I know you probably just want logs and not waffly back stories, so I'll try and keep it as relevant and descriptive as possible.
A week ago or so my computer started suffering random reboots and hangs; a couple of days later the CPU fan speed went up to 4400rpm on bootup and stayed that high almost constantly, with some random surges to higher speeds. After checking fan connections and blowing compressed air through the heat sink to no avail, I reflashed the BIOS.
This worked and the fan speed was back to its normal 2300rpm. I used the computer normally for a while then switched it off; the next day the fan speed was back up to 4400rpm, suggesting to me, with my limited knowledge, that the BIOS had been corrupted again and I was probably dealing with a rootkit.
So I've completed your 6 steps, some of which I ran in Windows 7 and some of which I ran on MiniXP with Hiren's Boot CD. Here are the logs.
MBAM - failed to start on HBCD, ran in Win7
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7745
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
18/09/2011 22:48:58
mbam-log-2011-09-18 (22-48-58).txt
Scan type: Quick scan
Objects scanned: 177068
Time elapsed: 1 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER - Windows 7 produced an empty log and only allowed me to select Services, Registry and Files.
My original HBCD scan produced this log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2011-09-18 12:11:21
Windows 5.1.2600
Running: G-MER.exe; Driver: B:\Temp\kwtdypog.sys
---- System - GMER 1.0.15 ----
INT 0x01 \SystemRoot\system32\drivers\dummy.sys F7A977C0
INT 0x03 \SystemRoot\system32\drivers\dummy.sys F7A977E0
INT 0x1F \I386\SYSTEM32\HALAACPI.DLL 80A18FD0
INT 0x37 \I386\SYSTEM32\HALAACPI.DLL 80A18728
INT 0x3D \I386\SYSTEM32\HALAACPI.DLL 80A19B70
INT 0x41 \I386\SYSTEM32\HALAACPI.DLL 80A199CC
INT 0x50 \I386\SYSTEM32\HALAACPI.DLL 80A18800
INT 0xC1 \I386\SYSTEM32\HALAACPI.DLL 80A18984
INT 0xD1 \I386\SYSTEM32\HALAACPI.DLL 80A17D34
INT 0xE1 \I386\SYSTEM32\HALAACPI.DLL 80A18F0C
INT 0xE3 \I386\SYSTEM32\HALAACPI.DLL 80A18C70
INT 0xFD \I386\SYSTEM32\HALAACPI.DLL 80A19464
INT 0xFE \I386\SYSTEM32\HALAACPI.DLL 80A19604
---- Kernel code sections - GMER 1.0.15 ----
? \I386\SYSTEM32\NTKRNLMP.EXE kernel module suspicious modification
? \I386\SYSTEM32\NTKRNLMP.EXE The system cannot find the file specified. !
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs dc_fsf.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume1 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume2 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume3 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume4 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume5 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\ACPI_HAL \Device\00000008 HALAACPI.DLL
AttachedDevice \FileSystem\Fastfat \Fat dc_fsf.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Threads - GMER 1.0.15 ----
Thread System [4:148] BB6C5096
---- EOF - GMER 1.0.15 ----
I then realised the selected drive was the X drive, which was the MiniXP RAM drive.
So I selected what HBCD was calling my J drive, which is normally my C drive. This took a very long time to scan, so I went to bed, and when I came back to it the scan was complete but the computer was hung. I tried again; this time when I clicked save I got a blue screen stop error message:
"STOP: 0x0000008E (0x000009A, 0x808425BB, 0xBBB86E4, 0x00000000)"
So I started a scan and stopped it early just to give you a view of the log, which, despite being for a different drive, actually looks like the original X drive log at the beginning:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2011-09-19 11:25:58
Windows 5.1.2600
Running: G-MER.exe; Driver: B:\Temp\kwtdypog.sys
---- System - GMER 1.0.15 ----
INT 0x01 \SystemRoot\system32\drivers\dummy.sys F7A5C7C0
INT 0x03 \SystemRoot\system32\drivers\dummy.sys F7A5C7E0
INT 0x1F \I386\SYSTEM32\HALAACPI.DLL 80A18FD0
INT 0x37 \I386\SYSTEM32\HALAACPI.DLL 80A18728
INT 0x3D \I386\SYSTEM32\HALAACPI.DLL 80A19B70
INT 0x41 \I386\SYSTEM32\HALAACPI.DLL 80A199CC
INT 0x50 \I386\SYSTEM32\HALAACPI.DLL 80A18800
INT 0xC1 \I386\SYSTEM32\HALAACPI.DLL 80A18984
INT 0xD1 \I386\SYSTEM32\HALAACPI.DLL 80A17D34
INT 0xE1 \I386\SYSTEM32\HALAACPI.DLL 80A18F0C
INT 0xE3 \I386\SYSTEM32\HALAACPI.DLL 80A18C70
INT 0xFD \I386\SYSTEM32\HALAACPI.DLL 80A19464
INT 0xFE \I386\SYSTEM32\HALAACPI.DLL 80A19604
---- Kernel code sections - GMER 1.0.15 ----
? \I386\SYSTEM32\NTKRNLMP.EXE kernel module suspicious modification
? \I386\SYSTEM32\NTKRNLMP.EXE The system cannot find the file specified. !
---- Threads - GMER 1.0.15 ----
Thread System [4:148] BB6C5096
---- EOF - GMER 1.0.15 ----
DDS
DDS: Win7 version. HBCD gave a much shorter log.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Tom at 11:47:22 on 2011-09-19
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.4095.2879 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mWinlogon: Userinit=userinit.exe,
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Google Update] "C:\Users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\Users\Tom\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B24440CD-6E5D-4152-8AB4-7F179985B39D} : DhcpNameServer = 192.168.0.1
BHO-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
BHO-X64: Conduit Engine - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO-X64: uTorrentBar - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
Hosts: 78.47.251.150 easyanticheat.com # misleading site
Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
Hosts: 78.47.251.150 easyanticheat.org # misleading site
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-9-8 42184]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
S3 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-12-12 12:18:06 25640 ----a-w- C:\Windows\gdrv.sys
2011-09-16 20:21:36 -------- d-----w- C:\Users\Tom\rootkit
2011-09-11 23:40:49 -------- d-----w- C:\Program Files (x86)\SpeedFan
2011-09-08 14:49:58 -------- d-----w- C:\Users\Tom\AppData\Roaming\mIRC
2011-09-08 14:49:58 -------- d-----w- C:\Program Files (x86)\mIRC
2011-09-08 14:35:20 -------- d-----w- C:\Program Files\Ventrilo
2011-09-08 14:34:36 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2011-09-08 10:10:26 600920 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-09-08 10:10:23 64856 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-09-08 10:08:56 40112 ----a-w- C:\Windows\avastSS.scr
2011-09-08 10:08:50 -------- d-----w- C:\ProgramData\AVAST Software
2011-09-08 10:08:50 -------- d-----w- C:\Program Files\AVAST Software
2011-09-08 09:56:42 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B813A7FF-8CF1-401F-B620-F5D864BF2BA9}\mpengine.dll
2011-09-08 09:54:27 -------- d-----w- C:\Users\Tom\AppData\Roaming\Malwarebytes
2011-09-08 09:54:23 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-08 09:54:20 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-09-08 09:54:20 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-03 12:37:05 -------- d-----w- C:\Users\Tom\AppData\Local\dxhr
2011-09-03 12:36:23 -------- d-----w- C:\Users\Tom\AppData\Local\28050
2011-08-25 16:30:39 -------- d-----w- C:\Users\Tom\AppData\Local\ElevatedDiagnostics
2011-08-25 12:52:44 -------- d-----w- C:\Users\Tom\AppData\Local\Gas Powered Games
2011-08-25 12:23:49 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
2011-08-24 11:17:52 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-24 11:17:52 2048 ----a-w- C:\Windows\System32\tzres.dll
.
==================== Find3M ====================
.
2011-12-12 23:24:13 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-12-12 23:24:13 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-12-12 23:23:48 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-12-12 23:08:20 6656 ----a-w- C:\Windows\System32\lpcio.dll
2011-07-29 10:50:05 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-07-22 05:35:08 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 04:56:17 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:26:54 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:26:53 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:26:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:26:18 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-07-16 05:24:09 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:21:32 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 05:17:46 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-07-16 04:36:09 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:32:14 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:31:50 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:30:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:30:27 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:26:12 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:26:11 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-14 10:06:56 9359872 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-07-14 10:06:44 4017152 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-07-14 10:06:10 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-07-14 10:06:10 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-07-14 10:06:09 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-07-14 10:06:05 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-07-14 10:06:03 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-07-14 10:06:00 485376 ----a-w- C:\Windows\System32\atieclxx.exe
2011-07-14 10:05:55 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-07-14 10:05:55 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-07-14 10:05:55 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-07-14 10:05:53 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-07-14 10:05:52 23336960 ----a-w- C:\Windows\System32\atio6axx.dll
2011-07-14 10:05:26 5008384 ----a-w- C:\Windows\System32\atidxx64.dll
2011-07-14 10:05:20 309760 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-07-14 10:04:54 6847488 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-07-14 10:04:09 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-07-14 10:03:23 5486592 ----a-w- C:\Windows\System32\atiumd64.dll
2011-07-14 10:03:08 262144 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-07-14 10:02:45 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-07-14 10:02:45 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-07-14 10:02:39 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-07-14 10:02:24 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-07-14 10:02:22 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-07-14 10:02:18 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-07-14 10:02:04 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-07-14 10:01:27 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-07-14 10:00:48 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-07-14 10:00:35 8489472 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-07-14 10:00:31 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-07-14 10:00:24 688128 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-07-14 10:00:17 151552 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-07-14 10:00:16 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-07-14 10:00:16 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-07-14 09:59:55 17940992 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-07-14 09:59:45 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-07-14 09:59:42 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-07-14 09:59:29 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-07-14 09:59:21 4219904 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-07-14 09:58:45 4330496 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-07-14 09:58:45 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-07-14 09:58:44 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-07-14 09:58:09 811008 ----a-w- C:\Windows\System32\aticfx64.dll
2011-07-14 09:58:01 3810816 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-07-14 09:57:40 366592 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-07-14 09:57:40 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2011-07-14 09:57:39 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-07-11 11:02:27 0 ----a-w- C:\Windows\SysWow64\ConduitEngine.tmp
2011-07-09 02:44:55 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-23 10:43:29 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-06-23 05:29:39 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:38:05 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:38:04 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-06-22 22:19:05 2250024 ----a-w- C:\Windows\SysWow64\pbsvc.exe
2011-06-22 21:34:44 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-06-22 18:52:33 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
.
============= FINISH: 11:47:46.92 ===============
Attach: Win7 version
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 14/06/2011 23:54:33
System Uptime: 19/09/2011 11:39:39 (0 hours ago)
.
Motherboard: Acer | | EG43M
Processor: Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz | CPU 1 | 2499/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 342 GiB total, 76.919 GiB free.
D: is FIXED (NTFS) - 343 GiB total, 279.18 GiB free.
E: is CDROM (CDFS)
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is CDROM (UDF)
L: is CDROM (CDFS)
M: is FIXED (NTFS) - 932 GiB total, 587.81 GiB free.
N: is CDROM (UDF)
O: is FIXED (NTFS) - 0 GiB total, 0.069 GiB free.
P: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&242CC0DB&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&242CC0DB&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP38: 12/08/2011 15:03:10 - Windows Update
RP39: 12/08/2011 21:13:38 - Windows Update
RP40: 15/08/2011 19:34:09 - Installed DirectX
RP41: 23/08/2011 15:09:45 - Scheduled Checkpoint
RP42: 25/08/2011 01:31:23 - Windows Update
RP43: 03/09/2011 13:10:30 - Installed DirectX
RP44: 03/09/2011 13:15:29 - Installed DirectX
RP45: 08/09/2011 11:08:32 - avast! Free Antivirus Setup
RP46: 08/09/2011 15:35:03 - Installed Ventrilo Client for Windows x64
.
==== Hosts File Hijack ======================
.
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
Hosts: 78.47.251.150 easyanticheat.com # misleading site
Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
Hosts: 78.47.251.150 easyanticheat.org # misleading site
Hosts: 78.47.251.150 www.easyanticheat.org # misleading site
.
==== Installed Programs ======================
.
µTorrent
Adobe AIR
Adobe Flash Player ActiveX
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
And Yet It Moves 1.2.0
avast! Free Antivirus
Battlefield: Bad Company™ 2
Call of Duty 4: Modern Warfare
Call of Duty: Modern Warfare 2 - Multiplayer
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
CCC Help English
Conduit Engine
Counter-Strike: Source
Crayon Physics Deluxe version 55
Deus Ex: Human Revolution
Dropbox
Far Cry 2
Garry's Mod
GIMP 2.6.11
Google Chrome
Half-Life
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Java Auto Updater
Java(TM) 6 Update 26
Just Cause 2
Left 4 Dead
Left 4 Dead 2
MagicDisc 2.7.106
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Security Scan Plus
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
mIRC
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Portal
Portal 2
PunkBuster Services
Realtek High Definition Audio Driver
SpeedFan (remove only)
Steam
Supreme Commander 2
System Requirements Lab CYRI
Team Fortress 2
The Sims™ 3
The Sims™ 3 Fast Lane Stuff
The Sims™ 3 Late Night
TrackMania United 0.2.0.1
uTorrentBar Toolbar
VVVVVV version 2.0
Winamp
Winamp Detector Plug-in
.
==== Event Viewer Messages From Past Week ========
.
12/12/2011 00:10:27, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147014847
12/09/2011 00:28:04, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (0x0000000000000007, 0x0000000000001097, 0x00000000c0220f44, 0xfffff80002e8c8ed). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 091211-20124-01.
11/12/2011 17:34:13, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by -7775935 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->64.4.31.162:123) is working properly.
.
==== End Of File ===========================
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mWinlogon: Userinit=userinit.exe,
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Google Update] "C:\Users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\Users\Tom\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B24440CD-6E5D-4152-8AB4-7F179985B39D} : DhcpNameServer = 192.168.0.1
BHO-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
BHO-X64: Conduit Engine - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO-X64: uTorrentBar - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
Hosts: 78.47.251.150 easyanticheat.com # misleading site
Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
Hosts: 78.47.251.150 easyanticheat.org # misleading site
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-9-8 42184]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
S3 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-12-12 12:18:06 25640 ----a-w- C:\Windows\gdrv.sys
2011-09-16 20:21:36 -------- d-----w- C:\Users\Tom\rootkit
2011-09-11 23:40:49 -------- d-----w- C:\Program Files (x86)\SpeedFan
2011-09-08 14:49:58 -------- d-----w- C:\Users\Tom\AppData\Roaming\mIRC
2011-09-08 14:49:58 -------- d-----w- C:\Program Files (x86)\mIRC
2011-09-08 14:35:20 -------- d-----w- C:\Program Files\Ventrilo
2011-09-08 14:34:36 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2011-09-08 10:10:26 600920 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-09-08 10:10:23 64856 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-09-08 10:08:56 40112 ----a-w- C:\Windows\avastSS.scr
2011-09-08 10:08:50 -------- d-----w- C:\ProgramData\AVAST Software
2011-09-08 10:08:50 -------- d-----w- C:\Program Files\AVAST Software
2011-09-08 09:56:42 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B813A7FF-8CF1-401F-B620-F5D864BF2BA9}\mpengine.dll
2011-09-08 09:54:27 -------- d-----w- C:\Users\Tom\AppData\Roaming\Malwarebytes
2011-09-08 09:54:23 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-08 09:54:20 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-09-08 09:54:20 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-03 12:37:05 -------- d-----w- C:\Users\Tom\AppData\Local\dxhr
2011-09-03 12:36:23 -------- d-----w- C:\Users\Tom\AppData\Local\28050
2011-08-25 16:30:39 -------- d-----w- C:\Users\Tom\AppData\Local\ElevatedDiagnostics
2011-08-25 12:52:44 -------- d-----w- C:\Users\Tom\AppData\Local\Gas Powered Games
2011-08-25 12:23:49 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
2011-08-24 11:17:52 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-24 11:17:52 2048 ----a-w- C:\Windows\System32\tzres.dll
.
==================== Find3M ====================
.
2011-12-12 23:24:13 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-12-12 23:24:13 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-12-12 23:23:48 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-12-12 23:08:20 6656 ----a-w- C:\Windows\System32\lpcio.dll
2011-07-29 10:50:05 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-07-22 05:35:08 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 04:56:17 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:26:54 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:26:53 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:26:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:26:18 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-07-16 05:24:09 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:21:32 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 05:17:46 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-07-16 04:36:09 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:32:14 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:31:50 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:30:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:30:27 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:26:12 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:26:11 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-14 10:06:56 9359872 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-07-14 10:06:44 4017152 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-07-14 10:06:10 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-07-14 10:06:10 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-07-14 10:06:09 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-07-14 10:06:05 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-07-14 10:06:03 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-07-14 10:06:00 485376 ----a-w- C:\Windows\System32\atieclxx.exe
2011-07-14 10:05:55 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-07-14 10:05:55 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-07-14 10:05:55 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-07-14 10:05:53 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-07-14 10:05:52 23336960 ----a-w- C:\Windows\System32\atio6axx.dll
2011-07-14 10:05:26 5008384 ----a-w- C:\Windows\System32\atidxx64.dll
2011-07-14 10:05:20 309760 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-07-14 10:04:54 6847488 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-07-14 10:04:09 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-07-14 10:03:23 5486592 ----a-w- C:\Windows\System32\atiumd64.dll
2011-07-14 10:03:08 262144 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-07-14 10:02:45 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-07-14 10:02:45 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-07-14 10:02:39 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-07-14 10:02:24 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-07-14 10:02:22 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-07-14 10:02:18 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-07-14 10:02:04 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-07-14 10:01:27 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-07-14 10:00:48 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-07-14 10:00:35 8489472 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-07-14 10:00:31 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-07-14 10:00:24 688128 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-07-14 10:00:17 151552 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-07-14 10:00:16 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-07-14 10:00:16 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-07-14 09:59:55 17940992 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-07-14 09:59:45 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-07-14 09:59:42 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-07-14 09:59:29 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-07-14 09:59:21 4219904 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-07-14 09:58:45 4330496 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-07-14 09:58:45 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-07-14 09:58:44 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-07-14 09:58:09 811008 ----a-w- C:\Windows\System32\aticfx64.dll
2011-07-14 09:58:01 3810816 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-07-14 09:57:40 366592 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-07-14 09:57:40 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2011-07-14 09:57:39 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-07-11 11:02:27 0 ----a-w- C:\Windows\SysWow64\ConduitEngine.tmp
2011-07-09 02:44:55 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-23 10:43:29 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-06-23 05:29:39 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:38:05 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:38:04 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-06-22 22:19:05 2250024 ----a-w- C:\Windows\SysWow64\pbsvc.exe
2011-06-22 21:34:44 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-06-22 18:52:33 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
.
============= FINISH: 11:47:46.92 ===============
Attach: Win7 version
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 14/06/2011 23:54:33
System Uptime: 19/09/2011 11:39:39 (0 hours ago)
.
Motherboard: Acer | | EG43M
Processor: Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz | CPU 1 | 2499/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 342 GiB total, 76.919 GiB free.
D: is FIXED (NTFS) - 343 GiB total, 279.18 GiB free.
E: is CDROM (CDFS)
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is CDROM (UDF)
L: is CDROM (CDFS)
M: is FIXED (NTFS) - 932 GiB total, 587.81 GiB free.
N: is CDROM (UDF)
O: is FIXED (NTFS) - 0 GiB total, 0.069 GiB free.
P: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&242CC0DB&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&242CC0DB&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP38: 12/08/2011 15:03:10 - Windows Update
RP39: 12/08/2011 21:13:38 - Windows Update
RP40: 15/08/2011 19:34:09 - Installed DirectX
RP41: 23/08/2011 15:09:45 - Scheduled Checkpoint
RP42: 25/08/2011 01:31:23 - Windows Update
RP43: 03/09/2011 13:10:30 - Installed DirectX
RP44: 03/09/2011 13:15:29 - Installed DirectX
RP45: 08/09/2011 11:08:32 - avast! Free Antivirus Setup
RP46: 08/09/2011 15:35:03 - Installed Ventrilo Client for Windows x64
.
==== Hosts File Hijack ======================
.
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
Hosts: 78.47.251.150 easyanticheat.com # misleading site
Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
Hosts: 78.47.251.150 easyanticheat.org # misleading site
Hosts: 78.47.251.150 www.easyanticheat.org # misleading site
.
==== Installed Programs ======================
.
µTorrent
Adobe AIR
Adobe Flash Player ActiveX
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
And Yet It Moves 1.2.0
avast! Free Antivirus
Battlefield: Bad Company™ 2
Call of Duty 4: Modern Warfare
Call of Duty: Modern Warfare 2 - Multiplayer
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
CCC Help English
Conduit Engine
Counter-Strike: Source
Crayon Physics Deluxe version 55
Deus Ex: Human Revolution
Dropbox
Far Cry 2
Garry's Mod
GIMP 2.6.11
Google Chrome
Half-Life
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Java Auto Updater
Java(TM) 6 Update 26
Just Cause 2
Left 4 Dead
Left 4 Dead 2
MagicDisc 2.7.106
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Security Scan Plus
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
mIRC
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Portal
Portal 2
PunkBuster Services
Realtek High Definition Audio Driver
SpeedFan (remove only)
Steam
Supreme Commander 2
System Requirements Lab CYRI
Team Fortress 2
The Sims™ 3
The Sims™ 3 Fast Lane Stuff
The Sims™ 3 Late Night
TrackMania United 0.2.0.1
uTorrentBar Toolbar
VVVVVV version 2.0
Winamp
Winamp Detector Plug-in
.
==== Event Viewer Messages From Past Week ========
.
12/12/2011 00:10:27, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147014847
12/09/2011 00:28:04, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (0x0000000000000007, 0x0000000000001097, 0x00000000c0220f44, 0xfffff80002e8c8ed). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 091211-20124-01.
11/12/2011 17:34:13, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by -7775935 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->64.4.31.162:123) is working properly.
.
==== End Of File ===========================
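Editor's note with an added example (not code from the original post or from the DDS tool). Three things in the DDS output above are worth pulling out mechanically before anyone reads the rest: the HOSTS entries that send the easyanticheat names to 78.47.251.150, the mPolicies-system values showing UAC switched off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), and the Time-Service event saying the clock needs a -7775935 second correction, which is about 90 days and explains why a log run on 2011-09-19 lists files and events dated December 2011. The script below parses sample lines constructed from that log, flags the first two, and applies the logged offset only to timestamps that fall after the log's own run time (a file cannot be created in the future, so skew is the likeliest reading). Function names and the assumption that the offset was already in effect when those files were written are the editor's, not the log's.

```python
"""Triage helpers for DDS-style log lines (added example, not part of the post)."""
import re
from datetime import datetime, timedelta

# Constructed sample, copied from lines that appear in the DDS log in this thread.
SAMPLE_LOG = """\
Run by Tom at 11:47:22 on 2011-09-19
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
2011-12-12 12:18:06 25640 ----a-w- C:\\Windows\\gdrv.sys
2011-09-16 20:21:36 -------- d-----w- C:\\Users\\Tom\\rootkit
11/12/2011 17:34:13, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by -7775935 seconds.
"""

RUN_RE = re.compile(r"^Run by \S+ at (\d{2}:\d{2}:\d{2}) on (\d{4}-\d{2}-\d{2})")
HOSTS_RE = re.compile(r"^Hosts:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s+=\s+(\d+)")
SKEW_RE = re.compile(r"needs to be changed by (-?\d+) seconds")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+(.+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Policies\System values DDS reports as mPolicies-system; 0 turns each protection off.
WEAK_UAC = {
    "EnableLUA": 0,                   # UAC disabled entirely
    "ConsentPromptBehaviorAdmin": 0,  # admins elevate silently, no prompt
    "PromptOnSecureDesktop": 0,       # any prompt shown on the normal desktop
}


def run_time(lines):
    """Datetime the log was generated, from the 'Run by ... at ... on ...' line."""
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            return datetime.strptime(f"{m.group(2)} {m.group(1)}", TS_FMT)
    return None


def redirected_hosts(lines):
    """(ip, name) for every HOSTS entry that does not point at loopback."""
    return [
        (m.group(1), m.group(2))
        for m in map(HOSTS_RE.match, lines)
        if m and not m.group(1).startswith("127.")
    ]


def weak_uac_settings(lines):
    """Names of UAC policy values whose logged value matches the weak value above."""
    found = []
    for line in lines:
        m = POLICY_RE.match(line)
        if m and WEAK_UAC.get(m.group(1)) == int(m.group(2)):
            found.append(m.group(1))
    return found


def clock_skew_seconds(lines):
    """Correction W32Time says the clock needs (negative: clock is ahead); None if absent."""
    for line in lines:
        m = SKEW_RE.search(line)
        if m:
            return int(m.group(1))
    return None


def corrected_future_timestamps(lines, skew, generated_at):
    """Map path -> corrected timestamp for 'Created' entries dated after the log run.

    Assumption (not proven by the log): the offset W32Time reported was
    already in effect when these files were written.
    """
    fixed = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        if ts > generated_at:
            fixed[m.group(2)] = (ts + timedelta(seconds=skew)).strftime(TS_FMT)
    return fixed


def triage(text):
    """Run all checks over one DDS log body and return the findings as a dict."""
    lines = text.splitlines()
    skew = clock_skew_seconds(lines)
    generated_at = run_time(lines)
    corrected = {}
    if skew is not None and generated_at is not None:
        corrected = corrected_future_timestamps(lines, skew, generated_at)
    return {
        "hosts": redirected_hosts(lines),
        "weak_uac": weak_uac_settings(lines),
        "skew_seconds": skew,
        "corrected": corrected,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the December entry for C:\Windows\gdrv.sys comes back as 13 September 2011, which sits inside the week the poster describes; the 16 September rootkit directory is left alone because it predates the log run and no claim can be made about the clock at that moment. The same approach works on the Event Viewer block if its dd/mm/yyyy stamps are parsed with a second pattern.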