Luyabell Posted April 21, 2012 ID:544809

DDS.txt

This is my first time posting and hope that I can be helped. My son's laptop has been infected by SMART HDD. All of the files are hidden. I do not know if he deleted any temp files before asking me for help. I tried RKill, TDSSKiller, and tried to use MBAM virus removal. I ran RKill about 10 times while leaving the "warnings" open as I kept running it. I followed all the directions. Also, should I have my son stop using the laptop to go online while SMART HDD is still on it? He plays WOW and I am assuming this is why he keeps getting adware... Is that safe to say? Thank you for your assistance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by FIXED at 12:27:43 on 2012-04-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4008.1571 [GMT -7:00]
.
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\GFNEXSrv.exe
C:\windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\sysWOW64\svchost.exe -k netsvc
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files (x86)\AVG\AVG10\avgemca.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\ProgramData\RgWtsvfNRFiS.exe
C:\windows\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\ProgramData\ct4yZIq59QHAej.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\SymcPCCULaunchSvc.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\SysWOW64\ping.exe
C:\windows\system32\conhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\SysWOW64\ping.exe
C:\windows\system32\conhost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.toshiba.com/g/
uDefault_Page_URL = hxxp://start.toshiba.com/g/
uInternet Settings,ProxyOverride = <local>;*.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\IPS\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [fdafebbfcbbecdct] "C:\ProgramData\fdafebbfcbbecdct.exe"
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
mRun: [RgWtsvfNRFiS.exe] C:\ProgramData\RgWtsvfNRFiS.exe
dRun: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
dRun: [fdafebbfcbbecdct] "C:\ProgramData\fdafebbfcbbecdct.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://nxcache.nexon.net/mabinogi/renderer/mabiweb.2010.5.03.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B}\0556163656026202C4F66756 : DhcpNameServer = 192.168.7.254
TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B}\2375942554032313 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B}\2375942554734393 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B}\8686F6E6F62737 : DhcpNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{AEA65422-7736-4FA7-A989-0935EC6BCD79} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll
BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll
TB-X64: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
mRun-x64: [RgWtsvfNRFiS.exe] C:\ProgramData\RgWtsvfNRFiS.exe
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\system32\DRIVERS\avgrkx64.sys --> C:\windows\system32\DRIVERS\avgrkx64.sys [?]
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NISx64\1207010.003\SYMDS64.SYS --> C:\windows\system32\drivers\NISx64\1207010.003\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NISx64\1207010.003\SYMEFA64.SYS --> C:\windows\system32\drivers\NISx64\1207010.003\SYMEFA64.SYS [?]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\windows\system32\DRIVERS\avgldx64.sys --> C:\windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\system32\DRIVERS\avgmfx64.sys --> C:\windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\windows\system32\DRIVERS\avgtdia.sys --> C:\windows\system32\DRIVERS\avgtdia.sys [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20111210.003\BHDrvx64.sys [2011-12-17 1156216]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20111216.001\IDSviA64.sys [2011-12-17 488568]
R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NISx64\1207010.003\Ironx64.SYS --> C:\windows\system32\drivers\NISx64\1207010.003\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NISx64\1207010.003\SYMNETS.SYS --> C:\windows\system32\Drivers\NISx64\1207010.003\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 GFNEXSrv;GFNEX Service;C:\Windows\System32\GFNEXSrv.exe --> C:\Windows\System32\GFNEXSrv.exe [?]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\ccsvchst.exe [2012-4-3 130008]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\SymcPCCULaunchSvc.exe [2011-6-24 135608]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe [2011-6-24 126392]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R2 SPService;SPService;C:\windows\sysWOW64\svchost.exe -k netsvc --> C:\windows\sysWOW64\svchost.exe -k netsvc [?]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-6-24 2656280]
R3 AVGIDSDriver;AVGIDSDriver;C:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-18 138360]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2011-6-24 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-8 137632]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-8-18 7390560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-6-24 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-29 253088]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-6-24 136176]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-19 02:32:56 -------- d--h--w- C:\TDSSKiller_Quarantine
2012-04-19 01:55:35 744590 ---ha-w- C:\windows\System32\PerfStringBackup.TMP
2012-04-17 01:18:12 220672 ---ha-w- C:\ProgramData\ct4yZIq59QHAej.exe
2012-04-17 01:06:00 -------- d--h--w- C:\Users\FIXED\AppData\Roaming\Tific
2012-04-17 01:05:48 -------- d--h--w- C:\Users\FIXED\AppData\Local\Symantec
2012-04-16 20:14:46 0 --sha-w- C:\windows\System32\dds_trash_log.cmd
2012-04-16 14:14:28 -------- d-----we C:\windows\system64
2012-04-16 14:10:00 300032 ---ha-w- C:\ProgramData\RgWtsvfNRFiS.exe
2012-04-16 14:07:59 86016 ---ha-w- C:\ProgramData\fdafebbfcbbecdct.exe
2012-04-16 07:27:38 20480 ---ha-w- C:\windows\svchost.exe
2012-04-14 13:59:46 5559152 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-04-14 13:59:45 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-04-14 13:59:45 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-04-12 13:13:18 23408 ----a-w- C:\windows\System32\drivers\fs_rec.sys
2012-04-12 13:13:17 81408 ----a-w- C:\windows\System32\imagehlp.dll
2012-04-12 13:13:17 5120 ----a-w- C:\windows\SysWow64\wmi.dll
2012-04-12 13:13:17 5120 ----a-w- C:\windows\System32\wmi.dll
2012-04-12 13:13:17 220672 ----a-w- C:\windows\System32\wintrust.dll
2012-04-12 13:13:17 172544 ----a-w- C:\windows\SysWow64\wintrust.dll
2012-04-12 13:13:17 159232 ----a-w- C:\windows\SysWow64\imagehlp.dll
2012-04-08 15:47:19 -------- d--h--w- C:\Program Files (x86)\AT&T WorldNet Setup
2012-04-08 15:42:26 -------- d--h--w- C:\Sierra
2012-04-08 15:41:15 225280 ---h--w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-04-08 15:41:14 77824 ---ha-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2012-04-08 15:41:14 32768 ---h--w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2012-04-08 15:41:14 176128 ---h--w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2012-04-08 15:41:13 21840 ---hatw- C:\windows\SysWow64\SIntfNT.dll
2012-04-08 15:41:13 17212 ---hatw- C:\windows\SysWow64\SIntf32.dll
2012-04-08 15:41:13 12067 ---hatw- C:\windows\SysWow64\SIntf16.dll
2012-04-05 07:54:38 -------- d--h--w- C:\Program Files\iTunes
2012-04-05 07:54:38 -------- d--h--w- C:\Program Files\iPod
2012-04-05 07:54:38 -------- d--h--w- C:\Program Files (x86)\iTunes
2012-04-05 07:52:43 -------- d--h--w- C:\Program Files\Bonjour
2012-04-05 07:52:43 -------- d--h--w- C:\Program Files (x86)\Bonjour
2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-04-05 03:36:15 -------- d--h--w- C:\Users\FIXED\AppData\Roaming\WildTangent
2012-04-05 03:33:21 -------- d--h--w- C:\Program Files (x86)\WildGames
2012-04-05 02:54:57 86528 ---ha-w- C:\windows\bnetunin.exe
2012-04-05 02:54:57 61440 ---ha-w- C:\windows\diabunin.exe
2012-04-05 02:54:52 -------- d--h--w- C:\Diablo
2012-04-03 22:19:33 912504 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\symefa64.sys
2012-04-03 22:19:33 744568 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\srtsp64.sys
2012-04-03 22:19:33 450680 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\symds64.sys
2012-04-03 22:19:33 40568 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\srtspx64.sys
2012-04-03 22:19:33 386168 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\symnets.sys
2012-04-03 22:19:33 171128 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\ironx64.sys
2012-04-03 22:19:24 -------- d-----w- C:\windows\System32\drivers\NISx64\1207010.003
2012-03-29 14:05:05 8741536 ---ha-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-03-29 13:56:14 418464 ---ha-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-03-28 00:40:39 -------- d--h--w- C:\Users\FIXED\AppData\Local\Apple Computer
2012-03-28 00:40:29 34152 ---ha-w- C:\windows\System32\drivers\GEARAspiWDM.sys
2012-03-28 00:40:29 126312 ---ha-w- C:\windows\System32\GEARAspi64.dll
2012-03-28 00:40:29 107368 ---ha-w- C:\windows\SysWow64\GEARAspi.dll
2012-03-28 00:40:03 -------- d--h--w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-03-28 00:38:46 -------- d--h--w- C:\Users\FIXED\AppData\Local\Apple
.
==================== Find3M ====================
.
2012-04-14 04:00:52 70304 ---ha-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-04 22:56:40 24904 ---ha-w- C:\windows\System32\drivers\mbam.sys
2012-02-28 06:56:48 2311168 ----a-w- C:\windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2012-02-17 06:38:26 1031680 ----a-w- C:\windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\windows\System32\drivers\tdtcp.sys
2012-02-15 18:01:50 52736 ---ha-w- C:\windows\System32\drivers\usbaapl64.sys
2012-02-15 18:01:50 4547944 ---ha-w- C:\windows\System32\usbaaplrc.dll
2012-02-10 06:36:07 1544192 ----a-w- C:\windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\windows\SysWow64\DWrite.dll
2012-02-07 02:30:21 525544 ---ha-w- C:\windows\System32\deployJava1.dll
2012-02-03 04:34:34 3145728 ----a-w- C:\windows\System32\win32k.sys
2012-01-25 06:38:39 77312 ----a-w- C:\windows\System32\rdpwsx.dll
2012-01-25 06:38:38 149504 ----a-w- C:\windows\System32\rdpcorekmts.dll
2012-01-25 06:33:30 9216 ----a-w- C:\windows\System32\rdrmemptylst.exe
.
============= FINISH: 12:28:18.20 ===============
MrCharlie Posted April 22, 2012 ID:544976

Welcome to the forum

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.

There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.

I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

---------------------------------------------

From your DDS log... these are the visible problems right now:

LSP: mswsock.dll <--- this indicates the Rootkit.ZeroAccess, a BackDoor Trojan.

C:\ProgramData\RgWtsvfNRFiS.exe <------ these are from the fake program
C:\ProgramData\ct4yZIq59QHAej.exe
C:\ProgramData\fdafebbfcbbecdct.exe

Hosts: 94.63.147.16 www.google.com <--- your hosts file is also hijacked.
Hosts: 94.63.147.17 www.bing.com

------------------------------------------

See if you can run RogueKiller:

If it won't run, try to rename it to userinit.exe, .com or .scr, or try abc.exe, .com or .scr, and/or see if following this guide works.

--------------------------

RogueKiller:

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system (don't run any other options)
Post back the report.

Let me know.....

MrC
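The three signals the reply above pulls out of the DDS log (hosts-file redirects for well-known domains, autoruns whose executable sits in ProgramData or an AppData directory, and the UAC policies switched to 0) can be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not part of DDS, RogueKiller, or the helper's procedure. The `SAMPLE_DDS` text is constructed from lines of the Pseudo HJT Report posted above, and the `triage()` function only flags entries for a person to review; it does not decide what is malicious. Note that DDS prints autorun paths both quoted and unquoted, and unquoted ones may contain spaces, which is why `split_run_value()` cuts at the first executable suffix instead of at the first space.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log.

Added example for this thread (not DDS, RogueKiller or forum tooling).
Flags three things a human should look at, using the same signals the
reply above points to: hosts-file redirects, autoruns living in
ProgramData/AppData, and UAC policies set to 0.  SAMPLE_DDS is
constructed from lines of the log posted above.
"""
import re
from typing import Dict, Optional, Tuple

RUN_KEYS = {"uRun", "mRun", "dRun", "uRun-x64", "mRun-x64", "dRun-x64"}
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}
# UAC settings that should never be 0 on a healthy Windows 7 machine.
UAC_SETTINGS = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
EXE_RE = re.compile(r"(.*?\.(?:exe|com|scr|dll|bat|cmd))(?:\s|$)", re.I)

SAMPLE_DDS = r"""
LSP: mswsock.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [fdafebbfcbbecdct] "C:\ProgramData\fdafebbfcbbecdct.exe"
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun: [<NO NAME>]
mRun: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
mRun: [RgWtsvfNRFiS.exe] C:\ProgramData\RgWtsvfNRFiS.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
Hosts: 127.0.0.1 localhost
"""


def split_run_value(value: str) -> Tuple[str, str]:
    """'[name] "C:\\x y.exe" args' -> ('name', 'C:\\x y.exe').
    Unquoted DDS paths may contain spaces, so cut at the first
    executable suffix rather than at the first space."""
    m = re.match(r"\[([^\]]*)\]\s*(.*)$", value)
    if not m:
        return value, ""
    name, rest = m.group(1), m.group(2).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return name, rest[1:end] if end > 0 else rest[1:]
    m = EXE_RE.match(rest)
    return name, m.group(1) if m else rest


def suspicious_autorun_path(path: str) -> Optional[str]:
    """Reason string if the autorun target lives where installers
    normally do not put executables, else None."""
    p = path.replace("/", "\\").lower()
    if re.match(r"^[a-z]:\\programdata\\[^\\]+$", p):
        return "executable directly in ProgramData"
    if "\\appdata\\" in p or "\\temp\\" in p:
        return "executable under an AppData/Temp directory"
    return None


def triage(dds_text: str) -> Dict[str, list]:
    """Walk the pseudo-HJT lines and collect items worth a look."""
    findings: Dict[str, list] = {"hosts": [], "autorun": [], "uac": [], "lsp": []}
    for line in dds_text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        value = value.strip()
        if key == "Hosts":
            # DDS only lists hosts entries; anything not pointing at
            # a loopback/null address is a redirect to check.
            parts = value.split()
            if len(parts) >= 2 and parts[0] not in LOCAL_ADDRS:
                findings["hosts"].append((parts[1], parts[0]))
        elif key in RUN_KEYS:
            name, path = split_run_value(value)
            reason = suspicious_autorun_path(path)
            if reason:
                findings["autorun"].append((name, path, reason))
        elif key == "mPolicies-system":
            m = re.match(r"(\w+)\s*=\s*(\d+)", value)
            if m and m.group(1) in UAC_SETTINGS and m.group(2) == "0":
                findings["uac"].append((m.group(1), int(m.group(2))))
        elif key == "LSP":
            # The helper above reads a listed LSP entry as a ZeroAccess
            # indicator; record it for review rather than judging it here.
            findings["lsp"].append(value)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DDS).items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Run against the constructed sample it reports the two hosts redirects, the three autoruns in ProgramData and the system profile's AppData, the three UAC settings at 0, and the LSP line; the legitimate Google, Toshiba and AVG autoruns are left alone. Feed it a full DDS.txt and the same four lists come back for the real log.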
LDTate Posted April 26, 2012 ID:546230

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!