topic Starter, Members, 42 posts, Location: okc)

Posted 26 November 2012 - 06:47 PM

No. What made me suspect there was something wrong is that one day there was a printer connected to my devices list. I investigated and it was printing off XML documents, but in command or PowerShell form somehow. Also Dritek Launch Manager comes back every time I reboot, and system preparation tools with an option to enter a system out-of-box experience or something.

Could this cause my system to think it's the first time it's been turned on? x64-Run: [Trigger New Acer AlaunchX] c:\OEM\Preload\Command\AlaunchX\AppInRun.exe

I think I have removed the virus, but maybe some things the virus used to run were left behind. Here's a recent DDS; let me know if anything looks to be out of order.



DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer:
Run by Dankman at 17:22:06 on 2012-11-26
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2814.1976 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\1.3.21.123\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.21.123\GoogleCrashHandler64.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
mRun: [OOTag] C:\Program Files (x86)\Gateway\OOBEOffer\OOTag.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{2E9DD83D-B9D2-4267-B754-918072B088EA} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
SSODL: WebCheck - <orphaned>
x64-Run: [Trigger New Acer AlaunchX] c:\OEM\Preload\Command\AlaunchX\AppInRun.exe
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2009-6-10 270848]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-24 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-24 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-11-24 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-11-24 1255736]
.
=============== File Associations ===============
.
FileExt: .com: Applications\cmd.exe.exe="C:\Windows\System32\cmd.exe.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2012-11-26 20:20:19 -------- d-----w- C:\Users\Dankman\AppData\Local\Google
2012-11-26 20:20:01 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-26 20:20:01 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-11-26 19:52:52 -------- d-----w- C:\220ba1745afac0120176e5
2012-11-25 09:51:31 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2012-11-25 09:51:30 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2012-11-25 09:51:30 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2012-11-25 09:51:30 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2012-11-25 09:51:13 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2012-11-25 09:51:13 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2012-11-25 09:51:13 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2012-11-25 09:51:13 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2012-11-25 09:51:12 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2012-11-25 09:51:12 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2012-11-25 09:51:12 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2012-11-25 05:47:36 -------- d-----w- C:\Users\Dankman\AppData\Local\temp
2012-11-25 05:44:41 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-25 05:38:30 98816 ----a-w- C:\Windows\sed.exe
2012-11-25 05:38:30 256000 ----a-w- C:\Windows\PEV.exe
2012-11-25 05:38:30 208896 ----a-w- C:\Windows\MBR.exe
2012-11-24 19:19:15 0 ----a-w- C:\Windows\ativpsrm.bin
2012-11-24 16:25:32 -------- d-----w- C:\Users\Dankman\AppData\Local\Apps
2012-11-24 16:24:57 -------- d-----w- C:\Users\Dankman\AppData\Local\ElevatedDiagnostics
2012-11-24 16:08:36 -------- d-----w- C:\Windows\OEMTemp
2012-11-24 14:29:16 -------- d-----w- C:\Windows\SysWow64\Wat
2012-11-24 14:29:16 -------- d-----w- C:\Windows\System32\Wat
2012-11-24 14:00:07 3072 ----a-w- C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui
2012-11-24 13:55:54 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-11-24 13:55:54 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-11-24 13:55:54 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-11-24 13:55:54 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-11-24 13:55:54 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-11-24 13:54:42 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-11-24 13:54:42 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-11-24 13:54:41 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-11-24 13:54:41 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-11-24 13:54:41 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-11-24 13:54:41 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-11-24 13:54:41 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-11-24 13:54:41 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-11-24 13:54:41 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-11-24 13:54:41 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-11-24 13:54:41 1448448 ----a-w- C:\Windows\System32\lsasrv.dll
2012-11-24 13:54:40 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-11-24 13:17:58 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-11-24 13:16:52 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2012-11-24 13:16:52 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2012-11-24 13:16:52 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2012-11-24 13:16:52 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2012-11-24 13:16:51 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-11-24 13:16:41 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-11-24 13:16:40 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-11-24 13:16:39 715776 ----a-w- C:\Windows\System32\kerberos.dll
2012-11-24 13:16:39 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
2012-11-24 13:16:37 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-11-24 13:16:36 95744 ----a-w- C:\Windows\System32\synceng.dll
2012-11-24 13:16:36 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-11-24 13:16:36 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-11-24 13:09:58 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-11-24 13:06:42 -------- d-----w- C:\Users\Dankman\AppData\Roaming\WildTangent
2012-11-24 13:01:54 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-11-24 13:01:54 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-11-24 13:01:54 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-11-24 12:57:14 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-11-24 12:57:10 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-11-24 12:57:06 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-11-24 12:57:06 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-11-24 06:55:53 -------- d-----w- C:\Users\Dankman\AppData\Local\Microsoft Games
2012-11-24 06:43:37 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-11-24 06:08:23 -------- d-----w- C:\Users\Dankman\AppData\Local\Diagnostics
2012-11-24 06:07:31 -------- d-----w- C:\Users\Dankman\AppData\Local\VirtualStore
2012-11-23 21:06:06 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2012-11-23 21:05:34 180736 ----a-w- C:\Windows\System32\ifsutil.dll
2012-11-23 21:05:34 148992 ----a-w- C:\Windows\SysWow64\ifsutil.dll
2012-11-23 20:57:15 -------- d-----w- C:\Windows\NAPP_Dism_Log
.
==================== Find3M ====================
.
2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
.
============= FINISH: 17:22:36.55 ===============


Attached File: attach.txt (4.71KB)


#9 dankman405
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Male
  • Location:okc

Posted 26 November 2012 - 06:57 PM

Also, before I started having these problems I used an SD card to get a movie called "Mac and Me" from a friend's laptop and downloaded it to my laptop. After I started getting problems I asked him if his laptop was secure and he stated that he thought it was infected... then I snooped around on his laptop and saw a lot of the files that mine had on it, so maybe that's how the intrusion occurred... but are there any more scans I can use to better assist you in assisting me? My system is working a lot more smoothly, but I'm still having the problem with my system preparing for first use every reboot. Then when I get on, Dritek Launch Manager prevents me from accessing the desktop till I get the start bar to pop up long enough to exit Launch Manager, which stays frozen at 7% loaded. Once I get it closed it gives a message that my system isn't supported so Launch Manager was unable to start, and my Windows diagnostics and updates always get errors now. No matter if I installed updates or not, my shut down button has a yellow shield with an exclamation mark in the middle; when I hover, a message says "installs updates then shuts down your computer", but when I click it, it does the "setup is preparing your system for first use" stuff again, then I'm back at square one. It's like the system is in a never ending loop.

Edited by dankman405, 26 November 2012 - 07:02 PM.


#10 dankman405
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Male
  • Location:okc

Posted 26 November 2012 - 07:40 PM

In my Credential Manager I have a generic credential:
Internet or network address: virtualapp/didlogical
Username: 02dvfhaghlep
Password: 8 black circles

What is this?
Another odd thing is my wifi button on my touch panel lights up as if it's turned on even if I disable the adapter. It will turn off if I touch it, but when I reboot it turns back on automatically.

#11 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 27 November 2012 - 07:37 AM

Hi there,



I don't see an antivirus program running on your machine.

Download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Three good antivirus programs free for non-commercial home use are Avast!, Antivir and Microsoft Security Essentials.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


========================================================================================================

Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware

  • Disable your antivirus and antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.







Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.
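A quick way to confirm what the helper is asking about in the post above, that an antivirus product is registered, has real-time protection on and is up to date, and that only one product is active. This is an added example, not part of the thread and not a BleepingComputer or ComboFix tool. It queries the Windows Security Center WMI class `AntiVirusProduct` in `root\SecurityCenter2`, which exists on Vista and later client editions (not on Windows Server), and is written for Windows PowerShell 2.0, the version Windows 7 ships with. The decoding of `productState` into enabled/up-to-date bytes follows the widely used but unofficial layout, so treat it as an assumption; the function names are mine.

```powershell
# Added example (not from this thread). Lists the antivirus products that
# Windows Security Center has registered and decodes productState.
# Assumption: the productState layout (middle byte 0x10 = real-time
# protection on, low byte 0x10 = signatures out of date) is the commonly
# used unofficial interpretation, not a documented contract.
function Get-RegisteredAntivirus {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $products) {
        Write-Warning 'Security Center reports no registered antivirus product.'
        return
    }
    foreach ($p in @($products)) {
        $state   = [int]$p.productState
        $rtByte  = [int][math]::Floor($state / 256) -band 0xFF   # bits 8-15: real-time protection
        $sigByte = $state -band 0xFF                             # bits 0-7: signature freshness
        New-Object PSObject -Property @{
            Name               = $p.displayName
            RealTimeEnabled    = ($rtByte -eq 0x10)
            SignaturesUpToDate = ($sigByte -eq 0x00)
            ProductState       = ('0x{0:X6}' -f $state)
            ExePath            = $p.pathToSignedProductExe
        } | Select-Object Name, RealTimeEnabled, SignaturesUpToDate, ProductState, ExePath
    }
}

# Flag the two conditions the post cares about: nothing active, or more
# than one product active at once (the "only one antivirus" note above).
function Test-AntivirusPosture {
    $av     = @(Get-RegisteredAntivirus)
    $active = @($av | Where-Object { $_.RealTimeEnabled })
    if ($active.Count -eq 0) {
        'No antivirus product has real-time protection enabled.'
    } elseif ($active.Count -gt 1) {
        'More than one antivirus product is active: ' + (($active | ForEach-Object { $_.Name }) -join ', ')
    } else {
        'Single active antivirus: ' + $active[0].Name
    }
    $av | Where-Object { -not $_.SignaturesUpToDate } | ForEach-Object {
        'Signatures out of date for: ' + $_.Name
    }
}

Get-RegisteredAntivirus | Format-Table -AutoSize
Test-AntivirusPosture
```

Run it from an ordinary PowerShell prompt; no elevation is needed to read `root\SecurityCenter2`. A product that shows up with `RealTimeEnabled` false is the case the helper noticed in the DDS log (no antivirus process running), and two products both true is the conflict the note warns about.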

#12 dankman405
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Male
  • Location:okc

Posted 28 November 2012 - 12:00 AM

OK, I downloaded Avast and updated it. Here's my ComboFix log: Attached File: Combofix.txt (22.63KB)

#13 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 30 November 2012 - 04:53 AM

Hi there,


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
C:\Users\Dankman\AppData\Roaming


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



==============================================================================================



Please download Rootkit Unhooker from one of the following links and save it to your desktop.
  • Link 1 (.exe file)
  • Link 2 (zipped file)
  • Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".





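The `DirLook::` directive in the post above asks ComboFix to list the contents of `C:\Users\Dankman\AppData\Roaming`, the folder the topic starter first noticed odd files in. A helper can get an independent view of the same folder with stock cmdlets, which is what the example below does. It is an added example, not part of the thread and not ComboFix's own listing format, and it does not replace the ComboFix log the helper asked for. It assumes Windows PowerShell 2.0 or later (Windows 7's default); the function name, the 30-day window and the set of extensions treated as executable are my choices, and `$env:APPDATA` resolves to the current user's `AppData\Roaming`.

```powershell
# Added example, not from the thread or from ComboFix. Lists files under
# AppData\Roaming (the folder named in the DirLook:: directive) with
# creation/modification times, size and, for executable types, Authenticode
# signature status, so recently created unsigned binaries stand out.
# Assumes Windows PowerShell 2.0+; the 30-day window mirrors the DDS
# "Created Last 30" section and is an arbitrary choice.
function Get-RoamingTriage {
    param(
        [string]$Path = $env:APPDATA,   # current user's AppData\Roaming
        [int]$Days = 30
    )
    $cutoff   = (Get-Date).AddDays(-$Days)
    $exeTypes = '^\.(exe|dll|scr|sys|com|pif|cpl|ocx)$'   # PE types worth a signature check

    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            $sig  = ''
            if ($file.Extension -match $exeTypes) {
                # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
                $sig = (Get-AuthenticodeSignature -FilePath $file.FullName).Status.ToString()
            }
            New-Object PSObject -Property @{
                Created   = $file.CreationTime
                Modified  = $file.LastWriteTime
                Size      = $file.Length
                Signature = $sig
                Recent    = ($file.CreationTime -ge $cutoff)
                Path      = $file.FullName
            } | Select-Object Created, Modified, Size, Signature, Recent, Path
        } |
        Sort-Object Created -Descending
}

# Scan once, then look at the listing two ways.
$triage = Get-RoamingTriage

# 1. Everything created inside the window, newest first.
$triage | Where-Object { $_.Recent } | Format-Table -AutoSize

# 2. Only recent executables whose signature is missing or does not verify.
$triage | Where-Object { $_.Recent -and $_.Signature -and $_.Signature -ne 'Valid' } |
    Format-Table Created, Signature, Path -AutoSize
```

An unsigned or `HashMismatch` binary under `AppData\Roaming` is not proof of infection on its own (plenty of legitimate updaters drop unsigned files there), but it is the kind of entry a Malware Response Team member will want to look at next to the ComboFix output, and the creation timestamps let it be lined up against the dates in the DDS "Created Last 30" section.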

#14 dankman405
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Male
  • Location:okc

Posted 01 December 2012 - 09:30 AM

When I double click, all three of those links send me to:
Not Found
The requested URL /ARKs/RKUnhookerLE.EXE was not found on this server.

Here's that log


Edited by dankman405, 01 December 2012 - 12:39 PM.


#15 dankman405
  • Topic Starter
  • Members
  • 42 posts
  • Gender:Male
  • Location:okc

Posted 01 December 2012 - 12:40 PM

Attached File: Combofix.txt (38.24KB)



