help

This is a discussion on help within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.


Old 04-08-2013, 10:43 AM   #1
Registered Member
 
Join Date: Apr 2013
Posts: 13
OS: windows 8



Help. I have been going crazy trying to fix this on my own for the past 3 months... I suspect a very complex infection involving multiple different infections. I have done 18 Windows 7 installs and 6 Windows 8 installs; the infection keeps reappearing. I can sense the remote compromise every time. Here are my logs; please have mercy.

GMER 2.1.19163 - GMER - Rootkit Detector and Remover
Rootkit scan 2013-04-07 16:26:48
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003c SAMSUNG_SSD_830_Series rev.CXM03B1Q 238.47GB
Running: gmer.exe; Driver: C:\Users\x\AppData\Local\Temp\kwloipob.sys

---- User code sections - GMER 2.1 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[804] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8e7a41532 4 bytes [A4, E7, F8, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[804] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8e7a4153a 4 bytes [A4, E7, F8, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[804] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8e7a4165a 4 bytes [A4, E7, F8, 07]
---- Threads - GMER 2.1 ----
Thread C:\WINDOWS\system32\csrss.exe [464:1516] fffff960008415e8
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -2126526724
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8F0DEEF3-4076-41E9-8B8C-3898CC5C5213}@LeaseObtainedTime 1365376441
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8F0DEEF3-4076-41E9-8B8C-3898CC5C5213}@T1 1365376501
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8F0DEEF3-4076-41E9-8B8C-3898CC5C5213}@T2 1365452041
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8F0DEEF3-4076-41E9-8B8C-3898CC5C5213}@LeaseTerminatesTime 1365462841
---- EOF - GMER 2.1 ----
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16519
Run by x at 9:56:37 on 2013-04-08
AV: ESET Smart Security 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET Smart Security 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\dwm.exe
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\PostgreSQL\9.2\bin\pg_ctl.exe
C:\Program Files\PostgreSQL\9.2\bin\postgres.exe
C:\Program Files\PostgreSQL\9.2\bin\postgres.exe
C:\Program Files\PostgreSQL\9.2\bin\postgres.exe
C:\Program Files\PostgreSQL\9.2\bin\postgres.exe
C:\Program Files\PostgreSQL\9.2\bin\postgres.exe
C:\Program Files\PostgreSQL\9.2\bin\postgres.exe
C:\Program Files\PostgreSQL\9.2\bin\postgres.exe
C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\WINDOWS\system32\taskhostex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\taskhost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
mStart Page = about:blank
mLocal Page = about:blank
mWindow Title = Microsoft Internet Explorer
mDefault_Page_URL = about:blank
StartupFolder: C:\Users\x\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SAMSUN~1.LNK - C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{8F0DEEF3-4076-41E9-8B8C-3898CC5C5213} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8F0DEEF3-4076-41E9-8B8C-3898CC5C5213} : DHCPNameServer = 192.168.1.254
SSODL: WebCheck - <orphaned>
x64-Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
x64-Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
x64-Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;C:\WINDOWS\System32\Drivers\epfwwfp.sys [2013-2-20 58416]
R1 eamonm;eamonm;C:\WINDOWS\System32\Drivers\eamonm.sys [2013-2-20 213416]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\WINDOWS\System32\Drivers\EpfwLWF.sys [2013-1-10 59440]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2013-3-21 1341664]
R2 postgresql-x64-9.2;postgresql-x64-9.2 - PostgreSQL Server 9.2;C:/Program Files/PostgreSQL/9.2/bin/pg_ctl.exe runservice -N "postgresql-x64-9.2" -D "C:/Program Files/PostgreSQL/9.2/data" -w --> C:/Program Files/PostgreSQL/9.2/bin/pg_ctl.exe runservice -N postgresql-x64-9.2 [?]
R3 cmudaxp;ASUS Xonar Essence STX Audio Interface;C:\WINDOWS\System32\Drivers\cmudaxp.sys [2012-12-17 2734080]
RUnknown asdnet;asdnet; [x]
RUnknown asdws;asdws; [x]
SUnknown asdrm;asdrm; [x]
.
=============== File Associations ===============
.
FileExt: .vbs: VBSFile=C:\WINDOWS\SysWow64\WScript.exe "%1" %*
FileExt: .js: jsfile=C:\WINDOWS\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2013-04-08 16:17:36 -------- d-----w- C:\Users\x\AppData\Roaming\ESET
2013-04-08 16:17:36 -------- d-----w- C:\Users\x\AppData\Local\ESET
2013-04-07 23:31:33 -------- d-----w- C:\Program Files\ESET
2013-04-07 21:33:25 187152 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10197.bin
2013-04-07 21:00:07 50784 ----a-w- C:\ProgramData\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin
2013-04-07 21:00:07 17536 ----a-w- C:\ProgramData\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2013-04-07 19:42:40 -------- d-----w- C:\Users\x\AppData\Roaming\postgresql
2013-04-07 18:02:48 -------- d-----w- C:\Users\x\AppData\Local\Opera
2013-04-07 14:43:22 9311288 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{73E347F4-C1D7-4173-86BA-E6C62388A2C5}\mpengine.dll
2013-04-07 11:54:20 -------- d-----w- C:\Program Files (x86)\TableNinja
2013-04-07 11:53:44 -------- d-----w- C:\Users\x\AppData\Local\PokerStars
2013-04-07 11:53:38 -------- d-----w- C:\Program Files (x86)\PokerStars
2013-04-07 11:41:57 9311288 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-04-07 11:41:01 -------- d-----w- C:\Users\x\AppData\Local\Hold'em_Manager
2013-04-07 11:40:49 778856 ----a-w- C:\WINDOWS\SysWow64\PresentationNative_v0300.dll
2013-04-07 11:40:49 35400 ----a-w- C:\WINDOWS\SysWow64\TsWpfWrp.exe
2013-04-07 11:40:49 35400 ----a-w- C:\WINDOWS\System32\TsWpfWrp.exe
2013-04-07 11:40:49 124040 ----a-w- C:\WINDOWS\System32\PresentationCFFRasterizerNative_v0300.dll
2013-04-07 11:40:49 1166440 ----a-w- C:\WINDOWS\System32\PresentationNative_v0300.dll
2013-04-07 11:40:49 102528 ----a-w- C:\WINDOWS\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2013-04-07 07:11:39 -------- d-----w- C:\HM2Archive
2013-04-07 07:11:37 -------- d-----w- C:\Users\x\AppData\Roaming\HEM Data
2013-04-07 0746 -------- d-----w- C:\Users\x\AppData\Local\IsolatedStorage
2013-04-07 0746 -------- d-----w- C:\ProgramData\XHEO INC
2013-04-07 0739 -------- d-----w- C:\Users\x\AppData\Roaming\HoldemManager
2013-04-07 04:52:48 -------- d-----w- C:\Program Files (x86)\Holdem Manager 2
2013-04-07 04:45:54 -------- d-----w- C:\Program Files\PostgreSQL
2013-04-07 04:42:08 -------- d-----w- C:\ProgramData\Samsung
2013-04-07 04:42:08 -------- d-----w- C:\Program Files (x86)\Samsung Magician
2013-04-07 04:42:02 -------- d-----w- C:\Users\x\AppData\Local\Programs
2013-04-07 04:42:00 82944 ----a-w- C:\WINDOWS\SysWow64\dskquota.dll
2013-04-07 04:42:00 109568 ----a-w- C:\WINDOWS\System32\dskquota.dll
2013-04-07 04:40:51 178176 ----a-w- C:\WINDOWS\System32\SystemEventsBrokerServer.dll
2013-04-07 04:38:58 524768 ----a-w- C:\WINDOWS\difxapi.dll
2013-04-07 04:38:58 359424 ----a-w- C:\WINDOWS\System32\CmiInstallResAll64.dll
2013-04-07 04:38:15 -------- d-----w- C:\Program Files (x86)\PSQLINSTALL
2013-04-07 04:26:54 -------- d-----w- C:\Users\x\AppData\Roaming\Anvisoft
2013-04-07 04:26:49 -------- d-----w- C:\ProgramData\Anvisoft
2013-04-07 04:26:46 -------- d-----w- C:\Program Files (x86)\Anvisoft
2013-04-07 04:22:59 11459584 ----a-w- C:\WINDOWS\System32\glcndFilter.dll
2013-04-07 04:11:13 16114176 ----a-w- C:\Program Files\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2013-04-07 04:11:12 15541248 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2013-04-07 04:07:18 282744 ------w- C:\WINDOWS\System32\MpSigStub.exe
2013-04-07 04:07:12 56832 ----a-w- C:\WINDOWS\System32\OpenCL.DLL
2013-04-07 04:07:12 56320 ----a-w- C:\WINDOWS\SysWow64\OpenCL.DLL
2013-04-07 04:07:12 -------- d-----w- C:\Intel
2013-04-07 04:03:14 17888 ----a-w- C:\WINDOWS\SysWow64\msvcr100_clr0400.dll
2013-04-07 04:03:14 17888 ----a-w- C:\WINDOWS\System32\msvcr100_clr0400.dll
2013-04-07 04:01:23 2893824 ----a-w- C:\WINDOWS\System32\msmpeg2vdec.dll
2013-04-07 04:01:23 2400256 ----a-w- C:\WINDOWS\SysWow64\msmpeg2vdec.dll
2013-04-07 04:01:17 144384 ----a-w- C:\WINDOWS\System32\tssdisai.dll
2013-04-07 04:01:17 135680 ----a-w- C:\WINDOWS\System32\appserverai.dll
2013-04-07 04:01:17 126976 ----a-w- C:\WINDOWS\System32\RDWebAI.dll
2013-04-07 04:01:17 122880 ----a-w- C:\WINDOWS\System32\VmHostAI.dll
2013-04-07 04:01:16 148480 ----a-w- C:\WINDOWS\System32\poqexec.exe
2013-04-07 04:01:16 132608 ----a-w- C:\WINDOWS\SysWow64\poqexec.exe
2013-04-07 03:55:41 -------- d-----w- C:\Users\x\AppData\Local\Diagnostics
2013-04-07 03:36:23 -------- d-----w- C:\WINDOWS\Panther
2013-04-07 01:37:12 -------- d--h--w- C:\ESD
.
==================== Find3M ====================
.
2013-04-07 04:39:06 419840 ----a-w- C:\WINDOWS\System32\wrap_oal.dll
2013-04-07 04:39:06 413696 ----a-w- C:\WINDOWS\SysWow64\wrap_oal.dll
2013-04-07 04:39:06 111616 ----a-w- C:\WINDOWS\System32\OpenAL32.dll
2013-04-07 04:39:06 102400 ----a-w- C:\WINDOWS\SysWow64\OpenAL32.dll
2013-03-05 23:07:25 78168 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
2013-03-05 23:07:25 692568 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerApp.exe
2013-03-02 08:22:18 361984 ----a-w- C:\WINDOWS\SysWow64\MFMediaEngine.dll
2013-03-02 02:44:30 468992 ----a-w- C:\WINDOWS\System32\MFMediaEngine.dll
2013-02-20 18:07:40 58416 ----a-w- C:\WINDOWS\System32\drivers\epfwwfp.sys
2013-02-20 18:07:38 213416 ----a-w- C:\WINDOWS\System32\drivers\eamonm.sys
2013-02-15 07:58:59 39936 ----a-w- C:\WINDOWS\apppatch\apppatch64\acspecfc.dll
2013-02-15 06:35:40 444416 ----a-w- C:\WINDOWS\apppatch\AcSpecfc.dll
2013-02-12 01:30:04 44032 ----a-w- C:\WINDOWS\SysWow64\UXInit.dll
2013-02-12 00:56:19 53760 ----a-w- C:\WINDOWS\System32\UXInit.dll
2013-02-12 00:25:18 4041728 ----a-w- C:\WINDOWS\System32\win32k.sys
2013-02-12 00:17:50 20992 ----a-w- C:\WINDOWS\System32\drivers\usb8023.sys
2013-02-07 04:09:56 69864 ----a-w- C:\WINDOWS\System32\drivers\pdc.sys
2013-02-07 03:34:58 10115072 ----a-w- C:\WINDOWS\System32\twinui.dll
2013-02-07 03:33:47 2302464 ----a-w- C:\WINDOWS\System32\authui.dll
2013-02-07 03:33:42 2146816 ----a-w- C:\WINDOWS\System32\actxprxy.dll
2013-02-07 01:34:00 8856576 ----a-w- C:\WINDOWS\SysWow64\twinui.dll
2013-02-07 01:33:03 2033664 ----a-w- C:\WINDOWS\SysWow64\authui.dll
2013-02-07 01:33:01 754176 ----a-w- C:\WINDOWS\SysWow64\actxprxy.dll
2013-02-05 22:31:11 622080 ----a-w- C:\WINDOWS\System32\drivers\srv2.sys
2013-02-05 22:29:09 370688 ----a-w- C:\WINDOWS\System32\drivers\mrxsmb.sys
2013-02-05 22:28:48 247808 ----a-w- C:\WINDOWS\System32\drivers\srvnet.sys
2013-02-05 22:28:36 215552 ----a-w- C:\WINDOWS\System32\drivers\mrxsmb20.sys
2013-02-05 04:58:01 1766912 ----a-w- C:\WINDOWS\SysWow64\wininet.dll
2013-02-05 04:56:33 2877952 ----a-w- C:\WINDOWS\SysWow64\jscript9.dll
2013-02-05 04:56:27 61440 ----a-w- C:\WINDOWS\SysWow64\iesetup.dll
2013-02-05 04:56:27 109056 ----a-w- C:\WINDOWS\SysWow64\iesysprep.dll
2013-02-05 03:55:27 2706432 ----a-w- C:\WINDOWS\SysWow64\mshtml.tlb
2013-02-05 01:44:50 534528 ----a-w- C:\WINDOWS\SysWow64\uxtheme.dll
2013-02-04 22:39:47 2246656 ----a-w- C:\WINDOWS\System32\wininet.dll
2013-02-04 22:39:39 907776 ----a-w- C:\WINDOWS\System32\uxtheme.dll
2013-02-04 22:38:55 3966464 ----a-w- C:\WINDOWS\System32\jscript9.dll
2013-02-04 22:38:53 136704 ----a-w- C:\WINDOWS\System32\iesysprep.dll
2013-02-02 11:19:44 496872 ----a-w- C:\WINDOWS\System32\drivers\usbhub.sys
2013-02-02 11:19:44 446184 ----a-w- C:\WINDOWS\System32\drivers\USBHUB3.SYS
2013-02-02 11:19:41 329960 ----a-w- C:\WINDOWS\System32\drivers\storport.sys
2013-02-02 11:19:33 61672 ----a-w- C:\WINDOWS\System32\drivers\crashdmp.sys
2013-02-02 10:54:54 1933544 ----a-w- C:\WINDOWS\System32\drivers\ntfs.sys
2013-02-02 10:28:54 993512 ----a-w- C:\WINDOWS\System32\drivers\ndis.sys
2013-02-02 10:28:54 2226408 ----a-w- C:\WINDOWS\System32\drivers\tcpip.sys
2013-02-02 08:40:58 375808 ----a-w- C:\WINDOWS\SysWow64\wbem\WmiPrvSE.exe
2013-02-02 08:40:55 80896 ----a-w- C:\WINDOWS\SysWow64\tasklist.exe
2013-02-02 08:40:55 79360 ----a-w- C:\WINDOWS\SysWow64\taskkill.exe
2013-02-02 08:40:36 155136 ----a-w- C:\WINDOWS\SysWow64\XpsRasterService.dll
2013-02-02 08:40:35 370688 ----a-w- C:\WINDOWS\SysWow64\WWanAPI.dll
2013-02-02 08:40:27 131072 ----a-w- C:\WINDOWS\SysWow64\wbem\WmiDcPrv.dll
2013-02-02 08:40:26 410624 ----a-w- C:\WINDOWS\SysWow64\wlroamextension.dll
2013-02-02 08:40:22 197632 ----a-w- C:\WINDOWS\SysWow64\Windows.Networking.Connectivity.dll
2013-02-02 08:40:22 10792448 ----a-w- C:\WINDOWS\SysWow64\Windows.UI.Xaml.dll
2013-02-02 08:40:01 356352 ----a-w- C:\WINDOWS\SysWow64\SettingSync.dll
2013-02-02 08:39:59 325632 ----a-w- C:\WINDOWS\SysWow64\schannel.dll
2013-02-02 08:39:47 18432 ----a-w- C:\WINDOWS\SysWow64\npmproxy.dll
2013-02-02 08:39:34 55296 ----a-w- C:\WINDOWS\SysWow64\nlaapi.dll
2013-02-02 08:39:34 15872 ----a-w- C:\WINDOWS\SysWow64\nlmproxy.dll
2013-02-02 08:39:34 12288 ----a-w- C:\WINDOWS\SysWow64\nlmsprep.dll
2013-02-02 08:39:33 115712 ----a-w- C:\WINDOWS\SysWow64\netprofm.dll
2013-02-02 08:39:28 5090816 ----a-w- C:\WINDOWS\SysWow64\mstscax.dll
2013-02-02 08:39:15 157696 ----a-w- C:\WINDOWS\SysWow64\mbsmsapi.dll
2013-02-02 08:38:54 567808 ----a-w- C:\WINDOWS\SysWow64\duser.dll
2013-02-02 08:24:19 107520 ----a-w- C:\WINDOWS\System32\taskkill.exe
2013-02-02 08:24:19 102400 ----a-w- C:\WINDOWS\System32\tasklist.exe
2013-02-02 08:23:44 228352 ----a-w- C:\WINDOWS\System32\XpsRasterService.dll
2013-02-02 08:23:43 475136 ----a-w- C:\WINDOWS\System32\WWanAPI.dll
2013-02-02 08:23:37 611840 ----a-w- C:\WINDOWS\System32\wpd_ci.dll
2013-02-02 08:23:37 105472 ----a-w- C:\WINDOWS\System32\wpdbusenum.dll
2013-02-02 08:23:30 830464 ----a-w- C:\WINDOWS\System32\wbem\WmiPrvSD.dll
2013-02-02 08:23:28 543232 ----a-w- C:\WINDOWS\System32\wlroamextension.dll
2013-02-02 08:23:21 13643264 ----a-w- C:\WINDOWS\System32\Windows.UI.Xaml.dll
2013-02-02 08:23:19 293376 ----a-w- C:\WINDOWS\System32\Windows.Networking.Connectivity.dll
2013-02-02 08:23:18 731648 ----a-w- C:\WINDOWS\System32\win32spl.dll
2013-02-02 08:23:16 87552 ----a-w- C:\WINDOWS\System32\wersvc.dll
2013-02-02 08:22:28 448512 ----a-w- C:\WINDOWS\System32\SettingSync.dll
2013-02-02 08:22:22 416256 ----a-w- C:\WINDOWS\System32\schannel.dll
2013-02-02 08:21:45 467456 ----a-w- C:\WINDOWS\System32\netprofmsvc.dll
2013-02-02 08:21:44 385024 ----a-w- C:\WINDOWS\System32\ncsi.dll
2013-02-02 08:21:38 5977600 ----a-w- C:\WINDOWS\System32\mstscax.dll
2013-02-02 08:21:10 225280 ----a-w- C:\WINDOWS\System32\mbsmsapi.dll
2013-02-02 08:20:47 260096 ----a-w- C:\WINDOWS\System32\hotspotauth.dll
2013-02-02 08:20:31 729600 ----a-w- C:\WINDOWS\System32\duser.dll
2013-02-02 07:30:05 2706432 ----a-w- C:\WINDOWS\System32\mshtml.tlb
2013-02-02 07:25:52 297984 ----a-w- C:\WINDOWS\System32\drivers\ks.sys
2013-02-02 07:25:26 82944 ----a-w- C:\WINDOWS\System32\drivers\hidclass.sys
2013-02-02 07:25:23 37632 ----a-w- C:\WINDOWS\System32\drivers\BthAvrcpTg.sys
2013-02-02 05:41:57 1437184 ----a-w- C:\WINDOWS\SysWow64\GdiPlus.dll
2013-02-02 05:31:54 1690624 ----a-w- C:\WINDOWS\System32\GdiPlus.dll
2013-01-29 01:57:05 35232 ----a-w- C:\WINDOWS\System32\drivers\WdBoot.sys
2013-01-28 23:08:22 230904 ----a-w- C:\WINDOWS\System32\drivers\WdFilter.sys
2013-01-14 03:56:14 6967016 ----a-w- C:\WINDOWS\System32\ntoskrnl.exe
2013-01-12 02:02:34 64624 ----a-w- C:\WINDOWS\System32\drivers\HECIx64.sys
2013-01-10 22:08:16 59440 ----a-w- C:\WINDOWS\System32\drivers\EpfwLWF.sys
2013-01-10 22:08:16 190232 ----a-w- C:\WINDOWS\System32\drivers\epfw.sys
2013-01-10 22:08:14 150616 ----a-w- C:\WINDOWS\System32\drivers\ehdrv.sys
2013-01-10 01:53:32 28904 ----a-w- C:\WINDOWS\System32\drivers\msgpiowin32.sys
2013-01-10 01:40:39 1448168 ----a-w- C:\WINDOWS\System32\drivers\dxgkrnl.sys
2013-01-10 01:40:38 303848 ----a-w- C:\WINDOWS\System32\drivers\dxgmms1.sys
2013-01-10 01:39:29 194280 ----a-w- C:\WINDOWS\System32\drivers\sdbus.sys
.
============= FINISH: 9:56:42.05 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 8
Boot Device: \Device\HarddiskVolume1
Install Date: 4/6/2013 8:39:05 PM
System Uptime: 4/8/2013 9:14:58 AM (0 hours ago)
.
Motherboard: ASUSTeK COMPUTER INC. | | SABERTOOTH Z77
Processor: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz | LGA1155 | 3501/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 215 GiB total, 170.079 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96a-e325-11ce-bfc1-08002be10318}
Description: Standard SATA AHCI Controller
Device ID: PCI\VEN_8086&DEV_1E02&SUBSYS_84CA1043&REV_04\3&11583659&0&FA
Manufacturer: Standard SATA AHCI Controller
Name: Standard SATA AHCI Controller
PNP Device ID: PCI\VEN_8086&DEV_1E02&SUBSYS_84CA1043&REV_04\3&11583659&0&FA
Service: storahci
.
==== System Restore Points ===================
.
RP1: 4/6/2013 8:49:52 PM - a
.
==== Installed Programs ======================
.
ASUS Xonar Essence STX Audio
ESET Smart Security
Holdem Manager 2
Intel(R) Processor Graphics
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
OpenAL
Opera 12.15
PokerStars
PostgreSQL 9.2
Samsung Magician
TableNinja
.
==== Event Viewer Messages From Past Week ========
.
4/7/2013 8:14:25 AM, Error: Schannel [36888] - A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 900.
4/7/2013 4:31:40 PM, Error: Service Control Manager [7030] - The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
4/7/2013 4:29:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
4/7/2013 4:28:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "Unavailable" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
4/7/2013 4:28:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "Unavailable" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
4/7/2013 4:28:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
4/7/2013 4:19:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
4/7/2013 4:12:17 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
4/7/2013 4:03:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service dps with arguments "Unavailable" in order to run the server: {7022A3B3-D004-4F52-AF11-E9E987FEE25F}
4/7/2013 4:03:05 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
4/7/2013 4:03:03 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
4/7/2013 4:03:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/6/2013 9:10:12 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070103: Intel driver update for Intel(R) Management Engine Interface.
4/6/2013 8:36:31 PM, Error: Service Control Manager [7023] - The Network List Service service terminated with the following error: The device is not ready.
4/6/2013 8:36:31 PM, Error: Service Control Manager [7023] - The IP Helper service terminated with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
4/6/2013 8:36:20 PM, Error: volmgr [46] - Crash dump initialization failed!
4/6/2013 10:01:17 PM, Error: Service Control Manager [7022] - The AD Blocker Service service hung on starting.
.
==== End Of File ===========================
Attached Files
File Type: zip SysInspector-XDSD23-130408-0953.zip (228.2 KB, 25 views)

Posted by: hackked
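As an added example (my own code, not something from the original post and not code from the DDS or GMER authors): a small Python triage parser for two of the log formats pasted above. It reads the DDS "SERVICES / DRIVERS" lines and flags the entries DDS printed without an image path (the "RUnknown asdnet;asdnet; [x]" style lines), and it reads the GMER ".text" lines, decodes the patched bytes and labels them with a simple heuristic. Assumptions: the regexes are my reading of the two line layouts; treating a bare name with a trailing "[x]" as "image file not found" is my reading of DDS output; the labels from classify_patch are heuristics, not a verdict from GMER; and the "victim.exe" / "NtOpenFile" line in the GMER sample is constructed to show what an E9 jmp-rel32 inline hook looks like in the same format. The other sample lines are copied from the log in the post.

```python
# Added example (not from the original post, and not code from the DDS or
# GMER authors): a small triage parser for two log formats pasted above.
# Assumptions: the regexes are my reading of the line layouts; DDS printing a
# bare name with "[x]" is read as "image file not found"; the labels returned
# by classify_patch are heuristics, not a verdict from GMER.
import re

# Sample input copied from the log in the post (DDS SERVICES / DRIVERS section).
DDS_SAMPLE = r"""
R0 epfwwfp;epfwwfp;C:\WINDOWS\System32\Drivers\epfwwfp.sys [2013-2-20 58416]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2013-3-21 1341664]
RUnknown asdnet;asdnet; [x]
RUnknown asdws;asdws; [x]
SUnknown asdrm;asdrm; [x]
"""

# Sample input: the three GMER ".text" lines from the post, plus one
# constructed line (victim.exe / ntdll.dll, made up for contrast) that shows
# what a classic E9 jmp-rel32 inline hook looks like in the same format.
GMER_SAMPLE = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[804] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8e7a41532 4 bytes [A4, E7, F8, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[804] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8e7a4153a 4 bytes [A4, E7, F8, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[804] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8e7a4165a 4 bytes [A4, E7, F8, 07]
.text C:\Example\victim.exe[1234] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile + 0 00007ffb12340000 5 bytes [E9, 10, 20, 30, 40]
"""

DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d|Unknown)\s+"        # R=running / S=stopped, start type
    r"(?P<name>[^;]*);(?P<display>[^;]*);"             # service name ; display name ;
    r"(?P<path>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*$"   # image path, then [date size] or [x]
)

GMER_PATCH_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<func>\w+)\s*\+\s*(?P<off>\d+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+bytes\s+\[(?P<bytes>[^\]]+)\]"
)


def parse_dds_services(text):
    """One dict per DDS service/driver line; missing_binary is set when DDS
    printed no image path or a trailing [x]."""
    out = []
    for line in text.splitlines():
        m = DDS_SERVICE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["missing_binary"] = (not d["path"]) or d["meta"] == "x"
        out.append(d)
    return out


def suspicious_services(text):
    """Names of services DDS listed without a locatable binary."""
    return [s["name"] for s in parse_dds_services(text) if s["missing_binary"]]


def classify_patch(p):
    """Heuristic label for the patched bytes of one GMER .text entry."""
    b = p["bytes"]
    addr = int(p["addr"], 16)
    if b and b[0] == 0xE9:
        return "jmp-rel32"            # classic 5-byte inline hook
    if b[:2] == [0xFF, 0x25]:
        return "jmp-indirect"         # jmp [rip+disp32]
    # Four patched bytes that spell out bits 16..47 of the patched address
    # itself look like a relocated pointer into the same module, not a branch.
    if p["n"] == 4 and int.from_bytes(bytes(b), "little") == (addr >> 16) & 0xFFFFFFFF:
        return "in-module-pointer"
    return "unclassified"


def parse_gmer_patches(text):
    """One dict per GMER .text line, with bytes decoded and a label attached."""
    out = []
    for line in text.splitlines():
        m = GMER_PATCH_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("pid", "off", "n"):
            d[k] = int(d[k])
        d["bytes"] = [int(x, 16) for x in d["bytes"].split(",")]
        d["label"] = classify_patch(d)
        out.append(d)
    return out


def triage(dds_text, gmer_text):
    """The items a helper would ask about first."""
    return {
        "services_without_binary": suspicious_services(dds_text),
        "branch_patches": [
            f'{p["proc"]}[{p["pid"]}] {p["module"]}!{p["func"]}+{p["off"]} ({p["label"]})'
            for p in parse_gmer_patches(gmer_text)
            if p["label"].startswith("jmp")
        ],
    }


if __name__ == "__main__":
    for key, value in triage(DDS_SAMPLE, GMER_SAMPLE).items():
        print(key, value)
```

On the log above this yields two things worth asking about. The three asd* services are listed by DDS with no image path at all, so the first question is what they are and where they came from. The three MSIMG32.dll entries all patch the same four bytes, A4 E7 F8 07, which read little-endian as 0x07F8E7A4; that is exactly bits 16..47 of the patched addresses 0x000007f8e7a4xxxx, so the bytes are a pointer into the same address range rather than a branch. A patch beginning E9 or FF 25, like the constructed ntdll line, is the shape a real inline hook takes and is what would need explaining.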
Old 04-08-2013, 09:16 PM   #2
Registered Member
 
Join Date: Apr 2013
Posts: 13
OS: windows 8



Hello, greetings. I think I'm dealing with the infection located somewhere as a mass storage drive, and it actually morphs from mass storage RAM to PCI mass storage. I understand this might be time consuming, but I need someone who is well crafted against advanced persistent attacks and willing to work on this project with me... I will compensate for time for someone who wants to treat this as work.

Posted by: hackked
Old 04-29-2013, 06:00 AM   #3
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,338
OS: WinXP Home, Vista, Windows 7 64bit



Hello hackked,

Why do you suspect remote connections? When you performed the Windows 7 reinstalls, did you wipe the hard drive first?

Please download Malwarebytes Anti-Rootkit from the Malwarebytes site (page: Malwarebytes : Malwarebytes Anti-Rootkit) and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.
Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
Posted by: Ried
Old 04-30-2013, 11:42 AM   #4
Registered Member
 
Join Date: Apr 2013
Posts: 13
OS: windows 8



Thank you so much for replying; I'm going to do this now... I don't suspect remote hacking, I know it's happening... I can tell with pinpoint accuracy when someone accesses my computer via remote login. I just don't know all the correct terms and all, and I have had no luck fixing it..... Yes, I have wiped the drive with the DBAN (Boot and Nuke) program.
Posted by: hackked
Old 04-30-2013, 11:58 AM   #5
Registered Member
 
Join Date: Apr 2013
Posts: 13
OS: windows 8



---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16540

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.809000 GHz
Memory total: 17144266752, free: 14990942208

------------ Kernel report ------------
04/30/2013 11:47:59
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\DRIVERS\cmderd.sys
\SystemRoot\system32\DRIVERS\cmdguard.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\cmdhlp.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\inspect.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\System32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\HECIx64.sys
\SystemRoot\System32\drivers\usbehci.sys
\SystemRoot\System32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\Rt630x64.sys
\SystemRoot\system32\DRIVERS\ASACPI.sys
\SystemRoot\System32\drivers\serial.sys
\SystemRoot\System32\drivers\serenum.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\drivers\usbhub.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\USBSTOR.SYS
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\System32\drivers\WpdUpFltr.sys
\SystemRoot\System32\drivers\mouhid.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR3
Upper Device Object: 0xfffffa800c874060
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000040\
Lower Device Object: 0xfffffa800c865060
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800df2f060
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000032\
Lower Device Object: 0xfffffa800c9d77f0
Lower Device Driver Name: \Driver\storahci\
Driver name found: storahci
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\Drivers\storport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.04.30.06
Downloaded database version: v2013.04.25.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800df2f060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800de94920, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800df2f060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xfffffa800c9d77f0, DeviceName: \Device\00000032\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xfffff8a008fd59f0, 0xfffffa800df2f060, 0xfffffa800d64e740
Lower DeviceData: 0xfffff8a009bbc680, 0xfffffa800c9d77f0, 0xfffffa800d65e660
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: AAE9B975

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 716800
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 718848 Numsec = 499396608

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 256060514304 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-500098192-500118192)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa800c874060, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800f71e560, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800c874060, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\disk\
DevicePointer: 0xfffffa800c865060, DeviceName: \Device\00000040\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\disk\
Upper DeviceData: 0xfffff8a0081d54c0, 0xfffffa800c874060, 0xfffffa8010a833e0
Lower DeviceData: 0xfffff8a0096db280, 0xfffffa800c865060, 0xfffffa800d6cd4f0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 0

Partition information:

Partition 0 type is Other (0xc)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 60592128
Partition file system is FAT32
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 31024349184 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================


The focus of the breach is to get access to real-time screen data, and they do this by adding a host of drivers so that many, many monitor drivers are attached.
__________________
hackked
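An added example, not from this thread or from the scanner's own code: a Python parser for the 64-byte MBR partition table that reports the same fields the drive 0 scan above prints (disk signature, partition type, active flag, starting LBA, sector count) and computes the sector ranges no table entry covers, which is the check a practitioner runs before treating "missing" space as a hidden partition. The sector it parses is constructed to mirror drive 0's table; the gap ranges are derived purely from that table, so they need not coincide with the range the scanner itself chose to inspect.

```python
import struct

SECTOR_SIZE = 512
# Type bytes the scan log labels (0x7 NTFS, 0xc FAT32, 0x0 empty) plus a few
# common ones from the standard MBR type list.
TYPE_NAMES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0xEE: "GPT protective"}

def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR mirroring drive 0's table in the log (not a real image)."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, 0x1B8, 0xAAE9B975)            # disk signature
    entries = [(0x80, 0x07, 2048, 716800),                     # active NTFS system partition
               (0x00, 0x07, 718848, 499396608)]                # NTFS OS partition
    for i, (status, ptype, lba, numsec) in enumerate(entries):
        # CHS start/end fields stay zero; modern tools use only the LBA fields.
        struct.pack_into("<B3sB3sII", mbr, 0x1BE + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, numsec)
    mbr[0x1FE:0x200] = b"\x55\xAA"                             # boot signature 55AA
    return bytes(mbr)

def parse_mbr(sector: bytes) -> dict:
    """Decode the disk signature and the four 16-byte partition entries of an MBR sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, 0x1B8)[0]
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, numsec = struct.unpack_from(
            "<B3sB3sII", sector, 0x1BE + 16 * i)
        parts.append({"index": i, "type": ptype, "type_name": TYPE_NAMES.get(ptype, "Other"),
                      "active": status == 0x80, "lba": lba, "numsec": numsec})
    return {"disk_signature": f"{disk_sig:08X}", "partitions": parts}

def unpartitioned_ranges(parts: list, total_sectors: int) -> list:
    """[start, end) sector ranges covered by no table entry; sector 0 (the MBR) is skipped."""
    used = sorted((p["lba"], p["lba"] + p["numsec"]) for p in parts if p["numsec"])
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("Disk Signature:", info["disk_signature"])
    for p in info["partitions"]:
        print(f"Partition {p['index']} type {p['type_name']} (0x{p['type']:x}) "
              f"{'ACTIVE' if p['active'] else 'NOT ACTIVE'} LBA {p['lba']} Numsec {p['numsec']}")
    # 256060514304 bytes is the drive 0 size reported in the log
    print("Unpartitioned:", unpartitioned_ranges(info["partitions"], 256060514304 // SECTOR_SIZE))
```

Run against a real disk by reading its first 512 bytes (e.g. from \\.\PhysicalDrive0 with administrator rights) and compare the gaps with the disk's total sector count; a large gap that no tool's partition list accounts for is worth a closer look.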
Old 04-30-2013, 03:51 PM   #6
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,338
OS: WinXP Home, Vista, Windows 7 64bit

Hi hackked,

I'm not seeing any malware in the logs. Unfortunately, we can't remove what we can't see. Tell me more about how you know; perhaps I can try to figure it out from there.

What are you using OpenDNS for? Why are you using SQL? Are those necessary?
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried

Old 04-30-2013, 09:02 PM   #7
Registered Member
Join Date: Apr 2013
Posts: 13
OS: windows 8

I was trying to set up a dynamic IP, but failed. I know because of differences in the environment, and because I went and enabled all of the logging and I can pinpoint the times of the breach. And sure enough, the logs show the impersonation special login, and the time is at the vulnerable stage of computing where the information theft happens. I actually think it is being stored either in memory or on another non-storage device. As far as programs go, I only need PostgreSQL, Holdem Manager 2, PokerStars and security software. I know the SQL is risky, and I tried a Linux build, but HEM wasn't compatible. The malware actually takes control of my entire OS, from the Windows Update module to Internet Explorer itself. The malware force-installs a host of malicious drivers to manipulate the system into creating dozens of virtual adapters, backdoor remote access, as well as additional monitors duplicating my screen. Which brings me to my next reason I know when I'm being compromised. I use a 30 inch monitor and I also have a 20 inch monitor as well. Now, when I extend screens, picture quality is fine. Nothing changes in pixel density or chart numbers. Now if I duplicate the screen, visual performance is diminished on the 30. I'm sure it has to do with the screens not being the same size, but there is also a difference in audio, as I use high performance headphones. Now as far as the logging goes, the malware actually tries to destroy it but uses a wrong-syntax command, something like a wrong hash or something. The point is they make an attempt at destroying the special logon impersonation level 5 logs. And it's always at times where I have patterned vulnerable stages of my computing and can cross-check times and motive for specific times. This is not throwing darts. It is close to impossible for this to be randomness. This is clear intent of sabotogical theft.
__________________
hackked
Old 04-30-2013, 09:09 PM   #8
Registered Member
Join Date: Apr 2013
Posts: 13
OS: windows 8

Do you have a recommendation on how I can nuke my keyboard/monitor, mouse, RAM and anything else whose memory space can be hijacked? I am attempting another DRAM nuke on my own. I'm also gonna take out my memory sticks and try and install the OS first. I know the way I get reinfected is that my attempt at a clean install is being tainted by a mem cache of redirects to a host of malicious drivers that replace the reg core drivers.
__________________
hackked
Old 05-01-2013, 08:20 PM   #9
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,338
OS: WinXP Home, Vista, Windows 7 64bit

In the 8 yrs I've been doing this, I have never run into any sort of malware, nor heard of any malware that runs from peripheral devices such as a keyboard or mouse.

Quote:
The malware force installs a host of malicious drivers to manipulate the system into creating dozens of virtual adapters backdoor remote access as well as additional monitors duplicating my screen
What logs are you viewing that show you this invasion?
Ried

Old 05-03-2013, 07:07 AM   #10
Registered Member
Join Date: Apr 2013
Posts: 13
OS: windows 8

The Microsoft Event Viewer logs. And it appears to be mainly the recycler Trojan horse.
__________________
hackked
Old 05-03-2013, 07:10 AM   #11
Registered Member
Join Date: Apr 2013
Posts: 13
OS: windows 8

Everything I read about it fits perfectly. I think it's a variant of it. I have a $recycler.bin locked folder, and inside of it is another recycle folder, and it creates a hidden locked folder called Documents and Settings where inside is a bunch of shortcuts to admin tools as well as my desktop and start menus. And a bunch of programs called natuser. I also have a hiberfil.sys file and a pagefile.sys file, both close to 1 m Kb large, on a brand new install.
__________________
hackked
Old 05-03-2013, 07:11 AM   #12
Registered Member
Join Date: Apr 2013
Posts: 13
OS: windows 8

What if the keyboard is a G19, which has special USB ports as well as firmware for an LCD screen?
__________________
hackked
Old 05-03-2013, 07:19 PM   #13
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,338
OS: WinXP Home, Vista, Windows 7 64bit

Quote:
I have $recycler.bin locked folder and inside of it is another recycle folder and it creates a hidden locked folder called documents and settings where inside is a bunch of shortcuts to admin tools as well as my desktop and start menus
Can you get me a screen shot of that?

I don't see anything recent in the Event Viewer logs referencing the recycler Trojan horse. Also, none of the scans are showing that.
Ried

Old 05-04-2013, 10:15 PM   #14
Registered Member
Join Date: Apr 2013
Posts: 13
OS: windows 8

I formatted everything, but I have all the event logs. The $recycle.bin Trojan is normal, but it's using the icon of a recycle bin, and inside of it is another recycle bin, but what it actually is is a program that unloads about ten different users and groups, which is where the breach comes in, and they all have a .lnk shortcut folder with shortcuts to all admin tools and remote ports as well as my desktop, "which is the reason for the breach in the first place".

The main guts of the operation starts with a partition, but not a normal kind; this one is tricked out to blend in with the operating system install partition, but it's actually all tricked-out drivers to take full control of my OS. I'm talking drivers for everything, including Windows Update itself, and a bunch of protocol network drivers, as well as drivers to take over everything, and also a lot of focus on drivers that start on boot, heavily weighted toward the volume shadow copy emulator and boot disk as well as NetBIOS TCP/IP drivers.

So I think I'm doomed the second I press the power button and have no chance to format the partition. I tried using the DBAN nuke as well as the Samsung secure delete boot. Both show the drive missing about 20 GB, and I tried to fix the partition set, and it just doesn't read the hidden drive.

Another thing that happened is my monitor, and this is on both of my infected motherboards, starts to flicker bright white during the BIOS screen, like flashes, in a bad way. Almost like something is gonna break. The file inside of this $recycle.bin has an unknown owner, and I or my admin account has access.

But the thing is, I went and locked out the creatorrights user and authenticated users and locked the folder for everyone. I also set the size of recycle.bin to 0, and what happened next was an explosion on my desktop: instead of 1 folder with all those natuser.dat files and the folder with all the shortcuts to admin tools and desktop, they all got spread out in individual files.

And there was 1 file that said it wasn't found and gave a \\localc$\\gmt-1500 host not found. So I enabled my Internet and mapped that address to my network, and then it created a hard drive on my computer, and inside of that address were all the rogue drivers and services as well as the natuser files.

It said it was a LAN server. I've changed routers twice. It almost seems like my router is being hosted on another router or something. Is it possible someone can get access to my router from the other side? It's very possible the nefarious ones are physically very close, as I am in a community complex.
__________________
hackked
Old 05-06-2013, 04:12 PM   #15
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,338
OS: WinXP Home, Vista, Windows 7 64bit

It is possible that someone has hijacked your router, but you've changed routers twice. Did you change the default login and password to the router?
Ried

Old 05-14-2013, 08:45 AM   #16
Registered Member
Join Date: Apr 2013
Posts: 13
OS: windows 8

Yes I actually deleted the tech login and super user account as well.

I have found a filesystem.squashfs $recycle.bin partition on all of my hard drives. I have been trying unsuccessfully to delete the partition and the file system. I'm sure this is the main reason for my compromises, as I have also used 3G air cards and have been compromised as well.
__________________
hackked
Old 05-16-2013, 01:08 PM   #17
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,338
OS: WinXP Home, Vista, Windows 7 64bit

Quote:
filesystem.squashfs $recycle.bin
That's a Linux-based file system. What do you mean it's a partition? What tool are you using, and how are you determining this?

Ried
All times are GMT -7.
Copyright 2001 - 2014, Tech Support Forum