4 computers crash including twice by new comp.virus?



#31 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Hi,

Well DrWeb didn't detect infections.

Do you have the original Windows installation CD for your laptop handy? Any Recovery CDs?
What is the make and model of your laptop?
#32 luvdacowboys2011 (Topic Starter, Member, 52 posts)
Salagubang,
I ran Dr. Web on a complete scan and only got halfway through when I had to stop it to sling some reports to the office, and it did find one trojan... which I will upload the report of with this post. I will try and rerun it all the way through while at work... so hopefully I'll have it to you by, say, 3 o'clock. I have snooped through the registry keys and have found numerous blocks, filters and such... I also recall seeing security and/or antivirus override somewhere!? You haven't found anything suspicious in any OTL logs? I studied the tutorial majorly and had suspicions about one of the Nvidia and Clearwire services along with some other things... but I'm by no means a comp. wiz... just know how to use them. What is your thought on uploading some files and/or folders to MediaFire that I know I don't need... for you to take a peek at? The computer is a Samsung model NP-QX410-J01US. Come up with something, let me know. Thanks! Well, just tried to upload the Dr. Web log but can't because it is now a shell command as of 30 minutes ago!?? So the trojan it found was OTL (Siggen 2.2...)!?

#33 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Yes, it will find OTL as infected but I am sure it is a "false positive". I also noticed what you mean by the nvidia component using the App_init to load and have taken note of it.

    what is your thought on uploading some files and/or folders to MediaFire that I know I don't need... for you to take a peek at?

Ok, please upload it so I could take a peek.

Next, let's have a rootkit scan.

GMER Rootkit Scanner
  • GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan... click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)

    NOTE - Not all of the tick boxes will be available if you are running a 64-bit Operating System. You may also get an error message displayed on the screen when using a 64-bit Operating System; this is normal, just click on OK and let it carry on.

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.


#34 luvdacowboys2011 (Topic Starter, Member, 52 posts)
[attachment=49612:log4.txt] [attachment=49611:log3.txt] [attachment=49610:lo2.txt] [attachment=49609:log.txt]
And of course found nothing! I re-tried opening Documents and Settings again and I'm denied... says I don't have proper permission to open? Here are just a FEW logs and/or folders I will post now for you to look at! How can I see if the Windows installed matches the product key on the tag? [attachment=49613:log5.txt]

#35 luvdacowboys2011 (Topic Starter, Member, 52 posts)
Salagubang,
Here's my boy coming on through today! I found this log while surfing the registry keys along with other things. I deleted the keys but my firewall is asking permission to let him through, so he's still around!

#36 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Hi,

Good investigation discovering some leak :) I thought billy was your user profile; if not, then the machine is somehow compromised.

If your Wifi/WiMAX connection is serving as a hotspot, you can simply right-click on the connection and disable the connection altogether.

I'll be removing some AVP remnant drivers.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\92540052.sys -- (92540052)
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\91863762.sys -- (91863762)
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\81473662.sys -- (81473662)
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\81272702.sys -- (81272702)
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\73865212.sys -- (73865212)
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\59570762.sys -- (59570762)
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\52997302.sys -- (52997302)
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\36793592.sys -- (36793592)
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\07921142.sys -- (07921142)
    DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\07585642.sys -- (07585642)
    DRV:64bit: - [2009/10/09 23:30:56 | 000,352,784 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\SysNative\drivers\8127270.sys -- (setup_9.0.0.722_28.04.2011_04-08drv)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\92540051.sys -- (92540051)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\91863761.sys -- (91863761)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\81473661.sys -- (81473661)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\81272701.sys -- (81272701)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\73865211.sys -- (73865211)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\59570761.sys -- (59570761)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\52997301.sys -- (52997301)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\36793591.sys -- (36793591)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\07921141.sys -- (07921141)
    DRV:64bit: - [2009/09/25 17:59:46 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\07585641.sys -- (07585641)
    DRV - [2011/04/28 20:40:27 | 000,013,312 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\SysWOW64\drivers\vdewntyx.sys -- (vdewntyx)
    DRV - [2011/04/28 20:40:26 | 000,011,264 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\SysWOW64\drivers\uzewntyx.sys -- (uzewntyx)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

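The DRV lines in the OTL fix above share one fixed field layout: timestamp, size, attributes, vendor in parentheses, type/start/state, path, and service name. As an added example (not part of the thread, and not OTL's own code), here is a small Python triage helper that parses such lines and flags the two patterns the fix removes, entries with no vendor name and entries whose service name looks machine-generated; the beep.sys line is a constructed clean sample, and the heuristics are hints for a reviewer, not verdicts.

```python
import re
from dataclasses import dataclass

# One OTL driver line, e.g.
# DRV:64bit: - [2011/04/28 20:40:27 | 000,013,312 | ---- | M] () [Kernel | System | Stopped] -- C:\x\y.sys -- (y)
DRV_RE = re.compile(
    r"^DRV(?::64bit:)? - \[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>\S+) \| M\] "
    r"\((?P<vendor>[^)]*)\) \[(?P<kind>[^|]+) \| (?P<start>[^|]+) \| (?P<state>[^\]]+)\] -- "
    r"(?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)

@dataclass
class Driver:
    date: str
    size: int
    vendor: str
    start: str
    state: str
    path: str
    name: str

def parse_drv(line: str):
    """Parse one DRV line; return None for anything else (O3, :Commands, ...)."""
    m = DRV_RE.match(line.strip())
    if not m:
        return None
    return Driver(m["date"], int(m["size"].replace(",", "")), m["vendor"],
                  m["start"].strip(), m["state"].strip(), m["path"], m["name"])

def suspicious(d: Driver) -> list:
    """Reasons an entry deserves a closer look (heuristics, not verdicts)."""
    reasons = []
    if not d.vendor:
        reasons.append("no vendor name (unsigned / no version resource)")
    if re.fullmatch(r"[a-z]{8}", d.name):
        reasons.append("8-letter random-looking service name")
    if re.fullmatch(r"\d{7,8}", d.name):
        reasons.append("purely numeric service name")
    return reasons

def triage(lines) -> dict:
    """Map service name -> reasons for every parsed line that raised at least one flag."""
    out = {}
    for line in lines:
        d = parse_drv(line)
        if d and suspicious(d):
            out[d.name] = suspicious(d)
    return out

SAMPLE = [  # first two copied from the fix above, third constructed as a clean control
    r"DRV:64bit: - [2009/10/22 13:54:24 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\92540052.sys -- (92540052)",
    r"DRV - [2011/04/28 20:40:27 | 000,013,312 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\SysWOW64\drivers\vdewntyx.sys -- (vdewntyx)",
    r"DRV:64bit: - [2009/07/13 19:21:09 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\beep.sys -- (Beep)",
]
```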

#37 luvdacowboys2011 (Topic Starter, Member, 52 posts)
Salagubang

Trust me, I tried my darndest last night to get rid of this guy... found a log from today where he does a complete copy, uninstall, then reinstall! He had to do that because your script looked just like mine... I think! Only thing I was leaving out was the Intel engine... in the logs it gives the process, services, drivers, all needed for OTL... but seems to me I'd be deleting my whole system!??? There's also 2 more users (click Users) with locks... it's a well known pattern! I will try your script and hope! I thought you hung me out to dry... thanks! I promise I will make it worth your while... more so if you delivered him on my doorstep!?? haha


Billy

#38 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Hi,

No, I didn't. I am just as stumped and clueless as to how to clear these invaders in your system without breaking critical system files one way or another. And the scans not detecting anything malicious, to boot - but that is the nature of what trojans and backdoors do anyway.

I will be looking for other options. :)

#39 luvdacowboys2011 (Topic Starter, Member, 52 posts)
Hey Salagubang... Yours does just like mine... goes to Not Responding! I saved the script to desktop to try it in safe mode and GONE!! I'm gonna grab it again and save it to my removable and go to safe mode again! BUT LAST NIGHT I WAS DOING IT... OTL... AND HAD a lot MORE IN THE FIX BOX!??

#40 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Hi Billy,

Do you think it would be convenient, and not much of a constraint (under the circumstances), that we insert your original Windows installation CD and perform a clean install, or if it's available, a full system restore to factory state, for the machine to be trustworthy again?
#41 luvdacowboys2011 (Topic Starter, Member, 52 posts)
Salagubang
I did your script and got the same message when I logged in... warning: you are logged in under a temporary profile! I went to see if the new users are still there and they are... userupdatus is the main one I THINK! I was putting a WHOLE lot more in as the fix... but I was leaving out the "files" under command! I was adding them one by one! I am running a new scan as I'm typing and will post when done! Thanks!

#42 luvdacowboys2011 (Topic Starter, Member, 52 posts)
Salagubang
I would if I had them... but I have wiped the Dell and did a reinstall twice (by 2 different companies) and the 2nd one was saying the first didn't do it right... and it happened again! How is this happening is what I really wanna know! This happened to my dad's desktop as soon as I put the driver downloader in without even getting on the internet...! I inserted the driver software in this machine and it has a shell command with what looks like a smiley face under the name... and it's not even full... like I was told it was supposed to be! This guy is GOOD... good enough I have printed out everything and what I couldn't I took pictures of! It's like he acts like it's his computer and doesn't even care I know... it's HIS and to GIVE it up! I'm only worried about the U.S. government sites that are saved to favorites and links... go straight to social security card in what looks like Spanish! I will prolly email and send (?) with paperwork, photos and anything else and hope they can catch this person... if not for me then for EVERYONE else, cause it is really making me wanna take my money out of the bank and put it in my pillowcase... he's that good! I have received a call from Visa confirming a large transaction when this all started... and when I questioned them they said I needed to get with my institution... I said well who are you then?? She said she only had a very limited amount of info in front of her... like only the last 4 digits of S.S.
and so on! Called my bank and they told me they didn't have any record of it?? I have never heard of these kinda problems and, to be honest, it's not easy to tell someone and not feel like they are thinking I'm a paranoid person... that I'm not... except when it comes to being backdoored by a snake! That makes me wanna catch this person even more so... Like you I gotta work and earn my money and it's not just for me either! [attachment=49670:OTL.Txt] It should be dated 4/30/11 at 8:33, run 15... noticed today if I don't run it from the F:\ drive it is a previous run from days ago!

#43 luvdacowboys2011 (Topic Starter, Member, 52 posts)
Salagubang


After looking at the log and then the log from his uninstall and reinstall, the Intel engine... has gotta go! If so... and she crashes, oh well, it prolly is anyway, and like you say, can I really trust this machine anyway? After all, before this started I hadn't licked a stamp since... I can't even remember when! YEARS! I really don't think there is a fix cause he makes a total copy of everything and uninstalls and reinstalls!?? But like I have said, I'm no comp. expert.

#44 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
We'll be trying a little experiment, if the Dell Recovery Partition still exists on your machine.

Restart the machine, then when the Dell splash screen appears during startup, press <Ctrl> + <F11> and release them at the same time. This should fire up the MBR to initiate the recovery process.

Do not yet proceed with recovery, but tell me if it's still functioning.

#45 luvdacowboys2011 (Topic Starter, Member, 52 posts)
Salagubang

I reran your script in normal mode and I must say it looks promising! MOSTLY all not found! And it actually did run instead of NOT RESPONDING! Could you have done the impossible? If you did I will be very impressed, because I had doubt anybody could... other than the trash can! I even ALMOST convinced myself to buy a Mac Monday... you might have saved me some change, Sal! I just went and surfed the Dell and it has the same favs. and links this does, along with folders from 2006 up until 4-26-11... and I have never put it on the internet... it was a total wipe and install with the disc I got from Dell!? [attachment=49673:04302011_214345.log]