
Roykirk
Members, 15 posts

Everything posted by Roykirk

  1. Uninstalls of all the tools and logs are complete. IE was already set that way and he uses Firefox for the most part. Ran TFC. Installed the WOT addon in Firefox. Backups were already occurring to my NAS. I plan to add online backup as well for offsite backups. I'll look into ERUNT, but as it appears to need to run manually in Win7 x64, I'll probably not put it on his machine, but may well use it on mine. As for PC safety and security, I'll pass the articles on to him. I already practice safe browsing and such myself and have yet to get a malware infection on any of my own PCs in the last decade or more. Feel free to close the thread. Thanks again for your assistance.
  2. Everything looks very good now. No performance problems that I can see, no redirects on Google search results, internet apps are working well as are normal apps. Thank you so much for your help. This was critical for a project my son was working on. Hope you received the donation already.
  3. Thanks. I was thinking that the Java was the only concern as well. All the others are legit based on what I know we've installed before. I've updated Java, cleared the cache, updated Adobe Reader and took a Flash update that was offered as well. After installing the software that I wanted to install when I discovered all these issues (Roxio Creator), I'll check the system out more thoroughly. Right now I don't appear to be getting the redirects I was getting before, so that's looking good.
  4. Results of ESETSCAN:
     C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe  a variant of Win32/HiddenStart.A application
     C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe  a variant of Win32/HiddenStart.A application
     C:\Users\Iain\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\60942c0-5de76673  a variant of Java/Exploit.CVE-2012-5076.Q trojan
     C:\Users\Iain\Downloads\PDFCreator-1_6_1_setup.exe  Win32/OpenCandy application
     C:\Users\Iain\Downloads\pdfcreator-setup.exe  Win32/DownloadAdmin.F application
  5. MBAM scan resulted in no malware found:
     Malwarebytes Anti-Malware 1.70.0.1100
     www.malwarebytes.org
     Database version: v2013.01.01.03
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Iain :: IAININSPIRON15R [administrator]
     1/1/2013 11:07:22 AM
     mbam-log-2013-01-01 (11-07-22).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 212588
     Time elapsed: 1 minute(s), 49 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 0 (No malicious items detected)
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 0 (No malicious items detected)
     (end)
     Going to the ESET site now to run that scan.
  6. AdwCleaner results:
     # AdwCleaner v2.104 - Logfile created 01/01/2013 at 11:01:31
     # Updated 29/12/2012 by Xplode
     # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
     # User : Iain - IAININSPIRON15R
     # Boot Mode : Normal
     # Running from : C:\Users\Iain\Desktop\AdwCleaner.exe
     # Option [Delete]
     ***** [Services] *****
     ***** [Files / Folders] *****
     ***** [Registry] *****
     Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
     ***** [Internet Browsers] *****
     -\\ Internet Explorer v9.0.8112.16457
     [OK] Registry is clean.
     -\\ Mozilla Firefox v17.0.1 (en-US)
     File : C:\Users\Iain\AppData\Roaming\Mozilla\Firefox\Profiles\tqk8kjzm.default\prefs.js
     [OK] File is clean.
     -\\ Google Chrome v23.0.1271.97
     File : C:\Users\Iain\AppData\Local\Google\Chrome\User Data\Default\Preferences
     [OK] File is clean.
     *************************
     AdwCleaner[S1].txt - [911 octets] - [01/01/2013 11:01:31]
     ########## EOF - C:\AdwCleaner[S1].txt - [970 octets] ##########
     Running MalwareBytes Quick Scan now.
  7. JRT.txt results:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Thisisu
     Version: 4.3.2 (12.29.2012:3)
     OS: Windows 7 Home Premium x64
     Ran by Iain on Tue 01/01/2013 at 10:50:06.07
     Blog: http://thisisudax.blogspot.com
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     ~~~ Services
     ~~~ Registry Values
     ~~~ Registry Keys
     ~~~ Files
     ~~~ Folders
     Successfully deleted: [Folder] "C:\Users\Iain\AppData\Roaming\pdfforge"
     ~~~ FireFox
     Successfully deleted: [File] C:\Users\Iain\AppData\Roaming\mozilla\firefox\profiles\tqk8kjzm.default\extensions\nwvnykuvfj@nwvnykuvfj.org.xpi [Tracur]
     ~~~ Event Viewer Logs were cleared
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Tue 01/01/2013 at 10:55:19.70
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Running AdwCleaner now.
  8. Is it safe to uninstall ComboFix and re-enable MSE? Also, I don't have the option to get immediate notification to replies on this topic. I haven't received a single email on it even though I'm following it. Is this option not available because I'm a new user? Thanks.
  9. ComboFix Log File:
     ComboFix 13-01-01.02 - Iain 01/01/2013 9:12.1.4 - x64
     Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6046.3748 [GMT -8:00]
     Running from: c:\users\Iain\Desktop\ComboFix.exe
     AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
     SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
     SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     c:\programdata\Roaming
     c:\users\Iain\AppData\Local\Microsoft\Windows\Temporary Internet Files\{123B91EB-AA46-4F01-AED0-45B0AFA71E2C}.xps
     c:\users\Iain\AppData\Local\Microsoft\Windows\Temporary Internet Files\{152260FD-F5B1-4053-9398-28DE499BC5E0}.xps
     c:\users\Iain\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6D1C9A87-E5E1-4511-9D2D-9BF3C7235653}.xps
     c:\users\Iain\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F1D5DEE6-39E2-4075-9A68-B7CFC6CEFD1B}.xps
     c:\users\Iain\PremiereElements_10_Content_ALL_LS15.exe
     c:\users\Iain\PremiereElements_9_Content_ALL_LS15.exe
     c:\windows\RPSETUP.EXE.LOG
     - - - - ORPHANS REMOVED - - - -
     Toolbar-Locked - (no file)
     Toolbar-Locked - (no file)
     HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
     Completion time: 2013-01-01 09:32:48
     ComboFix-quarantined-files.txt 2013-01-01 17:32
     Pre-Run: 586,376,806,400 bytes free
     Post-Run: 593,976,578,048 bytes free
     - - End Of File - - 70310E864F85EC9D961AC624D13D9161
  10. Even though the rootkit is supposedly cleaned, and I also ran the fixdamage tool, the web browsers are still being redirected to adware parking sites rather than where they should be going. Seems like there's still some kind of nasty proxy hidden somewhere that has not been found yet.
  11. --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.01.0.1011 © Malwarebytes Corporation 2011-2012 OS version: 6.1.7601 Windows 7 Service Pack 1 x64 Account is Administrative Internet Explorer version: 9.0.8112.16421 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 2.494000 GHz Memory total: 6340063232, free: 3581767680 ------------ Kernel report ------------ 01/01/2013 08:27:23 ------------ Loaded modules ----------- \SystemRoot\system32\ntoskrnl.exe \SystemRoot\system32\hal.dll \SystemRoot\system32\kdcom.dll \SystemRoot\system32\mcupdate_GenuineIntel.dll \SystemRoot\system32\PSHED.dll \SystemRoot\system32\CLFS.SYS \SystemRoot\system32\CI.dll \SystemRoot\system32\drivers\Wdf01000.sys \SystemRoot\system32\drivers\WDFLDR.SYS \SystemRoot\system32\drivers\ACPI.sys \SystemRoot\system32\drivers\WMILIB.SYS \SystemRoot\system32\drivers\msisadrv.sys \SystemRoot\system32\drivers\pci.sys \SystemRoot\system32\drivers\vdrvroot.sys \SystemRoot\system32\drivers\iusb3hcs.sys \SystemRoot\System32\drivers\partmgr.sys \SystemRoot\system32\DRIVERS\compbatt.sys \SystemRoot\system32\DRIVERS\BATTC.SYS \SystemRoot\system32\drivers\volmgr.sys \SystemRoot\System32\drivers\volmgrx.sys \SystemRoot\System32\drivers\mountmgr.sys \SystemRoot\system32\drivers\iaStor.sys \SystemRoot\system32\drivers\amdxata.sys \SystemRoot\system32\drivers\fltmgr.sys \SystemRoot\system32\drivers\fileinfo.sys \SystemRoot\system32\DRIVERS\MpFilter.sys \SystemRoot\System32\Drivers\PxHlpa64.sys \SystemRoot\System32\Drivers\Ntfs.sys \SystemRoot\System32\Drivers\msrpc.sys \SystemRoot\System32\Drivers\ksecdd.sys \SystemRoot\System32\Drivers\cng.sys \SystemRoot\System32\drivers\pcw.sys \SystemRoot\System32\Drivers\Fs_Rec.sys \SystemRoot\system32\drivers\ndis.sys \SystemRoot\system32\drivers\NETIO.SYS \SystemRoot\System32\Drivers\ksecpkg.sys \SystemRoot\System32\drivers\tcpip.sys \SystemRoot\System32\drivers\fwpkclnt.sys \SystemRoot\system32\drivers\volsnap.sys 
      \SystemRoot\System32\Drivers\spldr.sys
      \SystemRoot\System32\drivers\rdyboost.sys
      \SystemRoot\System32\Drivers\mup.sys
      \SystemRoot\System32\drivers\hwpolicy.sys
      \SystemRoot\System32\DRIVERS\fvevol.sys
      \SystemRoot\system32\drivers\disk.sys
      \SystemRoot\system32\drivers\CLASSPNP.SYS
      \SystemRoot\system32\DRIVERS\amdkmpfd.sys
      \SystemRoot\system32\DRIVERS\cdrom.sys
      \SystemRoot\System32\Drivers\Null.SYS
      \SystemRoot\System32\Drivers\Beep.SYS
      \SystemRoot\System32\drivers\vga.sys
      \SystemRoot\System32\drivers\VIDEOPRT.SYS
      \SystemRoot\System32\drivers\watchdog.sys
      \SystemRoot\System32\DRIVERS\RDPCDD.sys
      \SystemRoot\system32\drivers\rdpencdd.sys
      \SystemRoot\system32\drivers\rdprefmp.sys
      \SystemRoot\System32\Drivers\Msfs.SYS
      \SystemRoot\System32\Drivers\Npfs.SYS
      \SystemRoot\system32\DRIVERS\tdx.sys
      \SystemRoot\system32\DRIVERS\TDI.SYS
      \SystemRoot\System32\DRIVERS\netbt.sys
      \SystemRoot\system32\drivers\afd.sys
      \SystemRoot\system32\DRIVERS\wfplwf.sys
      \SystemRoot\system32\DRIVERS\pacer.sys
      \SystemRoot\system32\DRIVERS\vwififlt.sys
      \SystemRoot\system32\DRIVERS\netbios.sys
      \SystemRoot\system32\DRIVERS\wanarp.sys
      \SystemRoot\system32\DRIVERS\termdd.sys
      \SystemRoot\system32\DRIVERS\rdbss.sys
      \SystemRoot\system32\drivers\nsiproxy.sys
      \SystemRoot\system32\DRIVERS\mssmbios.sys
      \SystemRoot\System32\drivers\discache.sys
      \SystemRoot\System32\Drivers\dfsc.sys
      \SystemRoot\system32\DRIVERS\blbdrive.sys
      \SystemRoot\system32\DRIVERS\tunnel.sys
      \SystemRoot\system32\DRIVERS\atikmpag.sys
      \SystemRoot\system32\DRIVERS\atikmdag.sys
      \SystemRoot\system32\DRIVERS\igdpmd64.sys
      \SystemRoot\System32\drivers\dxgkrnl.sys
      \SystemRoot\System32\drivers\dxgmms1.sys
      \SystemRoot\system32\DRIVERS\iusb3xhc.sys
      \SystemRoot\system32\DRIVERS\USBD.SYS
      \SystemRoot\system32\DRIVERS\HECIx64.sys
      \SystemRoot\system32\DRIVERS\usbehci.sys
      \SystemRoot\system32\DRIVERS\USBPORT.SYS
      \SystemRoot\system32\DRIVERS\HDAudBus.sys
      \SystemRoot\system32\DRIVERS\Rt64win7.sys
      \SystemRoot\system32\DRIVERS\NETwNs64.sys
      \SystemRoot\system32\DRIVERS\vwifibus.sys
      \SystemRoot\system32\DRIVERS\i8042prt.sys
      \SystemRoot\system32\DRIVERS\kbdclass.sys
      \SystemRoot\system32\DRIVERS\ETD.sys
      \SystemRoot\system32\DRIVERS\mouclass.sys
      \SystemRoot\system32\DRIVERS\CmBatt.sys
      \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
      \SystemRoot\system32\DRIVERS\wmiacpi.sys
      \SystemRoot\system32\DRIVERS\intelppm.sys
      \SystemRoot\system32\DRIVERS\AMPPAL.sys
      \SystemRoot\system32\DRIVERS\CompositeBus.sys
      \SystemRoot\system32\DRIVERS\serscan.sys
      \SystemRoot\system32\DRIVERS\CtClsFlt.sys
      \SystemRoot\system32\DRIVERS\ks.sys
      \SystemRoot\system32\drivers\ksthunk.sys
      \SystemRoot\system32\DRIVERS\AgileVpn.sys
      \SystemRoot\system32\DRIVERS\rasl2tp.sys
      \SystemRoot\system32\DRIVERS\ndistapi.sys
      \SystemRoot\system32\DRIVERS\ndiswan.sys
      \SystemRoot\system32\DRIVERS\raspppoe.sys
      \SystemRoot\system32\DRIVERS\raspptp.sys
      \SystemRoot\system32\DRIVERS\rassstp.sys
      \SystemRoot\system32\DRIVERS\swenum.sys
      \SystemRoot\system32\DRIVERS\iwdbus.sys
      \SystemRoot\system32\DRIVERS\umbus.sys
      \SystemRoot\system32\DRIVERS\usbhub.sys
      \SystemRoot\System32\Drivers\NDProxy.SYS
      \SystemRoot\system32\DRIVERS\iusb3hub.sys
      \SystemRoot\system32\drivers\CHDRT64.sys
      \SystemRoot\system32\drivers\portcls.sys
      \SystemRoot\system32\drivers\drmk.sys
      \SystemRoot\system32\DRIVERS\IntcDAud.sys
      \SystemRoot\System32\win32k.sys
      \SystemRoot\System32\drivers\Dxapi.sys
      \SystemRoot\System32\Drivers\crashdmp.sys
      \SystemRoot\System32\Drivers\dump_iaStor.sys
      \SystemRoot\System32\Drivers\dump_dumpfve.sys
      \SystemRoot\System32\Drivers\RTSUVSTOR.sys
      \SystemRoot\system32\DRIVERS\iBtFltCoex.sys
      \SystemRoot\system32\DRIVERS\btmhsf.sys
      \SystemRoot\System32\Drivers\BTHUSB.sys
      \SystemRoot\System32\Drivers\bthport.sys
      \SystemRoot\system32\DRIVERS\usbccgp.sys
      \SystemRoot\System32\Drivers\usbvideo.sys
      \SystemRoot\system32\DRIVERS\monitor.sys
      \SystemRoot\System32\TSDDD.dll
      \SystemRoot\system32\DRIVERS\rfcomm.sys
      \SystemRoot\system32\drivers\BthEnum.sys
      \SystemRoot\system32\DRIVERS\bthpan.sys
      \SystemRoot\system32\DRIVERS\btmaux.sys
      \SystemRoot\System32\cdd.dll
      \SystemRoot\system32\drivers\luafv.sys
      \SystemRoot\system32\DRIVERS\lltdio.sys
      \SystemRoot\system32\DRIVERS\nwifi.sys
      \SystemRoot\system32\DRIVERS\ndisuio.sys
      \SystemRoot\system32\DRIVERS\rspndr.sys
      \SystemRoot\system32\drivers\HTTP.sys
      \SystemRoot\system32\DRIVERS\bowser.sys
      \SystemRoot\System32\drivers\mpsdrv.sys
      \SystemRoot\system32\DRIVERS\mrxsmb.sys
      \SystemRoot\system32\DRIVERS\mrxsmb10.sys
      \SystemRoot\system32\DRIVERS\mrxsmb20.sys
      \SystemRoot\system32\DRIVERS\vwifimp.sys
      \SystemRoot\system32\drivers\peauth.sys
      \SystemRoot\System32\Drivers\secdrv.SYS
      \SystemRoot\System32\DRIVERS\srvnet.sys
      \SystemRoot\System32\drivers\tcpipreg.sys
      \SystemRoot\System32\DRIVERS\srv2.sys
      \SystemRoot\System32\DRIVERS\srv.sys
      \SystemRoot\system32\DRIVERS\NisDrvWFP.sys
      \SystemRoot\System32\Drivers\fastfat.SYS
      \SystemRoot\system32\drivers\WudfPf.sys
      \SystemRoot\system32\DRIVERS\USBSTOR.SYS
      \SystemRoot\system32\DRIVERS\WUDFRd.sys
      \??\C:\Windows\system32\drivers\mbamchameleon.sys
      \??\C:\Windows\system32\drivers\mbamswissarmy.sys
      \Windows\System32\ntdll.dll
      \Windows\System32\smss.exe
      \Windows\System32\apisetschema.dll
      \Windows\System32\autochk.exe
      \Windows\System32\gdi32.dll
      \Windows\System32\iertutil.dll
      \Windows\System32\clbcatq.dll
      \Windows\System32\comdlg32.dll
      \Windows\System32\ws2_32.dll
      \Windows\System32\imagehlp.dll
      \Windows\System32\sechost.dll
      \Windows\System32\lpk.dll
      \Windows\System32\shlwapi.dll
      \Windows\System32\psapi.dll
      \Windows\System32\oleaut32.dll
      \Windows\System32\rpcrt4.dll
      \Windows\System32\advapi32.dll
      \Windows\System32\setupapi.dll
      \Windows\System32\user32.dll
      \Windows\System32\usp10.dll
      \Windows\System32\imm32.dll
      \Windows\System32\difxapi.dll
      \Windows\System32\ole32.dll
      \Windows\System32\nsi.dll
      \Windows\System32\msvcrt.dll
      \Windows\System32\wininet.dll
      \Windows\System32\kernel32.dll
      \Windows\System32\msctf.dll
      \Windows\System32\normaliz.dll
      \Windows\System32\shell32.dll
      \Windows\System32\urlmon.dll
      \Windows\System32\Wldap32.dll
      \Windows\System32\crypt32.dll
      \Windows\System32\wintrust.dll
      \Windows\System32\cfgmgr32.dll
      \Windows\System32\devobj.dll
      \Windows\System32\comctl32.dll
      \Windows\System32\KernelBase.dll
      \Windows\System32\msasn1.dll
      \Windows\SysWOW64\normaliz.dll
      ----------- End -----------
      <<<1>>>
      Upper Device Name: \Device\Harddisk1\DR2
      Upper Device Object: 0xfffffa800ca10280
      Upper Device Driver Name: \Driver\Disk\
      Lower Device Name: \Device\00000094\
      Lower Device Object: 0xfffffa800d2d8060
      Lower Device Driver Name: \Driver\USBSTOR\
      Driver name found: USBSTOR
      DriverEntry returned 0x0
      Function returned 0x0
      <<<1>>>
      Upper Device Name: \Device\Harddisk0\DR0
      Upper Device Object: 0xfffffa8007d48790
      Upper Device Driver Name: \Driver\Disk\
      Lower Device Name: \Device\Ide\IAAStorageDevice-1\
      Lower Device Object: 0xfffffa8007d47050
      Lower Device Driver Name: \00000337\
      Driver name found: iaStor
      DriverEntry returned 0x0
      Function returned 0x0
      Downloaded database version: v2013.01.01.03
      Downloaded database version: v2012.12.27.02
      Initializing...
      Done!
      <<<2>>>
      Device number: 0, partition: 3
      Physical Sector Size: 512
      Drive: 0, DevicePointer: 0xfffffa8007d48790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
      --------- Disk Stack ------
      DevicePointer: 0xfffffa8006a4ab90, DeviceName: Unknown, DriverName: \Driver\partmgr\
      DevicePointer: 0xfffffa8007d48790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
      DevicePointer: 0xfffffa8007d47050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \00000337\
      ------------ End ----------
      Upper DeviceData: 0xfffff8a00bdf9d00, 0xfffffa8007d48790, 0xfffffa800e0d8790
      Lower DeviceData: 0xfffff8a0047d02c0, 0xfffffa8007d47050, 0xfffffa80063fbce0
      <<<3>>>
      Volume: C:
      File system type: NTFS
      SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
      Scanning directory: C:\Windows\system32\drivers...
      Done!
      Drive 0
      Scanning MBR on drive 0...
      MBR buffers are not equal
      MBR is forged! [5b875a22f8ce39ec096216471c83be3f]
      Inspecting partition table:
      MBR Signature: 55AA
      Disk Signature: 4C2A716A
      Partition information:
          Partition 0 type is Empty (0x0)
          Partition is ACTIVE.
          Partition starts at LBA: 10  Numsec = 0
          Partition is not bootable
      Infected: VBR on Empty active partition --> [unknown Rootkit VBR Infection]
      Changing partition to empty and not active. New active partition is 1 on drive 0 ...
          Partition 0 type is Other (0xde)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 63  Numsec = 80262
          Partition 1 type is Primary (0x7)
          Partition is ACTIVE.
          Partition starts at LBA: 81920  Numsec = 41545728
          Partition file system is NTFS
          Partition is bootable
          Partition 2 type is Primary (0x7)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 41627648  Numsec = 1423517696
          Partition 3 type is Empty (0x0)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 0  Numsec = 0
      MBR infection found on drive 0
      Disk Size: 750156374016 bytes
      Sector size: 512 bytes
      Scanning physical sectors of unpartitioned space on drive 0 (1-9-1465129168-1465149168)...
      Sector 1465148881 --> [Forged physical sector]
      Sector 1465148882 --> [Forged physical sector]
      Sector 1465148883 --> [Forged physical sector]
      Sector 1465148884 --> [Forged physical sector]
      Sector 1465148885 --> [Forged physical sector]
      Sector 1465148886 --> [Forged physical sector]
      Sector 1465148887 --> [Forged physical sector]
      Sector 1465148888 --> [Forged physical sector]
      Sector 1465148889 --> [Forged physical sector]
      Sector 1465148890 --> [Forged physical sector]
      Sector 1465148891 --> [Forged physical sector]
      Sector 1465148892 --> [Forged physical sector]
      Sector 1465148893 --> [Forged physical sector]
      Sector 1465148894 --> [Forged physical sector]
      Sector 1465148895 --> [Forged physical sector]
      Sector 1465148896 --> [Forged physical sector]
      Sector 1465148897 --> [Forged physical sector]
      Sector 1465148898 --> [Forged physical sector]
      Sector 1465148899 --> [Forged physical sector]
      Sector 1465148900 --> [Forged physical sector]
      Sector 1465148901 --> [Forged physical sector]
      Sector 1465148902 --> [Forged physical sector]
      Sector 1465148903 --> [Forged physical sector]
      Sector 1465148904 --> [Forged physical sector]
      Sector 1465148905 --> [Forged physical sector]
      Sector 1465148906 --> [Forged physical sector]
      Sector 1465148907 --> [Forged physical sector]
      Sector 1465148908 --> [Forged physical sector]
      Sector 1465148909 --> [Forged physical sector]
      Sector 1465148910 --> [Forged physical sector]
      Sector 1465148911 --> [Forged physical sector]
      Sector 1465148912 --> [Forged physical sector]
      Sector 1465148913 --> [Forged physical sector]
      Sector 1465148914 --> [Forged physical sector]
      Sector 1465148915 --> [Forged physical sector]
      Sector 1465148916 --> [Forged physical sector]
      Sector 1465148917 --> [Forged physical sector]
      Sector 1465148918 --> [Forged physical sector]
      Sector 1465148919 --> [Forged physical sector]
      Sector 1465148920 --> [Forged physical sector]
      Sector 1465148921 --> [Forged physical sector]
      Sector 1465148922 --> [Forged physical sector]
      Sector 1465148923 --> [Forged physical sector]
      Sector 1465148924 --> [Forged physical sector]
      Sector 1465148925 --> [Forged physical sector]
      Sector 1465148926 --> [Forged physical sector]
      Sector 1465148927 --> [Forged physical sector]
      Sector 1465148928 --> [Forged physical sector]
      Sector 1465148929 --> [Forged physical sector]
      Sector 1465148930 --> [Forged physical sector]
      Sector 1465148931 --> [Forged physical sector]
      Sector 1465148932 --> [Forged physical sector]
      Sector 1465148933 --> [Forged physical sector]
      Sector 1465148934 --> [Forged physical sector]
      Sector 1465148935 --> [Forged physical sector]
      Sector 1465148936 --> [Forged physical sector]
      Sector 1465148937 --> [Forged physical sector]
      Sector 1465148938 --> [Forged physical sector]
      Sector 1465148939 --> [Forged physical sector]
      Sector 1465148940 --> [Forged physical sector]
      Sector 1465148941 --> [Forged physical sector]
      Sector 1465148942 --> [Forged physical sector]
      Sector 1465148943 --> [Forged physical sector]
      Sector 1465148944 --> [Forged physical sector]
      Sector 1465148945 --> [Forged physical sector]
      Sector 1465148946 --> [Forged physical sector]
      Sector 1465148947 --> [Forged physical sector]
      Sector 1465148948 --> [Forged physical sector]
      Sector 1465148949 --> [Forged physical sector]
      Sector 1465148950 --> [Forged physical sector]
      Sector 1465148951 --> [Forged physical sector]
      Sector 1465148952 --> [Forged physical sector]
      Sector 1465148953 --> [Forged physical sector]
      Sector 1465148954 --> [Forged physical sector]
      Sector 1465148955 --> [Forged physical sector]
      Sector 1465148956 --> [Forged physical sector]
      Sector 1465148957 --> [Forged physical sector]
      Sector 1465148958 --> [Forged physical sector]
      Sector 1465148959 --> [Forged physical sector]
      Sector 1465148960 --> [Forged physical sector]
      Sector 1465148961 --> [Forged physical sector]
      Sector 1465148962 --> [Forged physical sector]
      Sector 1465148963 --> [Forged physical sector]
      Sector 1465148964 --> [Forged physical sector]
      Sector 1465148965 --> [Forged physical sector]
      Sector 1465148966 --> [Forged physical sector]
      Sector 1465148967 --> [Forged physical sector]
      Sector 1465148968 --> [Forged physical sector]
      Sector 1465148969 --> [Forged physical sector]
      Sector 1465148970 --> [Forged physical sector]
      Sector 1465148971 --> [Forged physical sector]
      Sector 1465148972 --> [Forged physical sector]
      Sector 1465148973 --> [Forged physical sector]
      Sector 1465148974 --> [Forged physical sector]
      Sector 1465148975 --> [Forged physical sector]
      Sector 1465148976 --> [Forged physical sector]
      Sector 1465148977 --> [Forged physical sector]
      Sector 1465148978 --> [Forged physical sector]
      Sector 1465148979 --> [Forged physical sector]
      Sector 1465148980 --> [Forged physical sector]
      Sector 1465148981 --> [Forged physical sector]
      Sector 1465148982 --> [Forged physical sector]
      Sector 1465148983 --> [Forged physical sector]
      Sector 1465148984 --> [Forged physical sector]
      Sector 1465148985 --> [Forged physical sector]
      Sector 1465148986 --> [Forged physical sector]
      Sector 1465148987 --> [Forged physical sector]
      Sector 1465148988 --> [Forged physical sector]
      Sector 1465148989 --> [Forged physical sector]
      Sector 1465148990 --> [Forged physical sector]
      Sector 1465148991 --> [Forged physical sector]
      Sector 1465148992 --> [Forged physical sector]
      Sector 1465148993 --> [Forged physical sector]
      Sector 1465148994 --> [Forged physical sector]
      Sector 1465148995 --> [Forged physical sector]
      Sector 1465148996 --> [Forged physical sector]
      Sector 1465148997 --> [Forged physical sector]
      Sector 1465148998 --> [Forged physical sector]
      Sector 1465148999 --> [Forged physical sector]
      Sector 1465149000 --> [Forged physical sector]
      Sector 1465149001 --> [Forged physical sector]
      Sector 1465149002 --> [Forged physical sector]
      Sector 1465149003 --> [Forged physical sector]
      Sector 1465149004 --> [Forged physical sector]
      Sector 1465149005 --> [Forged physical sector]
      Sector 1465149006 --> [Forged physical sector]
      Sector 1465149007 --> [Forged physical sector]
      Sector 1465149008 --> [Forged physical sector]
      Sector 1465149009 --> [Forged physical sector]
      Sector 1465149010 --> [Forged physical sector]
      Sector 1465149011 --> [Forged physical sector]
      Sector 1465149012 --> [Forged physical sector]
      Sector 1465149013 --> [Forged physical sector]
      Sector 1465149014 --> [Forged physical sector]
      Sector 1465149015 --> [Forged physical sector]
      Sector 1465149016 --> [Forged physical sector]
      Sector 1465149017 --> [Forged physical sector]
      Sector 1465149018 --> [Forged physical sector]
      Sector 1465149019 --> [Forged physical sector]
      Sector 1465149020 --> [Forged physical sector]
      Sector 1465149021 --> [Forged physical sector]
      Sector 1465149022 --> [Forged physical sector]
      Sector 1465149023 --> [Forged physical sector]
      Sector 1465149024 --> [Forged physical sector]
      Sector 1465149025 --> [Forged physical sector]
      Sector 1465149026 --> [Forged physical sector]
      Sector 1465149027 --> [Forged physical sector]
      Sector 1465149028 --> [Forged physical sector]
      Sector 1465149029 --> [Forged physical sector]
      Sector 1465149030 --> [Forged physical sector]
      Sector 1465149031 --> [Forged physical sector]
      Sector 1465149032 --> [Forged physical sector]
      Sector 1465149033 --> [Forged physical sector]
      Sector 1465149034 --> [Forged physical sector]
      Sector 1465149035 --> [Forged physical sector]
      Sector 1465149036 --> [Forged physical sector]
      Sector 1465149037 --> [Forged physical sector]
      Sector 1465149038 --> [Forged physical sector]
      Sector 1465149039 --> [Forged physical sector]
      Sector 1465149040 --> [Forged physical sector]
      Sector 1465149041 --> [Forged physical sector]
      Sector 1465149042 --> [Forged physical sector]
      Sector 1465149043 --> [Forged physical sector]
      Sector 1465149044 --> [Forged physical sector]
      Sector 1465149045 --> [Forged physical sector]
      Sector 1465149046 --> [Forged physical sector]
      Sector 1465149047 --> [Forged physical sector]
      Sector 1465149048 --> [Forged physical sector]
      Sector 1465149049 --> [Forged physical sector]
      Sector 1465149050 --> [Forged physical sector]
      Sector 1465149051 --> [Forged physical sector]
      Sector 1465149052 --> [Forged physical sector]
      Sector 1465149053 --> [Forged physical sector]
      Sector 1465149054 --> [Forged physical sector]
      Sector 1465149055 --> [Forged physical sector]
      Sector 1465149056 --> [Forged physical sector]
      Sector 1465149057 --> [Forged physical sector]
      Sector 1465149058 --> [Forged physical sector]
      Sector 1465149059 --> [Forged physical sector]
      Sector 1465149060 --> [Forged physical sector]
      Sector 1465149061 --> [Forged physical sector]
      Sector 1465149062 --> [Forged physical sector]
      Sector 1465149063 --> [Forged physical sector]
      Sector 1465149064 --> [Forged physical sector]
      Sector 1465149065 --> [Forged physical sector]
      Sector 1465149066 --> [Forged physical sector]
      Sector 1465149067 --> [Forged physical sector]
      Sector 1465149068 --> [Forged physical sector]
      Sector 1465149069 --> [Forged physical sector]
      Sector 1465149070 --> [Forged physical sector]
      Sector 1465149071 --> [Forged physical sector]
      Sector 1465149072 --> [Forged physical sector]
      Sector 1465149073 --> [Forged physical sector]
      Sector 1465149074 --> [Forged physical sector]
      Sector 1465149075 --> [Forged physical sector]
      Sector 1465149076 --> [Forged physical sector]
      Sector 1465149077 --> [Forged physical sector]
      Sector 1465149078 --> [Forged physical sector]
      Sector 1465149079 --> [Forged physical sector]
      Sector 1465149080 --> [Forged physical sector]
      Sector 1465149081 --> [Forged physical sector]
      Sector 1465149082 --> [Forged physical sector]
      Sector 1465149083 --> [Forged physical sector]
      Sector 1465149084 --> [Forged physical sector]
      Sector 1465149085 --> [Forged physical sector]
      Sector 1465149086 --> [Forged physical sector]
      Sector 1465149087 --> [Forged physical sector]
      Sector 1465149088 --> [Forged physical sector]
      Sector 1465149089 --> [Forged physical sector]
      Sector 1465149090 --> [Forged physical sector]
      Sector 1465149091 --> [Forged physical sector]
      Sector 1465149092 --> [Forged physical sector]
      Sector 1465149093 --> [Forged physical sector]
      Sector 1465149094 --> [Forged physical sector]
      Sector 1465149095 --> [Forged physical sector]
      Sector 1465149096 --> [Forged physical sector]
      Sector 1465149097 --> [Forged physical sector]
      Sector 1465149098 --> [Forged physical sector]
      Sector 1465149099 --> [Forged physical sector]
      Sector 1465149100 --> [Forged physical sector]
      Sector 1465149101 --> [Forged physical sector]
      Sector 1465149102 --> [Forged physical sector]
      Sector 1465149103 --> [Forged physical sector]
      Sector 1465149104 --> [Forged physical sector]
      Sector 1465149105 --> [Forged physical sector]
      Sector 1465149106 --> [Forged physical sector]
      Sector 1465149107 --> [Forged physical sector]
      Sector 1465149108 --> [Forged physical sector]
      Sector 1465149109 --> [Forged physical sector]
      Sector 1465149110 --> [Forged physical sector]
      Sector 1465149111 --> [Forged physical sector]
      Sector 1465149112 --> [Forged physical sector]
      Sector 1465149113 --> [Forged physical sector]
      Sector 1465149114 --> [Forged physical sector]
      Sector 1465149115 --> [Forged physical sector]
      Sector 1465149116 --> [Forged physical sector]
      Sector 1465149117 --> [Forged physical sector]
      Sector 1465149118 --> [Forged physical sector]
      Sector 1465149119 --> [Forged physical sector]
      Sector 1465149120 --> [Forged physical sector]
      Sector 1465149121 --> [Forged physical sector]
      Sector 1465149122 --> [Forged physical sector]
      Sector 1465149123 --> [Forged physical sector]
      Sector 1465149124 --> [Forged physical sector]
      Sector 1465149125 --> [Forged physical sector]
      Sector 1465149126 --> [Forged physical sector]
      Sector 1465149127 --> [Forged physical sector]
      Sector 1465149128 --> [Forged physical sector]
      Sector 1465149129 --> [Forged physical sector]
      Sector 1465149130 --> [Forged physical sector]
      Sector 1465149131 --> [Forged physical sector]
      Sector 1465149132 --> [Forged physical sector]
      Sector 1465149133 --> [Forged physical sector]
      Sector 1465149134 --> [Forged physical sector]
      Sector 1465149135 --> [Forged physical sector]
      Sector 1465149136 --> [Forged physical sector]
      Sector 1465149137 --> [Forged physical sector]
      Sector 1465149138 --> [Forged physical sector]
      Sector 1465149139 --> [Forged physical sector]
      Sector 1465149140 --> [Forged physical sector]
      Sector 1465149141 --> [Forged physical sector]
      Sector 1465149142 --> [Forged physical sector]
      Sector 1465149143 --> [Forged physical sector]
      Sector 1465149144 --> [Forged physical sector]
      Sector 1465149145 --> [Forged physical sector]
      Sector 1465149146 --> [Forged physical sector]
      Sector 1465149147 --> [Forged physical sector]
      Sector 1465149148 --> [Forged physical sector]
      Sector 1465149149 --> [Forged physical sector]
      Sector 1465149150 --> [Forged physical sector]
      Sector 1465149151 --> [Forged physical sector]
      Sector 1465149152 --> [Forged physical sector]
      Sector 1465149153 --> [Forged physical sector]
      Sector 1465149154 --> [Forged physical sector]
      Sector 1465149155 --> [Forged physical sector]
      Sector 1465149156 --> [Forged physical sector]
      Sector 1465149157 --> [Forged physical sector]
      Sector 1465149158 --> [Forged physical sector]
      Sector 1465149159 --> [Forged physical sector]
      Sector 1465149160 --> [Forged physical sector]
      Sector 1465149161 --> [Forged physical sector]
      Sector 1465149162 --> [Forged physical sector]
      Sector 1465149163 --> [Forged physical sector]
      Sector 1465149164 --> [Forged physical sector]
      Sector 1465149165 --> [Forged physical sector]
      Sector 1465149166 --> [Forged physical sector]
      Sector 1465149167 --> [Forged physical sector]
      Physical Sector Size: 512
      Drive: 1, DevicePointer: 0xfffffa800ca10280, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
      --------- Disk Stack ------
      DevicePointer: 0xfffffa8005d7f780, DeviceName: Unknown, DriverName: \Driver\partmgr\
      DevicePointer: 0xfffffa800ca10280, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
      DevicePointer: 0xfffffa800d2d8060, DeviceName: \Device\00000094\, DriverName: \Driver\USBSTOR\
      ------------ End ----------
      Upper DeviceData: 0xfffff8a004ac44e0, 0xfffffa800ca10280, 0xfffffa800c84f790
      Lower DeviceData: 0xfffff8a00b81cd00, 0xfffffa800d2d8060, 0xfffffa800d607810
      Drive 1
      Scanning MBR on drive 1...
      Inspecting partition table:
      MBR Signature: 55AA
      Disk Signature: E1BD6A19
      Partition information:
          Partition 0 type is Primary (0x7)
          Partition is ACTIVE.
          Partition starts at LBA: 8064  Numsec = 7823488
          Partition file system is NTFS
          Partition is not bootable
          Partition 1 type is Empty (0x0)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 0  Numsec = 0
          Partition 2 type is Empty (0x0)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 0  Numsec = 0
          Partition 3 type is Empty (0x0)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 0  Numsec = 0
      Disk Size: 4009754624 bytes
      Sector size: 512 bytes
      Done!
      Performing system, memory and registry scan...
      Infected: C:\Windows\svchost.exe --> [Trojan.Agent]
      Infected: C:\Windows\svchost.exe --> [Trojan.Agent]
      Infected: C:\$Recycle.Bin\S-1-5-21-3505123584-442060581-2397128338-1000\$f6cefb47138d3e16c179460ee63dbcbd\U --> [Trojan.Siredef.C]
      Infected: C:\$Recycle.Bin\S-1-5-21-3505123584-442060581-2397128338-1000\$f6cefb47138d3e16c179460ee63dbcbd\L --> [Trojan.Siredef.C]
      Infected: C:\$Recycle.Bin\S-1-5-21-3505123584-442060581-2397128338-1000\$f6cefb47138d3e16c179460ee63dbcbd --> [Trojan.Siredef.C]
      Done!
      Scan finished
      Creating System Restore point...
      Scheduling clean up...
      <<<2>>>
      Device number: 0, partition: 3
      <<<3>>>
      Volume: C:
      File system type: NTFS
      SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
      BCD Entry for BOOTEMS is missing
      Malicious Entry 26000022 for BOOTEMS present!
      Removal scheduling successful. System shutdown needed.
      System shutdown occurred
      =======================================
      ---------------------------------------
      Malwarebytes Anti-Rootkit BETA 1.01.0.1011
      © Malwarebytes Corporation 2011-2012
      OS version: 6.1.7601 Windows 7 Service Pack 1 x64
      Account is Administrative
      Internet Explorer version: 9.0.8112.16421
      File system is: NTFS
      Disk drives: C:\ DRIVE_FIXED
      CPU speed: 2.494000 GHz
      Memory total: 6340063232, free: 4845805568
      ---------------------------------------
      Malwarebytes Anti-Rootkit BETA 1.01.0.1011
      © Malwarebytes Corporation 2011-2012
      OS version: 6.1.7601 Windows 7 Service Pack 1 x64
      Account is Administrative
      Internet Explorer version: 9.0.8112.16421
      File system is: NTFS
      Disk drives: C:\ DRIVE_FIXED
      CPU speed: 2.494000 GHz
      Memory total: 6340063232, free: 4501585920
      ------------ Kernel report ------------
      01/01/2013 08:41:03
      ------------ Loaded modules -----------
      \SystemRoot\system32\ntoskrnl.exe
      \SystemRoot\system32\hal.dll
      \SystemRoot\system32\kdcom.dll
      \SystemRoot\system32\mcupdate_GenuineIntel.dll
      \SystemRoot\system32\PSHED.dll
      \SystemRoot\system32\CLFS.SYS
      \SystemRoot\system32\CI.dll
      \SystemRoot\system32\drivers\Wdf01000.sys
      \SystemRoot\system32\drivers\WDFLDR.SYS
      \SystemRoot\system32\drivers\ACPI.sys
      \SystemRoot\system32\drivers\WMILIB.SYS
      \SystemRoot\system32\drivers\msisadrv.sys
      \SystemRoot\system32\drivers\pci.sys
      \SystemRoot\system32\drivers\vdrvroot.sys
      \SystemRoot\system32\drivers\iusb3hcs.sys
      \SystemRoot\System32\drivers\partmgr.sys
      \SystemRoot\system32\DRIVERS\compbatt.sys
      \SystemRoot\system32\DRIVERS\BATTC.SYS
      \SystemRoot\system32\drivers\volmgr.sys
      \SystemRoot\System32\drivers\volmgrx.sys
      \SystemRoot\System32\drivers\mountmgr.sys
      \SystemRoot\system32\drivers\iaStor.sys
      \SystemRoot\system32\drivers\amdxata.sys
      \SystemRoot\system32\drivers\fltmgr.sys
      \SystemRoot\system32\drivers\fileinfo.sys
      \SystemRoot\system32\DRIVERS\MpFilter.sys
      \SystemRoot\System32\Drivers\PxHlpa64.sys
      \SystemRoot\System32\Drivers\Ntfs.sys
      \SystemRoot\System32\Drivers\msrpc.sys
      \SystemRoot\System32\Drivers\ksecdd.sys
      \SystemRoot\System32\Drivers\cng.sys
      \SystemRoot\System32\drivers\pcw.sys
      \SystemRoot\System32\Drivers\Fs_Rec.sys
      \SystemRoot\system32\drivers\ndis.sys
      \SystemRoot\system32\drivers\NETIO.SYS
      \SystemRoot\System32\Drivers\ksecpkg.sys
      \SystemRoot\System32\drivers\tcpip.sys
      \SystemRoot\System32\drivers\fwpkclnt.sys
      \SystemRoot\system32\drivers\volsnap.sys
      \SystemRoot\System32\Drivers\spldr.sys
      \SystemRoot\System32\drivers\rdyboost.sys
      \SystemRoot\System32\Drivers\mup.sys
      \SystemRoot\System32\drivers\hwpolicy.sys
      \SystemRoot\System32\DRIVERS\fvevol.sys
      \SystemRoot\system32\drivers\disk.sys
      \SystemRoot\system32\drivers\CLASSPNP.SYS
      \SystemRoot\system32\DRIVERS\amdkmpfd.sys
      \SystemRoot\system32\DRIVERS\cdrom.sys
      \SystemRoot\System32\Drivers\Null.SYS
      \SystemRoot\System32\Drivers\Beep.SYS
      \SystemRoot\System32\drivers\vga.sys
      \SystemRoot\System32\drivers\VIDEOPRT.SYS
      \SystemRoot\System32\drivers\watchdog.sys
      \SystemRoot\System32\DRIVERS\RDPCDD.sys
      \SystemRoot\system32\drivers\rdpencdd.sys
      \SystemRoot\system32\drivers\rdprefmp.sys
      \SystemRoot\System32\Drivers\Msfs.SYS
      \SystemRoot\System32\Drivers\Npfs.SYS
      \SystemRoot\system32\DRIVERS\tdx.sys
      \SystemRoot\system32\DRIVERS\TDI.SYS
      \SystemRoot\System32\DRIVERS\netbt.sys
      \SystemRoot\system32\drivers\afd.sys
      \SystemRoot\system32\DRIVERS\wfplwf.sys
      \SystemRoot\system32\DRIVERS\pacer.sys
      \SystemRoot\system32\DRIVERS\vwififlt.sys
      \SystemRoot\system32\DRIVERS\netbios.sys
      \SystemRoot\system32\DRIVERS\wanarp.sys
      \SystemRoot\system32\DRIVERS\termdd.sys
      \SystemRoot\system32\DRIVERS\rdbss.sys
      \SystemRoot\system32\drivers\nsiproxy.sys
      \SystemRoot\system32\DRIVERS\mssmbios.sys
      \SystemRoot\System32\drivers\discache.sys
      \SystemRoot\System32\Drivers\dfsc.sys
      \SystemRoot\system32\DRIVERS\blbdrive.sys
      \SystemRoot\system32\DRIVERS\tunnel.sys
      \SystemRoot\system32\DRIVERS\atikmpag.sys
      \SystemRoot\system32\DRIVERS\atikmdag.sys
      \SystemRoot\system32\DRIVERS\igdpmd64.sys
      \SystemRoot\System32\drivers\dxgkrnl.sys
      \SystemRoot\System32\drivers\dxgmms1.sys
      \SystemRoot\system32\DRIVERS\iusb3xhc.sys
      \SystemRoot\system32\DRIVERS\USBD.SYS
      \SystemRoot\system32\DRIVERS\HECIx64.sys
      \SystemRoot\system32\DRIVERS\usbehci.sys
      \SystemRoot\system32\DRIVERS\USBPORT.SYS
      \SystemRoot\system32\DRIVERS\HDAudBus.sys
      \SystemRoot\system32\DRIVERS\Rt64win7.sys
      \SystemRoot\system32\DRIVERS\NETwNs64.sys
      \SystemRoot\system32\DRIVERS\vwifibus.sys
      \SystemRoot\system32\DRIVERS\i8042prt.sys
      \SystemRoot\system32\DRIVERS\kbdclass.sys
      \SystemRoot\system32\DRIVERS\ETD.sys
      \SystemRoot\system32\DRIVERS\mouclass.sys
      \SystemRoot\system32\DRIVERS\CmBatt.sys
      \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
      \SystemRoot\system32\DRIVERS\wmiacpi.sys
      \SystemRoot\system32\DRIVERS\intelppm.sys
      \SystemRoot\system32\DRIVERS\AMPPAL.sys
      \SystemRoot\system32\DRIVERS\CompositeBus.sys
      \SystemRoot\system32\DRIVERS\serscan.sys
      \SystemRoot\system32\DRIVERS\CtClsFlt.sys
      \SystemRoot\system32\DRIVERS\ks.sys
      \SystemRoot\system32\drivers\ksthunk.sys
      \SystemRoot\system32\DRIVERS\AgileVpn.sys
      \SystemRoot\system32\DRIVERS\rasl2tp.sys
      \SystemRoot\system32\DRIVERS\ndistapi.sys
      \SystemRoot\system32\DRIVERS\ndiswan.sys
      \SystemRoot\system32\DRIVERS\raspppoe.sys
      \SystemRoot\system32\DRIVERS\raspptp.sys
      \SystemRoot\system32\DRIVERS\rassstp.sys
      \SystemRoot\system32\DRIVERS\swenum.sys
      \SystemRoot\system32\DRIVERS\iwdbus.sys
      \SystemRoot\system32\DRIVERS\umbus.sys
      \SystemRoot\system32\DRIVERS\usbhub.sys
      \SystemRoot\System32\Drivers\NDProxy.SYS
      \SystemRoot\system32\DRIVERS\iusb3hub.sys
      \SystemRoot\system32\drivers\CHDRT64.sys
      \SystemRoot\system32\drivers\portcls.sys
      \SystemRoot\system32\drivers\drmk.sys
      \SystemRoot\system32\DRIVERS\IntcDAud.sys
      \SystemRoot\System32\win32k.sys
      \SystemRoot\System32\drivers\Dxapi.sys
      \SystemRoot\System32\Drivers\crashdmp.sys
      \SystemRoot\System32\Drivers\dump_iaStor.sys
      \SystemRoot\System32\Drivers\dump_dumpfve.sys
      \SystemRoot\System32\Drivers\RTSUVSTOR.sys
      \SystemRoot\system32\DRIVERS\iBtFltCoex.sys
      \SystemRoot\system32\DRIVERS\btmhsf.sys
      \SystemRoot\System32\Drivers\BTHUSB.sys
      \SystemRoot\System32\Drivers\bthport.sys
      \SystemRoot\system32\DRIVERS\usbccgp.sys
      \SystemRoot\System32\Drivers\usbvideo.sys
      \SystemRoot\system32\DRIVERS\monitor.sys
      \SystemRoot\System32\TSDDD.dll
      \SystemRoot\system32\DRIVERS\rfcomm.sys
      \SystemRoot\system32\drivers\BthEnum.sys
      \SystemRoot\system32\DRIVERS\bthpan.sys
      \SystemRoot\system32\DRIVERS\btmaux.sys
      \SystemRoot\System32\cdd.dll
      \SystemRoot\system32\drivers\luafv.sys
      \SystemRoot\system32\DRIVERS\lltdio.sys
      \SystemRoot\system32\DRIVERS\nwifi.sys
      \SystemRoot\system32\DRIVERS\ndisuio.sys
      \SystemRoot\system32\DRIVERS\rspndr.sys
      \SystemRoot\system32\drivers\HTTP.sys
      \SystemRoot\system32\DRIVERS\bowser.sys
      \SystemRoot\System32\drivers\mpsdrv.sys
      \SystemRoot\system32\DRIVERS\mrxsmb.sys
      \SystemRoot\system32\DRIVERS\mrxsmb10.sys
      \SystemRoot\system32\DRIVERS\mrxsmb20.sys
      \SystemRoot\system32\DRIVERS\vwifimp.sys
      \SystemRoot\system32\drivers\peauth.sys
      \SystemRoot\System32\Drivers\secdrv.SYS
      \SystemRoot\System32\DRIVERS\srvnet.sys
      \SystemRoot\System32\drivers\tcpipreg.sys
      \SystemRoot\System32\DRIVERS\srv2.sys
      \SystemRoot\System32\DRIVERS\srv.sys
      \SystemRoot\system32\DRIVERS\NisDrvWFP.sys
      \SystemRoot\System32\Drivers\fastfat.SYS
      \??\C:\Windows\system32\drivers\mbamchameleon.sys
      \??\C:\Windows\system32\drivers\mbamswissarmy.sys
      \Windows\System32\ntdll.dll
      \Windows\System32\smss.exe
      \Windows\System32\apisetschema.dll
      \Windows\System32\autochk.exe
      \Windows\System32\urlmon.dll
      \Windows\System32\wininet.dll
      \Windows\System32\lpk.dll
      \Windows\System32\shell32.dll
      \Windows\System32\difxapi.dll
      \Windows\System32\shlwapi.dll
      \Windows\System32\gdi32.dll
      \Windows\System32\oleaut32.dll
      \Windows\System32\msctf.dll
      \Windows\System32\user32.dll
      \Windows\System32\setupapi.dll
      \Windows\System32\ws2_32.dll
      \Windows\System32\nsi.dll
      \Windows\System32\sechost.dll
      \Windows\System32\normaliz.dll
      \Windows\System32\imagehlp.dll
      \Windows\System32\imm32.dll
      \Windows\System32\rpcrt4.dll
      \Windows\System32\msvcrt.dll
      \Windows\System32\kernel32.dll
      \Windows\System32\ole32.dll
      \Windows\System32\comdlg32.dll
      \Windows\System32\Wldap32.dll
      \Windows\System32\iertutil.dll
      \Windows\System32\clbcatq.dll
      \Windows\System32\advapi32.dll
      \Windows\System32\psapi.dll
      \Windows\System32\usp10.dll
      \Windows\System32\KernelBase.dll
      \Windows\System32\cfgmgr32.dll
      \Windows\System32\wintrust.dll
      \Windows\System32\devobj.dll
      \Windows\System32\crypt32.dll
      \Windows\System32\comctl32.dll
      \Windows\System32\msasn1.dll
      \Windows\SysWOW64\normaliz.dll
      ----------- End -----------
      <<<1>>>
      Upper Device Name: \Device\Harddisk0\DR0
      Upper Device Object: 0xfffffa8006a2e790
      Upper Device Driver Name: \Driver\Disk\
      Lower Device Name: \Device\Ide\IAAStorageDevice-1\
      Lower Device Object: 0xfffffa8007d2a050
      Lower Device Driver Name: \Driver\iaStor\
      Driver name found: iaStor
      DriverEntry returned 0x0
      Function returned 0x0
      Initializing...
      Done!
      <<<2>>>
      Device number: 0, partition: 3
      Physical Sector Size: 512
      Drive: 0, DevicePointer: 0xfffffa8006a2e790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
      --------- Disk Stack ------
      DevicePointer: 0xfffffa8006a32b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
      DevicePointer: 0xfffffa8006a2e790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
      DevicePointer: 0xfffffa8007d2a050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
      ------------ End ----------
      Upper DeviceData: 0xfffff8a004ce5f40, 0xfffffa8006a2e790, 0xfffffa800e2ab090
      Lower DeviceData: 0xfffff8a0051293c0, 0xfffffa8007d2a050, 0xfffffa800cccbe40
      <<<3>>>
      Volume: C:
      File system type: NTFS
      SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
      Scanning directory: C:\Windows\system32\drivers...
      Done!
      Drive 0
      Scanning MBR on drive 0...
      Inspecting partition table:
      MBR Signature: 55AA
      Disk Signature: 4C2A716A
      Partition information:
          Partition 0 type is Other (0xde)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 63  Numsec = 80262
          Partition 1 type is Primary (0x7)
          Partition is ACTIVE.
          Partition starts at LBA: 81920  Numsec = 41545728
          Partition file system is NTFS
          Partition is bootable
          Partition 2 type is Primary (0x7)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 41627648  Numsec = 1423517696
          Partition 3 type is Empty (0x0)
          Partition is NOT ACTIVE.
          Partition starts at LBA: 0  Numsec = 0
      Disk Size: 750156374016 bytes
      Sector size: 512 bytes
      Scanning physical sectors of unpartitioned space on drive 0 (1-62-1465129168-1465149168)...
      Done!
      Performing system, memory and registry scan...
      Done!
      Scan finished
      =======================================
  12. The first scan using Malwarebytes Anti-Rootkit had this result:

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org
Database version: v2013.01.01.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Iain :: IAININSPIRON15R [administrator]
1/1/2013 8:37:54 AM
mbar-log-2013-01-01 (08-37-54).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29693
Time elapsed: 10 minute(s), 10 second(s)
Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 5544 -> Delete on reboot.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 3
C:\$Recycle.Bin\S-1-5-21-3505123584-442060581-2397128338-1000\$f6cefb47138d3e16c179460ee63dbcbd\U (Trojan.Siredef.C) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-3505123584-442060581-2397128338-1000\$f6cefb47138d3e16c179460ee63dbcbd\L (Trojan.Siredef.C) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-3505123584-442060581-2397128338-1000\$f6cefb47138d3e16c179460ee63dbcbd (Trojan.Siredef.C) -> Delete on reboot.
Files Detected: 4
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_10_infected.mbam (Unknown Rootkit VBR Infection) -> Delete on reboot.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Unknown Rootkit VBR Infection) -> Delete on reboot.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_1465148881_user.mbam (Forged physical sector) -> Delete on reboot.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
(end)

After a reboot, the second scan has these results:

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org
Database version: v2013.01.01.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Iain :: IAININSPIRON15R [administrator]
1/1/2013 8:49:23 AM
mbar-log-2013-01-01 (08-49-23).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29654
Time elapsed: 8 minute(s), 7 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

I will post the system-log.txt file in the next reply as it is rather lengthy.
  13. DDS.COM log (Part 2). Also including the attach.txt as an attachment.

.
============= SERVICES / DRIVERS ===============
.
R0 amdkmpfd;AMD PCI Root Bus Lower Filter;C:\Windows\System32\drivers\amdkmpfd.sys [2012-8-13 32896]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-8-13 19224]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-8-13 55856]
R1 MpKsl85f71c76;MpKsl85f71c76;C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{536A98C6-3CE2-4AC7-93CA-623AAEAF90F3}\MpKsl85f71c76.sys [2013-1-1 35664]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [2010-9-30 169408]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-8-13 235520]
R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-12-5 659968]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-5-15 1014096]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2012-5-15 1104208]
R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-12-5 135952]
R2 CxUtilSvc;CxUtilSvc;C:\Program Files\CONEXANT\SA3\CxUtilSvc.exe [2012-8-13 109184]
R2 DellDigitalDelivery;Dell Digital Delivery Service;C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-10-9 173568]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-8-13 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-1-10 627936]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 128456]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 RosettaStoneDaemon;RosettaStoneDaemon;C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2012-6-19 1646608]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-8-13 1695040]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-8-13 363800]
R2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2011-12-8 594704]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2011-12-5 195584]
R3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2012-5-15 1304912]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2012-2-13 95232]
R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2012-2-13 747008]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2012-9-28 176000]
R3 ETD;Dell Touchpad;C:\Windows\System32\drivers\ETD.sys [2012-8-13 201008]
R3 ibtfltcoex;ibtfltcoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2012-3-21 60928]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-8-13 331264]
R3 intelkmd;intelkmd;C:\Windows\System32\drivers\igdpmd64.sys [2012-8-13 14745600]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-8-13 356632]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-8-13 789272]
R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2012-1-26 25496]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUVStor.sys [2012-8-13 313448]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-8-13 646248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2011-12-5 195584]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2012-1-26 34200]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-12-8 273168]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-9-18 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-01-01 15:33:09 20480 ----a-w- C:\Windows\svchost.exe
2013-01-01 15:32:40 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{536A98C6-3CE2-4AC7-93CA-623AAEAF90F3}\offreg.dll
2013-01-01 15:32:15 35664 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{536A98C6-3CE2-4AC7-93CA-623AAEAF90F3}\MpKsl85f71c76.sys
2013-01-01 04:20:05 -------- d-----w- C:\Users\Iain\AppData\Roaming\pdfforge
2013-01-01 04:20:02 137000 ----a-w- C:\Windows\SysWow64\MSMAPI32.OCX
2013-01-01 04:20:01 662288 ----a-w- C:\Windows\SysWow64\MSCOMCT2.OCX
2013-01-01 04:20:01 103936 ----a-w- C:\Windows\System32\pdfcmon.dll
2013-01-01 04:20:00 23552 ----a-w- C:\Windows\SysWow64\MSMPIDE.DLL
2013-01-01 04:20:00 -------- d-----w- C:\Program Files (x86)\PDFCreator
2013-01-01 04:19:01 -------- d-----w- C:\Users\Iain\AppData\Local\Programs
2012-12-31 18:01:56 1227128 ----a-w- C:\Users\Iain\PremiereElements_9_Content_ALL_LS15.exe
2012-12-31 05:34:24 1268560 ----a-w- C:\Users\Iain\PremiereElements_10_Content_ALL_LS15.exe
2012-12-31 05:33:39 -------- d-----w- C:\Users\Iain\AppData\Local\Akamai
2012-12-30 20:29:27 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{536A98C6-3CE2-4AC7-93CA-623AAEAF90F3}\mpengine.dll
2012-12-29 02:57:56 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-21 11:00:27 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-12-21 11:00:26 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-21 11:00:25 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-21 11:00:25 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-21 08:08:27 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-19 05:49:04 -------- d-----w- C:\Program Files\iTunes
2012-12-19 05:49:04 -------- d-----w- C:\Program Files\iPod
2012-12-19 05:49:04 -------- d-----w- C:\Program Files (x86)\iTunes
2012-12-18 04:39:24 -------- d-----w- C:\Users\Iain\AppData\Roaming\LEGO Company
2012-12-18 04:39:04 -------- d-----w- C:\Program Files (x86)\LEGO Company
2012-12-18 00:34:51 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-12-11 04:59:44 -------- d-----w- C:\Users\Iain\AppData\Local\DellUI
.
==================== Find3M ====================
.
2012-12-15 00:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-11-22 03:26:40 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll
2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
2012-10-25 11:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-10-25 11:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll
2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
.
============= FINISH: 7:37:58.91 ===============

attach.txt
  14. DDS.COM Log (Part 1). By the way, the option to "Run as Administrator" was not available when I right-clicked the executable.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.7.2
Run by Iain at 7:35:18 on 2013-01-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6046.4068 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
c:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Conexant\SA3\CxUtilSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
c:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Elantech\ETDCtrl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
C:\Windows\System32\rundll32.exe
C:\Users\Iain\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Conexant\SA3\SmartAudio3.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Users\Iain\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\Elantech\ETDGesture.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Users\Iain\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
\\.\globalroot\systemroot\svchost.exe -netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
uRun: [Google Update] "C:\Users\Iain\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [backgroundSwitcher] "C:\Program Files (x86)\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe"
uRun: [Akamai NetSession Interface] "C:\Users\Iain\AppData\Local\Akamai\netsession_win.exe"
mRun: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe 900
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Windows\System: UseOEMBackground = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: LastPass - C:\Users\Iain\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - C:\Users\Iain\AppData\LocalLow\LastPass\context.html?cmd=fillforms
IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: Interfaces\{EDCAA24F-C0EB-4928-8198-B1C5C98E2EF1}\354756078656E67237027596D2649602E4564777F627B6 : DHCPNameServer = 10.0.1.1
TCP: Interfaces\{EDCAA24F-C0EB-4928-8198-B1C5C98E2EF1}\66F68736163747 : DHCPNameServer = 10.0.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-Run: [ETDCtrl] C:\Program Files\Elantech\ETDCtrl.exe
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [QuickSet] c:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [smartAudio] C:\Program Files\CONEXANT\SA3\SACpl.exe /sa3 /nv:3.0+ /dne /s
x64-Run: [bLEServicesCtrl] C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
x64-Run: [bTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Iain\AppData\Roaming\Mozilla\Firefox\Profiles\tqk8kjzm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Iain\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Users\Iain\AppData\Local\Roblox\Versions\version-3ebe0cca16b6421c\NPRobloxProxy.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_278.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
  15. My son's laptop has become infected with the svchost.exe trojan that I've read about in these forums and other places online. It appears to be common and also very difficult to eradicate. The symptoms are regular redirects of his web browsers to different websites than those intended, slow running of the PC, and he would often reboot the PC and it would run Startup Repair automatically. I ran Malwarebytes last night in both normal and safe mode, after using rkill and unhide, but the infection persists. I also booted into the Windows 7 Repair mode command line and ran bootrec.exe /fixmbr and bootrec.exe /fixboot, but the infection persists. C:\Windows\svchost.exe shows up after each boot and Malwarebytes scan. I have already run dds.com and will attach the results to my following replies. Any help would be much appreciated. Thanks.