
SMART HDD blocking Malwarebytes and I cannot remove SMART HDD



DDS.txt

This is my first time posting and hope that I can be helped. My son's laptop has been infected by SMART HDD. All of the files are hidden. I do not know if he deleted any temp files before asking me for help. I tried RKill and TDSSKiller, and tried to use MBAM virus removal. I ran RKill about 10 times while leaving the "warnings" open as I kept running it. I followed all the directions. Also, should I have my son stop using the laptop to go online while SMART HDD is still on it? He plays WOW and I am assuming this is why he keeps getting adware... Is that safe to say? Thank you for your assistance!

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by FIXED at 12:27:43 on 2012-04-21

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4008.1571 [GMT -7:00]

.

AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\GFNEXSrv.exe

C:\windows\System32\spoolsv.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe

C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\windows\sysWOW64\svchost.exe -k netsvc

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files (x86)\AVG\AVG10\avgnsa.exe

C:\Program Files (x86)\AVG\AVG10\avgemca.exe

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\windows\system32\SearchIndexer.exe

C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe

C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system32\igfxsrvc.exe

C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe

C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\ProgramData\RgWtsvfNRFiS.exe

C:\windows\system32\igfxext.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\ProgramData\ct4yZIq59QHAej.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\SymcPCCULaunchSvc.exe

C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\windows\system32\wuauclt.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\windows\SysWOW64\ping.exe

C:\windows\system32\conhost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\windows\SysWOW64\ping.exe

C:\windows\system32\conhost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://start.toshiba.com/g/

uDefault_Page_URL = hxxp://start.toshiba.com/g/

uInternet Settings,ProxyOverride = <local>;*.local

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\IPS\IPSBHO.DLL

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll

TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [fdafebbfcbbecdct] "C:\ProgramData\fdafebbfcbbecdct.exe"

mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe

mRun: [RgWtsvfNRFiS.exe] C:\ProgramData\RgWtsvfNRFiS.exe

dRun: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe

dRun: [fdafebbfcbbecdct] "C:\ProgramData\fdafebbfcbbecdct.exe"

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

LSP: mswsock.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://nxcache.nexon.net/mabinogi/renderer/mabiweb.2010.5.03.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B}\0556163656026202C4F66756 : DhcpNameServer = 192.168.7.254

TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B}\2375942554032313 : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B}\2375942554734393 : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{2EDDEF0C-9ABE-47C2-A4E7-23EF9B1ABB6B}\8686F6E6F62737 : DhcpNameServer = 192.168.6.1 64.134.255.2 64.134.255.10

TCP: Interfaces\{AEA65422-7736-4FA7-A989-0935EC6BCD79} : DhcpNameServer = 192.168.1.254

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File

BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll

BHO-X64: Symantec NCO BHO - No File

BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\IPS\IPSBHO.DLL

BHO-X64: Symantec Intrusion Prevention - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO-X64: Search Helper - No File

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll

TB-X64: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun-x64: [(Default)]

mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe

mRun-x64: [RgWtsvfNRFiS.exe] C:\ProgramData\RgWtsvfNRFiS.exe

Hosts: 94.63.147.16 www.google.com

Hosts: 94.63.147.17 www.bing.com

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;C:\windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\system32\DRIVERS\avgrkx64.sys --> C:\windows\system32\DRIVERS\avgrkx64.sys [?]

R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NISx64\1207010.003\SYMDS64.SYS --> C:\windows\system32\drivers\NISx64\1207010.003\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NISx64\1207010.003\SYMEFA64.SYS --> C:\windows\system32\drivers\NISx64\1207010.003\SYMEFA64.SYS [?]

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]

R1 Avgldx64;AVG AVI Loader Driver;C:\windows\system32\DRIVERS\avgldx64.sys --> C:\windows\system32\DRIVERS\avgldx64.sys [?]

R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\system32\DRIVERS\avgmfx64.sys --> C:\windows\system32\DRIVERS\avgmfx64.sys [?]

R1 Avgtdia;AVG TDI Driver;C:\windows\system32\DRIVERS\avgtdia.sys --> C:\windows\system32\DRIVERS\avgtdia.sys [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20111210.003\BHDrvx64.sys [2011-12-17 1156216]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20111216.001\IDSviA64.sys [2011-12-17 488568]

R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NISx64\1207010.003\Ironx64.SYS --> C:\windows\system32\drivers\NISx64\1207010.003\Ironx64.SYS [?]

R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NISx64\1207010.003\SYMNETS.SYS --> C:\windows\system32\Drivers\NISx64\1207010.003\SYMNETS.SYS [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]

R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]

R2 GFNEXSrv;GFNEX Service;C:\Windows\System32\GFNEXSrv.exe --> C:\Windows\System32\GFNEXSrv.exe [?]

R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\ccsvchst.exe [2012-4-3 130008]

R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\SymcPCCULaunchSvc.exe [2011-6-24 135608]

R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe [2011-6-24 126392]

R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]

R2 SPService;SPService;C:\windows\sysWOW64\svchost.exe -k netsvc --> C:\windows\sysWOW64\svchost.exe -k netsvc [?]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-6-24 2656280]

R3 AVGIDSDriver;AVGIDSDriver;C:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]

R3 AVGIDSFilter;AVGIDSFilter;C:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-18 138360]

R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]

R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]

R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]

R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]

R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]

R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]

R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]

R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]

R3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2011-6-24 54136]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-8 137632]

S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-8-18 7390560]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-6-24 136176]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-29 253088]

S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-6-24 136176]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-04-19 02:32:56 -------- d--h--w- C:\TDSSKiller_Quarantine

2012-04-19 01:55:35 744590 ---ha-w- C:\windows\System32\PerfStringBackup.TMP

2012-04-17 01:18:12 220672 ---ha-w- C:\ProgramData\ct4yZIq59QHAej.exe

2012-04-17 01:06:00 -------- d--h--w- C:\Users\FIXED\AppData\Roaming\Tific

2012-04-17 01:05:48 -------- d--h--w- C:\Users\FIXED\AppData\Local\Symantec

2012-04-16 20:14:46 0 --sha-w- C:\windows\System32\dds_trash_log.cmd

2012-04-16 14:14:28 -------- d-----we C:\windows\system64

2012-04-16 14:10:00 300032 ---ha-w- C:\ProgramData\RgWtsvfNRFiS.exe

2012-04-16 14:07:59 86016 ---ha-w- C:\ProgramData\fdafebbfcbbecdct.exe

2012-04-16 07:27:38 20480 ---ha-w- C:\windows\svchost.exe

2012-04-14 13:59:46 5559152 ----a-w- C:\windows\System32\ntoskrnl.exe

2012-04-14 13:59:45 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe

2012-04-14 13:59:45 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe

2012-04-12 13:13:18 23408 ----a-w- C:\windows\System32\drivers\fs_rec.sys

2012-04-12 13:13:17 81408 ----a-w- C:\windows\System32\imagehlp.dll

2012-04-12 13:13:17 5120 ----a-w- C:\windows\SysWow64\wmi.dll

2012-04-12 13:13:17 5120 ----a-w- C:\windows\System32\wmi.dll

2012-04-12 13:13:17 220672 ----a-w- C:\windows\System32\wintrust.dll

2012-04-12 13:13:17 172544 ----a-w- C:\windows\SysWow64\wintrust.dll

2012-04-12 13:13:17 159232 ----a-w- C:\windows\SysWow64\imagehlp.dll

2012-04-08 15:47:19 -------- d--h--w- C:\Program Files (x86)\AT&T WorldNet Setup

2012-04-08 15:42:26 -------- d--h--w- C:\Sierra

2012-04-08 15:41:15 225280 ---h--w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

2012-04-08 15:41:14 77824 ---ha-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

2012-04-08 15:41:14 32768 ---h--w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

2012-04-08 15:41:14 176128 ---h--w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

2012-04-08 15:41:13 21840 ---hatw- C:\windows\SysWow64\SIntfNT.dll

2012-04-08 15:41:13 17212 ---hatw- C:\windows\SysWow64\SIntf32.dll

2012-04-08 15:41:13 12067 ---hatw- C:\windows\SysWow64\SIntf16.dll

2012-04-05 07:54:38 -------- d--h--w- C:\Program Files\iTunes

2012-04-05 07:54:38 -------- d--h--w- C:\Program Files\iPod

2012-04-05 07:54:38 -------- d--h--w- C:\Program Files (x86)\iTunes

2012-04-05 07:52:43 -------- d--h--w- C:\Program Files\Bonjour

2012-04-05 07:52:43 -------- d--h--w- C:\Program Files (x86)\Bonjour

2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2012-04-05 07:50:31 159744 ---ha-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll

2012-04-05 03:36:15 -------- d--h--w- C:\Users\FIXED\AppData\Roaming\WildTangent

2012-04-05 03:33:21 -------- d--h--w- C:\Program Files (x86)\WildGames

2012-04-05 02:54:57 86528 ---ha-w- C:\windows\bnetunin.exe

2012-04-05 02:54:57 61440 ---ha-w- C:\windows\diabunin.exe

2012-04-05 02:54:52 -------- d--h--w- C:\Diablo

2012-04-03 22:19:33 912504 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\symefa64.sys

2012-04-03 22:19:33 744568 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\srtsp64.sys

2012-04-03 22:19:33 450680 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\symds64.sys

2012-04-03 22:19:33 40568 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\srtspx64.sys

2012-04-03 22:19:33 386168 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\symnets.sys

2012-04-03 22:19:33 171128 ----a-w- C:\windows\System32\drivers\NISx64\1207010.003\ironx64.sys

2012-04-03 22:19:24 -------- d-----w- C:\windows\System32\drivers\NISx64\1207010.003

2012-03-29 14:05:05 8741536 ---ha-w- C:\windows\SysWow64\FlashPlayerInstaller.exe

2012-03-29 13:56:14 418464 ---ha-w- C:\windows\SysWow64\FlashPlayerApp.exe

2012-03-28 00:40:39 -------- d--h--w- C:\Users\FIXED\AppData\Local\Apple Computer

2012-03-28 00:40:29 34152 ---ha-w- C:\windows\System32\drivers\GEARAspiWDM.sys

2012-03-28 00:40:29 126312 ---ha-w- C:\windows\System32\GEARAspi64.dll

2012-03-28 00:40:29 107368 ---ha-w- C:\windows\SysWow64\GEARAspi.dll

2012-03-28 00:40:03 -------- d--h--w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}

2012-03-28 00:38:46 -------- d--h--w- C:\Users\FIXED\AppData\Local\Apple

.

==================== Find3M ====================

.

2012-04-14 04:00:52 70304 ---ha-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-04-04 22:56:40 24904 ---ha-w- C:\windows\System32\drivers\mbam.sys

2012-02-28 06:56:48 2311168 ----a-w- C:\windows\System32\jscript9.dll

2012-02-28 06:49:56 1390080 ----a-w- C:\windows\System32\wininet.dll

2012-02-28 06:48:57 1493504 ----a-w- C:\windows\System32\inetcpl.cpl

2012-02-28 06:42:55 2382848 ----a-w- C:\windows\System32\mshtml.tlb

2012-02-28 01:18:55 1799168 ----a-w- C:\windows\SysWow64\jscript9.dll

2012-02-28 01:11:21 1427456 ----a-w- C:\windows\SysWow64\inetcpl.cpl

2012-02-28 01:11:07 1127424 ----a-w- C:\windows\SysWow64\wininet.dll

2012-02-28 01:03:16 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb

2012-02-17 06:38:26 1031680 ----a-w- C:\windows\System32\rdpcore.dll

2012-02-17 05:34:22 826880 ----a-w- C:\windows\SysWow64\rdpcore.dll

2012-02-17 04:58:24 210944 ----a-w- C:\windows\System32\drivers\rdpwd.sys

2012-02-17 04:57:32 23552 ----a-w- C:\windows\System32\drivers\tdtcp.sys

2012-02-15 18:01:50 52736 ---ha-w- C:\windows\System32\drivers\usbaapl64.sys

2012-02-15 18:01:50 4547944 ---ha-w- C:\windows\System32\usbaaplrc.dll

2012-02-10 06:36:07 1544192 ----a-w- C:\windows\System32\DWrite.dll

2012-02-10 05:38:43 1077248 ----a-w- C:\windows\SysWow64\DWrite.dll

2012-02-07 02:30:21 525544 ---ha-w- C:\windows\System32\deployJava1.dll

2012-02-03 04:34:34 3145728 ----a-w- C:\windows\System32\win32k.sys

2012-01-25 06:38:39 77312 ----a-w- C:\windows\System32\rdpwsx.dll

2012-01-25 06:38:38 149504 ----a-w- C:\windows\System32\rdpcorekmts.dll

2012-01-25 06:33:30 9216 ----a-w- C:\windows\System32\rdrmemptylst.exe

.

============= FINISH: 12:28:18.20 ===============


Welcome to the forum

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

---------------------------------------------

From your DDS log...these are the visible problems right now:

LSP: mswsock.dll <---this indicates the Rootkit.ZeroAccess, a BackDoor Trojan.

C:\ProgramData\RgWtsvfNRFiS.exe <------these are from the fake program

C:\ProgramData\ct4yZIq59QHAej.exe

C:\ProgramData\fdafebbfcbbecdct.exe

Hosts: 94.63.147.16 www.google.com <---your host file is also hijacked.

Hosts: 94.63.147.17 www.bing.com

------------------------------------------

See if you can run RogueKiller:

If it won't run, try renaming it to userinit.exe, userinit.com or userinit.scr, or try abc.exe, abc.com or abc.scr

and/or......

See if following this guide works.

--------------------------

RogueKiller:

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options)

Post back the report.

Let me know.....MrC

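The indicators MrC pulls out of the DDS log above (autorun entries pointing at randomly named executables sitting directly in C:\ProgramData, and hosts-file lines sending www.google.com and www.bing.com to a public IP) can be checked mechanically, and the same log also shows UAC being switched off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0) and a hidden svchost.exe created in C:\windows rather than System32, which a triage script should surface for review as well. The script below is an added example written for this page; it is not DDS, RogueKiller, Malwarebytes or forum-staff code. Its regexes are my reading of the line formats in the posted log, the sample lines are constructed from that log plus two benign control lines (a loopback hosts entry and an HP autorun) so the filters have something to ignore, and the LSP line is not checked because DDS only prints the DLL name there.

```python
# Added example: triage a DDS-style log for the indicators discussed in this
# thread. Not DDS/Malwarebytes/forum code; regexes follow the posted log's
# line formats as I read them.
import ipaddress
import re

# Constructed sample: a handful of lines taken from the posted DDS log plus two
# benign control lines (the localhost Hosts entry and the HP autorun).
SAMPLE_LOG = r"""
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [fdafebbfcbbecdct] "C:\ProgramData\fdafebbfcbbecdct.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [RgWtsvfNRFiS.exe] C:\ProgramData\RgWtsvfNRFiS.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
Hosts: 127.0.0.1 localhost
2012-04-17 01:18:12 220672 ---ha-w- C:\ProgramData\ct4yZIq59QHAej.exe
2012-04-16 07:27:38 20480 ---ha-w- C:\windows\svchost.exe
2012-04-14 13:59:46 5559152 ----a-w- C:\windows\System32\ntoskrnl.exe
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^[umd]Run(?:-x64)?:\s+\[([^\]]*)\]\s*(.*)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s+=\s+(\d+)")
# "Created Last 30" rows: date time size attrs path; attrs is an 8-char flag field.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+(\S{8})\s+(.+)$")
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

# HKLM\...\Policies\System values that disable or weaken UAC elevation prompts.
BAD_UAC = {
    "EnableLUA": 0,                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": 0,  # admins elevate silently, no prompt
    "PromptOnSecureDesktop": 0,       # prompt drawn on the normal, spoofable desktop
}

# Core binaries that only legitimately live under System32 / SysWOW64.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe"}


def _in_programdata_root(path):
    """True when the file sits directly in <drive>:\\ProgramData, no vendor subfolder."""
    parts = path.split("\\")
    return len(parts) == 3 and parts[1].lower() == "programdata"


def _system_binary_misplaced(path):
    """True when a core system binary name appears outside System32/SysWOW64."""
    parts = path.lower().split("\\")
    return parts[-1] in SYSTEM_BINARIES and parts[-2] not in ("system32", "syswow64")


def triage(log_text):
    """Return a list of (category, detail) findings for a DDS-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            # Benign hosts entries sinkhole to loopback/0.0.0.0 or name LAN hosts;
            # a public domain mapped to a public IP is a redirect.
            if addr.is_global and "." in host:
                findings.append(("hosts_redirect", f"{host} -> {ip}"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, target = m.groups()
            exe = EXE_RE.search(target)
            if exe and _in_programdata_root(exe.group(1)):
                findings.append(("autorun_programdata", f"[{name}] {exe.group(1)}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if BAD_UAC.get(key) == value:
                findings.append(("uac_disabled", f"{key} = {value}"))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.groups()
            hidden = "h" in attrs  # DDS attribute field: h = hidden
            if path.lower().endswith(".exe"):
                if hidden and _in_programdata_root(path):
                    findings.append(("hidden_exe_programdata", path))
                elif _system_binary_misplaced(path):
                    findings.append(("system_name_wrong_dir", path))
    return findings


def main():
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")


if __name__ == "__main__":
    main()
```

Run it against a real DDS.txt by reading the file into triage() instead of SAMPLE_LOG. The checks are deliberately location- and policy-based rather than name-based: a random filename is easy to change, but malware that wants to start at boot still has to register an autorun somewhere, and an executable dropped straight into the ProgramData root, or a "svchost.exe" outside System32, is out of place regardless of what it is called. A hit is a prompt for a closer look (hashes, signatures, a quarantine), not a verdict.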

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
