
A challenge for Malware Bytes Removal team



OK, did the ListParts and it is showing a suspicious file.

ListParts by Farbar Version: 16-01-2013

Ran by pete (administrator) on 30-01-2013 at 07:42:34

Windows 7 (X64)

Running From: C:\Users\pete\Desktop

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 23%

Total physical RAM: 3954.68 MB

Available physical RAM: 3038.62 MB

Total Pagefile: 7907.5 MB

Available Pagefile: 6995.53 MB

Total Virtual: 4095.88 MB

Available Virtual: 3996.21 MB

======================= Partitions =========================

1 Drive c: (S3A9506D003) (Fixed) (Total:582.97 GB) (Free:559.38 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive e: () (Removable) (Total:0.95 GB) (Free:0.57 GB) FAT32

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 596 GB 0 B

Disk 1 Online 979 MB 0 B

Partitions of Disk 0:

===============

Disk ID: 6F414327

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 1500 MB 1024 KB

Partition 2 Primary 582 GB 1501 MB

Partition 3 Primary 11 GB 584 GB

======================================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C S3A9506D003 NTFS Partition 582 GB Healthy Boot

======================================================================================================

Disk: 0

Partition 3

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:

===============

The disk you specified is not valid.

There is no disk selected.

======================================================================================================

'bcdedit' is not recognized as an internal or external command,

operable program or batch file.

****** End Of Log ******


OK, I am doing the wipe-the-hard-drive-clean and zeroing the drive with the Toshiba tools. It's a long process but will see how it goes. I don't believe it's going to work because I saw 2 BIOS posts and know for sure that is not normal .... which leads me back to the initial: this is a BIOS hack on all of the machines. If the hard drive always has a small inaccessible partition at the beginning of the drive I can't reach sector zero, therefore they will always be in control of my machines. I will let you know how it goes.. cheers


OK, did the factory reset and again it only called for 3 out of the 4 disks. I followed this up by using RogueKiller immediately after and again that same Acer partition has come up. There is definitely something pushing the install past sector zero to maintain control of the computer.

Here is the MBR report

+++++ PhysicalDrive0: TOSHIBA MK6465GSX ATA Device +++++

--- User ---

[MBR] 14e8556750d71ec00f2fc0d0c3de1169

[BSP] 9ae1aab3ff9d5051e434a0c8a6efa73a : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 596964 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1225656320 | Size: 12015 Mo

User = LL1 ... OK!

User = LL2 ... OK!

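The partition-table lines in the ListParts, RogueKiller and aswMBR logs in this thread are all read from the same 64 bytes at offset 446 of sector zero. The script below is an added example, not part of the thread or of any of those tools: it parses an MBR sector the way those tools print it (type id, active flag, hidden type, offset in sectors, size in MB), then checks for overlaps, multiple active entries and unallocated space outside every partition. The sample sector is constructed here from the offsets and sizes the logs report (2048 / 3074048 / 1225656320 sectors; 1500 / 596964 / 12015 MB; disk size 610480 MB from aswMBR); the type names follow ListParts and aswMBR, which treat 0x27 as a hidden WinRE partition, whereas RogueKiller labels the same id "ACER" and visible.

```python
"""Parse the 64-byte partition table of an MBR sector and classify each entry the
way ListParts / RogueKiller / aswMBR print it, then run basic layout checks.
Added example; the sample sector is constructed from values quoted in the logs."""
import struct

SECTOR = 512
MB_SECTORS = 1024 * 1024 // SECTOR   # 2048 sectors per MB, the unit the logs use

# Partition-type ids as they appear in the logs. 0x07 is plain NTFS; 0x17 and
# 0x27 are "hidden" variants, 0x27 being the id Windows uses for the WinRE
# recovery partition. Unknown ids are reported as "unknown 0x??".
TYPE_NAMES = {
    0x00: "empty",
    0x07: "HPFS/NTFS",
    0x17: "Hidden HPFS/NTFS",
    0x27: "Hidden NTFS WinRE",
}
# Hidden FAT/NTFS type ids (the vendor "hidden" bit, 0x10, set on the base type).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}

# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")
TABLE_OFFSET = 446


def parse_mbr(sector):
    """Return a list of dicts, one per non-empty entry of the partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "unknown 0x%02X" % ptype),
            "hidden": ptype in HIDDEN_TYPES,
            "offset": lba,
            "sectors": count,
            "size_mb": count // MB_SECTORS,
        })
    return parts


def layout_checks(parts, disk_sectors):
    """Findings a reviewer wants: overlapping entries, more than one active entry,
    and sectors not covered by any partition (space outside every volume)."""
    findings = []
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one active partition")
    prev_end = 0
    for p in sorted(parts, key=lambda p: p["offset"]):
        if p["offset"] < prev_end:
            findings.append("partition %d overlaps the previous one" % p["index"])
        elif prev_end != 0 and p["offset"] > prev_end:   # gap before first entry is the MBR gap
            findings.append("%d unallocated sectors before partition %d"
                            % (p["offset"] - prev_end, p["index"]))
        prev_end = max(prev_end, p["offset"] + p["sectors"])
    if prev_end < disk_sectors:
        findings.append("%d unallocated sectors after the last partition" % (disk_sectors - prev_end))
    elif prev_end > disk_sectors:
        findings.append("partition table extends past the end of the disk")
    return findings


def build_entry(status, ptype, lba, count):
    """Pack one 16-byte table entry (CHS fields zeroed; the parser ignores them)."""
    return ENTRY.pack(status, b"\0\0\0", ptype, b"\0\0\0", lba, count)


# Constructed sample sector: the three entries the logs report.
SAMPLE_MBR = (
    bytes(TABLE_OFFSET)
    + build_entry(0x80, 0x27, 2048, 1500 * MB_SECTORS)
    + build_entry(0x00, 0x07, 3074048, 596964 * MB_SECTORS)
    + build_entry(0x00, 0x17, 1225656320, 12015 * MB_SECTORS)
    + bytes(16)
    + b"\x55\xAA"
)
SAMPLE_DISK_MB = 610480   # disk size reported by aswMBR for this drive


def report(sector=SAMPLE_MBR, disk_mb=SAMPLE_DISK_MB):
    """Print the table in RogueKiller's layout and any layout findings."""
    parts = parse_mbr(sector)
    for p in parts:
        print("%d - [%s] %s (0x%02X) [%s] Offset (sectors): %d | Size: %d MB" % (
            p["index"], "ACTIVE" if p["active"] else "XXXXXX", p["name"], p["type"],
            "HIDDEN!" if p["hidden"] else "VISIBLE", p["offset"], p["size_mb"]))
    for finding in layout_checks(parts, disk_mb * MB_SECTORS):
        print("  !", finding)
    return parts


if __name__ == "__main__":
    report()
```

For the sample values the three entries are contiguous and end exactly at the reported disk size, so the layout check reports nothing; feeding the same parser the MBR.dat that aswMBR saves would show whether a real table leaves space outside every partition.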

RogueKiller V8.4.3 _x64_ [Jan 27 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Peter [Admin rights]

Mode : Remove -- Date : 01/31/2013 03:58:56

| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

and here are the files RogueKiller tried to remove and replace


Tests from MiniToolBox supplied because they are probably using internal networking to keep the crud in place.

MiniToolBox by Farbar Version:10-01-2013

Ran by Peter (administrator) on 31-01-2013 at 04:11:27

Running from "C:\Users\Peter\Downloads"

Windows 7 Home Premium (X64)

Boot Mode: Normal

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.

No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= Hosts content: =================================

========================= IP Configuration: ================================

Broadcom 802.11n Network Adapter = Wireless Network Connection (Connected)

Realtek PCIe FE Family Controller = Local Area Connection (Media disconnected)

# ----------------------------------

# IPv4 Configuration

# ----------------------------------

pushd interface ipv4

reset

set global icmpredirects=enabled

popd

# End of IPv4 configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : Peter-PC

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom 802.11n Network Adapter

Physical Address. . . . . . . . . : E8-39-DF-16-23-C4

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Link-local IPv6 Address . . . . . : fe80::79ff:1300:5f58:46b3%12(Preferred)

IPv4 Address. . . . . . . . . . . : 192.168.0.5(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Lease Obtained. . . . . . . . . . : Thursday, 31 January 2013 3:41:19 AM

Lease Expires . . . . . . . . . . : Friday, 1 February 2013 3:41:19 AM

Default Gateway . . . . . . . . . : 192.168.0.1

DHCP Server . . . . . . . . . . . : 192.168.0.1

DHCPv6 IAID . . . . . . . . . . . : 317209055

DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-9B-F9-4C-88-AE-1D-45-F4-9A

DNS Servers . . . . . . . . . . . : 192.168.0.1

NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek PCIe FE Family Controller

Physical Address. . . . . . . . . : 88-AE-1D-45-F4-9A

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{BEE03102-2679-4104-84E0-5A2D74B84423}:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Microsoft ISATAP Adapter

Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

DHCP Enabled. . . . . . . . . . . : No

Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

DHCP Enabled. . . . . . . . . . . : No

Autoconfiguration Enabled . . . . : Yes

IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:2440:7a9:3f57:fffa(Preferred)

Link-local IPv6 Address . . . . . : fe80::2440:7a9:3f57:fffa%13(Preferred)

Default Gateway . . . . . . . . . : ::

NetBIOS over Tcpip. . . . . . . . : Disabled

Server: UnKnown

Address: 192.168.0.1

Name: google.com

Addresses: 2404:6800:4006:803::1008

74.125.237.73

74.125.237.78

74.125.237.64

74.125.237.65

74.125.237.66

74.125.237.67

74.125.237.68

74.125.237.69

74.125.237.70

74.125.237.71

74.125.237.72

Pinging google.com [74.125.237.72] with 32 bytes of data:

Reply from 74.125.237.72: bytes=32 time=57ms TTL=57

Reply from 74.125.237.72: bytes=32 time=56ms TTL=57

Ping statistics for 74.125.237.72:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 56ms, Maximum = 57ms, Average = 56ms

Server: UnKnown

Address: 192.168.0.1

Name: yahoo.com

Addresses: 98.139.183.24

206.190.36.45

98.138.253.109

Pinging yahoo.com [98.138.253.109] with 32 bytes of data:

Reply from 98.138.253.109: bytes=32 time=287ms TTL=47

Reply from 98.138.253.109: bytes=32 time=358ms TTL=47

Ping statistics for 98.138.253.109:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 287ms, Maximum = 358ms, Average = 322ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================

Interface List

12...e8 39 df 16 23 c4 ......Broadcom 802.11n Network Adapter

11...88 ae 1d 45 f4 9a ......Realtek PCIe FE Family Controller

1...........................Software Loopback Interface 1

14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter

13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

===========================================================================

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.5 30

127.0.0.0 255.0.0.0 On-link 127.0.0.1 306

127.0.0.1 255.255.255.255 On-link 127.0.0.1 306

127.255.255.255 255.255.255.255 On-link 127.0.0.1 306

192.168.0.0 255.255.255.0 On-link 192.168.0.5 286

192.168.0.5 255.255.255.255 On-link 192.168.0.5 286

192.168.0.255 255.255.255.255 On-link 192.168.0.5 286

224.0.0.0 240.0.0.0 On-link 127.0.0.1 306

224.0.0.0 240.0.0.0 On-link 192.168.0.5 286

255.255.255.255 255.255.255.255 On-link 127.0.0.1 306

255.255.255.255 255.255.255.255 On-link 192.168.0.5 286

===========================================================================

Persistent Routes:

None

IPv6 Route Table

===========================================================================

Active Routes:

If Metric Network Destination Gateway

13 58 ::/0 On-link

1 306 ::1/128 On-link

13 58 2001::/32 On-link

13 306 2001:0:9d38:6ab8:2440:7a9:3f57:fffa/128

On-link

12 286 fe80::/64 On-link

13 306 fe80::/64 On-link

13 306 fe80::2440:7a9:3f57:fffa/128

On-link

12 286 fe80::79ff:1300:5f58:46b3/128

On-link

1 306 ff00::/8 On-link

13 306 ff00::/8 On-link

12 286 ff00::/8 On-link

===========================================================================

Persistent Routes:

None

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [51712] (Microsoft Corporation)

Catalog5 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)

Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)

Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)

Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)

Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)

Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)

Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)

x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70144] (Microsoft Corporation)

x64-Catalog5 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)

x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)

x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)

x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)

x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)

x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)

x64-Catalog9 01 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog9 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog9 03 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog9 04 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog9 05 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog9 06 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog9 07 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog9 08 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog9 09 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

x64-Catalog9 10 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:

==================

Error: (01/31/2013 03:32:37 AM) (Source: Microsoft-Windows-RestartManager) (User: Peter-PC)

Description: Application or service 'Bing Bar' could not be shut down.

Error: (01/31/2013 03:00:26 AM) (Source: Microsoft-Windows-User Profiles Service) (User: NT AUTHORITY)

Description: Windows cannot delete the profile directory C:\Users\Administrator. This error may be caused by files in this directory being used by another program.

DETAIL - The directory is not empty.

Error: (01/31/2013 02:52:08 AM) (Source: SideBySide) (User: )

Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.

Component identity found in manifest does not match the identity of the component requested.

Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".

Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".

Please use sxstrace.exe for detailed diagnosis.

Error: (01/31/2013 02:52:08 AM) (Source: SideBySide) (User: )

Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.

Component identity found in manifest does not match the identity of the component requested.

Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".

Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".

Please use sxstrace.exe for detailed diagnosis.

System errors:

=============

Error: (01/31/2013 03:05:54 AM) (Source: Microsoft-Windows-Time-Service) (User: NT AUTHORITY)

Description: The time service has detected that the system time needs to be changed by -62979 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.24:123) is working properly.

Microsoft Office Sessions:

=========================

Error: (01/31/2013 03:32:37 AM) (Source: Microsoft-Windows-RestartManager)(User: Peter-PC)

Description: 2C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1407.0\mswinext.exeBing Bar0221720640

Error: (01/31/2013 03:00:26 AM) (Source: Microsoft-Windows-User Profiles Service)(User: NT AUTHORITY)

Description: C:\Users\AdministratorThe directory is not empty.

Error: (01/31/2013 02:52:08 AM) (Source: SideBySide)(User: )

Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMaker.ExeC:\Program Files (x86)\Windows Live\Photo Gallery\WLMFDS.DLL8

Error: (01/31/2013 02:52:08 AM) (Source: SideBySide)(User: )

Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMaker.ExeC:\Program Files (x86)\Windows Live\Photo Gallery\WLMFDS.DLL8

=========================== Installed Programs ============================

Adobe Flash Player 10 ActiveX (Version: 10.0.45.2)

Adobe Reader 9.3 (Version: 9.3.0)

ATI Catalyst Install Manager (Version: 3.0.765.0)

Bejeweled 2 Deluxe (Version: 2.2.0.82)

Bluetooth Stack for Windows by Toshiba (Version: v7.10.10(T))

Broadcom 802.11 Network Adapter (Version: 5.60.48.42)

Catalyst Control Center - Branding (Version: 1.00.0000)

Catalyst Control Center Core Implementation (Version: 2010.0315.1050.17562)

Catalyst Control Center Graphics Full Existing (Version: 2010.0315.1050.17562)

Catalyst Control Center Graphics Full New (Version: 2010.0315.1050.17562)

Catalyst Control Center Graphics Light (Version: 2010.0315.1050.17562)

Catalyst Control Center Graphics Previews Common (Version: 2010.0315.1050.17562)

Catalyst Control Center Graphics Previews Vista (Version: 2010.0315.1050.17562)

Catalyst Control Center InstallProxy (Version: 2010.0315.1050.17562)

Catalyst Control Center Localization All (Version: 2010.0315.1050.17562)

ccc-core-static (Version: 2010.0315.1050.17562)

ccc-utility64 (Version: 2010.0315.1050.17562)

CCC Help Chinese Standard (Version: 2010.0315.1049.17562)

CCC Help Chinese Traditional (Version: 2010.0315.1049.17562)

CCC Help Czech (Version: 2010.0315.1049.17562)

CCC Help Danish (Version: 2010.0315.1049.17562)

CCC Help Dutch (Version: 2010.0315.1049.17562)

CCC Help English (Version: 2010.0315.1049.17562)

CCC Help Finnish (Version: 2010.0315.1049.17562)

CCC Help French (Version: 2010.0315.1049.17562)

CCC Help German (Version: 2010.0315.1049.17562)

CCC Help Greek (Version: 2010.0315.1049.17562)

CCC Help Hungarian (Version: 2010.0315.1049.17562)

CCC Help Italian (Version: 2010.0315.1049.17562)

CCC Help Japanese (Version: 2010.0315.1049.17562)

CCC Help Korean (Version: 2010.0315.1049.17562)

CCC Help Norwegian (Version: 2010.0315.1049.17562)

CCC Help Polish (Version: 2010.0315.1049.17562)

CCC Help Portuguese (Version: 2010.0315.1049.17562)

CCC Help Russian (Version: 2010.0315.1049.17562)

CCC Help Spanish (Version: 2010.0315.1049.17562)

CCC Help Swedish (Version: 2010.0315.1049.17562)

CCC Help Thai (Version: 2010.0315.1049.17562)

CCC Help Turkish (Version: 2010.0315.1049.17562)

Chuzzle Deluxe (Version: 2.2.0.82)

Corel WinDVD (Version: 10.0.5.349)

Escape Rosecliff Island (Version: 2.2.0.82)

FATE - The Traitor Soul (Version: 2.2.0.82)

Final Drive Nitro (Version: 2.2.0.82)

HDAUDIO Soft Data Fax Modem with SmartCP (Version: 7.80.4.50)

Intel® Management Engine Components (Version: 6.0.0.1179)

Intel® Turbo Boost Technology Driver (Version: 01.01.01.1007)

Java 6 Update 17 (Version: 6.0.170)

Jewel Quest 3 (Version: 2.2.0.82)

Junk Mail filter update (Version: 14.0.8089.726)

Microsoft Application Error Reporting (Version: 12.0.6015.5000)

Microsoft Choice Guard (Version: 2.0.48.0)

Microsoft Silverlight (Version: 3.0.40818.0)

Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)

Microsoft Visual C++ 2005 Redistributable (Version: 8.0.50727.42)

Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)

MSVCRT (Version: 14.0.1468.721)

Penguins! (Version: 2.2.0.82)

PlayReady PC Runtime amd64 (Version: 1.3.0)

Polar Bowler (Version: 2.2.0.82)

Realtek Ethernet Controller Driver For Windows 7 (Version: 7.13.112.2010)

Realtek HDMI Audio Driver for ATI (Version: 6.0.1.5992)

Realtek High Definition Audio Driver (Version: 6.0.1.6069)

Realtek USB 2.0 Card Reader (Version: 6.1.7600.30111)

Synaptics Pointing Device Driver (Version: 15.0.8.1)

TOSHIBA Assist (Version: 3.00.11)

TOSHIBA Bulletin Board (Version: 1.6.07.64)

TOSHIBA ConfigFree (Version: 8.0.28)

TOSHIBA Disc Creator (Version: 2.1.0.2 for x64)

TOSHIBA eco Utility (Version: 1.2.11.64)

TOSHIBA Flash Cards Support Utility (Version: 1.63.0.6C)

TOSHIBA Hardware Setup (Version: 1.63.0.22C)

TOSHIBA HDD/SSD Alert (Version: 3.1.64.6)

TOSHIBA Media Controller (Version: 1.0.80.3.64)

TOSHIBA Media Controller Plug-in (Version: 1.0.5.10)

TOSHIBA PC Health Monitor (Version: 1.6.0.64)

TOSHIBA Recovery Media Creator (Version: 2.1.0.4 for x64)

TOSHIBA ReelTime (Version: 1.6.06.64)

TOSHIBA Service Station (Version: 2.1.40)

TOSHIBA Speech System Applications (Version: 1.00.2518)

TOSHIBA Speech System SR Engine(U.S.) Version1.0

TOSHIBA Speech System TTS Engine(U.S.) Version1.0

TOSHIBA Supervisor Password (Version: 1.63.0.9C)

TOSHIBA Value Added Package (Version: 1.3.3.64)

TOSHIBA Web Camera Application (Version: 1.1.1.15)

Utility Common Driver (Version: 1.0.52.1C)

Virtual Villagers - The Secret City (Version: 2.2.0.82)

WildTangent Games (Version: 1.0.0.80)

WildTangent ORB Game Console

Windows Live Call (Version: 14.0.8064.0206)

Windows Live Communications Platform (Version: 14.0.8064.206)

Windows Live Essentials (Version: 14.0.8089.0726)

Windows Live Essentials (Version: 14.0.8089.726)

Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)

Windows Live Mail (Version: 14.0.8089.0726)

Windows Live Messenger (Version: 14.0.8089.0726)

Windows Live Movie Maker (Version: 14.0.8091.0730)

Windows Live Photo Gallery (Version: 14.0.8081.709)

Windows Live Sync (Version: 14.0.8089.726)

Windows Live Upload Tool (Version: 14.0.8014.1029)

Windows Live Writer (Version: 14.0.8089.0726)

Zuma's Revenge (Version: 2.2.0.82)

========================= Devices: ================================

========================= Memory info: ===================================

Percentage of memory in use: 32%

Total physical RAM: 3954.68 MB

Available physical RAM: 2655.1 MB

Total Pagefile: 7907.5 MB

Available Pagefile: 6392 MB

Total Virtual: 4095.88 MB

Available Virtual: 3968.55 MB

========================= Partitions: =====================================

1 Drive c: (S3A9506D003) (Fixed) (Total:582.97 GB) (Free:561.22 GB) NTFS

========================= Users: ========================================

User accounts for \\

Administrator Guest Peter

========================= Minidump Files ==================================

No minidump file found

========================= Restore Points ==================================

31-01-2013 11:02:51 TOSHIBA Default System Restore Point

31-01-2013 11:12:16 Removed 2007 Microsoft Office system

31-01-2013 11:15:33 Removed Microsoft Office 2003 Web Components

31-01-2013 11:16:40 Removed Microsoft Office 2007 Primary Interop Assemblies

31-01-2013 11:17:07 Removed Microsoft Office Small Business Connectivity Components

31-01-2013 11:17:41 Removed Microsoft Office Suite Activation Assistant.

31-01-2013 11:27:05 Windows Update

31-01-2013 11:31:09 Removed Microsoft SQL Server Native Client

31-01-2013 11:38:12 Removed Norton Online Backup

31-01-2013 11:43:47 Configured TOSHIBA Face Recognition

**** End of log ****


Hey pgpav2003,

Please download aswMBR by gmer to your Desktop.

  • Please visit this site for instructions on how to run the tool.
  • Once familiar with this tool, double click aswMBR.exe to run it.
  • Click the Scan button to start the scan.
  • Once the scan has completed, please save the aswMBR.txt log to the Desktop and post it in your next reply.


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2013-01-31 09:07:50

-----------------------------

09:07:50.604 OS Version: Windows x64 6.1.7600

09:07:50.604 Number of processors: 4 586 0x2502

09:07:50.604 ComputerName: PETER-PC UserName: Peter

09:07:52.024 Initialize success

09:11:25.179 AVAST engine defs: 13013000

09:13:04.317 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1

09:13:04.333 Disk 0 Vendor: TOSHIBA_MK6465GSX GJ003M Size: 610480MB BusType: 3

09:13:04.348 Disk 0 MBR read successfully

09:13:04.348 Disk 0 MBR scan

09:13:04.364 Disk 0 Windows VISTA default MBR code

09:13:04.364 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048

09:13:04.380 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 596964 MB offset 3074048

09:13:04.426 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 12015 MB offset 1225656320

09:13:04.473 Disk 0 scanning C:\windows\system32\drivers

09:13:09.808 Service scanning

09:13:37.998 Modules scanning

09:13:38.013 Disk 0 trace - called modules:

09:13:38.044 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys

09:13:38.060 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c48060]

09:13:38.060 3 CLASSPNP.SYS[fffff880018a543f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa80049a7060]

09:13:39.136 AVAST engine scan C:\windows

09:13:41.180 AVAST engine scan C:\windows\system32

09:15:15.014 AVAST engine scan C:\windows\system32\drivers

09:15:22.315 AVAST engine scan C:\Users\Peter

09:15:50.489 AVAST engine scan C:\ProgramData

09:16:24.263 Scan finished successfully

09:17:28.082 Disk 0 MBR has been saved successfully to "C:\Users\Peter\Desktop\MBR.dat"

09:17:28.114 The log file has been saved successfully to "C:\Users\Peter\Desktop\aswMBR normal run.txt"


I ran this straight after and the Acer is still there.

RogueKiller V8.4.3 _x64_ [Jan 27 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Peter [Admin rights]

Mode : Scan -- Date : 01/31/2013 09:31:22

| ARK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[SUSP PATH] aswMBR (1).exe -- C:\Users\Peter\Desktop\aswMBR (1).exe -> KILLED [TermProc]

[RESIDUE] aswMBR (1).exe -- C:\Users\Peter\Desktop\aswMBR (1).exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6465GSX ATA Device +++++

--- User ---

[MBR] 06b406295e220c5574631cbea909e762

[BSP] 5a7dd3144b9ace3ab1bcbef773604b7f : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 596964 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1225656320 | Size: 12015 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_01312013_02d0931.txt >>

RKreport[1]_S_01312013_02d0931.txt


Straight after the scan I was blue-screened and crash-dumped ..

Also, during the factory reset, although I set the time, date and geo location as one normally does and it was accepted and saved, on the next boot my clock was 10 hrs different ....

and all things to do with time etc. needed to be reset


I guess because the logs don't show anything that you think I am wrong but I know that I am not......If the machine is wiped clean and doesn't ask for the fourth installation disk then I am sure that it isn't clean. Initially when we started I said it was a BIOS and binary hack and I am still of that complete belief. Just like there are lying numbers in maths there are lying numbers on the hard drive and I am sure that these hackers are making good use of them to move things just enough to trick everyone and everything. Today I did a netstat on my Asus Win 8 machine after a clean reinstall. I renamed the PC and when I looked at the netstat I could see that I was connected to the old installation and on checking the router log could see that the old installation was connecting to the internet even though I had no browsers open and Windows Update was shut off.. If you want to give up it's OK.. I have been at this a long time now and I guess you must be sick of it.. All I can say is I have been working with computers since Windows 95 and this is the first time I have ever been truly baffled by what has been happening. But I do stress I know my computers like the back of my hand and I do know when I am being fooled with.. I don't intend to give up because the people that did this don't deserve to get away with it. Walk in, take and trash..........and hide like little children ..


Good evening pgpav2003,

Are you reinstalling or reformatting? If you are only reinstalling, then you are actually not wiping the disc; only wiping out the old operating system but leaving the files behind.

As for the 4 installation discs, I would imagine that the 4th disc has extras on it. The fact that you can log in etc means that Windows has installed correctly. But let me know if you are actually reformatting or only reinstalling. :)


The 4th disc actually contains the 32-bit installation files... I checked.. So I guess that it's probable that the hackers are already using that set of instructions so the installation doesn't ask for it.....and that's how they control everything simply by owning the boot. As I said, even on a clean install it was installed twice: the initial installation gets to a certain point and then starts again and then finishes. I have done enough factory resets on the machine to know what is happening is just wrong.


Hey pgpav2003,

When you install Windows it will often stop, restart and then continue. The newer systems (7 and 8) do this. I installed recently and that is exactly what happened.

This article:

http://www.forbes.com/sites/andygreenberg/2012/07/26/meet-rakshasa-the-malware-infection-designed-to-be-undetectable-and-incurable/

It mentions how to possibly fight a BIOS infection. You could give the suggestions in the article a shot.

BIOS infections are pretty much considered a theory and not reality. The helpers here (like myself) have never seen such an infection.

But give the article a go and let me know how it goes. :)


But getting back to my initial posts and sticking with what I can physically see happening, as well as maintaining direction in this: there is a block in the BIOS stopping full ownership. I suffered from a phone attack as well when all of this started, but I don't have it connected to the net. Both of the above tell me that it is a personal attack to gain credentials and control of the PC. There is piracy involved here: I buy the software and they send me a cloned copy via my own download as it passes through their server first, which I presume is why I can never activate under normal net connections. I also set my network stuff as a stand-alone computer, but that never sticks and I always end up becoming a workstation, which also fits with the above. I will still keep persisting as well as bearing the article you supplied in mind. Thanks again for your help. :)


Interesting....I have a Toshiba Touchscreen...I'm pulling my hair out dealing with what seems to be the same issue(s)- I look nothing like my profile pic now X~)

Mind if I join in here?

pgpav2003-

I too have become a workstation....not sure how that came about.

I've tried quite a few of the things that TheDarkNight has recommended here, some from Hirens, some from Safe Mode, and some from an Admin account....

Been poring over Event Logs and disabling various services....it's getting messy at this point....I'm rusty troubleshooting, and not entirely sure what all I can get away with disabling here in Win 7...

I've felt for a little while that my system was compromised....but kind of ignored it, finding scenarios where some of the activity could be normal...

But at 1:28 AM on the 27th (a few days ago), I was searching for some background texture images on Google and clicked on one and suddenly Microsoft Essentials went nuts..

My display went WHITE with the desktop running fine behind it. ctrl-alt-del worked, but returned to the blank-white screen...Going into Safe-Mode just rebooted...

These are what event logs show-

Warning 1/29/2013 1:28:47 AM Microsoft Antimalware 1116 None

Name: TrojanDownloader:Win32/Karagany.I

Name: VirTool:Win32/CeeInject.gen!HL

Name: Trojan:Win32/Sirefef!cfg

Name: Trojan:Win64/Sirefef.AE

Name: PWS:Win32/Fareit.gen!I

Name: TrojanDropper:Win32/Sirefef.gen!A

Name: Trojan:Win64/Sirefef.AE

Name: Trojan:Win32/Urausy.C

I was hoping that Malwarebytes and the other tools I used shredded the above issues....I think so....BUT- Wasn't sure about this SuperAntiSpyware-

Trojan.Dropper/SVCHost-Fake

C:\PROGRAM FILES (X86)\MALWAREBYTES' ANTI-MALWARE\CHAMELEON\SVCHOST.EXE

Not sure if that is a false-positive or if along the way Malwarebytes got compromised....

I stumbled onto this post when reviewing this information, unconvinced that all my issues are resolved, wondering if by any chance I'm screwed from boot-

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 937035 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1922121728 | Size: 15333 Mo
User = LL1
User = LL2

I was getting ready next to burn a couple of Linux live drives to work from (also with additional rescue/malware tools) until I was on solid ground.

BTW- My troubleshooting has not in anyway been organized....Basically try this try that....

I was just hoping maybe If I joined in, perhaps TheDarkNight would have more ammo from logs I could share, from a comparison perspective?

Since nothing I've done has been organized, perhaps a tech strategy would be necessary, as I have no idea where to begin from here.

I'm feeling pretty confident though that my system is still compromised from as far back as 08/2012 or likely longer....(connected to "free" Internet provided by my residence)- SO who knows what all my system has been subjected to....and I wasn't as security-diligent during that period either.

Just a day or two before the Trojan attack- I had just gained Admin access and setup our residential firewall/modem here where I'm living now.

TheDarkNight- Is there anything I can do to better help? I didn't want to just dump all my unorganized documentation without both of your approval....I'm pretty positive I have some or much of the same going on as pgpav2003 here.

If so, let me know what you'd like me to do.

Otherwise, I'll just follow along.

Either way- Thanks to both of you in advance :)

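The partition listing in the post above is the kind of output a responder reads by hand; a small parser that turns it into structured records and flags what deserves a second look (a hidden partition, an unknown type id, more or fewer than one active partition, unallocated space between partitions) makes the check repeatable across several machines. This is an added example written for this thread, not code from the forum or from the tool that produced the listing. It assumes 512-byte sectors, reads the "Mo" sizes as MiB, and uses a constructed sample in the same layout as the quoted listing; the partition type table is a small subset I am confident of, and anything outside it is reported as unknown rather than guessed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the same layout as the listing quoted in the post above
# (three MBR partitions, the third one flagged hidden). Not captured from any machine.
SAMPLE_LISTING = """\
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 937035 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1922121728 | Size: 15333 Mo
User = LL1
"""

# Subset of MBR partition type ids. Anything not listed is reported as unknown.
KNOWN_TYPES = {
    0x07: "NTFS/HPFS/exFAT",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x17: "Hidden NTFS/HPFS",
    0x27: "Windows RE / hidden NTFS (OEM recovery)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}

SECTOR_BYTES = 512                              # assumption: 512-byte sectors
SECTORS_PER_MIB = 1024 * 1024 // SECTOR_BYTES   # assumption: "Mo" in the listing means MiB

# One partition line: "<idx> - [FLAG] <label> (0xTT) [VISIBLE|HIDDEN!] Offset (sectors): N | Size: M Mo"
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\s*-\s*\[(?P<flag>[A-Z]+)\]\s+(?P<label>.*?)\s*\(0x(?P<type>[0-9A-Fa-f]{2})\)"
    r"\s+\[(?P<vis>VISIBLE|HIDDEN!)\]\s+Offset \(sectors\):\s*(?P<off>\d+)\s*\|\s*Size:\s*(?P<size>\d+)\s*Mo\s*$"
)


@dataclass
class Partition:
    index: int
    active: bool
    label: str
    type_id: int
    hidden: bool
    offset_sectors: int
    size_mib: int

    @property
    def end_sector(self) -> int:
        """First sector after this partition, under the sector-size assumption above."""
        return self.offset_sectors + self.size_mib * SECTORS_PER_MIB


def parse_listing(text: str) -> List[Partition]:
    """Parse every partition line; lines that do not match (e.g. 'User = ...') are skipped."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts.append(Partition(
            index=int(m["idx"]),
            active=(m["flag"] == "ACTIVE"),
            label=m["label"],
            type_id=int(m["type"], 16),
            hidden=(m["vis"] == "HIDDEN!"),
            offset_sectors=int(m["off"]),
            size_mib=int(m["size"]),
        ))
    return parts


def unallocated_gaps(parts: List[Partition]) -> List[Tuple[int, int]]:
    """(start_sector, length_in_sectors) for every gap between consecutive partitions."""
    gaps = []
    ordered = sorted(parts, key=lambda p: p.offset_sectors)
    for a, b in zip(ordered, ordered[1:]):
        if b.offset_sectors > a.end_sector:
            gaps.append((a.end_sector, b.offset_sectors - a.end_sector))
    return gaps


def review(parts: List[Partition]) -> List[Tuple[Optional[int], str]]:
    """Findings a responder should verify by hand; partition index is None for disk-wide findings."""
    findings: List[Tuple[Optional[int], str]] = []
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append((None, f"{len(active)} active partitions (expected exactly 1)"))
    for p in parts:
        name = KNOWN_TYPES.get(p.type_id)
        if name is None:
            findings.append((p.index, f"unknown partition type 0x{p.type_id:02X}"))
        if p.hidden:
            findings.append((p.index, f"hidden partition, type 0x{p.type_id:02X} ({name or 'unknown'})"))
    for start, length in unallocated_gaps(parts):
        findings.append((None, f"unallocated gap of {length} sectors at sector {start}"))
    return findings


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for p in parsed:
        print(p)
    for idx, reason in review(parsed):
        print(f"partition {idx}: {reason}")
```

On the sample the only finding is the hidden 0x17 partition: the three partitions abut exactly (1500 MiB after sector 2048 ends at sector 3074048, where the next one starts, and likewise for the third), so there is no unallocated gap to report. Hidden NTFS recovery partitions are common on OEM laptops, so a finding here is a prompt to check what the partition actually contains, not a verdict that the disk is compromised.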

Hi Baffle D, I have no objection at all to sharing information in regards to this, but I guess we should wait and see what our mentor has to say on the subject. I am currently gathering info on the ROMs in my Toshiba and hope to take it off net and flash each and every one of the ROMs with new compatible firmware, as well as do the same for the network routers and cards. A very time consuming job. I still think that the BIOS is the key to all of this, because if it is compromised so will everything else be. Some of the things that I did try before coming here that seemed to work for a short period of time was to strip the internal networking capabilities from the system files as well as the shadow copy, and also delete Internet Explorer while off net, then encrypt the drive. That seemed to hold it for a while, but I must have left some doorway open somewhere and they got back in after attacking my router for about half an hour straight... I presume that attack was to break the Egis encryption code, as the following day I was again a workstation. The inventor of this hack is very very good; normally I do all my own virus removal but this one seems to be a little more than the average type hack. It displays all of the characteristics of a TDSS hack but also has the characteristics of the Rakshasa BIOS virus that TheDarkNight kindly posted in a previous post. Not sure which way to run on this one, but I distinctly remember how my installs used to be and they are markedly different now. Anyway, will leave it till TheDarkNight adds his reply :) cheers, and I hope a combined solution will come from what we do.


WOW- I have XARA....

I was also looking at uninstalling IE9 based on log results...

MAN! Pretty much everything you're talking about is hitting home with me...

I told my girl- "This is a particularly nasty SOMETHING...I may have to actually join a forum somewhere and ask for help"

She gave that raised eyebrow look- You know- the one when a guy actually stops, asks for directions and buys a map X~)

YTD- Downloader That's also part of XARA.

I was also looking at the Guest account...

Unfortunately- I'm not sure how much of this is separate issues due to how long I've been lax security-wise.

I think killing what I have so far, though, has brought me even-keel with your situation, so yeah- I agree, I'll hang tight and wait for y'all's direction.

I feel the same as you though- I typically know my system....and this one don't feel like mine right now...
