
Definitely Hacked System


39 replies to this topic

#1 setigamer


Posted 08 June 2013 - 05:57 AM

I've known for a bit that this system was compromised. I mistakenly used a free site to store some large files for friends to download (2shared.com) and it installed an infected download manager. I believe it was something called IlividTool and DataMngr. It was actually kind of fun to witness the progression of the infection. Chinese chars showed up in the registry; there's a recovery file called c:\Recovery\winre.zip that I found and made a copy of (167MB for anybody who wants to study this) that restores their basic system if I manage to clean up their mess. I no longer have access to the folder (as Admin on the box). Got several hundred domains listed in the registry; I did not ask DDS.com to scan the domains, and these do NOT look safe. So at the very least my computer is a bot of some sort. Occasionally the computer goes to locked station if it's idle for more than 5 minutes, even though this is all disabled. The HDD is usually churning serious butter during that time until I log back in.

The initial hack came through a program called DataMine, I believe. I had a saved zip of the software but whoever has access deleted it before I could save to CD. I do have full registry hives and some Process Explorer snapshots of anomalies. I have about 8 different versions of Explorer.exe throughout the system. All programs that run now have an assigned ALPC Port \RPC Control\OLE8F64DB8406BB42FF986307B92518 which has perms for ANONYMOUS LOGON, even though I don't allow remote connections or anonymous logons. I've lost security privileges all over the place; whoever is on this knows their work. Set everything up via RPC for easy remote control.

That's all for now. I'd love it if somebody would be interested in doing some research with the files I've backed up like full registry hives, winre.zip recovery system, and I'd be willing to even delay my full system wipe and fresh install for research purposes.

Thanks for your time and interest :)

Vic

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16576
Run by seti at 3:14:19 on 2013-06-08
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.8174.4395 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\BitKinex\bitkinexsvc.exe
C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
C:\Program Files (x86)\Intel\Intel Desktop Utilities\iduServ.exe
C:\Program Files (x86)\Intel\FSC\FSCAppServ.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\SpybotSD2\SDFSSvc.exe
C:\Program Files (x86)\SpybotSD2\SDUpdSvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
C:\Program Files (x86)\SpybotSD2\SDWSCSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\SpybotSD2\SDUpdate.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Users\seti\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Intel\Intel Desktop Utilities\iptray.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
C:\Program Files (x86)\SpybotSD2\SDTray.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razertra.exe
D:\Steam\Steam.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerofa.exe
C:\Users\seti\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Zune\Zune.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\TwoFerBackup\IRcap\mirc.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Program Files (x86)\XYplorer\XYplorer.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\seti\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\calc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://outlook.com/microsoft.com
mWinlogon: Userinit = userinit.exe,
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\SpybotSD2\SDHelper.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
EB: Web Test Recorder 10.0: {5802D092-1784-4908-8CDB-99B6842D353D} -
uRun: [Steam] "D:\Steam\steam.exe" -silent
uRun: [KeePass Password Safe 2] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe"
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\SpybotSD2\SDCleaner.exe" /autoclean
uRun: [FreeAC] C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe -autorun
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [Google Update] "C:\Users\seti\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ipTray.exe] "C:\Program Files (x86)\Intel\Intel Desktop Utilities\ipTray.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [Diamondback] C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
mRun: [SDTray] "C:\Program Files (x86)\SpybotSD2\SDTray.exe"
mRun: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
StartupFolder: C:\Users\seti\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\seti\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CARDIS~1\STARTG~1.LNK - C:\Program Files (x86)\Comodo\GeekBuddy\launcher.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &Download with BitKinex - C:\Program Files (x86)\BitKinex\ieext_cp.htm
IE: &Register in BitKinex - C:\Program Files (x86)\BitKinex\ieext_reg.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\SpybotSD2\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{C6D9BB1A-61D1-4091-9A57-F615E343CB54} : NameServer = 8.26.56.26
TCP: Interfaces\{C6D9BB1A-61D1-4091-9A57-F615E343CB54} : DHCPNameServer = 75.75.75.75 75.75.76.76
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
IFEO: notepad.exe - C:\Program Files (x86)\Notepad++\notepad++.exe
IFEO: taskmgr.exe - "D:\TWOFERBACKUP\BIN\SYSINTERNALS\PROCEXP.EXE"
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-SSODL: WebCheck - <orphaned>
x64-IFEO: notepad.exe - C:\Program Files (x86)\Notepad++\notepad++.exe
x64-IFEO: taskmgr.exe - "D:\TWOFERBACKUP\BIN\SYSINTERNALS\PROCEXP.EXE"
Hosts: 127.0.0.1    validation.sls.microsoft.com
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\seti\AppData\Roaming\Mozilla\Firefox\Profiles\94p4tphx.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Users\seti\AppData\Local\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Users\seti\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Users\seti\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\seti\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\seti\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-04-20 04:36; keefox@chris.tomlinson; C:\Users\seti\AppData\Roaming\Mozilla\Firefox\Profiles\94p4tphx.default\extensions\keefox@chris.tomlinson
FF - ExtSQL: 2013-06-01 03:48; {62b958b4-9962-4fc2-9983-01a9a42d6f2d}; C:\Users\seti\AppData\Roaming\Mozilla\Firefox\Profiles\94p4tphx.default\extensions\{62b958b4-9962-4fc2-9983-01a9a42d6f2d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-6 65336]
R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-3-6 189936]
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\System32\drivers\SmartDefragDriver.sys [2013-1-6 17720]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-2-21 1025808]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-2-21 378432]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\System32\drivers\cmderd.sys [2013-1-16 23168]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdguard.sys [2013-1-16 706560]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2013-1-16 48360]
R1 sepdal;sepdal;C:\Windows\System32\drivers\sepdal.sys [2012-7-11 16816]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-2-21 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-2-21 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-5-15 46808]
R2 BitKinex;BitKinex File Transfer Service;C:\Program Files (x86)\BitKinex\bitkinexsvc.exe DISPATCH --> C:\Program Files (x86)\BitKinex\bitkinexsvc.exe DISPATCH [?]
R2 DragonUpdater;COMODO Dragon Update Service;C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2013-6-4 2095752]
R2 IduService;Intel® Desktop Utilities Service;C:\Program Files (x86)\Intel\Intel Desktop Utilities\iduServ.exe [2012-7-10 642800]
R2 Intel® Desktop Boards FSC Application Service;Intel® Desktop Boards FSC Application Service;C:\Program Files (x86)\Intel\FSC\FSCAppServ.exe [2012-7-10 65536]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2012-6-5 190824]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\SpybotSD2\SDFSSvc.exe [2013-3-22 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\SpybotSD2\SDUpdSvc.exe [2013-3-22 1369624]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\SpybotSD2\SDWSCSvc.exe [2013-3-22 168384]
R3 cpuio;CPUIO Service;C:\Windows\SysWOW64\drivers\cpuiox64.sys [2012-8-19 15384]
R3 Razerlow;Razer Pro|Solutions;C:\Windows\System32\drivers\Razerlow.sys [2005-11-7 21120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 cmdvirth;COMODO Virtual Service Manager;C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-1-24 158928]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-7-11 1432400]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-1-18 351136]
S3 LVUVC64;Logitech HD Webcam C310(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-1-18 4865568]
S3 MEMSWEEP2;MEMSWEEP2;C:\Windows\System32\97C0.tmp [2013-6-8 6144]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-18 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-18 57856]
S3 VaneFltr;Lachesis Mouse Driver;C:\Windows\System32\drivers\Lachesis.sys [2012-7-21 29952]
S3 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2012-9-13 105816]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-7-6 1255736]
S4 Te.Service;Te.Service;C:\Program Files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [2012-5-18 127488]
S4 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-4-23 3560288]
.
=============== File Associations ===============
.
FileExt: .txt: Notepad++_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1"
FileExt: .ini: Notepad++_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1"
FileExt: .vbs: Notepad++_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1"
FileExt: .js: Notepad++_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1"
FileExt: .vbe: VBEFile="C:\Windows\System32\CScript.exe" "%1" %* [default=Open2]
FileExt: .jse: JSEFile=C:\Windows\System32\CScript.exe "%1" %* [default=Open2]
FileExt: .wsf: WSFFile="C:\Windows\System32\CScript.exe" "%1" %* [default=Open2]
.
=============== Created Last 30 ================
.
2013-06-08 09:30:18    6144    ------w-    C:\Windows\System32\97C0.tmp
2013-06-08 09:28:41    6144    ------w-    C:\Windows\System32\1D24.tmp
2013-06-08 09:28:29    --------    d-----w-    C:\Program Files (x86)\Sophos
2013-06-07 06:30:41    9460464    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D6655A5D-EA3B-48C1-BFA1-9EE93856F25B}\mpengine.dll
2013-06-05 16:10:13    47368    ----a-w-    C:\Windows\SysWow64\certsentry.dll
2013-06-01 10:19:18    --------    d-----w-    C:\Users\seti\AppData\Roaming\Mp3tag
2013-05-31 12:50:13    --------    d-----w-    C:\Program Files\DivX
2013-05-31 12:50:10    --------    d-----w-    C:\Program Files (x86)\Common Files\DivX Shared
2013-05-31 12:49:43    --------    d-----w-    C:\Program Files (x86)\DivX
2013-05-31 12:48:32    --------    d-----w-    C:\ProgramData\DivX
2013-05-31 12:42:24    206336    ----a-w-    C:\Windows\System32\unrar64.dll
2013-05-31 12:42:24    148992    ----a-w-    C:\Windows\System32\lagarith.dll
2013-05-31 12:42:22    127488    ----a-w-    C:\Windows\System32\ff_vfw.dll
2013-05-31 12:42:22    --------    d-----w-    C:\Program Files\K-Lite Codec Pack x64
2013-05-31 12:41:03    --------    d-----w-    C:\Users\seti\AppData\Roaming\avidemux
2013-05-31 12:40:57    --------    d-----w-    C:\Program Files (x86)\Avidemux 2.6
2013-05-31 12:40:13    73728    ----a-w-    C:\Windows\system\vdremote.dll
2013-05-31 12:40:13    65536    ----a-w-    C:\Windows\system\vdsvrlnk.dll
2013-05-31 11:27:30    --------    d-----w-    C:\Program Files (x86)\Mp3tag
2013-05-29 23:08:28    26520    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\plugin-hang-ui.exe
2013-05-29 23:08:28    262552    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-05-29 15:03:22    348160    ----a-w-    C:\Windows\SysWow64\msvcr71.dll
2013-05-29 15:03:22    1060864    ----a-w-    C:\Windows\SysWow64\mfc71.dll
2013-05-15 19:53:24    983400    ----a-w-    C:\Windows\System32\drivers\dxgkrnl.sys
2013-05-11 10:20:36    --------    d-----w-    C:\FRST
2013-05-11 09:34:19    --------    d-----w-    C:\Users\seti\AppData\Roaming\XYplorer
2013-05-11 09:34:17    --------    d-----w-    C:\Program Files (x86)\XYplorer
2013-05-10 07:57:26    187456    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-06-05 16:10:13    56072    ----a-w-    C:\Windows\System32\certsentry.dll
2013-05-29 23:07:11    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-29 23:07:11    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-09 08:59:07    72016    ----a-w-    C:\Windows\System32\drivers\aswRdr2.sys
2013-05-09 08:59:07    65336    ----a-w-    C:\Windows\System32\drivers\aswRvrt.sys
2013-05-09 08:59:07    189936    ----a-w-    C:\Windows\System32\drivers\aswVmm.sys
2013-05-09 08:59:07    1025808    ----a-w-    C:\Windows\System32\drivers\aswSnx.sys
2013-05-09 08:59:06    80816    ----a-w-    C:\Windows\System32\drivers\aswMonFlt.sys
2013-05-09 08:58:37    41664    ----a-w-    C:\Windows\avastSS.scr
2013-05-02 09:06:08    278800    ------w-    C:\Windows\System32\MpSigStub.exe
2013-04-25 11:55:10    27016    ----a-w-    C:\Windows\SysWow64\drivers\PROCEXP141.SYS
2013-04-23 14:04:10    437176    ----a-w-    C:\Windows\System32\guard64.dll
2013-04-23 14:04:10    348048    ----a-w-    C:\Windows\SysWow64\guard32.dll
2013-04-15 17:38:52    48360    ----a-w-    C:\Windows\System32\drivers\cmdhlp.sys
2013-04-15 17:38:51    706560    ----a-w-    C:\Windows\System32\drivers\cmdguard.sys
2013-04-15 17:38:51    23168    ----a-w-    C:\Windows\System32\drivers\cmderd.sys
2013-04-15 17:38:38    43216    ----a-w-    C:\Windows\System32\cmdcsr.dll
2013-04-15 17:38:29    343760    ----a-w-    C:\Windows\System32\cmdvrt64.dll
2013-04-15 17:38:28    45776    ----a-w-    C:\Windows\System32\cmdkbd64.dll
2013-04-15 17:38:25    276688    ----a-w-    C:\Windows\SysWow64\cmdvrt32.dll
2013-04-15 17:38:24    40656    ----a-w-    C:\Windows\SysWow64\cmdkbd32.dll
2013-04-13 05:49:23    135168    ----a-w-    C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19    350208    ----a-w-    C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19    308736    ----a-w-    C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19    111104    ----a-w-    C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16    474624    ----a-w-    C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15    2176512    ----a-w-    C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08    1656680    ----a-w-    C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54    265064    ----a-w-    C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 03:30:50    3153920    ----a-w-    C:\Windows\System32\win32k.sys
2013-04-05 06:52:14    2242048    ----a-w-    C:\Windows\System32\wininet.dll
2013-04-05 06:50:36    3958784    ----a-w-    C:\Windows\System32\jscript9.dll
2013-04-05 06:50:31    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-04-05 06:50:31    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-04-05 05:28:24    1767424    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-04-05 05:26:26    2877440    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-04-05 05:26:21    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-04-05 05:26:21    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-04-05 04:43:00    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-04-05 04:29:45    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-04-05 03:51:11    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-04-05 03:38:25    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-04-04 21:50:32    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2013-03-23 01:09:28    354656    ----a-w-    C:\Windows\SysWow64\DivXControlPanelApplet.cpl
2013-03-19 06:04:06    5550424    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:53:58    48640    ----a-w-    C:\Windows\System32\wwanprotdim.dll
2013-03-19 05:53:58    230400    ----a-w-    C:\Windows\System32\wwansvc.dll
2013-03-19 05:46:56    43520    ----a-w-    C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13    3968856    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10    3913560    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50    6656    ----a-w-    C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33    112640    ----a-w-    C:\Windows\System32\smss.exe
2013-03-15 17:37:32    423784    ----a-w-    C:\Windows\System32\Aeon.scr
.
============= FINISH:  3:14:45.44 ===============


#2 setigamer


Posted 08 June 2013 - 06:38 AM

Does anybody know where we can get a list of the main Windows 7 system files (like lsm.exe, lsass.exe, svchost.exe, etc) and their proper MD5 or SHA256 footprints?

Holy cow!!! Just discovered the FCIV (File Checksum Integrity Verifier) tool from Microsoft. I ran a full checksum of %systemroot% (fciv -add %systemroot% -r -XML d:\fciv\sysroot.xml).

I knew it wouldn't have permissions (though I ran it as Admin) to get into certain areas. Check this out! I found where they store their standard user dir structure. Attaching the error log of the fciv.exe output.

LOL! Oh man this just got even more fun. I'm going to ghost this drive to preserve it.

Vic


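Following up on the FCIV run above, here is an added example (not from the thread, and not Microsoft's code) that compares two FCIV XML databases, a known-good baseline against a later run, and reports changed, missing and new files. It assumes FCIV's XML layout of one FILE_ENTRY per file with name, MD5 and SHA1 elements holding base64-encoded digests; both databases are constructed inside the script rather than taken from the poster's machine.

```python
"""Compare two FCIV XML hash databases (known-good baseline vs. a later run).

Assumed FCIV XML layout (constructed here, not read from the poster's files):
    <FCIV>
      <FILE_ENTRY><name>path</name><MD5>base64</MD5><SHA1>base64</SHA1></FILE_ENTRY>
    </FCIV>
FCIV stores digests base64-encoded, so they are decoded to hex before comparing.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET


def build_fciv_xml(files: dict) -> str:
    """Build an FCIV-style XML document from {path: file_bytes}.

    Only used to construct sample input for the demo; on a real machine the
    database comes from 'fciv -add <dir> -r -XML out.xml'.
    """
    root = ET.Element("FCIV")
    for path, content in files.items():
        entry = ET.SubElement(root, "FILE_ENTRY")
        ET.SubElement(entry, "name").text = path
        ET.SubElement(entry, "MD5").text = base64.b64encode(
            hashlib.md5(content).digest()).decode("ascii")
        ET.SubElement(entry, "SHA1").text = base64.b64encode(
            hashlib.sha1(content).digest()).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def parse_fciv(xml_text: str) -> dict:
    """Return {lowercased path: {"MD5": hex, "SHA1": hex}} from an FCIV XML document."""
    digests = {}
    for entry in ET.fromstring(xml_text).iter("FILE_ENTRY"):
        name = entry.findtext("name")
        if not name:
            continue  # malformed entry: skip it rather than abort the whole comparison
        hashes = {}
        for algo in ("MD5", "SHA1"):
            b64 = entry.findtext(algo)
            if b64:
                hashes[algo] = base64.b64decode(b64).hex().upper()
        digests[name.lower()] = hashes  # NTFS paths are case-insensitive
    return digests


def compare_baselines(known_good_xml: str, current_xml: str) -> dict:
    """Report paths whose digests changed, that vanished, or that are new.

    A digest present in the baseline but absent from the current run counts as
    a change: silence about a hash is not evidence that the file is unchanged.
    """
    base = parse_fciv(known_good_xml)
    cur = parse_fciv(current_xml)
    report = {"changed": [], "missing": [], "new": sorted(set(cur) - set(base))}
    for path in sorted(base):
        if path not in cur:
            report["missing"].append(path)
        elif any(cur[path].get(algo) != hexdigest
                 for algo, hexdigest in base[path].items()):
            report["changed"].append(path)
    return report


def demo_report() -> dict:
    """Run the comparison on two constructed databases (contents are placeholders)."""
    baseline = build_fciv_xml({
        r"C:\Windows\explorer.exe": b"explorer build A",
        r"C:\Windows\System32\lsm.exe": b"lsm build A",
        r"C:\Windows\System32\svchost.exe": b"svchost build A",
    })
    current = build_fciv_xml({
        r"C:\Windows\explorer.exe": b"explorer build B",         # content differs
        r"C:\Windows\System32\lsm.exe": b"lsm build A",           # unchanged
        r"C:\Windows\System32\newfile.dll": b"not in baseline",  # constructed name
    })
    return compare_baselines(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        print(f"{kind}: {paths}")
```

A baseline is only as trustworthy as the machine it was taken on, so take it from a clean install at the same build and patch level rather than from the suspect system; Windows system files legitimately differ between builds and updates.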

#3 setigamer


Posted 08 June 2013 - 07:08 AM

I haven't run this in a while, I should get an updated one. Chances are I no longer have access to some of those folders.

Farbar Recovery Scan Tool (x64) Version: 10-05-2013 01
Ran by SYSTEM at 2013-05-11 02:23:58
Running from G:\
Boot Mode: Recovery

================== Search: "explorer.exe" ===================

C:\Windows\explorer.exe
[2012-07-06 00:45] - [2011-02-24 22:19] - 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2012-07-06 00:45] - [2011-02-25 21:19] - 2616320 ____A (Microsoft Corporation) 0FB9C74046656D1579A64660AD67B746

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2012-07-06 00:45] - [2011-02-24 21:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2012-07-06 01:48] - [2010-11-20 04:17] - 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_b8ce9756e0b786a4\explorer.exe
[2012-07-06 00:45] - [2011-02-25 21:51] - 2614784 ____A (Microsoft Corporation) 255CF508D7CFB10E0794D6AC93280BD8

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_b89b8100e0dd69c2\explorer.exe
[2012-07-06 00:45] - [2009-10-30 22:00] - 2614272 ____A (Microsoft Corporation) C76153C7ECA00FA852BB0C193378F917

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_b8d95faae0af7617\explorer.exe
[2012-07-06 00:46] - [2009-08-02 21:49] - 2613248 ____A (Microsoft Corporation) 9FF6C4C91A3711C0A3B18F87B08B518D

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_b816eb59c7bb4020\explorer.exe
[2012-07-06 00:45] - [2011-02-25 21:33] - 2614784 ____A (Microsoft Corporation) 2AF58D15EDC06EC6FDACCE1F19482BBF

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe
[2012-07-06 00:45] - [2009-10-30 21:45] - 2614272 ____A (Microsoft Corporation) 2626FC9755BE22F805D3CFA0CE3EE727

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_b853c407c78e3ba9\explorer.exe
[2012-07-06 00:46] - [2009-08-02 21:35] - 2613248 ____A (Microsoft Corporation) B95EEB0F4E5EFBF1038A35B3351CF047

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2012-07-06 00:45] - [2011-02-25 22:14] - 2871808 ____A (Microsoft Corporation) 3B69712041F3D63605529BD66DC00C48

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2012-07-06 00:45] - [2011-02-24 22:19] - 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[2012-07-06 01:48] - [2010-11-20 05:24] - 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_ae79ed04ac56c4a9\explorer.exe
[2012-07-06 00:45] - [2011-02-25 22:26] - 2870784 ____A (Microsoft Corporation) E38899074D4951D31B4040E994DD7C8D

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
[2012-07-06 00:45] - [2009-10-30 22:38] - 2870272 ____A (Microsoft Corporation) B8EC4BD49CE8F6FC457721BFC210B67F

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
[2012-07-06 00:46] - [2009-08-02 22:19] - 2868224 ____A (Microsoft Corporation) 700073016DAC1C3D2E7E2CE4223334B6

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_adc24107935a7e25\explorer.exe
[2012-07-06 00:45] - [2011-02-25 22:23] - 2870272 ____A (Microsoft Corporation) 0862495E0C825893DB75EF44FAEA8E93

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
[2012-07-06 00:45] - [2009-10-30 22:34] - 2870272 ____A (Microsoft Corporation) 9AAAEC8DAC27AA17B053E6352AD233AE

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe
[2012-07-06 00:46] - [2009-08-02 22:17] - 2868224 ____A (Microsoft Corporation) F170B4A061C9E026437B193B4D571799

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
[2009-07-13 15:56] - [2009-07-13 17:39] - 2868224 ____A (Microsoft Corporation) C235A51CB740E45FFA0EBFB9BAFCDA64

C:\Windows\SysWOW64\explorer.exe
[2012-07-06 00:45] - [2011-02-24 21:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E

C:\Program Files (x86)\SpybotSD2\explorer.exe
[2013-03-22 03:37] - [2012-11-13 13:07] - 3906584 ____A (Safer-Networking Ltd.) E4A0900CF535888DDD85B10040CA3E34

====== End Of Search ======


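As an added example (not part of the thread and not FRST's own code), the parser below reads an FRST search block in the line layout shown above, an excerpt of which is embedded as sample input, and matches each explorer.exe copy outside WinSxS to the component-store copies carrying the same MD5, while separately listing copies that are not under C:\Windows at all. The layout (a path line followed by a created/modified/size/company/MD5 line) is assumed from the output above.

```python
"""Parse an FRST 'Search:' block and relate each live binary to its WinSxS copies.

Assumed layout (taken from the search output in the thread): a path line, then
    [created] - [modified] - size attrs (Company) MD5
The sample below is an excerpt of that output, embedded so the script runs offline.
"""
import re
from collections import defaultdict

FRST_SEARCH_SAMPLE = r"""
================== Search: "explorer.exe" ===================

C:\Windows\explorer.exe
[2012-07-06 00:45] - [2011-02-24 22:19] - 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2012-07-06 00:45] - [2011-02-24 21:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2012-07-06 00:45] - [2011-02-24 22:19] - 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3

C:\Windows\SysWOW64\explorer.exe
[2012-07-06 00:45] - [2011-02-24 21:30] - 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E

C:\Program Files (x86)\SpybotSD2\explorer.exe
[2013-03-22 03:37] - [2012-11-13 13:07] - 3906584 ____A (Safer-Networking Ltd.) E4A0900CF535888DDD85B10040CA3E34

====== End Of Search ======
"""

DETAIL_RE = re.compile(
    r"^\[(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"\[(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# WinSxS directory names carry the architecture and the component version.
STORE_RE = re.compile(
    r"\\(?P<arch>amd64|wow64|x86)_microsoft-windows-[^\\]*?_"
    r"(?P<version>\d+\.\d+\.\d+\.\d+)_none_", re.IGNORECASE)


def parse_frst_search(text: str) -> list:
    """Turn the search block into one record per file; banners and blanks are skipped."""
    records = []
    pending_path = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("="):
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            store = STORE_RE.search(pending_path)
            records.append({
                "path": pending_path,
                "created": m["created"], "modified": m["modified"],
                "size": int(m["size"]), "company": m["company"],
                "md5": m["md5"].upper(),
                "in_winsxs": "\\winsxs\\" in pending_path.lower(),
                "arch": store["arch"].lower() if store else None,
                "version": store["version"] if store else None,
            })
            pending_path = None
        elif not m:
            pending_path = line  # a path line; its detail line should follow
    return records


def match_live_to_store(records: list) -> dict:
    """For each copy outside WinSxS, list (arch, version) of store copies with the same MD5.

    An empty list means no component-store copy matches, so the file has to be
    explained some other way (a vendor's own binary, a newer update, or a file
    that does not belong there).
    """
    store = [r for r in records if r["in_winsxs"]]
    matches = {}
    for rec in records:
        if not rec["in_winsxs"]:
            matches[rec["path"]] = [(s["arch"], s["version"])
                                    for s in store if s["md5"] == rec["md5"]]
    return matches


def outside_windows_dir(records: list) -> list:
    """Paths that are not under C:\\Windows at all."""
    return [r["path"] for r in records
            if not r["path"].lower().startswith("c:\\windows\\")]


def group_by_md5(records: list) -> dict:
    """Group paths by MD5 so identical copies are visible at a glance."""
    groups = defaultdict(list)
    for r in records:
        groups[r["md5"]].append(r["path"])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_frst_search(FRST_SEARCH_SAMPLE)
    for path, hits in match_live_to_store(recs).items():
        print(f"{path}: {hits or 'no matching WinSxS copy'}")
    print("outside C:\\Windows:", outside_windows_dir(recs))
```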

#4 D-FRED-BROWN

  • Malware Response Team

Posted 10 June 2013 - 01:56 PM

Hello setigamer and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you.

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
----------Step 2----------------
Please download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
----------Step 3----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


----------Step 4----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
----------Step 5----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

-------> Your topic will be closed if you haven't replied within 3 days! <--------
(If I don't respond within 24 hours, please send me a PM)




-DFB
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Thank you!

#5 setigamer

setigamer
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle, WA
  • Local time:07:13 PM

Posted 11 June 2013 - 06:21 AM

Thank you very much for the useful information!!! I will be working this perhaps tonight if I find time. I will be posting results.



#6 setigamer

setigamer
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle, WA
  • Local time:07:13 PM

Posted 11 June 2013 - 08:05 AM

Hi, ran the tools. Any tool that needed updating I had to re-enable the network device. I usually run most tools with network disabled. ComboFix wouldn't run and it was deleted off the desktop. I changed the name to something generic. I'll have to do something clever... The log files are being messed with and are marked for deletion. LOL. I'll post soon.



#7 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:09:13 PM

Posted 11 June 2013 - 11:43 AM

The log files are being messed with and are marked for deletion.

 

If you get that error, just reboot the computer.

 

If you can't run ComboFix, try renaming it and running it from Safe Mode.



#8 setigamer

setigamer
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle, WA
  • Local time:07:13 PM

Posted 11 June 2013 - 12:10 PM

Rebooted and they disappeared :). I did get ComboFix to run by renaming it. I'll run the lot again tonight. Thanks!!!



#9 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:09:13 PM

Posted 11 June 2013 - 12:16 PM

Sounds good. Keep me posted :thumbup2:



#10 setigamer

setigamer
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle, WA
  • Local time:07:13 PM

Posted 16 June 2013 - 12:34 AM

Super crazy. I've done quite a bit of digging and research on this box. Trying to save the OS drive to VHD so I reboot into a VM when I change base OS on this. There's a main user that connects and has a profile in HKCU. I think he's the "owner" of the machine, and as far as I can tell he's renting space and bandwidth, there's been a couple other visitors and he's even banned one. Again, I'm speculating because I've never seen such a complete compromise (which is why I allowed it). Got some super interesting registry hives saved and zipped up some killer folders from \windows and \windows\system32. They shrank the size of my OS drive and are shadow mounting another partition I think they're using for drive space. They also have changed the boot code and perhaps even done something in firmware (still investigating). All my ducks almost in a row now, I've had enough and need to finish this project.

 

Just wanted to keep the thread alive. Really interesting stuff :D. I'll post some stuff this weekend, promise. Oh.. the infection came from iLiViD DataMgr. They mask it as a LogiShared (Logitech webcam). They have a fake USB device via stuff in that folder. I have it all zipped up and saved the registry stuff to accompany it.

 

V



#11 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:09:13 PM

Posted 16 June 2013 - 02:33 AM

I'm not sure I understand what you're trying to say- what are you using the machine for?

 

Would you still like me to help you clean the machine? If so, please post the logs I have requested above.



#12 setigamer

setigamer
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle, WA
  • Local time:07:13 PM

Posted 17 June 2013 - 06:47 AM

I plan to, I had some serious issues over the weekend. I have to disconnect from the Internet and rename the stuff to run to get the results you want. I spent some time learning about how they do all this from the registry perspective and also from the extensive files they have in the %systemroot% folder tree. I thought it would be more productive to preserve the OS image on this machine in a VHD, to put it in a controlled and protected environment. I'll get those logs you want now and post in a bit. I do appreciate your time, so thank you.

 

V



#13 setigamer

setigamer
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle, WA
  • Local time:07:13 PM

Posted 17 June 2013 - 08:15 AM

Ok, here we go. Yesterday I changed the perms on a ton of registry items. I spoofed login info for a bunch of services to turn them off, also disabled about a dozen WAN devices that showed up in my device manager. They might have a workaround for that though. Included a nice layout.txt that's in the c:\windows\prefetch folder. You'll enjoy that. Also included the critical device db from HKLM\System\CurrentControlSet001. I have almost every hive saved so if you want more let me know. Ok bedtime :)

 

Thanks!

 

V

Attached Files



#14 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:09:13 PM

Posted 17 June 2013 - 09:47 AM

Please don't make any more changes on your own- it makes it tougher for me to keep track of the modifications we're making on your system.

 

---------------------------

 

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:
 

 

KILLALL::

 

Driver::
45935177
34830393

File::
C:\Windows\System32\Drivers\45935177.sys
C:\Windows\System32\Drivers\34830393.sys
 

Reboot::



Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now
 


Edited by D-FRED-BROWN, 17 June 2013 - 09:48 AM.

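The CFScript in the post above is a small text format: a directive line ending in "::" followed by the items it applies to. Before handing such a script to ComboFix it is worth checking it for internal consistency, because the tool will act on whatever it is given. The script below is an added example (not from the helper, the poster or the ComboFix project) that parses the script into its sections and runs a few checks: that every service named under Driver:: has its .sys file listed under File::, whether any names are purely numeric (a heuristic for machine-generated driver names), and that every File:: path sits under the Windows directory. The directive meanings it reports (KILLALL:: ends running processes, Driver:: removes the named driver services, File:: deletes the listed files, Reboot:: forces a restart) are my reading from ComboFix usage and are not stated on the page; the sample text is a copy of the script from the post.

```python
import re

# Sample input: a copy of the CFScript text from the post above
# (same four directives, same two driver names).
CFSCRIPT_TEXT = r"""
KILLALL::

Driver::
45935177
34830393

File::
C:\Windows\System32\Drivers\45935177.sys
C:\Windows\System32\Drivers\34830393.sys

Reboot::
"""


def parse_cfscript(text):
    """Split a CFScript into {directive: [items]}; a directive is a line ending in '::'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            raise ValueError(f"item appears before any directive: {line!r}")
    return sections


def basename_lower(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def review(sections):
    """Consistency checks to run on a CFScript before it is used.

    Directive semantics below (kill / remove service / delete file / reboot)
    are an assumption from ComboFix usage, not something the page states.
    """
    drivers = sections.get("Driver", [])
    files = sections.get("File", [])
    file_names = {basename_lower(f) for f in files}
    # every service under Driver:: should have its .sys listed under File::
    unpaired = [d for d in drivers if f"{d.lower()}.sys" not in file_names]
    # purely numeric service names: heuristic for machine-generated names
    numeric = [d for d in drivers if re.fullmatch(r"\d+", d)]
    # a File:: entry outside the Windows directory deserves a second look
    outside_windows = [f for f in files if not f.lower().startswith("c:\\windows\\")]
    return {
        "will_kill_processes": "KILLALL" in sections,
        "will_reboot": "Reboot" in sections,
        "driver_count": len(drivers),
        "file_count": len(files),
        "unpaired_drivers": unpaired,
        "numeric_names": numeric,
        "files_outside_windows": outside_windows,
    }


if __name__ == "__main__":
    sections = parse_cfscript(CFSCRIPT_TEXT)
    for key, value in review(sections).items():
        print(f"{key}: {value}")
```

For the script in the post, the review pairs both driver names with their .sys files, finds both names purely numeric, and finds no File:: entry outside C:\Windows. An unpaired driver or a path outside the Windows tree would be the thing to raise with the helper before running the script.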

#15 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:09:13 PM

Posted 17 June 2013 - 09:54 AM

I have to disconnect from the Internet and rename the stuff to run to get the results you want.

 

What do you mean by this? Do the programs I requested you run crash when connected to the internet? Do they not even start? Please give me some more insight.


Edited by D-FRED-BROWN, 17 June 2013 - 09:54 AM.




