helpme33
Hi everyone. Desperately need help here. Basically I'm fairly sure the PC is infected with something that has root access, possibly a hidden boot partition on the hard drive, or worse (BIOS). Basically there's all sorts of processes, services & things running that I don't think should be. Windows Update won't work, there are now Group Policy controls running, even though the PC is a home PC. The firewall seems to be configured to leave the system wide open, and there's quite a few DCOM things running. Also, this may be normal, I'm not sure, but I'm using a 500GB HDD that has the System Reserved partition that Windows sets up automatically, but this partition is marked as Active, & the actual C: drive partition is marked as BOOT, PAGEFILE, CRASHDUMP & Primary. I've wiped the hard drive partitions & reinstalled a few times, cleared & updated the BIOS, but it just reinstalls back this way. All these logs are from a clean install with nothing but the programs themselves installed. There's also a hidden group of non-plug & play objects in the Device Manager controlling a lot of network authority stuff. I also have another blank 500GB installed, but this has been formatted & had its partitions wiped. Please HHEELLPP!
MBAM Quick Scan

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.13.03

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
pc1 :: pc [administrator]

Protection: Enabled

26/01/2011 00:55:26
mbam-log-2011-01-26 (00-55-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201673
Time elapsed: 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

DDS Scan

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by pc1 at 0:59:36 on 2011-01-26
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.353.1033.18.4095.2871 [GMT 0:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ie/
mWinlogon: Userinit=userinit.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: Interfaces\{3BFE3A88-130E-4593-B34E-3562A7D3A0FE} : NameServer = 89.101.160.4,89.101.160.5
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-1-26 655944]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
.
=============== Created Last 30 ================
.
2011-01-26 08:28:43 -------- d-----w- C:\Windows\Panther
2011-01-26 00:54:59 -------- d-----w- C:\Users\pc1\AppData\Roaming\Malwarebytes
2011-01-26 00:54:53 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-26 00:54:53 -------- d-----w- C:\ProgramData\Malwarebytes
2011-01-26 00:54:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-01-26 00:54:20 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{86AEB329-7848-41E3-8648-A1AA45834322}\mpengine.dll
2011-01-26 00:44:38 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2011-01-26 00:44:26 36864 ----a-w- C:\Windows\System32\wuapp.exe
2011-01-26 00:44:26 186752 ----a-w- C:\Windows\System32\wuwebv.dll
.
==================== Find3M ====================
.
.
============= FINISH: 0:59:55.25 ===============

ComboFix Log

ComboFix 12-07-13.01 - pc1 26/01/2011 1:06.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.353.1033.18.4095.2879 [GMT 0:00]
Running from: c:\users\pc1\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2010-12-26 to 2011-01-26 )))))))))))))))))))))))))))))))
.
.
2011-01-26 08:28 . 2011-01-26 00:37 -------- d-----w- c:\windows\Panther
2011-01-26 00:54 . 2012-07-03 13:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-26 00:54 . 2011-01-26 00:54 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-26 00:54 . 2011-01-26 00:54 -------- d-----w- c:\programdata\Malwarebytes
2011-01-26 00:54 . 2012-06-18 03:12 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{86AEB329-7848-41E3-8648-A1AA45834322}\mpengine.dll
2011-01-26 00:44 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2011-01-26 00:44 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2011-01-26 00:44 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2011-01-26 00:44 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2011-01-26 00:44 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2011-01-26 00:44 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2011-01-26 00:44 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2011-01-26 00:44 . 2012-06-02 15:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2011-01-26 00:44 . 2012-06-02 15:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2011-01-26 00:37 . 2011-01-26 00:37 -------- d-----w- c:\users\pc1
2011-01-26 00:37 . 2011-01-26 00:37 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NSIPROXY
*NewlyCreated* - WS2IFSL
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ie/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: Interfaces\{3BFE3A88-130E-4593-B34E-3562A7D3A0FE}: NameServer = 89.101.160.4,89.101.160.5
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2011-01-26 01:12:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-26 01:12
.
Pre-Run: 484,271,935,488 bytes free
Post-Run: 484,153,880,576 bytes free
.
- - End Of File - - 8655822A4F1CA92D69687DBF9A1F2EFC

aswMBR Log

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2011-01-26 01:58:37
-----------------------------
01:58:37.227 OS Version: Windows x64 6.1.7600
01:58:37.227 Number of processors: 4 586 0xF0B
01:58:37.227 ComputerName: PC UserName:
01:58:38.024 Initialize success
01:59:19.970 AVAST engine defs: 12071300
01:59:39.658 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000052
01:59:39.658 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
01:59:39.673 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000053
01:59:39.673 Disk 1 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
01:59:39.673 Disk 0 MBR read successfully
01:59:39.689 Disk 0 MBR scan
01:59:39.689 Disk 0 Windows 7 default MBR code
01:59:39.689 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 476938 MB offset 2048
01:59:39.705 Disk 0 scanning C:\Windows\system32\drivers
01:59:43.142 Service scanning
01:59:52.564 Modules scanning
01:59:52.564 Disk 0 trace - called modules:
01:59:52.580 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor.sys
01:59:52.580 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d4a060]
01:59:52.580 3 CLASSPNP.SYS[fffff8800199343f] -> nt!IofCallDriver -> [0xfffffa8004aefd80]
01:59:52.595 5 ACPI.sys[fffff88000f17781] -> nt!IofCallDriver -> \Device\00000052[0xfffffa8004ae0540]
01:59:53.439 AVAST engine scan C:\
02:08:49.573 Scan finished successfully
02:10:01.354 Disk 0 MBR has been saved successfully to "C:\Users\pc1\Desktop\MBR.dat"
02:10:01.354 The log file has been saved successfully to "C:\Users\pc1\Desktop\aswMBR.txt"

Can anyone help with this? Do I even have anything suspicious running or is it all normal? PLEASE ADVISE.....

DDS Attach.txt