Posts posted by sf2010

    Hello-

    Due to some suspicious activity on my notebook, I decided to clean install my OS again, but I had to do it on one of my existing HDDs.

    I would like to ensure that my clean install does not include any infections / backdoor trojans / MBR rootkits before I begin restoring data.

    Here is my DDS output:

    .

    DDS (Ver_2011-08-26.01) - NTFSAMD64

    Internet Explorer: 8.0.7601.17514

    Run by kevin at 12:27:10 on 2012-06-18

    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16334.13925 [GMT -4:00]

    .

    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

    .

    ============== Running Processes ===============

    .

    C:\Windows\system32\wininit.exe

    C:\Windows\system32\lsm.exe

    C:\Windows\system32\svchost.exe -k DcomLaunch

    C:\Windows\system32\svchost.exe -k RPCSS

    C:\Windows\system32\atiesrxx.exe

    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

    C:\Windows\system32\svchost.exe -k netsvcs

    C:\Program Files\IDT\WDM\STacSV64.exe

    C:\Windows\system32\svchost.exe -k LocalService

    C:\Windows\system32\Hpservice.exe

    C:\Windows\system32\vcsFPService.exe

    C:\Windows\system32\svchost.exe -k NetworkService

    C:\Windows\System32\spoolsv.exe

    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

    C:\Program Files\IDT\WDM\AESTSr64.exe

    C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

    C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe

    C:\Windows\system32\wbem\unsecapp.exe

    C:\Windows\system32\wbem\wmiprvse.exe

    C:\Windows\system32\svchost.exe -k bthsvcs

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

    C:\Windows\system32\LogonUI.exe

    C:\Windows\system32\atieclxx.exe

    C:\Windows\system32\taskhost.exe

    C:\Windows\system32\Dwm.exe

    C:\Windows\Explorer.EXE

    C:\Program Files\IDT\WDM\sttray64.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe

    C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

    C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

    C:\Windows\system32\SearchIndexer.exe

    C:\Program Files (x86)\Internet Explorer\iexplore.exe

    C:\Program Files (x86)\Internet Explorer\iexplore.exe

    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

    C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

    C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

    C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

    c:\Program Files\Microsoft Security Client\MsMpEng.exe

    C:\Program Files\Microsoft Security Client\msseces.exe

    C:\Windows\system32\wuauclt.exe

    C:\Program Files (x86)\Internet Explorer\iexplore.exe

    C:\Windows\system32\WUDFHost.exe

    C:\Program Files (x86)\Mozilla Firefox\firefox.exe

    C:\Windows\system32\notepad.exe

    C:\Windows\system32\SearchProtocolHost.exe

    C:\Windows\system32\SearchFilterHost.exe

    C:\Windows\system32\DllHost.exe

    C:\Windows\system32\DllHost.exe

    C:\Windows\SysWOW64\cmd.exe

    C:\Windows\system32\conhost.exe

    C:\Windows\SysWOW64\cscript.exe

    C:\Windows\system32\wbem\wmiprvse.exe

    .

    ============== Pseudo HJT Report ===============

    .

    mWinlogon: Userinit=userinit.exe

    mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

    mRun: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start

    mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

    mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

    mPolicies-explorer: NoActiveDesktop = 1 (0x1)

    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

    TCP: DhcpNameServer = 192.168.1.1

    TCP: Interfaces\{775BDB5F-CDAB-49B6-BFB0-9DBFB4229DA4} : DhcpNameServer = 192.168.1.1

    mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

    mRun-x64: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start

    mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

    mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

    .

    ================= FIREFOX ===================

    .

    FF - ProfilePath - C:\Users\kevin\AppData\Roaming\Mozilla\Firefox\Profiles\gisszhss.default\

    FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll

    .

    ============= SERVICES / DRIVERS ===============

    .

    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-4-24 89600]

    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

    R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-2-28 92216]

    R2 hpHotkeyMonitor;hpHotkeyMonitor;C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2011-3-21 293944]

    R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]

    R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-4-24 13336]

    R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-4-24 2656280]

    R2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2011-3-24 2762032]

    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]

    R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]

    R3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]

    R3 johci;JMicron 1394 Filter Driver;C:\Windows\system32\DRIVERS\johci.sys --> C:\Windows\system32\DRIVERS\johci.sys [?]

    R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

    R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]

    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]

    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]

    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-18 113120]

    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]

    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]

    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

    .

    =============== Created Last 30 ================

    .

    2012-06-18 16:24:04 -------- d-----w- C:\Users\kevin\AppData\Local\Mozilla

    2012-06-18 16:16:49 -------- d-----w- C:\jon

    2012-06-18 15:55:31 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C463B7E3-14AC-4F53-A25A-0D385DECA326}\offreg.dll

    2012-06-18 15:15:15 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{386E66E0-BBE0-4DA4-A1CF-8724AB704B34}\gapaengine.dll

    2012-06-18 15:15:12 8955792 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C463B7E3-14AC-4F53-A25A-0D385DECA326}\mpengine.dll

    2012-06-18 15:15:01 279656 ------w- C:\Windows\System32\MpSigStub.exe

    2012-06-18 15:14:06 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client

    2012-06-18 15:14:00 -------- d-----w- C:\Program Files\Microsoft Security Client

    2012-06-18 14:57:54 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0B390EA3-BB9F-4F48-953A-6593646A8474}\mpengine.dll

    2012-06-18 14:51:17 81408 ----a-w- C:\Windows\System32\imagehlp.dll

    2012-06-18 14:51:17 5120 ----a-w- C:\Windows\SysWow64\wmi.dll

    2012-06-18 14:51:17 5120 ----a-w- C:\Windows\System32\wmi.dll

    2012-06-18 14:51:17 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys

    2012-06-18 14:51:17 220672 ----a-w- C:\Windows\System32\wintrust.dll

    2012-06-18 14:51:17 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

    2012-06-18 14:51:17 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll

    2012-06-18 14:49:56 142336 ----a-w- C:\Windows\System32\poqexec.exe

    2012-06-18 14:47:57 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

    2012-06-18 14:44:06 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll

    2012-06-18 14:44:06 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

    2012-06-18 14:44:06 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

    2012-06-18 14:43:03 -------- d-----w- C:\Windows\SysWow64\Wat

    2012-06-18 14:43:02 -------- d-----w- C:\Windows\System32\Wat

    .

    ==================== Find3M ====================

    .

    2012-05-15 04:01:31 1188864 ----a-w- C:\Windows\System32\wininet.dll

    2012-05-15 03:03:54 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

    2012-05-15 01:32:33 3146752 ----a-w- C:\Windows\System32\win32k.sys

    2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

    2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

    2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

    2012-04-28 05:32:05 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll

    2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

    2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

    2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

    2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

    2012-04-24 17:57:54 0 ----a-w- C:\Windows\ativpsrm.bin

    2012-04-24 17:41:02 1045776 ----a-w- C:\Windows\SysWow64\MSJET35.DLL

    2012-04-24 17:41:01 368912 ----a-w- C:\Windows\SysWow64\VBAR332.DLL

    2012-04-24 17:41:01 252176 ----a-w- C:\Windows\SysWow64\MSRD2X35.DLL

    2012-04-24 17:41:01 24848 ----a-w- C:\Windows\SysWow64\MSJTER35.DLL

    2012-04-24 17:41:01 123664 ----a-w- C:\Windows\SysWow64\MSJINT35.DLL

    2012-04-24 17:10:45 175616 ----a-w- C:\Windows\System32\msclmd.dll

    2012-04-24 17:10:45 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

    2012-04-20 03:45:41 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

    2012-04-20 03:16:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

    2012-03-30 11:35:47 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys

    2012-03-21 00:44:12 98688 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys

    2012-03-21 00:44:12 203888 ----a-w- C:\Windows\System32\drivers\MpFilter.sys

    .

    ============= FINISH: 12:27:26.61 ===============

    Thank you.

    Also, is there a correct forum to post a question about GMER results?

    I ran the app and I am unsure about the result:

    http://imageshack.us/photo/my-images/163/gmerresult.png/
