
Still infected after multiple formats. Unsure of Virus/Malware name.


This topic is locked
7 replies to this topic

#1 CummingPatrick
  • Members
  • 3 posts
  • Gender:Male
  • Location:NC
  • Local time:03:40 AM

Posted 01 November 2013 - 02:35 AM

I will give a general explanation of the problem and will include the DDS text file and the attach.txt.

 

I have been throwing every bit of knowledge I could at this while scouring the internet to find a similar solution. I am now at a point where I can no longer continue without assistance. I was working remotely with LogMeIn on some computers at some of my previous work sites that were infected. After three days of no luck, I noticed several odd activities on my work computer. There were services I did not recognize randomly appearing and disappearing. I opened up Resource Monitor and realized my computer was infected. I turned off Wi-Fi, booted into Safe Mode and dove into some general anti-everything scanning. Here are the programs that I used: SecurityCheck, RogueKiller, TDSSKiller, AdwCleaner, Spybot, HitmanPro 64, Windows Security Essentials, and I believe there was one whose name I cannot remember. I downloaded all programs through this site. After the well-known "restart of shame," I proceeded to format the hard drive and load Windows again. I have a LEGIT Windows 7 Home Premium SP1 installation DVD. I inserted that into the drive and went into the advanced options to delete and format the drive. Once Windows finished its installation, I still noticed some odd items within Resource Monitor. I had not loaded the wireless drivers, so there was no internet. I watched the entire process start on my computer again. I had an Ubuntu 12.04 desktop CD with me that was burned from a healthy computer a month prior. After trying another format within the live CD and through the Windows installation CD, the virus was still there. My personal computer started showing the same signs as my work computer, and before I knew it, I had lost both hard drives. I have all important files backed up onto cloud servers (which have not been accessed since this happened) and on two separate physical external HDDs (they have not been connected to ANY computer since this happened).
I have three 500 GB hard drives that I have always used for mimicking problems and finding a solution. All were in healthy working order before this incident. When I tried using them for a fresh install, they became infected as well. I have tried installing Ubuntu 13 on each computer with little success. My girlfriend grabbed a flash drive that was plugged into one of the infected computers and used it on her iMac. I noticed some of the same services and processes that my computers were having, and now she basically has a $1300 paperweight sitting in our office (she is very upset, to say the least). A few weeks ago I formatted this computer with the retail Windows 7 Home Premium DVD and did not connect it to the internet until tonight (the first free time I have had to work on this issue). I have tried my hardest to find working solutions for my computers online. With no success, here I am.

 

Here is a short list of where I am currently:

Fresh install of Windows 7 Home Premium 64-bit

Windows, Ubuntu, and Mac seem to be vulnerable to this infection.

Tonight I have tried scanning with HijackThis, TDSSKiller and DDS.

There are quite a number of port listeners listed in Resource Monitor.

Modem AND router have been reset to factory settings and passwords have been changed from a healthy computer.

Downloads take a long period of time (Google Chrome; I tried to download Avira but it said 3 hours to complete 117 MB).

Cell phones and tablets connect to Wi-Fi and have no problems with speed.

Xbox and Wii both stream flawlessly on Netflix and other internet-based apps.

I am in the doghouse until I get the iMac working.

 

I have notifications enabled for responses that email my phone, so I will be prompt in my responses. Once I am contacted, I will not deviate from the list of instructions given. I would like to have my peace of mind back; this has been a tough punch to my I.T. pride.

 

IMPORTANT: The attach.txt file was uploaded from the infected computer. I know you all know what you are doing, I just like to be safe.

 

Here is my DDS report:

 

.
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514
Run by patt at 6:45:58 on 2013-11-01
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3835.3050 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\NETGEAR\WNA1100\WNA1100.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\vds.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
mRun: [jswtrayutil] "C:\Program Files (x86)\NETGEAR\WNA1100\jswtrayutil.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNA1100\WNA1100.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{6B0E9CFC-FA01-4C33-949F-CC67F358B44B} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\System32\drivers\SCMNdisP.sys [2013-11-1 25056]
R1 JSWPSLWF;JumpStart Wireless Filter Driver;C:\Windows\System32\drivers\jswpslwfx.sys [2013-11-1 26624]
R2 WSWNA1100;WSWNA1100;C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe [2013-11-1 297440]
R3 athur;Atheros AR9271 Wireless Network Adapter Service;C:\Windows\System32\drivers\athurx.sys [2013-11-1 1924096]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 iscFlash;iscFlash;C:\SwSetup\sp61028\iscflashx64.sys [2010-9-15 45632]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;C:\Program Files (x86)\NETGEAR\WNA1100\jswpsapi.exe [2013-11-1 960992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
.
=============== Created Last 30 ================
.
2013-11-01 10:25:59 -------- d-----w- C:\Users\patt\AppData\Local\Google
2013-11-01 10:25:50 -------- d-----w- C:\Users\patt\AppData\Local\Deployment
2013-11-01 10:25:50 -------- d-----w- C:\Users\patt\AppData\Local\Apps
2013-11-01 04:02:24 1924096 ----a-w- C:\Windows\System32\drivers\athurx.sys
2013-11-01 04:02:23 26624 ----a-w- C:\Windows\System32\drivers\jswpslwfx.sys
2013-11-01 04:02:23 25056 ----a-w- C:\Windows\System32\drivers\SCMNdisP.sys
2013-11-01 04:02:20 -------- d-----w- C:\Program Files (x86)\NETGEAR
2013-11-01 04:01:57 -------- d-----w- C:\temp
2013-10-18 22:47:41 -------- d-----w- C:\system.sav
2013-10-18 22:47:02 -------- d-sh--w- C:\Windows\Installer
2013-10-18 22:47:02 -------- d-----w- C:\HP
2013-10-18 22:46:19 -------- d-----w- C:\ProgramData\Atheros
2013-10-18 22:45:48 -------- d-----w- C:\SwSetup
2013-10-17 02:39:15 -------- d-----w- C:\Windows\Panther
2013-10-16 22:49:04 -------- d-----w- C:\Users\patt\AppData\Local\VirtualStore
.
==================== Find3M  ====================
.
.
============= FINISH:  6:46:07.96 ===============
 

 

Attached Files




#2 HelpBot
    Bleepin' Binary Bot
  • Bots
  • 12,660 posts
  • Gender:Male
  • Local time:04:40 AM

Posted 06 November 2013 - 02:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/512554 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,079 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:40 AM

Posted 10 November 2013 - 03:55 PM

Hello, if you still need assistance, please post the requested logs.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 CummingPatrick (Topic Starter)
  • Members
  • 3 posts
  • Gender:Male
  • Location:NC
  • Local time:03:40 AM

Posted 10 November 2013 - 04:47 PM

Good Afternoon Elise,

Thank you for getting back to me. I know all of you at BC are extremely busy, as I have been on this site for months reading all of the posts to help diagnose my issue. I would like to say you all are doing an awesome job, especially considering the high volume of tickets submitted. I am running Windows 7 Home Premium 64-bit edition. It was not the original copy of Windows, but it was bought and paid for, and the key has only been used once prior, on this machine. Since the original log, I have had to reinstall Windows and will post the new log below. I have since downloaded and installed a lot of programs from the Bleeping Computer site and, from this moment on, WILL NOT do anything else until you instruct me to. Here is a small description of a few things that I believe are of note.

 

I have noticed that this virus is quick to infect other hard drives across OS platforms.

Did a diskpart clean all from the command prompt of my Windows CD. Still infected.

Tried to download and install Windows updates, with little success.

Tried to delete specific registry keys with no success.

This seems to have infected an iMac computer's HDD.

Seems to have created virtual PCI devices.

I am not concerned about saving any data. All important information was saved prior to infection.

 

 

DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514
Run by Patt at 16:32:59 on 2013-11-10
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3835.2427 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe
C:\Windows\system32\taskeng.exe
C:\Users\Patt\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Patt\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
mWinlogon: Userinit = userinit.exe
uRun: [Google Update] "C:\Users\Patt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [avgnt] "C:\Avira\AntiVir Desktop\avgnt.exe" /min
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{21994952-C1C2-4A9F-97F8-F20C9D46CA0D} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{70BD14EA-117F-453D-85E7-F6045BE7A419} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-11-8 28600]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Avira\AntiVir Desktop\sched.exe [2013-11-8 440392]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-11-8 105856]
R2 avnetflt;avnetflt;C:\Windows\System32\drivers\avnetflt.sys [2013-11-8 83160]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
S2 AntiVirService;Avira Real-Time Protection;C:\Avira\AntiVir Desktop\avguard.exe [2013-11-8 440392]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-11-7 418376]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-11-7 701512]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-11-7 25928]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-11-10 1255736]
S4 AntiVirWebService;Avira Web Protection;C:\Avira\AntiVir Desktop\avwebg7.exe [2013-11-8 1164360]
.
=============== Created Last 30 ================
.
2013-11-10 21:26:21 -------- d-----w- C:\Users\Patt\AppData\Local\Google
2013-11-10 21:25:48 -------- d-----w- C:\Users\Patt\AppData\Local\Apps
2013-11-10 21:25:47 -------- d-----w- C:\Users\Patt\AppData\Local\Deployment
2013-11-10 21:24:30 -------- d-----w- C:\Windows\SysWow64\Wat
2013-11-10 21:24:29 -------- d-----w- C:\Windows\System32\Wat
2013-11-09 00:39:08 -------- d-----w- C:\Program Files (x86)\ESET
2013-11-08 22:50:25 -------- d-----w- C:\ProgramData\Validity
2013-11-08 22:11:29 -------- d-----w- C:\Windows\System32\MRT
2013-11-08 21:49:21 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-11-08 21:49:16 10280728 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F1BD21DF-DAB1-41A5-BD14-6E485B89DFF8}\mpengine.dll
2013-11-08 21:08:40 -------- d-----w- C:\Windows\System32\catroot2
2013-11-08 20:55:50 -------- d-----w- C:\Windows\System32\wbem\repository
2013-11-08 20:55:38 -------- d-----w- C:\Windows\SysWow64\wbem\Performance
2013-11-08 20:25:38 -------- d-----w- C:\Windows\ERUNT
2013-11-08 08:36:58 -------- d-sh--w- C:\$RECYCLE.BIN
2013-11-08 08:33:10 98816 ----a-w- C:\Windows\sed.exe
2013-11-08 08:33:10 256000 ----a-w- C:\Windows\PEV.exe
2013-11-08 08:33:10 208896 ----a-w- C:\Windows\MBR.exe
2013-11-08 06:57:24 116440 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2013-11-08 06:44:41 -------- d-----w- C:\Users\Patt\AppData\Roaming\Boredom Software
2013-11-08 05:28:09 83160 ----a-w- C:\Windows\System32\drivers\avnetflt.sys
2013-11-08 05:28:09 28600 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2013-11-08 05:28:09 105856 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2013-11-08 05:28:08 -------- d-----w- C:\ProgramData\Avira
2013-11-08 05:28:08 -------- d-----w- C:\Avira
2013-11-08 05:27:23 -------- d-sh--w- C:\Windows\Installer
2013-11-08 04:31:54 -------- d-----w- C:\Users\Patt\AppData\Roaming\Malwarebytes
2013-11-08 04:31:45 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-11-08 04:31:45 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-11-08 04:31:30 -------- d-----w- C:\Users\Patt\AppData\Local\Programs
2013-11-08 04:10:03 0 ----a-w- C:\Windows\SysWow64\winlogon.exe
2013-11-08 04:10:03 0 ----a-w- C:\Windows\SysWow64\smss.exe
2013-11-08 04:10:03 0 ----a-w- C:\Windows\SysWow64\services.exe
2013-11-08 04:10:03 0 ----a-w- C:\Windows\SysWow64\lsass.exe
2013-11-08 04:10:03 0 ----a-w- C:\Windows\SysWow64\csrss.exe
2013-11-08 04:09:16 -------- d-----w- C:\ProgramData\Malwarebytes
2013-11-08 04:09:12 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-11-08 04:08:35 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2013-11-08 04:06:20 -------- d-----w- C:\Program Files (x86)\Tweaking.com
2013-11-08 04:03:44 -------- d-----w- C:\FRST
2013-11-08 03:49:48 -------- d-----w- C:\AdwCleaner
2013-11-08 03:48:45 -------- d-----w- C:\Program Files (x86)\Boredom Software
2013-11-08 03:26:43 -------- d-----w- C:\Users\Patt\AppData\Local\CrashDumps
2013-11-08 02:12:15 388096 ----a-r- C:\Users\Patt\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-11-08 02:12:15 -------- d-----w- C:\Program Files (x86)\Trend Micro
2013-11-08 01:33:24 -------- d-----w- C:\Users\Patt\AppData\Roaming\Avira
2013-11-08 01:32:23 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-11-08 01:32:11 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-11-08 01:32:00 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-11-08 01:32:00 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-11-05 13:52:07 -------- d-----w- C:\Windows\Panther
.
==================== Find3M  ====================
.
2013-09-03 18:35:10 278800 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 16:33:10.80 ===============
 

 

Attached Files



#5 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,079 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:40 AM

Posted 11 November 2013 - 02:24 AM

Malware cannot create PCI devices on your Windows installation from your Mac installation. What suspicious items do you see exactly? I see only a clean log here. Note that many legit Windows objects may look random or strange at first sight.


regards, Elise


#6 CummingPatrick (Topic Starter)
  • Members
  • 3 posts
  • Gender:Male
  • Location:NC
  • Local time:03:40 AM

Posted 11 November 2013 - 11:03 AM

I apologize if I was unclear with my explanation. The Mac and virtual PCIe devices are two separate issues. I am not sure if I am allowed to post screenshots of my Device Manager that show these devices. I have run several scans with various different programs. I believe my MBR is infected and my BIOS might possibly be infected as well. I have been locked out of being able to change admin rights for folders. When I attempt to run certain programs, their processes are killed before they can run (RootkitRevealer is the main one). I am unable to find anything with A/V scanners as well as rootkit scanners. There are hidden files that I cannot view unless I boot into my MSI driver disk, Winki, which is a 3.2 Linux release. Those folders are $RECYCLE.BIN and a System Volume folder. The files in them have random characters as names. The $RECYCLE.BIN folder has two other folders in it called S-5-1-21 <random characters> and S-5-1-18. There also seem to be far too many open ports that I have not authorized. There are also remote access protocols that I did not authorize. Sometimes when I try to enable/disable the real-time protection for Avira, I get an error message stating I do not have the appropriate access rights to make that type of change. I have tried to apply Windows updates, which are unsuccessful. That is just to name a few. I admit that after quite a few weeks of working on this issue on multiple computers/hard drives, I may be a little more sensitive than usual. I have two GMER logs that I would like you to look at, as well as some screenshots. After some extensive online research, I am confident that if there is an infection, I have a ZeroAccess trojan or a variant.

 

As I mentioned before, I have not run and will not run any more scans until instructed to. I want to be as specific and informative as possible to help you in your diagnosis and eradication. Let me know if you would like to look at the GMER scan and the aswMBR scan logs.



#7 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,079 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:40 AM

Posted 11 November 2013 - 02:38 PM

All you describe is normal. The fact that Windows does not allow you to make changes to certain folders is because they contain files/folders that are required for Windows to run; Windows protects its users from accidentally deleting or altering things that should be left alone. The S-5-... folders are legit as well; they simply are the Security Identifier-named subfolders that refer to each user on your computer. A complete list of all these users can be found here: http://support.microsoft.com/kb/243330/en-us

 

And you are allowed to post a screenshot, so feel free to. :)


regards, Elise
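Elise's point above, that the subfolders of $RECYCLE.BIN are named after per-user security identifiers, can be checked mechanically. The following is an added example, not code from the thread: a small Python SID parser that validates the S-1-<authority>-<sub-authorities> structure and labels the well-known values from the KB article she links (S-1-5-18 is Local System; S-1-5-21-...-1000 and up are ordinary user accounts). SIDs always begin with S-1 (revision 1), so a name beginning S-5-1- does not parse as one. The folder names in SAMPLE_FOLDERS are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A SID is written S-<revision>-<identifier authority>-<sub-authority>[-...].
# The revision is always 1, so a string beginning "S-5-1-" is not a SID.
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Fixed well-known SIDs from Microsoft KB243330.
_WELL_KNOWN = {
    "S-1-5-18": "Local System (NT AUTHORITY\\SYSTEM)",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Relative identifiers (last component) under a machine or domain SID,
# which has the form S-1-5-21-<a>-<b>-<c>-<RID>.
_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

@dataclass
class Sid:
    text: str
    authority: int
    subauthorities: List[int]

    @property
    def rid(self) -> int:
        # The relative identifier is the final sub-authority.
        return self.subauthorities[-1]

    @property
    def is_machine_or_domain_account(self) -> bool:
        # S-1-5-21-<a>-<b>-<c>-<RID>: exactly five sub-authorities, first is 21.
        return (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)

def parse_sid(text: str) -> Optional[Sid]:
    """Return a Sid, or None if the string is not a structurally valid SID."""
    m = _SID_RE.match(text)
    if not m:
        return None
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    # Revision must be 1; at most 15 sub-authorities, each a 32-bit value.
    if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        return None
    return Sid(text, authority, subs)

def describe_sid(text: str) -> str:
    """Classify a SID string into a human-readable label."""
    sid = parse_sid(text)
    if sid is None:
        return "not a valid SID"
    if text in _WELL_KNOWN:
        return _WELL_KNOWN[text]
    if sid.is_machine_or_domain_account:
        if sid.rid in _KNOWN_RIDS:
            return _KNOWN_RIDS[sid.rid]
        if sid.rid >= 1000:
            return "local or domain user/group account"
        return "other well-known RID"
    return f"other SID (identifier authority {sid.authority})"

def review_recycle_bin(folder_names: List[str]) -> Dict[str, str]:
    """Label each $RECYCLE.BIN subfolder name.  SID-named folders are the
    normal per-user bins; only a name that is not a SID at all is unexpected."""
    return {name: describe_sid(name) for name in folder_names}

# Constructed sample: a typical healthy $RECYCLE.BIN plus two odd names.
SAMPLE_FOLDERS = [
    "S-1-5-18",
    "S-1-5-21-1234567890-987654321-1122334455-1001",
    "S-1-5-21-1234567890-987654321-1122334455-500",
    "S-5-1-21-1234567890-987654321-1122334455-1001",  # revision/authority swapped
    "notasid",
]

if __name__ == "__main__":
    for name, label in review_recycle_bin(SAMPLE_FOLDERS).items():
        print(f"{name:48} {label}")
```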


#8 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,079 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:40 AM

Posted 19 January 2014 - 04:41 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise




