Dell M5010, New Mobo and Possible Rootkit???


  1. Posts : 10
    Windows 7 Home Premium, 64 bit
       #1

    Dell M5010, New Mobo and Possible Rootkit???


    Long time lurker of the forum, first time poster. The info I have found here has always been so helpful that I've never needed to ask for help until now - I have one of Dell's crappy and cursed over-heating laptops. Two months ago, it was barely out of warranty when the board died. After screaming and threatening to sue, Dell sent a tech to my loft (yes - IN HOME repair) and replaced it free of charge, but afterwards the fan didn't operate. Dell completely ignored my questions & complaints about this. Took me about a month, but I discovered SpeedFan, figured out how to operate it and solved that problem. While I was looking for a solution, I noticed every search engine was returning the exact same findings. Most of the results didn't make sense and there were only five pages of findings, on every search engine. Additionally, I've noticed some rather questionable files when poking around Autoruns and Regedit. For example - Promise Super Track Ex Driver for Windows and an entry called "FalconBetaAccount". What are those? Neither sounds legit??? Yesterday, a printer that I don't own showed up on my network (screenshots attached).


    I have a firewall & virus protection with an annual subscription and I haven't done any covert downloading recently... It's been at least several months before the board was replaced. So I am not sure where it came from? I've scanned with Norton 360 (have subscription), Malwarebytes, Malwarebytes Chameleon, Webroot Portable, OTL, GMER, etc. and nothing. I can't find it?! So I decided to scan with everything again... Just now, GMER popped up on the screen, under the "Rootkit/Malware" tab, a list containing the files below (text file from GMER attached).

    Are these files the rootkit(s)??? Does SpeedFan contain the rootkit? I gotta have SpeedFan or my laptop will spontaneously combust and burn my building down! I am completely confused!


    Also, I have two computers networked via my wireless router/cable modem (desktop XP, laptop Win7). Over the weekend, I noticed that my desktop was returning screwy search engine results too. I drag files back and forth between my desktop and laptop constantly. Did I pass the infection to my desktop??? Is my iPhone safe??? I kinda know what I am doing. But truthfully, I know just enough to be dangerous, so someone HELP ME PLEASE!


    GMER 2.1.19163 - GMER - Rootkit Detector and Remover
    Rootkit scan 2013-06-19 09:53:47
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000069 ST964032 rev.0002 596.17GB
    Running: zhpmch4f.exe; Driver: C:\Users\Misti\AppData\Local\Temp\kxdyqpoc.sys


    ---- User code sections - GMER 2.1 ----

    .text C:\Program Files (x86)\SpeedFan\speedfan.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778d1465 2 bytes [8D, 77]
    .text C:\Program Files (x86)\SpeedFan\speedfan.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778d14bb 2 bytes [8D, 77]
    .text ... * 2

    ---- Threads - GMER 2.1 ----

    Thread C:\Windows\SysWOW64\ntdll.dll [1404:1408] 0000000000e60d9a
    Thread C:\Windows\SysWOW64\ntdll.dll [1404:1124] 00000000748de196
    Thread C:\Windows\SysWOW64\ntdll.dll [1404:2596] 0000000071b0eec8
    Thread C:\Windows\SysWOW64\ntdll.dll [1404:2628] 0000000071b0eec8
    Thread C:\Windows\SysWOW64\ntdll.dll [1404:1796] 0000000071b0eec8
    Thread C:\Windows\SysWOW64\ntdll.dll [1404:1912] 0000000071e73bff
    Thread C:\Windows\SysWOW64\ntdll.dll [1404:2964] 0000000074057019
    Thread C:\Windows\SysWOW64\ntdll.dll [1404:3068] 0000000073901854

    ---- EOF - GMER 2.1 ----
    Attached screenshots: promise-super-track-ex-driver-windows.jpg, falcon-beta-account.jpg, no-lexmark-printer-my-house.jpg
    Attached files: GMER text log (see above)


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    Download DDS from one of these links:
    DDS.com
    DDS.pif
    • Disable any script blocking protection
    • Double click the dds icon to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt <--- will be minimized in the task tray
    • Save both reports to your desktop.

    Include the contents of both logs in your next post.
    The scan will instruct you to post Attach.txt as an attachment.


  3. Posts : 10
    Windows 7 Home Premium, 64 bit
    Thread Starter
       #3

    Thanks! Will do as soon as Malwarebytes finishes scanning again (fourth try). After my post, I downloaded and ran Kaspersky's TDSS and RogueKiller. TDSS = Zero. RogueKiller quarantined eight registry entries. Woo hoo!!! Finally! I was beginning to think I was imagining the search redirects! So far Malwarebytes has found two items (which could just be cookies) and has been running for about 45 minutes. I will run your suggestion and update shortly.


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #4

    Okay ... waiting


  5. Posts : 2,470
    Windows 7 Home Premium
       #5

    onlinealias,

    Could you also post the RogueKiller report: RKreport.txt (Mode: Scan), or, the RKreport (Mode: Delete)

    It would be best to know what we are dealing with.

    Both reports are found on the Desktop.


    Thanks!


  6. Posts : 10
    Windows 7 Home Premium, 64 bit
    Thread Starter
       #6

    Sorry for the delay! I kinda took a very long nap yesterday... Here's Rogue Killer:

    RogueKiller V8.6.1 _x64_ [Jun 17 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : RogueKiller - Geeks to Go Forums
    Website : Download RogueKiller (Official website)
    Blog : tigzy-RK

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Misti [Admin rights]
    Mode : Remove -- Date : 06/19/2013 11:47:21
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 10 ¤¤¤
    [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowVideos (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 2 ¤¤¤
    [Default][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][x][x][x] -> DELETED
    [Default User][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][x][x][x] -> [0x2] The system cannot find the file specified.

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com 3dns.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.adobe.com activate.wip.adobe.com activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com
    127.0.0.1 adobe-dns-3.adobe.com adobe-dns-4.adobe.com adobe-dns.adobe.com adobeereg.com crl.verisign.net ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com ood.opsource.net practivate.adobe practivate.adobe.com
    127.0.0.1 practivate.adobe.ipp practivate.adobe.newoa practivate.adobe.ntp wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com wwis-dubc1-vip60.adobe.com Registration www.wip.adobe.com www.wip1.adobe.com www.wip2.adobe.com www.wip3.adobe.com Adobe


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST964032 0AS SATA Disk Device +++++
    --- User ---
    [MBR] a2be468dfb7b7f55588693a580d25a99
    [BSP] d5d062379b50baac4cebe0aade65397a : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
    2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595378 Mo
    User = LL1 ... OK!
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] d5f67f7b55c6c1b14e0b15ac9cc2ce5e
    [BSP] d5d062379b50baac4cebe0aade65397a : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595378 Mo

    Finished : << RKreport[0]_D_06192013_114721.txt >>
    RKreport[0]_S_06192013_114605.txt
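    As an added example (not part of the thread, and not RogueKiller's own code), here is a small Python parser for report lines of the kind posted above. It pulls out the [HJ ...] registry entries and the MBR check, then flags the two findings a responder would look at first: UAC policy values that had been sitting at 0 (EnableLUA = 0 switches UAC off; ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt), and an MBR hash that differs between RogueKiller's "User" and "LL2" read layers. The sample text is copied from the report in this thread; the function names and the regexes are this example's own assumptions about the report format.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the RogueKiller report posted in
# this thread (backslashes are doubled only because this is a Python literal).
SAMPLE_REPORT = """\
¤¤¤ Registry Entries : 10 ¤¤¤
[HJ POL] HKLM\\[...]\\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL] HKLM\\[...]\\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU] HKCU\\[...]\\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\\[...]\\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST964032 0AS SATA Disk Device +++++
--- User ---
[MBR] a2be468dfb7b7f55588693a580d25a99
[BSP] d5d062379b50baac4cebe0aade65397a : Windows 7/8 MBR Code
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] d5f67f7b55c6c1b14e0b15ac9cc2ce5e
[BSP] d5d062379b50baac4cebe0aade65397a : Windows 7/8 MBR Code
"""

# One RogueKiller registry line: [TAG] key : name (old) -> ACTION (new)
# (assumed format, derived from the lines above)
ENTRY_RE = re.compile(
    r"^\[(?P<tag>HJ [A-Z]+)\] (?P<key>.+?) : (?P<name>\S+) "
    r"\((?P<old>[^)]*)\) -> (?P<action>[A-Z]+)(?: \((?P<new>[^)]*)\))?$"
)

# UAC policy values that RogueKiller reports as [HJ POL]; 0 disables the protection.
UAC_VALUES = {
    "EnableLUA": "UAC was switched off entirely",
    "ConsentPromptBehaviorAdmin": "administrators were elevated without any prompt",
}


def parse_registry_entries(report: str) -> List[Dict[str, str]]:
    """Return every [HJ ...] registry line as a dict of its fields."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def uac_findings(entries: List[Dict[str, str]]) -> List[str]:
    """Describe each UAC policy value that the report found set to 0."""
    findings = []
    for e in entries:
        if e["tag"] == "HJ POL" and e["name"] in UAC_VALUES and e["old"] == "0":
            findings.append(
                f"{e['name']}=0: {UAC_VALUES[e['name']]} "
                f"(RogueKiller set it to {e['new']})"
            )
    return findings


def parse_mbr_hashes(report: str) -> Dict[str, str]:
    """Map each read layer ('User', 'LL2', ...) to the [MBR] hash it produced."""
    hashes: Dict[str, str] = {}
    layer = None
    for line in report.splitlines():
        line = line.strip()
        sect = re.match(r"^--- (\w+) ---$", line)
        if sect:
            layer = sect.group(1)
        elif line.startswith("[MBR] ") and layer:
            hashes[layer] = line.split()[1]
    return hashes


def mbr_layers_disagree(hashes: Dict[str, str]) -> bool:
    """True when different read layers saw different MBR contents."""
    return len(set(hashes.values())) > 1


if __name__ == "__main__":
    entries = parse_registry_entries(SAMPLE_REPORT)
    for finding in uac_findings(entries):
        print("UAC:", finding)
    hashes = parse_mbr_hashes(SAMPLE_REPORT)
    print("MBR hashes by layer:", hashes)
    print("MBR layers disagree:", mbr_layers_disagree(hashes))
```

    On the posted report this prints the two UAC findings and reports that the User and LL2 layers disagree. A disagreement between read layers is worth following up on, since it is the pattern a disk-filtering bootkit would produce, but it is not proof of one on its own: the two partition tables in the report also differ in which partition carries the active flag, so a responder would confirm with a second MBR read (for example from boot media) before drawing a conclusion.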



  7. Posts : 10
    Windows 7 Home Premium, 64 bit
    Thread Starter
       #7

    The "attach" file from DDS has been attached.


  8. Posts : 10
    Windows 7 Home Premium, 64 bit
    Thread Starter
       #8

    This isn't normal, is it?
    Attached screenshot: system-idle-process.jpg


  9. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #9

    onlinealias

    Your DDS log is pretty short

    Upload both the DDS and the Attach text files.


  10. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #10

    Download Combofix from any of the links below, and save it to your desktop.<--Important
    Link 1
    Link 2
    Link 3

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Please be patient while the scan runs, at times it may appear to stall.
    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
    Post this log in your next reply
    After rebooting ensure your Security applications have been re-enabled.

    In your next reply post:
    ComboFix.txt
    ***A guide and tutorial on "How to use Combofix" can be found here:
    ComboFix: A guide and tutorial on using ComboFix

    IF CF won't run:
    During the download, rename Combofix.exe to sVchost.exe


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.