

Windows 7: Dell M5010, New Mobo and Possible Rootkit???


19 Jun 2013   #1

Windows 7 Home Premium, 64 bit
 
 
Dell M5010, New Mobo and Possible Rootkit???

Long-time lurker of the forum, first-time poster. The info I have found here has always been so helpful that I've never needed to ask for help until now - I have one of Dell's crappy and cursed over-heating laptops. Two months ago, it was barely out of warranty when the board died. After screaming and threatening to sue, Dell sent a tech to my loft (yes - IN HOME repair) and replaced it free of charge, but afterwards the fan didn't operate. Dell completely ignored my questions & complaints about this. Took me about a month, but I discovered SpeedFan, figured out how to operate it and solved that problem. While I was looking for a solution, I noticed every search engine was returning the exact same findings. Most of the results didn't make sense and there were only five pages of findings, on every search engine. Additionally, I've noticed some rather questionable files when poking around Autoruns and Regedit. For example - Promise Super Track Ex Driver for Windows and an entry called "FalconBetaAccount". What are those? Neither sounds legit??? Yesterday, a printer that I don't own showed up on my network (screenshots attached).


I have a firewall & virus protection with an annual subscription and I haven't done any covert downloading recently... It's been at least several months before the board was replaced. So I am not sure where it came from? I've scanned with Norton 360 (have subscription), Malwarebytes, Malwarebytes Chameleon, Webroot Portable, OTL, GMER, etc. and nothing. I can't find it?! So I decided to scan with everything again... Just now, GMER popped up on the screen under the "Rootkit/Malware" tab a list containing the files below (text file from GMER attached).

Are these files the rootkit(s)??? Does SpeedFan contain the rootkit? I gotta have SpeedFan or my laptop will spontaneously combust and burn my building down! I am completely confused!


Also, I have two computers networked via my wireless router/cable modem (desktop XP, laptop Windows 7). Over the weekend, I noticed that my desktop was returning screwy search engine results too. I drag files back and forth between my desktop and laptop constantly. Did I pass the infection to my desktop??? Is my iPhone safe??? I kinda know what I am doing. But truthfully, I know just enough to be dangerous, so someone HELP ME PLEASE!


GMER 2.1.19163 - GMER - Rootkit Detector and Remover
Rootkit scan 2013-06-19 09:53:47
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000069 ST964032 rev.0002 596.17GB
Running: zhpmch4f.exe; Driver: C:\Users\Misti\AppData\Local\Temp\kxdyqpoc.sys


---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\SpeedFan\speedfan.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778d1465 2 bytes [8D, 77]
.text C:\Program Files (x86)\SpeedFan\speedfan.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778d14bb 2 bytes [8D, 77]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\ntdll.dll [1404:1408] 0000000000e60d9a
Thread C:\Windows\SysWOW64\ntdll.dll [1404:1124] 00000000748de196
Thread C:\Windows\SysWOW64\ntdll.dll [1404:2596] 0000000071b0eec8
Thread C:\Windows\SysWOW64\ntdll.dll [1404:2628] 0000000071b0eec8
Thread C:\Windows\SysWOW64\ntdll.dll [1404:1796] 0000000071b0eec8
Thread C:\Windows\SysWOW64\ntdll.dll [1404:1912] 0000000071e73bff
Thread C:\Windows\SysWOW64\ntdll.dll [1404:2964] 0000000074057019
Thread C:\Windows\SysWOW64\ntdll.dll [1404:3068] 0000000073901854

---- EOF - GMER 2.1 ----




Attached Thumbnails
Dell M5010, New Mobo and Possible Rootkit???-promise-super-track-ex-driver-windows.jpg   Dell M5010, New Mobo and Possible Rootkit???-falcon-beta-account.jpg   Dell M5010, New Mobo and Possible Rootkit???-no-lexmark-printer-my-house.jpg  
Attached Files
File Type: log GMER - Result maybe.log (1.8 KB, 1 views)

19 Jun 2013   #2
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Download DDS from one of these links:
DDS.com
DDS.pif
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt <--- will be minimized in the task tray
  • Save both reports to your desktop.
Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.
19 Jun 2013   #3

Windows 7 Home Premium, 64 bit
 
 

Thanks! Will do as soon as Malwarebytes finishes scanning again (fourth try). After my post, I downloaded and ran Kaspersky's TDSS and RogueKiller. TDSS = Zero. RogueKiller quarantined eight registry entries. Woo hoo!!! Finally! I was beginning to think I was imagining the search redirects! So far Malwarebytes has found two items (which could just be cookies) and has been running for about 45 minutes. I will run your suggestion and update shortly.


19 Jun 2013   #4
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Okay ... waiting
19 Jun 2013   #5

Windows 7 Home Premium
 
 

onlinealias,

Could you also post the RogueKiller report: RKreport.txt (Mode: Scan), or the RKreport (Mode: Delete)?

It would be best to know what we are dealing with.

Both reports are found on the Desktop.


Thanks!
20 Jun 2013   #6

Windows 7 Home Premium, 64 bit
 
 

Sorry for the delay! I kinda took a very long nap yesterday... Here's Rogue Killer:

RogueKiller V8.6.1 _x64_ [Jun 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Misti [Admin rights]
Mode : Remove -- Date : 06/19/2013 11:47:21
| ARK || FAK || MBR |

Bad processes : 0

Registry Entries : 10
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowVideos (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Scheduled tasks : 0

Startup Entries : 2
[Default][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][x][x][x] -> DELETED
[Default User][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][x][x][x] -> [0x2] The system cannot find the file specified.

Web browsers : 0

Particular Files / Folders:

Driver : [NOT LOADED]

External Hives:

Infection :

HOSTS File:
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com 3dns.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.adobe.com activate.wip.adobe.com activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com adobe-dns-4.adobe.com adobe-dns.adobe.com adobeereg.com crl.verisign.net ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com ood.opsource.net practivate.adobe practivate.adobe.com
127.0.0.1 practivate.adobe.ipp practivate.adobe.newoa practivate.adobe.ntp wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com wwis-dubc1-vip60.adobe.com Registration www.wip.adobe.com www.wip1.adobe.com www.wip2.adobe.com www.wip3.adobe.com Adobe


MBR Check:

+++++ PhysicalDrive0: ST964032 0AS SATA Disk Device +++++
--- User ---
[MBR] a2be468dfb7b7f55588693a580d25a99
[BSP] d5d062379b50baac4cebe0aade65397a : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595378 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] d5f67f7b55c6c1b14e0b15ac9cc2ce5e
[BSP] d5d062379b50baac4cebe0aade65397a : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595378 Mo

Finished : << RKreport[0]_D_06192013_114721.txt >>
RKreport[0]_S_06192013_114605.txt
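The security-relevant part of the RogueKiller report above is the pair of [HJ POL] lines: EnableLUA=0 means UAC was switched off entirely, and ConsentPromptBehaviorAdmin=0 means administrators were being elevated silently, which is exactly the state malware wants. The hosts-file block, by contrast, only sinkholes vendor activation names. The following Python is an added example (not RogueKiller's code or anything from the thread) that parses report lines in this format and ranks the findings; the sample report is constructed from the lines quoted above.

```python
import re

# Constructed sample modelled on the "Registry Entries" and "HOSTS File"
# sections of the RogueKiller report quoted above (not the poster's full log).
SAMPLE_REPORT = r"""[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 activate.adobe.com practivate.adobe.com
127.0.0.1 localhost
"""

# One RogueKiller registry line: [CATEGORY] key : value (before) -> ACTION (after)
ENTRY_RE = re.compile(
    r"^\[(?P<cat>[A-Z ]+)\] (?P<key>.+?) : (?P<name>.+?) "
    r"\((?P<before>[^)]*)\) -> (?P<action>\w+) \((?P<after>[^)]*)\)$"
)
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<names>.+)$")

# UAC policy values whose "before" state means elevation happened silently:
# EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without a prompt.
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0"}


def parse_rk_report(text):
    """Split report text into registry entries (dicts) and hosts mappings."""
    registry, hosts = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            registry.append(m.groupdict())
            continue
        h = HOSTS_RE.match(line)
        if h:
            hosts.append((h["ip"], h["names"].split()))
    return {"registry": registry, "hosts": hosts}


def assess(report):
    """Return (severity, message) findings in triage order: UAC first, hosts second."""
    findings = []
    for e in report["registry"]:
        if e["cat"] == "HJ POL" and UAC_WEAK.get(e["name"]) == e["before"]:
            findings.append(("high", f"UAC weakened: {e['name']}={e['before']} (restored to {e['after']})"))
    for ip, names in report["hosts"]:
        # Loopback mappings for anything but localhost sinkhole those names; vendor
        # activation hosts are typical of license blockers, so review rather than assume malware.
        blocked = [n for n in names if n != "localhost"]
        if ip.startswith("127.") and blocked:
            findings.append(("review", f"hosts file sinkholes {', '.join(blocked)}"))
    return findings
```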




20 Jun 2013   #7

Windows 7 Home Premium, 64 bit
 
 

The "attach" file from DDS has been attached.


Attached Files
File Type: txt attach.txt (1.2 KB, 5 views)
20 Jun 2013   #8

Windows 7 Home Premium, 64 bit
 
 

This isn't normal, is it?


Attached Thumbnails
Dell M5010, New Mobo and Possible Rootkit???-system-idle-process.jpg  
20 Jun 2013   #9

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

onlinealias,

Your DDS log is pretty short.

Upload both the DDS and the Attach text files.
20 Jun 2013   #10
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Please be patient while the scan runs; at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
***A guide and tutorial on "How to use Combofix" can be found here:
ComboFix: A guide and tutorial on using ComboFix

IF CF won't run:
During the download, rename Combofix.exe to sVchost.exe