AlanH
Hello, I know you're all busy, so I'll keep this as short and as easy to read as possible. I have a rootkit that's been here for a while. I've been keylogged, monitored, lost admin rights, had the BSOD, so I physically replaced the RAM, wiped my HDD several times, gone into the BIOS and flashed from there; antivirus has stopped before finishing, reads the infection as clean and can't update; new antivirus doesn't pick up anything; the virus is written to the MBR, which Windows can't pick up; it worms itself through drivers, and I replaced the GFX card. I have a TV and STB that I can't connect to the Internet yet, because when I purchased a new laptop, as soon as I connected the wifi the laptop got infected. I read this can be done with DNS Changer, as the DNS downloads new malware even to clean PCs. I don't have DNS Changer, but the DNS being hijacked would do the same thing. I've used GMER, FixTDSS, Ewido, MBRScan, Kaspersky, AVG, MSE, Rootbuster, RogueKiller, TDSSKiller and more; nothing will pick it up. Based on my firewall, I think there is a hidden network when I connect, and I want to know what programs are the best for finding out anything hiding behind or configuring the router. When I check ipconfig it says the DNS is 10.1.1.1, but wouldn't it just be the DNS from the ISP? No rogue DNS can be displayed, but all the symptoms of an infected DNS are there. I get skidded web sites, kiddie scripts, blocked or denial of service. I have changed my ISP account, but it's like the router is still configured to be under attack, because the ADSL light wasn't solid before I even connected the PC to try the new account. Could it be access to the phone line alone? I know my calls have been listened in on or disconnected.
--------------------------------------------------------------------------------

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-01 19:50:13
-----------------------------
19:50:13.761 OS Version: Windows 6.1.7601 Service Pack 1
19:50:13.761 Number of processors: 1 586 0xD06
19:50:13.761 ComputerName: ALAN-LAPTOP UserName: Alan
19:50:26.995 Initialize success
19:50:33.737 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:50:33.737 Disk 0 Vendor: SAMSUNG_HM121HC LS100-10 Size: 114473MB BusType: 3
19:50:33.757 Disk 0 MBR read successfully
19:50:33.757 Disk 0 MBR scan
19:50:33.767 Disk 0 Windows 7 default MBR code
19:50:33.777 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114471 MB offset 2048
19:50:33.787 Disk 0 scanning sectors +234438656
19:50:33.867 Disk 0 scanning C:\Windows\system32\drivers
19:50:40.006 Service scanning
19:50:45.714 Service krnl_akl C:\Windows\system32\drivers\krnl_akl.sys **LOCKED** 32
19:50:46.695 Service MpKsl374e93b4 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{335F7451-63CD-471B-9718-FFC4E1316591}\MpKsl374e93b4.sys **LOCKED** 32
19:50:56.740 Modules scanning
19:51:08.757 Disk 0 trace - called modules:
19:51:08.797 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
19:51:08.807 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85176528]
19:51:08.817 3 CLASSPNP.SYS[87e8d59e] -> nt!IofCallDriver -> [0x844215e0]
19:51:08.827 5 ACPI.sys[8764a3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x850b7030]
19:51:08.847 Scan finished successfully
20:09:46.807 Disk 0 MBR has been saved successfully to "C:\Users\Alan\Desktop\MBR.dat"
20:09:46.817 The log file has been saved successfully to "C:\Users\Alan\Desktop\aswMBR.txt"

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-01 20:23:26
-----------------------------
20:23:26.028 OS Version: Windows 6.1.7601 Service Pack 1
20:23:26.028 Number of processors: 1 586 0xD06
20:23:26.028 ComputerName: ALAN-LAPTOP UserName: Alan
20:23:26.839 Initialize success
20:23:30.664 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:23:30.674 Disk 0 Vendor: SAMSUNG_HM121HC LS100-10 Size: 114473MB BusType: 3
20:23:30.694 Disk 0 MBR read successfully
20:23:30.704 Disk 0 MBR scan
20:23:30.704 Disk 0 Windows 7 default MBR code
20:23:30.714 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114471 MB offset 2048
20:23:30.724 Disk 0 scanning sectors +234438656
20:23:30.784 Disk 0 scanning C:\Windows\system32\drivers
20:23:36.603 Service scanning
20:23:41.961 Service krnl_akl C:\Windows\system32\drivers\krnl_akl.sys **LOCKED** 32
20:23:42.862 Service MpKsl374e93b4 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{335F7451-63CD-471B-9718-FFC4E1316591}\MpKsl374e93b4.sys **LOCKED** 32
20:23:52.185 Modules scanning
20:24:03.605 Disk 0 trace - called modules:
20:24:03.625 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
20:24:03.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85176528]
20:24:03.625 3 CLASSPNP.SYS[87e8d59e] -> nt!IofCallDriver -> [0x844215e0]
20:24:03.625 5 ACPI.sys[8764a3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x850b7030]
20:24:03.625 Scan finished successfully
20:24:12.932 Disk 0 MBR has been saved successfully to "C:\Users\Alan\Desktop\MBR.dat"
20:24:12.952 The log file has been saved successfully to "C:\Users\Alan\Desktop\aswMBR.txt"

--------------------------------------------------------------------------------

MBRScan v1.1.1
OS : Windows 7 Service Pack 1 (32 bit)
PROCESSOR : x86 Family 6 Model 13 Stepping 6, GenuineIntel
BOOT : Normal Boot
DATE : 2012/09/01 (ISO 8601) at 20:22:50
________________________________________________________________________________
DISK : Device\Harddisk0\DR0 __SAMSUNG HM121HC (LS100-10)
BUS_TYPE : (0x03) P-ATA
USE_PIO : NO
MAX_TRANSFER : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________
Device\Harddisk0\DR0 111.8 Go [Fixed] ==> 7 MBR Code
MBR_MD5 : EA7111D01CF65E981A7ED331D2CCCC18
MBR_SHA1 : 0DF8508901D6811ACF3FC0D5C6F718A94ED56C8A
Device\Harddisk0\Partition1 111.8 Go 0x07 NTFS / HPFS __ BOOTABLE __
________________________________________________________________________________
############################### Additional scan ################################
DRIVER : C:\Windows\System32\Drivers\dump_dumpata.sys => Invisible on the disk
ADDRESS : 0x8EABA000 SIZE : 44.0 Ko
DRIVER : C:\Windows\System32\Drivers\dump_atapi.sys => Invisible on the disk
ADDRESS : 0x8EAC5000 SIZE : 36.0 Ko
DRIVER : C:\Windows\System32\Drivers\dump_dumpfve.sys => Invisible on the disk
ADDRESS : 0x8EACE000 SIZE : 68.0 Ko
DRIVER : C:\Users\Alan\AppData\Local\Temp\aswMBR.sys => Invisible on the disk
ADDRESS : 0x93C00000 SIZE : 48.0 Ko
BCD EmsSettings {0CE4991B-E6B3-4B16-B23C-5E0D9250E5D9} => BcdLibraryBoolean_EmsEnabled (16000020)
SystemStartOptions : NOEXECUTE=OPTIN
________________________________________________________________________________
_______MBR \Device\Harddisk0\DR0
0x00000000 33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 3À.м.|.À.ؾ.|¿.
0x00000010 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00 .¹..üó¤Ph..Ëû¹..
0x00000020 BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 ½¾..~..|......Å.
0x00000030 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00 âñÍ..V.UÆF..ÆF..
0x00000040 B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 ´A»ªUÍ.]r..ûUªu.
0x00000050 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74 ÷Á..t.þF.f`.~..t
0x00000060 26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 &fh....f.v.h..h.
0x00000070 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13 |h..h..´B.V..ôÍ.
0x00000080 9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 ..Ä..Ë.¸..».|.V.
0x00000090 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE .v..N..n.Í.fas.þ
0x000000A0 4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 N.u..~......².Ë.
0x000000B0 55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55 U2Ä.V.Í.]Ë..>þ}U
0x000000C0 AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 ªun.v.è..u.ú°ñÆd
0x000000D0 E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75 è..°ßÆ`è|.°.Ædèu
0x000000E0 00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 .û¸.»Í.f#Àu;f.ûT
0x000000F0 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00 CPAu2.ù..r,fh.».
0x00000100 00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 .fh....fh....fSf
0x00000110 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66 SfUfh....fh.|..f
0x00000120 61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD ah...Í.Z2öê.|..Í
0x00000130 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4 ..·.Ë..¶.Ë..µ.2Ä
0x00000140 05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD ....Ь<.t.»..´.Í
0x00000150 10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8 .ËòôËý+ÉÄdË.$.ÀØ
0x00000160 24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 $.ÃInvalid parti
0x00000170 74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 tion table.Error
0x00000180 20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 loading operati
0x00000190 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E ng system.Missin
0x000001A0 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 g operating syst
0x000001B0 65 6D 00 00 00 63 7B 9A 64 C5 C4 A3 00 00 80 20 em...c{.dÅÄ£...
0x000001C0 21 00 07 FE FF FF 00 08 00 00 00 38 F9 0D 00 00 !..þ.......8ù...
0x000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª

--------------------------------------------------------------------------------

RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User: Alan [Admin rights]
Mode: Scan -- Date: 09/01/2012 20:33:40

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[39] : NtAlpcSendWaitReceivePort @ 0x82A7DCC5 -> HOOKED (Unknown @ 0x853073F0)
SSDT[215] : NtProtectVirtualMemory @ 0x82A6E483 -> HOOKED (Unknown @ 0x85DA4A18)
SSDT[370] : NtTerminateProcess @ 0x82A4A3E6 -> HOOKED (Unknown @ 0x85308380)
S_SSDT[14] : Unknown -> HOOKED (Unknown @ 0x85DA7FD0)
S_SSDT[302] : Unknown -> HOOKED (Unknown @ 0x85DA6CD8)
S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x85DA1A00)
S_SSDT[361] : Unknown -> HOOKED (Unknown @ 0x85D96B50)
S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x85DADC90)
S_SSDT[408] : Unknown -> HOOKED (Unknown @ 0x85D9CBF0)
S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x85DADBC0)
S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x85DADC28)
S_SSDT[447] : Unknown -> HOOKED (Unknown @ 0x85DB0F68)
S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x85DB0FD0)
S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x85DAD868)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0x85D9C8B0)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x85DAE858)
S_SSDT[594] : Unknown -> HOOKED (Unknown @ 0x85DA0A58)
S_SSDT[607] : Unknown -> HOOKED (Unknown @ 0x85DA1868)
_INLINE_ : NtCreateKey -> HOOKED (Unknown @ 0x85DA6B38)
_INLINE_ : NtOpenKey -> HOOKED (Unknown @ 0x85DA7E48)
_INLINE_ : NtOpenKeyEx -> HOOKED (Unknown @ 0x85DADCF8)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HM121HC ATA Device +++++
--- User ---
[MBR] ea7111d01cf65e981a7ed331d2cccc18
[bSP] 41f6f0124a45d065c91422fa63be84ab : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>

Can anyone give me some info on this please. Did the reports I posted seem suspicious in any way?