
LocalBox for home use is remotely manipulated via Bios and BCDedit changes


  • This topic is locked
9 replies to this topic

#1 jblaze36

  • Members
  • 6 posts
  • Gender:Male
  • Location:Spencerport, NY

Posted 25 May 2014 - 07:05 PM

Hello,

I have a strong IT background and had a career in the IT field installing networks for the past 3 years. That being said, this problem has me completely stumped and I have no clue how to reconfigure this machine back to normal.

It appears that the virus or malware is embedded within the high RAM. Performing memory dumps and pulling the RAM and CMOS for 24 - 36 hours have yielded no different results. I have tried the following in addition:

  • Mem wipe software utilities
  • Reinstall Windows via Windows 7 Home disk (purchased from a retail store)
  • Reinstall Windows via USB drive containing Windows 7 Pro
  • Reinstall Windows from a completely different image created using Norton Ghost (base image was sysprepped for any random machine)
  • Reinstall Windows from another unique image created with Acronis (base image was also sysprepped for any machine)
  • Used motherboard CD to reinstall drivers each time.
  • Machine has Norton 360 on it.
  • Used WipeDrive CD to clear HD of all data and attempted to reinstall Windows.

The last bit of info: what I am experiencing on this machine also affects any device plugged into my network. I have a Kindle (HD 7), a Windows phone (Nokia Lumia 1020), and 3 Windows desktops. These all show the same symptoms.

Symptoms:

  • *edit* BCDedit shows globalsettings instead of default for boot manager in 2 sections.
  • *edit* Rasman, Lanman, RCPdialer, and other remote utilities that I've never put on this or any other box are all installed on the 3 desktops. Many other programs that I have no clue what they would be used for; I assume for managing domains or virtual machines.
  • *edit* Folders for certificates and other credential stores show certs and files that I have never seen before on any machine I've had in my life. I see redirects in web addresses and find seemingly random log files regarding SQLite and named pipe shares such as ..\\.\namedpipe\s-1-5 .... and so on. I didn't install SQL anywhere on these machines.
  • Workgroups still display in System Properties but the local machine is actually in a domain. This is identified by attempting to change the account password in Control Panel -> User Accounts Control. You cannot change a password or remove a password in the Control Panel UAC, only with Ctrl+Alt+Del -> Change Password.
  • Pausing the BIOS information on boot shows AHCI drives, and disabling this feature in the BIOS results in a BSOD after the BIOS checks finish.
  • Reboot to safe mode + command prompt, with all services disabled and startup disabled: HOSTNAME.exe shows a remote hostname, PINGPATH.exe shows IP configuration not set by my router or local box.
  • GNU + Linux with .bash commands are available when booting with the HD that was cleaned using DoD specs 3x R/WR Delete + 1 Verify.

Modem: Motorola Surfboard SB516
Bandwidth: 30 down and 5 up
Routers: Netgear FVS318n (updated Netgear firmware) -> Asus RT-N66R (latest Merlin build) -> Cisco e2000 (updated Cisco firmware)
Local Machines: 3 x Win 7 64-bit Home Premium SP1

Thank you for your time in assisting me with this issue.

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 11.0.9600.17041
Run by Anita at 19:33:03 on 2014-05-25
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8190.6117 [GMT -4:00]
.
AV: Norton 360 *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton 360 *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton 360 *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\21.3.0.12\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\21.3.0.12\ips\ipsbho.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\21.3.0.12\coieplg.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [Turbo Key] "C:\Program Files (x86)\ASUS\Turbo Key\TurboKey.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink: //go.microsoft.com/fwlink/?LinkID=122915  /build:7601
StartupFolder: C:\Users\Anita\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Users\Anita\Desktop\Logitech\Ereg\eReg.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SKYPE-~1.LNK - C:\Program Files (x86)\Skype\Phone\Skype.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{51E8B31F-288D-4459-B105-CDB468572647} : DHCPNameServer = 209.18.47.61 209.18.47.62
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine64\21.3.0.12\coieplg.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\21.3.0.12\coieplg.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1503000.00C\symds64.sys [2014-5-20 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1503000.00C\symefa64.sys [2014-5-20 1148120]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-6-28 677480]
S1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton 360\NortonData\21.1.0.18\Definitions\BASHDefs\20140510.001\BHDrvx64.sys [2014-5-9 1530160]
S1 ccSet_N360;N360 Settings Manager;C:\Windows\System32\drivers\N360x64\1503000.00C\ccsetx64.sys [2014-5-20 162392]
S1 ccSet_NZ;Norton Zone Settings Manager;C:\Windows\System32\drivers\NZx64\02005F0.006\ccsetx64.sys [2014-4-14 162392]
S1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton 360\NortonData\21.1.0.18\Definitions\IPSDefs\20140523.001\IDSviA64.sys [2014-5-23 525016]
S1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1503000.00C\ironx64.sys [2014-5-20 264280]
S1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1503000.00C\symnets.sys [2014-5-20 593112]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-12-6 239616]
S2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-12-6 344064]
S2 AODDriver4.2.0;AODDriver4.2.0;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2013-9-20 59648]
S2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2013-6-28 90112]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\21.3.0.12\n360.exe [2014-5-20 265040]
S2 NZ;Norton Zone;C:\Program Files (x86)\Norton Zone\Engine\2.0.95.6\nz.exe [2014-4-14 522592]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-9-24 94208]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-1-4 137648]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-4-18 111616]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-1-18 351136]
S3 LVUVC64;Logitech QuickCam Pro 9000(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-1-18 4865568]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-1-6 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-1-6 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-6-28 1255736]
.
=============== Created Last 60 ================
.
2014-05-21 03:09:55 875736 ----a-w- C:\Windows\System32\drivers\N360x64\1503000.00C\srtsp64.sys
2014-05-21 03:09:55 593112 ----a-w- C:\Windows\System32\drivers\N360x64\1503000.00C\symnets.sys
2014-05-21 03:09:55 493656 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\symds64.sys
2014-05-21 03:09:55 36952 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\srtspx64.sys
2014-05-21 03:09:55 264280 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\ironx64.sys
2014-05-21 03:09:55 23568 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\symelam.sys
2014-05-21 03:09:55 162392 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\ccsetx64.sys
2014-05-21 03:09:55 1148120 ----a-w- C:\Windows\System32\drivers\N360x64\1503000.00C\symefa64.sys
2014-05-21 03:09:52 -------- d-----w- C:\Windows\System32\drivers\N360x64\1503000.00C
2014-05-19 21:42:38 162392 ----a-r- C:\Windows\System32\drivers\NZx64\0200610.00C\ccsetx64.sys
2014-05-19 21:42:36 -------- d-----w- C:\Windows\System32\drivers\NZx64\0200610.00C
2014-05-14 11:36:55 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-05-14 11:36:55 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-05-06 15:56:10 -------- d-s---w- C:\Windows\System32\CompatTel
2014-04-18 16:23:59 -------- d-sh--w- C:\Users\Anita\AppData\Local\EmieUserList
2014-04-18 16:23:59 -------- d-sh--w- C:\Users\Anita\AppData\Local\EmieSiteList
2014-04-14 22:00:40 162392 ----a-r- C:\Windows\System32\drivers\NZx64\02005F0.006\ccsetx64.sys
2014-04-14 22:00:39 -------- d-----w- C:\Windows\System32\drivers\NZx64\02005F0.006
.
==================== Find6M  ====================
.
2014-05-13 22:40:49 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-13 22:40:49 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-05-09 06:14:03 477184 ----a-w- C:\Windows\System32\aepdu.dll
2014-05-09 06:11:23 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-03-06 09:31:33 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-06 08:59:04 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-06 08:57:34 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-03-06 08:57:20 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:11:41 5784064 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-06 08:02:34 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:02:33 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-03-06 08:01:01 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36 4254720 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15 2043904 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39 1967104 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40 2260480 ----a-w- C:\Windows\System32\wininet.dll
2014-03-06 05:41:49 1789440 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-03-04 09:47:01 5550016 ----a-w- C:\Windows\System32\ntoskrnl.exe
2014-03-04 09:44:21 362496 ----a-w- C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21 243712 ----a-w- C:\Windows\System32\wow64.dll
2014-03-04 09:44:21 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:20 39936 ----a-w- C:\Windows\System32\wincredprovider.dll
2014-03-04 09:44:10 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-03-04 09:44:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-03-04 09:44:06 340992 ----a-w- C:\Windows\System32\schannel.dll
2014-03-04 09:44:03 722944 ----a-w- C:\Windows\System32\objsel.dll
2014-03-04 09:44:03 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-03-04 09:44:03 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2014-03-04 09:44:00 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-03-04 09:44:00 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2014-03-04 09:43:56 57344 ----a-w- C:\Windows\System32\cngprovider.dll
2014-03-04 09:43:56 52736 ----a-w- C:\Windows\System32\dpapiprovider.dll
2014-03-04 09:43:56 44544 ----a-w- C:\Windows\System32\dimsroam.dll
2014-03-04 09:43:56 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-03-04 09:43:55 56832 ----a-w- C:\Windows\System32\adprovider.dll
2014-03-04 09:43:55 53760 ----a-w- C:\Windows\System32\capiprovider.dll
2014-03-04 09:43:50 455168 ----a-w- C:\Windows\System32\winlogon.exe
2014-03-04 09:20:11 3969984 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2014-03-04 09:20:11 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2014-03-04 09:16:54 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2014-03-04 09:16:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2014-03-04 08:09:30 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29 2048 ----a-w- C:\Windows\SysWow64\user.exe
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:35:56 190912 ----a-w- C:\Windows\System32\drivers\storport.sys
2014-02-04 02:35:49 274880 ----a-w- C:\Windows\System32\drivers\msiscsi.sys
2014-02-04 02:35:35 27584 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2014-02-04 02:32:22 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:28:36 2048 ----a-w- C:\Windows\System32\iologmsg.dll
2014-02-04 02:04:22 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-02-04 02:00:39 2048 ----a-w- C:\Windows\SysWow64\iologmsg.dll
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-24 02:37:55 1684928 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-12-24 23:09:41 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2013-12-24 22:48:32 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2013-12-19 04:50:06 177752 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-12-06 22:07:36 78432 ----a-w- C:\Windows\System32\atimpc64.dll
2013-12-06 22:07:36 78432 ----a-w- C:\Windows\System32\amdpcom64.dll
2013-12-06 22:07:14 71704 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2013-12-06 22:07:14 71704 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2013-12-06 22:04:10 143304 ----a-w- C:\Windows\System32\atiuxp64.dll
2013-12-06 22:03:46 126336 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2013-12-06 22:03:00 115512 ----a-w- C:\Windows\System32\atiu9p64.dll
2013-12-06 22:02:38 98496 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2013-12-06 22:01:52 1318552 ----a-w- C:\Windows\System32\aticfx64.dll
2013-12-06 22:01:04 1100216 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2013-12-06 22:00:16 9753752 ----a-w- C:\Windows\System32\atidxx64.dll
2013-12-06 21:59:50 8406024 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2013-12-06 21:59:00 8287008 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2013-12-06 21:58:10 6630232 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2013-12-06 21:57:20 8927704 ----a-w- C:\Windows\System32\atiumd6a.dll
2013-12-06 21:56:54 7751920 ----a-w- C:\Windows\System32\atiumd64.dll
2013-12-06 21:52:14 13207552 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2013-12-06 21:49:18 51200 ----a-w- C:\Windows\System32\kdbsdk64.dll
2013-12-06 21:44:26 38912 ----a-w- C:\Windows\SysWow64\kdbsdk32.dll
2013-12-06 21:38:52 230912 ----a-w- C:\Windows\System32\clinfo.exe
2013-12-06 21:38:34 99840 ----a-w- C:\Windows\System32\OpenVideo64.dll
2013-12-06 21:38:28 83968 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
.
============= FINISH: 19:33:10.25 ===============
 

 

 

Edited by jblaze36, 25 May 2014 - 10:45 PM.
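An added triage example (not part of the original post and not DDS's own code): a small Python script that reads the "Pseudo HJT Report" section of a DDS log like the one above and surfaces the items a responder would check first, namely the UAC policy values (the posted log shows EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all at 0), whether the NameServer entries match what DHCP supplied, and any entries DDS marks as orphaned. The sample input is a constructed subset of the posted log, the helper names are hypothetical, and it assumes DDS prints dword values in decimal.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a subset of the "Pseudo HJT Report" section of the
# DDS log posted in this thread (one "<key>: <value>" entry per line).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{51E8B31F-288D-4459-B105-CDB468572647} : DHCPNameServer = 209.18.47.61 209.18.47.62
SSODL: WebCheck - <orphaned>
x64-SSODL: WebCheck - <orphaned>
"""

# Assumption: DDS prints dword values in decimal (NoDriveTypeAutoRun = 145 is
# the stock 0x91), so values are parsed as base 10.
POLICY_RE = re.compile(r"^(?P<scope>[a-z]Policies-\w+): (?P<name>\w+) = dword:(?P<value>\d+)$")
NAMESERVER_RE = re.compile(r"^TCP: NameServer = (?P<servers>.+)$")
DHCP_NS_RE = re.compile(r"^TCP: Interfaces\\\{[0-9A-F-]+\} : DHCPNameServer = (?P<servers>.+)$")

# Policy values under HKLM\...\Policies\System that weaken UAC when set to 0.
UAC_WEAK = {
    "EnableLUA": (0, "UAC is disabled (EnableLUA = 0)"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts are not shown on the secure desktop"),
}


def parse_policies(text: str) -> Dict[str, int]:
    """Map 'scope/name' -> integer value for every *Policies-* dword line."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            out[f"{m['scope']}/{m['name']}"] = int(m["value"], 10)
    return out


def parse_dns(text: str) -> Tuple[List[str], List[str]]:
    """Return (NameServer list, DHCP-assigned NameServer list across interfaces)."""
    configured: List[str] = []
    dhcp: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        m = NAMESERVER_RE.match(line)
        if m:
            configured = m["servers"].split()
            continue
        m = DHCP_NS_RE.match(line)
        if m:
            dhcp.extend(m["servers"].split())
    return configured, dhcp


def triage(text: str) -> List[str]:
    """Human-readable findings: weak UAC policy, DNS not from DHCP, orphaned entries."""
    findings: List[str] = []
    policies = parse_policies(text)
    for name, (weak, msg) in UAC_WEAK.items():
        if policies.get(f"mPolicies-System/{name}") == weak:
            findings.append(f"UAC: {msg}")
    configured, dhcp = parse_dns(text)
    # A resolver that DHCP never handed out is worth a second look (DNS hijack
    # is a common way to produce redirects); here both lists match, so no flag.
    unexpected = [s for s in configured if s not in dhcp]
    if unexpected:
        findings.append("DNS: NameServer entries not supplied by DHCP: " + ", ".join(unexpected))
    for line in text.splitlines():
        if line.strip().endswith("<orphaned>"):
            findings.append("INFO: orphaned registry entry: " + line.strip())
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Orphaned entries are leftovers whose target no longer exists and are reported as informational only; the UAC lines are the actionable weak-configuration items in this log.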



 


#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,760 posts
  • Gender:Male

Posted 30 May 2014 - 07:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/535514 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 jblaze36

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Spencerport, NY

Posted 30 May 2014 - 09:02 PM

The OS I am experiencing this on is Windows 7 Home Premium x 2 desktops and 1 x laptop (HP Split) running Windows 8.1.

I have the OS disk for Windows 7 Home Premium but not the laptop as it came prefabricated. However, having the original boot disk makes no difference. With this issue the malware will embed and corrupt the original DVD. I have my original mobo CDs for all machines except the HP and the mobo discs are also corrupted.

I have confirmed this to be true after troubleshooting for 3.5 hours with a tier 3 Microsoft engineer, 19 hours in total with tier 1 and 2.... I will refrain from any obscenities, although after 19 hours of literal talk/hold time and maybe 30 minutes of actual troubleshooting.... I am more than frustrated with the horrid support they offer.

I have also confirmed that when booting the machine, using the F8 key will take you to the advanced boot options. If you select restore from previous restore point, there are none, even though the Microsoft engineer working with me segmented his updates, downloading the security updates only as they became available. There were a total of 7 rounds of updates, each with their own restore point.

If you insert the Windows 7 Home Premium disk (retail copy purchased from Best Buy) and select repair, you will see a DOS window header appear in the lower left hand corner of the screen which hovers for a moment then fades away. This is after a fresh install of Windows from a downloaded .iso from the Microsoft servers.

There is no X: drive on my machine when searching inside of Windows after boot. There is no drive mapped to X: period, or ever previously. I went through a fresh install process with the Microsoft engineer using an ISO that was placed on a FAT32 32GB USB thumb drive to boot from as well. He drove via LogMeIn Rescue and I had the same results.

Using the DOS box I explored the X: directory and took an 8 minute video explaining all of my issues. I also have the file which I believe is the root cause of the problem.

In my infinite wisdom I thought to myself, hmmm, un-mounting the X:\ will force the machine to boot off its regular partition. However I was wrong and now have a machine that boots and acts like it's doing everything normally via lights on the mobo, but I have no boot screen, no text, nothing. My monitor shuts itself off stating a no signal message. I have tried different connection types to the monitor and a USB graphics card I have, which generates the same results. The USB adapter I am using is a Gefen USB to DVI adapter. The monitor is an ASUS MX299Q and the motherboard is an ASUS ROG Crosshair IV Formula.

Please let me know when someone has assessed my issue and I will gladly provide the file I spoke of a moment ago. I believe the corruption from this begins in the BIOS using GNU Linux. This is a particularly scary feat that has been accomplished and would require someone with knowledge in the GNU/Linux language (in my humble opinion).

Thank you,

Jblaze



#4 jblaze36

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Spencerport, NY

Posted 30 May 2014 - 09:10 PM

BTW the proxy/internet issues/unable to access certain sites/certificate issues all tie into this problem. I noticed this happening 6 months ago and tried to reach out to Red Hat, Sophos, Microsoft, Norton 360 (as I had this installed on one of the machines), and Kyle Lovett, who released the vulnerability of the ASUS RT-N66U and other routers that were exploited via USB to stream data. No one wanted to hear about the problem or even bother to review the files I had located way back then.

I see about 20-30 similar posts that honestly feel like the exact issue I experienced. Almost all have at least 3 or more symptoms that are similar.

I think this issue is not now, nor ever was, fully resolved and is allowing breaches in this manner. Maybe I'm wrong and the only other possibility is that the ISP nameservers have been compromised.

Data streaming is also an issue here, confirmed by the previously mentioned file and the public folder as the only user in the X: directory for "x:\users\".

I have a lot of data regarding this including the use of RADIUS servers for proxy/unattended access in combination with PowerShell.

Looking forward to speaking with someone regarding this issue. I will upload my video to YouTube later this evening.


Edited by jblaze36, 30 May 2014 - 09:11 PM.


#5 jblaze36

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Spencerport, NY

Posted 30 May 2014 - 10:22 PM

As an update, I still am unable to get a BIOS boot screen to appear. I am attempting to use GRUB now to recover this. Once I have access to my desktop again I will repost the DDS logs; however, I attempted to use the Farbar fixes and literally used almost every software made available on the download pages 1-11.

Thanks once again,

Jblaze



#6 jblaze36

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Spencerport, NY

Posted 01 June 2014 - 03:22 PM

I created a Linux-Recovery-Remix live USB boot drive via a FAT32 32GB USB 3.0 drive which allowed my machine to reboot as if nothing ever happened, which under normal circumstances would be great. However, since it's used the Linux drive I created to repair the X: drive, I have the same issue again. I cannot change the boot order to get the Linux recovery drive to boot first and utilize a terminal for git commands. I believe this is ultimately what's needed to resolve the problem.

That being said, I am also willing to stop my own repair attempts here now that I have a bootable machine and run the gauntlet of tools here at Bleeping Computer, so long as my posts are actually being read. I submitted this over the holiday weekend and haven't heard a response from anyone other than HelpBot since :( Thanks again for your time in future recovery attempts.

*edit DDS logs will be incoming momentarily*

-Jblaze


Edited by jblaze36, 01 June 2014 - 03:23 PM.


#7 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,420 posts
  • Gender:Female
  • Location:Romania

Posted 15 June 2014 - 01:30 PM

Hello, my apologies for the delay, it looks like your topic has been overlooked. Can you please post the requested log?

I have to say though, all symptoms you describe in post 1 are perfectly normal for Windows. Likewise I see no evidence of malware in your logs and RAM resident malware (that survives a reboot) simply doesn't exist (see also this blog post I made on the subject).


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft

 



#8 jblaze36

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Spencerport, NY

Posted 16 June 2014 - 06:15 AM

I'd like to start over so we are both on the right foot moving forward. I want to address a couple of statements in your reply and then I'll re-post the requested logs. Today I am moving to a new apartment, however, so the logs likely will not be available for 36 hours until I get the machines/workbench set up again.

The first thing I'd like to say is I want to take a step back and present the entire scope of the problem, why it is as serious/sophisticated as it is, and to stop any future assumptions (both good and bad) ahead of time.

I previously worked for a point-of-sale company, which certainly increases the possibility of me being a target. Secondly, this particular company had been hacked once before, about 5 or 6 years prior. Last, we would work from home and connect remotely with OpenVPN instead of a more secure method.

Please don't assume that I'm not infected or using corrupted/manipulated/malicious files even after a reboot/restore/HD wipe. I am by no means an expert, but it would be foolish to think that I spent as much time as I have trying to fix my PC without there being an issue. Last regarding this, I have spent over 200 hours on repair attempts, research, and 3rd party assistance (Microsoft, LogMeIn Rescue, Norton, HP), all of whom couldn't repair the machine. I spent 19 hours alone with Microsoft tech support, 3.5 with a tier 3 engineer who finally verified that my boot disk, which was a retail copy of Windows 7 Home Premium, was "corrupted". What he meant was, affected by the malware on my machine. I also went through the process of downloading an .iso file of Windows that the tech himself used to install Windows on the drive. His version also was corrupted. This corruption happened somewhere after creation of the live .iso -> install. Yes, we deleted and formatted the entire drive, including deleting the system recovery partition. This means that it has to be a BIOS or RAM affliction.

I agree in most cases this doesn't happen. However, to say the RAM is an impossible place to store malware is absolutely incorrect. A RAMdisk partition is most definitely a place you can store malware. In this particular case it is exactly what happened. I'll provide data on this when showing my logs next.

Aside from the ramdisk there is also a dual boot process occurring. My BIOS by default was American Megatrends and my OS is booting with FreeDOS first and chainloading American Megatrends. What is happening in FreeDOS is why I cannot simply fix the machine with a hard drive install. Flashing the BIOS did not change anything either. I re-installed the same version, pulled the RAM and CMOS for 36 hours, and repeatedly pushed the power button after turning the power supply switch off and disconnecting the cable so that no residual power was left. All of these precautions yielded the same results.

Hopefully we can start from there after seeing the logs and I'll be happy to provide any more details you may need/want/like to know.

Oops, forgot one more point to cover: RDP processes and about 6 others in post 1, such as an alternate DNS listing, do not appear in a default fresh install of Windows. Ever. If you look into that DNS you'll see that it is actually a name server for Amazon EC2: node 8. This wouldn't be a primary choice for Time Warner Cable, who is my ISP. I only discovered the exact name of my nameserver because I happened to know the magic IP address used when migrating databases to an Amazon cloud server.

Thank you for your time.

Jblaze


Edited by jblaze36, 16 June 2014 - 06:19 AM.
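As an added check, not from the thread or from either poster, for the kind of unexpected boot entries and ramdisk booting described in the post above: a small Python audit of `bcdedit /enum all` output that flags loaders booting from a ramdisk image (other than the stock Windows RE entry referenced by the default loader's recoverysequence), loaders with a non-standard path, and extra entries in the boot menu. The sample output and the GUIDs in it are constructed, and `EXPECTED_PATHS` is an assumption about a stock Windows 7 install.

```python
EXPECTED_PATHS = {r"\windows\system32\winload.exe", r"\windows\system32\winresume.exe"}

def parse_bcd(text):
    """Parse 'bcdedit /enum all' output into one {key: value} dict per BCD object."""
    entries, cur, last = [], None, None
    for line in (ln for ln in text.splitlines() if ln.strip("- \t")):  # skip blanks/underlines
        if line[0].isspace() and cur and last:   # wrapped value (e.g. second displayorder id)
            cur[last] += " " + line.strip()
        elif "  " in line and cur is not None:   # "key          value" row
            key, value = line.split(None, 1)
            last = key.lower()
            cur[last] = value.strip()
        else:                                    # section heading, e.g. "Windows Boot Loader"
            cur, last = {"_type": line.strip()}, None
            entries.append(cur)
    return entries

def audit_bcd(text):
    """Return (identifier, reason) pairs for loader entries a defender should inspect."""
    by_id = {e.get("identifier"): e for e in parse_bcd(text)}
    mgr = by_id.get("{bootmgr}", {})
    default = mgr.get("default")
    # recoverysequence of the default loader = stock WinRE entry, ramdisk-backed by design
    recovery = by_id.get(default, {}).get("recoverysequence")
    findings = []
    for e in (x for x in by_id.values() if x["_type"] == "Windows Boot Loader"):
        ident = e.get("identifier")
        if e.get("device", "").lower().startswith("ramdisk=") and ident != recovery:
            findings.append((ident, "boots from a ramdisk image: " + e["device"]))
        if e.get("path", "").lower() not in EXPECTED_PATHS:
            findings.append((ident, "non-standard loader path: " + e.get("path", "")))
        if ident != default and ident in mgr.get("displayorder", ""):
            findings.append((ident, "extra boot-menu entry: " + e.get("description", "")))
    return findings

# Constructed sample (not from the thread): stock loader plus an added ramdisk-backed one.
SAMPLE = r"""Windows Boot Manager
identifier              {bootmgr}
default                 {current}
displayorder            {current}
                        {7f1e2d3c-0000-4000-8000-000000000001}
Windows Boot Loader
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
Windows Boot Loader
identifier              {7f1e2d3c-0000-4000-8000-000000000001}
device                  ramdisk=[C:]\boot\extra.wim,{ramdiskoptions}
path                    \boot\loader.exe
description             Windows 7
"""
```

Run `audit_bcd(SAMPLE)` to get three findings, all for the second loader; a stock Windows RE entry pointed at by the default loader's recoverysequence produces none.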


#9 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,420 posts
  • Gender:Female
  • Location:Romania

Posted 16 June 2014 - 08:03 AM

I agree in most cases this doesn't happen. However, to say the RAM is an impossible place to store malware is absolutely incorrect. A RAMdisk partition is most definitely a place you can store malware. In this particular case it is exactly what happened. I'll provide data on this when showing my logs next.

It is physically impossible to store data in RAM and expect it to survive a power down.

If you have spent so many hours, with so many experts, and even Microsoft couldn't tell you how their own install iso became corrupted (without even asking how on earth the BIOS would manipulate the iso, which makes no sense, because the BIOS doesn't have that much space anyway, while what you imply would require a sophisticated program), why would you expect me or any other expert on this forum to have the answer for you?

Oops, forgot one more point to cover: RDP processes and about 6 others in post 1, such as an alternate DNS listing, do not appear in a default fresh install of Windows.

DNS usually is taken from your router (if that's what assigns the connected devices an IP address).

Aside from the ramdisk there is also a dual boot process occurring. My BIOS by default was American Megatrends and my OS is booting with FreeDOS first and chainloading American Megatrends. What is happening in FreeDOS is why I cannot simply fix the machine with a hard drive install. Flashing the BIOS did not change anything either. I re-installed the same version, pulled the RAM and CMOS for 36 hours, and repeatedly pushed the power button after turning the power supply switch off and disconnecting the cable so that no residual power was left. All of these precautions yielded the same results.

What exactly do you mean with "same results"? What did you expect to be fixed/changed by flashing the BIOS? If you refer to the Windows installation issues, there's no reason to expect them to change because it is very unlikely the BIOS is in any way related to that.


regards, Elise



#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,420 posts
  • Gender:Female
  • Location:Romania

Posted 11 July 2014 - 01:47 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise
