Problems as soon as I install win8 even on GPT UEFI


This topic is locked
10 replies to this topic

#1 TECH.FAMGONZALES

Posted 08 July 2013 - 03:31 AM

I am seeing weird stuff on my network. I have tried to install a brand new OS, win8 enterprise and I get the same thing: security changes, unknown users, windows vista components, windows update changes etc.

LOGS
-------

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16384
Run by ADMIN at 1:23:39 on 2013-07-08
Microsoft Windows 8 Enterprise  6.2.9200.0.1252.1.1033.18.6025.4653 [GMT -7:00]
.
AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\dwm.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWow64\IntelCpHeciSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\RuntimeBroker.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
TCP: Interfaces\{5C3D31E8-E576-4AD1-954A-AD71AD014A21} : NameServer = 4.2.2.2,8.8.8.8
SSODL: WebCheck - <orphaned>
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\Drivers\ssudbus.sys [2013-6-4 103448]
R3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
S3 vmbusr;Virtual Machine Bus Provider;C:\Windows\System32\Drivers\vmbusr.sys [2012-7-25 117248]
.
=============== Created Last 30 ================
.
2013-07-08 08:11:16 -------- d-----w- C:\Users\ADMIN\AppData\Local\ElevatedDiagnostics
2013-07-08 07:49:11 -------- d-----w- C:\Users\ADMIN\AppData\Local\Microsoft_Corporation
2013-07-08 07:02:20 -------- d-----w- C:\Users\ADMIN\AppData\Local\Diagnostics
2013-07-08 07:01:56 -------- d-----w- C:\Intel
2013-07-08 07:01:51 -------- d-----w- C:\Windows\LastGood.Tmp
2013-07-08 06:53:06 -------- d-----r- C:\Users\ADMIN\Searches
2013-07-08 06:53:06 -------- d-----r- C:\Users\ADMIN\Contacts
2013-07-04 16:36:24 -------- d-----w- C:\Windows\Panther
.
==================== Find3M  ====================
.
2013-06-04 16:15:02 103448 ----a-w- C:\Windows\System32\drivers\ssudbus.sys
.
============= FINISH:  1:23:45.59 ===============

#2 m0le (Malware Response Team)

Posted 10 July 2013 - 07:54 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 TECH.FAMGONZALES (Topic Starter)

Posted 10 July 2013 - 09:43 PM

OK I'm here

#4 m0le (Malware Response Team)

Posted 11 July 2013 - 07:05 PM

Installing a new operating system over the existing one would have eradicated any lingering malware, so I'm pretty sure that this is not a malware issue. However, to be sure, let's run some tests. Windows 8 may still be too new for some tools to work on until the developers catch up, so let me know if any tools we use fail.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 m0le (Malware Response Team)

Posted 16 July 2013 - 07:15 PM

Hi,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#6 TECH.FAMGONZALES (Topic Starter)

Posted 17 July 2013 - 12:06 PM

I'll run the tools. It was a fresh install on a solid state disk on which I used Eraser software to write 2 passes of zeros. The disk was formatted GPT.

#7 TECH.FAMGONZALES (Topic Starter)

Posted 17 July 2013 - 12:18 PM

Here are the results

------

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-07-17 10:15:40
-----------------------------
10:15:40.880    OS Version: Windows x64 6.2.9200
10:15:40.880    Number of processors: 4 586 0x2505
10:15:40.880    ComputerName: FG-LT-1  UserName: ADMIN
10:15:40.880    Initialze error 1
10:15:54.378    AVAST engine defs: 13071700
10:16:11.441    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000033
10:16:11.441    Disk 0 Vendor: SAMSUNG_SSD_PM810_2.5"_128GB AXM06D1Q Size: 122104MB BusType: 11
10:16:11.441    Disk 0 MBR read successfully
10:16:11.441    Disk 0 MBR scan
10:16:11.441    Disk 0 unknown MBR code
10:16:11.456    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
10:16:11.456    Disk 0 scanning C:\Windows\system32\drivers
10:16:11.456    Service scanning
10:16:12.003    Modules scanning
10:16:12.003    Disk 0 trace - called modules:
10:16:12.019    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll storahci.sys
10:16:12.019    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004402060]
10:16:12.019    3 CLASSPNP.SYS[fffff8800152afea] -> nt!IofCallDriver -> [0xfffffa80037ffbf0]
10:16:12.034    5 ACPI.sys[fffff88001001a91] -> nt!IofCallDriver -> \Device\00000033[0xfffffa80037e37f0]
10:16:12.034    AVAST engine scan C:\Windows
10:16:12.034    AVAST engine scan C:\Windows\system32
10:16:12.034    AVAST engine scan C:\Windows\system32\drivers
10:16:12.050    AVAST engine scan C:\Users\ADMIN
10:16:12.050    AVAST engine scan C:\ProgramData
10:16:12.050    Scan finished successfully
10:16:28.727    Disk 0 MBR has been saved successfully to "C:\Users\ADMIN\Documents\MBR.dat"
10:16:28.727    The log file has been saved successfully to "C:\Users\ADMIN\Documents\aswMBR.txt"

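The aswMBR output above reports "unknown MBR code" and a single partition of type EE labelled GPT at 2097151 MB, offset 1. As an added example, not part of this thread or of aswMBR, the Python below parses a constructed protective MBR laid out the way a GPT disk's is, to show that those two lines together are simply what a GPT disk looks like to an MBR scanner: the only entry is the 0xEE protective one starting at LBA 1 with the maximum 32-bit sector count (which rounds down to 2097151 MB), and there is no boot code for a signature check to recognise. The sample sectors are constructed here, not images of the poster's disk.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446  # 446 bytes of boot code, 4 x 16-byte entries, then 0x55AA
GPT_PROTECTIVE_TYPE = 0xEE

def build_mbr(boot_code: bytes, entries):
    """Assemble a 512-byte MBR from boot code and (type, lba_start, sector_count) tuples.
    Constructed test data only."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", ptype, b"\xff\xff\xff", lba, count)
        for ptype, lba, count in entries
    ).ljust(64, b"\x00")
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + table + b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Return the non-empty partition entries plus a verdict on whether this is a GPT protective MBR."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            parts.append({
                "type": ptype,
                "lba_start": lba,
                "sectors": count,
                # Whole megabytes, the way aswMBR prints it: 0xFFFFFFFF sectors -> 2097151 MB
                "size_mb": count * SECTOR // (1024 * 1024),
            })
    # UEFI spec layout: exactly one entry, type 0xEE, starting at LBA 1 (the GPT header sector)
    protective = len(parts) == 1 and parts[0]["type"] == GPT_PROTECTIVE_TYPE and parts[0]["lba_start"] == 1
    boot_code_present = any(sector[:PART_TABLE_OFFSET])
    return {"partitions": parts, "gpt_protective": protective, "boot_code_present": boot_code_present}

def build_protective_mbr() -> bytes:
    # A GPT disk's protective MBR: zeroed boot code, one 0xEE entry covering the maximum 32-bit span
    return build_mbr(b"", [(GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])

def build_legacy_mbr() -> bytes:
    # A classic MBR-partitioned disk: real boot code bytes and one NTFS (0x07) partition at LBA 2048
    return build_mbr(b"\x33\xc0\x8e\xd0", [(0x07, 2048, 204800)])
```

Under native UEFI boot the firmware never executes MBR boot code, so on a disk like this the GPT headers and the EFI System Partition are what to verify, not the legacy MBR.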


#8 TECH.FAMGONZALES (Topic Starter)

Posted 22 July 2013 - 05:13 PM

Any thoughts?



#9 m0le (Malware Response Team)

Posted 22 July 2013 - 07:18 PM

Apologies, I read the first post on the 17th of July but often the email system does not send another notification for the same thread and so I didn't know you had followed it up.

The aswMBR log looks fine and so it's a mystery as to what might be causing the changes.

Please run OTL and I will look for non-malware possibilities (such as third party software).

  • Please download OTL
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


m0le is a proud member of UNITE

#10 m0le (Malware Response Team)

Posted 26 July 2013 - 09:13 PM

You still there?


m0le is a proud member of UNITE

#11 m0le (Malware Response Team)

Posted 27 July 2013 - 07:40 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE
