
Laptop infected with Trojan.ZbotR


jraftop


Hello there, I'm sure I have a trojan on my laptop:

My laptop began to act strangely over a period of 3 or 4 days. Avira detected a hidden object but no virus/trojan; Malwarebytes showed no detection. Chrome refused to run (it would open momentarily then shut again; I couldn't even uninstall it), Steam began to end unexpectedly and I was getting memory errors with WerFault.exe. After a reboot Avira detected 85 hidden objects but still no specific detection. Malwarebytes detected Trojan.ZbotR in the Appdata/Roaming folder and in the registry. I removed it and rebooted, but Avira still detected hidden objects and Malwarebytes detected the same infection.

I then attempted a gung-ho approach in an attempt to remove the infection and found a FAQ on the web about a way to hopefully remove malware, which involved doing the following:

Disabled Tea-Timer, Avira and Defender

Installed Ad-Aware and ran it (don't think it achieved anything)

Ran TFC

Ran OTL

Ran an ESET Online Scan which detected the following: C:\Users\Raft\AppData\Roaming\Skype\julesraft\httpfe\WPDShextAutoplay.exe a variant of Win32/Kryptik.AOQT trojan (cleaned by deleting - quarantined)

After a reboot Avira detected 9 hidden objects and Malwarebytes detected the same infection. I then ran off to work and this evening I have rebooted and re-run Avira and Malwarebytes. The former still detects 9 hidden objects but Malwarebytes doesn't detect anything.

I have attached the DDS logs below:

DDS (Ver_2012-11-07.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.9.2

Run by Raft at 20:11:56 on 2012-11-15

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4061.2793 [GMT 0:00]

.

AV: Lavasoft Ad-Aware *Disabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Lavasoft Ad-Aware *Disabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe

C:\PROGRA~2\AD-AWA~1\AdAware.exe

C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE

C:\Windows\splwow64.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

uRun: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" -automount

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"

mRun: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

TCP: NameServer = 194.168.4.100 194.168.8.100

TCP: Interfaces\{BF339D0F-1AB2-49F5-BA87-5212C7F8F7DE} : DHCPNameServer = 194.168.4.100 194.168.8.100

SSODL: WebCheck - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2012-5-18 27760]

R1 SBRE;SBRE;C:\Windows\System32\drivers\sbredrv.sys [2012-11-14 57976]

R2 Ad-Aware Service;Ad-Aware Service;C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-9-20 1236368]

R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-5-18 86224]

R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-5-18 110032]

R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2012-5-18 98848]

R2 SBAMSvc;Ad-Aware;C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2011-12-19 3289032]

R2 sbapifs;sbapifs;C:\Windows\System32\drivers\sbapifs.sys [2011-11-29 74872]

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-11-13 1153368]

R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [2009-12-23 370688]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2009-6-10 57344]

R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2009-9-15 6952960]

R3 winbondcir;Winbond IR Transceiver;C:\Windows\System32\drivers\winbondcir.sys [2007-3-28 46592]

S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [2012-1-5 75624]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-5-18 20992]

S3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2012-5-14 10568]

S3 sbhips;sbhips;C:\Windows\System32\drivers\sbhips.sys [2012-11-14 60536]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-5-19 59392]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-5-18 1255736]

.

=============== Created Last 30 ================

.

2012-11-14 22:19:14 -------- d-----w- C:\Program Files (x86)\ESET

2012-11-14 19:50:54 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys

2012-11-14 19:50:54 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys

2012-11-14 19:50:54 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui

2012-11-14 19:50:53 9728 ----a-w- C:\Windows\System32\Wdfres.dll

2012-11-14 19:32:38 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys

2012-11-14 19:32:38 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys

2012-11-14 19:32:35 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll

2012-11-14 19:32:34 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll

2012-11-14 19:32:32 744448 ----a-w- C:\Windows\System32\WUDFx.dll

2012-11-14 19:32:32 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll

2012-11-14 19:32:32 229888 ----a-w- C:\Windows\System32\WUDFHost.exe

2012-11-14 19:26:58 95744 ----a-w- C:\Windows\System32\synceng.dll

2012-11-14 19:26:58 78336 ----a-w- C:\Windows\SysWow64\synceng.dll

2012-11-14 18:51:43 -------- d-----w- C:\Users\Raft\AppData\Roaming\LavasoftStatistics

2012-11-14 18:47:24 60536 ----a-w- C:\Windows\System32\drivers\sbhips.sys

2012-11-14 18:47:23 57976 ----a-w- C:\Windows\System32\drivers\sbredrv.sys

2012-11-14 18:47:23 45936 ----a-w- C:\Windows\System32\sbbd.exe

2012-11-14 18:47:21 -------- d-----w- C:\Program Files (x86)\Ad-Aware Antivirus

2012-11-14 18:47:09 -------- d-----w- C:\Users\Raft\AppData\Local\Downloaded Installations

2012-11-14 18:46:58 -------- d-----w- C:\Users\Raft\AppData\Local\adawarebp

2012-11-14 18:46:58 -------- d-----w- C:\ProgramData\blekko toolbars

2012-11-14 18:46:57 -------- d-----w- C:\ProgramData\Ad-Aware Browsing Protection

2012-11-14 18:46:51 -------- d-----w- C:\Program Files (x86)\adawaretb

2012-11-14 18:46:49 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner

2012-11-14 18:45:54 -------- d-----w- C:\Users\Raft\AppData\Roaming\Ad-Aware Antivirus

2012-11-14 18:42:44 -------- d-----w- C:\Program Files (x86)\Trend Micro

2012-11-13 21:28:04 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys

2012-11-13 21:27:16 -------- d-----w- C:\Program Files\iPod

2012-11-13 21:27:15 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2012-11-13 21:27:15 -------- d-----w- C:\Program Files\iTunes

2012-11-13 19:21:00 -------- d-----w- C:\Program Files\CCleaner

2012-11-13 19:06:27 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2012-11-13 19:06:27 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2012-11-13 19:03:16 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2012-11-13 19:00:16 -------- d-----w- C:\Users\Raft\AppData\Roaming\Malwarebytes

2012-11-13 19:00:10 -------- d-----w- C:\ProgramData\Malwarebytes

2012-11-13 19:00:09 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-11-13 19:00:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-10 18:00:14 -------- d-----w- C:\GOG Games

2012-11-10 18:00:07 -------- d-----w- C:\Users\Raft\AppData\Local\Programs

2012-11-10 15:51:07 -------- d-----w- C:\Arcanum

2012-10-23 19:24:56 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-10-23 19:24:56 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-10-23 19:24:51 715776 ----a-w- C:\Windows\System32\kerberos.dll

2012-10-23 19:24:51 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll

2012-10-23 19:24:46 1464320 ----a-w- C:\Windows\System32\crypt32.dll

2012-10-23 19:24:44 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-10-23 19:24:44 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-10-23 19:24:44 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-10-23 19:24:44 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-10-23 19:24:44 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

.

==================== Find3M ====================

.

2012-11-13 19:02:59 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-11-13 19:02:59 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll

2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll

2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll

2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll

2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll

2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll

2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll

2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll

2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll

2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys

2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll

2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys

2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys

2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe

2012-08-21 13:01:20 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll

2012-08-21 13:01:20 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll

2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll

2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll

2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

.

============= FINISH: 20:12:05.25 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-07.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume2

Install Date: 18/05/2012 23:04:46

System Uptime: 15/11/2012 19:00:19 (1 hours ago)

.

Motherboard: Acer | | JM50-MV

Processor: Intel® Core™2 Duo CPU T6500 @ 2.10GHz | U2E1 | 2100/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 282 GiB total, 227.721 GiB free.

D: is CDROM ()

F: is CDROM ()

G: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP51: 13/11/2012 19:01:31 - Installed Java 7 Update 9

RP52: 13/11/2012 22:37:04 - Installed Java™ 7 Update 4

RP53: 14/11/2012 19:31:26 - Windows Update

RP54: 15/11/2012 18:30:27 - Removed Steam

RP55: 15/11/2012 18:32:59 - Removed Skype™ 5.10

.

==== Installed Programs ======================

.

2007 Microsoft Office Suite Service Pack 2 (SP2)

7-Zip 9.20 (x64 edition)

Ad-Aware Antivirus

Ad-Aware Browsing Protection

Adobe Flash Player 11 ActiveX 64-bit

Adobe Reader X (10.1.4)

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Avira Free Antivirus

Bonjour

CCleaner

ESET Online Scanner v3

HijackThis 2.0.2

iTunes

Java 7 Update 9

Java Auto Updater

Java™ 7 Update 4

JavaFX 2.1.1

Malwarebytes Anti-Malware version 1.65.1.1000

Media Player Classic - Home Cinema 1.6.1.4235 x64

Microsoft .NET Framework 4 Client Profile

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Office 64-bit Components 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Plus 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

MSI Afterburner 2.2.1

MSI Kombustor 2.3.0

NVIDIA Control Panel 301.42

NVIDIA Graphics Driver 301.42

NVIDIA HD Audio Driver 1.3.16.0

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.0213

NVIDIA Update 1.8.15

NVIDIA Update Components

Picasa 3

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

SpeedFan (remove only)

Spybot - Search & Destroy

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

VLC media player 2.0.1

.

==== Event Viewer Messages From Past Week ========

.

15/11/2012 19:00:54, Error: Service Control Manager [7000] - The atksgt service failed to start due to the following error: This driver has been blocked from loading

15/11/2012 19:00:54, Error: Application Popup [875] - Driver atksgt.sys has been blocked from loading.

13/11/2012 21:26:13, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error: An instance of the service is already running.

13/11/2012 21:25:13, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

13/11/2012 21:24:41, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

13/11/2012 21:14:39, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.

13/11/2012 18:54:41, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.

13/11/2012 18:54:41, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

10/11/2012 15:42:12, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.

.

==== End Of File ===========================

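A small triage parser for the DDS log format posted above, added here as an example; it is not part of DDS, Malwarebytes, or anything the poster ran. It splits the log on its `==== Name ====` banners and pulls out what a removal helper reads first: protection products reported as disabled, executables running or autostarting from user-writable locations, orphaned shell entries, anything appended to the Winlogon Userinit value, and kernel drivers created in the last 30 days. The embedded sample is constructed from a few lines of this post's log, plus a made-up tampered Userinit value and a process line for the path ESET reported, so that every check has something to find.

```python
"""Triage helper for DDS-style scan logs (added example; not part of DDS,
Malwarebytes or the poster's tooling). Assumes the '==== Name ====' banners
and the 'date time size attrs path' field order seen in the log above."""
import re

# Constructed sample: lines copied from the DDS log in this post, plus a
# made-up Winlogon Userinit entry under AppData and a process line for the
# file ESET reported, so that every check below has something to find.
SAMPLE_LOG = r"""
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
.
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Users\Raft\AppData\Roaming\Skype\julesraft\httpfe\WPDShextAutoplay.exe
============== Pseudo HJT Report ===============
mWinlogon: Userinit = userinit.exe,C:\Users\Raft\AppData\Roaming\example\dropper.exe,
uRun: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" -automount
mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
SSODL: WebCheck - <orphaned>
=============== Created Last 30 ================
2012-11-14 18:47:24 60536 ----a-w- C:\Windows\System32\drivers\sbhips.sys
2012-11-14 18:51:43 -------- d-----w- C:\Users\Raft\AppData\Roaming\LavasoftStatistics
2012-11-13 19:00:09 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
PROTECTION_RE = re.compile(r"^(AV|SP|FW):\s+(.+?)\s+\*(\w+)")
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.exe', re.IGNORECASE)
# Locations a standard user can write to: a binary there deserves a look, whether it
# turns out to be malware or, as with Ad-Aware in this log, a vendor's own choice.
USER_WRITABLE_RE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")


def split_sections(text):
    """Group lines by '==== Name ====' banner; lines before the first go to 'Header'."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # DDS pads its sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m and m.group(1):
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def first_exe_path(line):
    """First drive-letter path ending in .exe on the line, or None."""
    m = EXE_PATH_RE.search(line)
    return m.group(0) if m else None


def disabled_protection(header_lines):
    """(kind, product) for each AV/SP/FW line whose status begins with *Disabled."""
    hits = []
    for line in header_lines:
        m = PROTECTION_RE.match(line)
        if m and m.group(3).lower() == "disabled":
            hits.append((m.group(1), m.group(2)))
    return hits


def recently_created_drivers(created_lines):
    """(timestamp, path) for every .sys file listed under 'Created Last 30'."""
    return [(m.group(1), m.group(4)) for m in map(CREATED_RE.match, created_lines)
            if m and m.group(4).lower().endswith(".sys")]


def triage(log_text):
    """Pull out the items a malware-removal helper reads first; a review list, not a verdict."""
    sections = split_sections(log_text)
    autoruns, orphaned, userinit_extras = [], [], []
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith(("uRun:", "mRun:")):
            path = first_exe_path(line)
            if path and USER_WRITABLE_RE.search(path):
                autoruns.append(path)
        elif "<orphaned>" in line:  # entry points at a CLSID or file that is gone
            orphaned.append(line)
        elif line.lower().startswith("mwinlogon: userinit"):
            # Userinit should be exactly "userinit.exe,"; anything appended to it
            # is run at every logon, so report each extra entry.
            value = line.split("=", 1)[1]
            userinit_extras += [v.strip() for v in value.split(",")
                                if v.strip() and v.strip().lower() != "userinit.exe"]
    procs = [first_exe_path(p) for p in sections.get("Running Processes", [])]
    return {
        "disabled_protection": disabled_protection(sections.get("Header", [])),
        "processes_in_user_writable_paths": [p for p in procs if p and USER_WRITABLE_RE.search(p)],
        "autoruns_in_user_writable_paths": autoruns,
        "orphaned_entries": orphaned,
        "userinit_extras": userinit_extras,
        "recently_created_drivers": recently_created_drivers(sections.get("Created Last 30", [])),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items, sep=": ")
```

Run it on a saved DDS.txt by passing the file contents to `triage()`; note that Ad-Aware's own binary is flagged by the user-writable-path checks, which is why the output is a list to review rather than a verdict.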

Hello jraftop and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. My suggestion is to uninstall Ad-Aware Antivirus and Ad-Aware Browsing Protection and to keep Avira Free Antivirus. Finally, restart your computer.

Step 2

Please download Malwarebytes Anti-Rootkit from here.

  1. Unzip the contents to a folder in a convenient location.
  2. Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7)
  3. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  4. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  5. Wait while the system shuts down and the cleanup process is performed.
  6. Please post the two logs produced.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Rootkit log
  • a new fresh DDS log


Hi Maniac

Many thanks for the quick response. I uninstalled Ad-Aware and then ran the Rootkit, which did not find any malware. I have pasted the Malwarebytes Rootkit log first, followed by the DDS logs:

Rootkit:

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.094000 GHz

Memory total: 4258193408, free: 2788265984

------------ Kernel report ------------

11/15/2012 21:49:31

------------ Loaded modules -----------


\Windows\System32\psapi.dll

\Windows\System32\msvcrt.dll

\Windows\System32\kernel32.dll

\Windows\System32\comdlg32.dll

\Windows\System32\advapi32.dll

\Windows\System32\setupapi.dll

\Windows\System32\normaliz.dll

\Windows\System32\ws2_32.dll

\Windows\System32\usp10.dll

\Windows\System32\clbcatq.dll

\Windows\System32\sechost.dll

\Windows\System32\gdi32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\wintrust.dll

\Windows\System32\comctl32.dll

\Windows\System32\KernelBase.dll

\Windows\System32\crypt32.dll

\Windows\System32\devobj.dll

\Windows\System32\msasn1.dll

\Windows\SysWOW64\normaliz.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa8004c65060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa80046d5060

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.11.15.08

Downloaded database version: v2012.11.14.03

Initializing...

Done!

Scanning directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 2

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa8004c65060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8004c65b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8004c65060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa80046d5060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8a002477340, 0xfffffa8004c65060, 0xfffffa80040fe790

Lower DeviceData: 0xfffff8a002d07280, 0xfffffa80046d5060, 0xfffffa8006e43e40

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: C6B8921

Partition information:

Partition 0 type is Other (0x27)

Partition is NOT ACTIVE.

Partition starts at LBA: 2048 Numsec = 27262976

Partition 1 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 27265024 Numsec = 590557184

Partition file system is NTFS

Partition is bootable

Partition 2 type is Other (0x12)

Partition is NOT ACTIVE.

Partition starts at LBA: 617822208 Numsec = 7317504

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 320072933376 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

DDS Logs:

DDS (Ver_2012-11-07.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.9.2

Run by Raft at 22:03:18 on 2012-11-15

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4061.2749 [GMT 0:00]

.

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\System32\WUDFHost.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

uRun: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" -automount

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRunOnce: [Z1] C:\Users\Raft\Desktop\mbar-1.01.0.1009\mbar\mbar.exe /cleanup /s

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

TCP: NameServer = 194.168.4.100 194.168.8.100

TCP: Interfaces\{BF339D0F-1AB2-49F5-BA87-5212C7F8F7DE} : DHCPNameServer = 194.168.4.100 194.168.8.100

SSODL: WebCheck - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2012-5-18 27760]

R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-5-18 86224]

R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-5-18 110032]

R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2012-5-18 98848]

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-11-13 1153368]

R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [2009-12-23 370688]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2009-6-10 57344]

R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2009-9-15 6952960]

R3 winbondcir;Winbond IR Transceiver;C:\Windows\System32\drivers\winbondcir.sys [2007-3-28 46592]

S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [2012-1-5 75624]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-5-18 20992]

S3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2012-5-14 10568]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-5-19 59392]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-5-18 1255736]

.

=============== Created Last 30 ================

.

2012-11-15 22:01:50 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2012-11-15 22:01:44 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{052C45F4-6D3D-49BD-857D-4737E4D1AE5C}\mpengine.dll

2012-11-14 22:19:14 -------- d-----w- C:\Program Files (x86)\ESET

2012-11-14 19:50:54 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys

2012-11-14 19:50:54 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys

2012-11-14 19:50:54 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui

2012-11-14 19:50:53 9728 ----a-w- C:\Windows\System32\Wdfres.dll

2012-11-14 19:32:38 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys

2012-11-14 19:32:38 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys

2012-11-14 19:32:35 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll

2012-11-14 19:32:34 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll

2012-11-14 19:32:32 744448 ----a-w- C:\Windows\System32\WUDFx.dll

2012-11-14 19:32:32 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll

2012-11-14 19:32:32 229888 ----a-w- C:\Windows\System32\WUDFHost.exe

2012-11-14 19:26:58 95744 ----a-w- C:\Windows\System32\synceng.dll

2012-11-14 19:26:58 78336 ----a-w- C:\Windows\SysWow64\synceng.dll

2012-11-14 18:51:43 -------- d-----w- C:\Users\Raft\AppData\Roaming\LavasoftStatistics

2012-11-14 18:47:09 -------- d-----w- C:\Users\Raft\AppData\Local\Downloaded Installations

2012-11-14 18:46:58 -------- d-----w- C:\ProgramData\blekko toolbars

2012-11-14 18:46:51 -------- d-----w- C:\Program Files (x86)\adawaretb

2012-11-14 18:46:49 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner

2012-11-14 18:42:44 -------- d-----w- C:\Program Files (x86)\Trend Micro

2012-11-13 21:28:04 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys

2012-11-13 21:27:16 -------- d-----w- C:\Program Files\iPod

2012-11-13 21:27:15 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2012-11-13 21:27:15 -------- d-----w- C:\Program Files\iTunes

2012-11-13 19:21:00 -------- d-----w- C:\Program Files\CCleaner

2012-11-13 19:06:27 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2012-11-13 19:06:27 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2012-11-13 19:03:16 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2012-11-13 19:00:16 -------- d-----w- C:\Users\Raft\AppData\Roaming\Malwarebytes

2012-11-13 19:00:10 -------- d-----w- C:\ProgramData\Malwarebytes

2012-11-13 19:00:09 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-11-13 19:00:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-10 18:00:14 -------- d-----w- C:\GOG Games

2012-11-10 18:00:07 -------- d-----w- C:\Users\Raft\AppData\Local\Programs

2012-11-10 15:51:07 -------- d-----w- C:\Arcanum

2012-10-23 19:24:56 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-10-23 19:24:56 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-10-23 19:24:51 715776 ----a-w- C:\Windows\System32\kerberos.dll

2012-10-23 19:24:51 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll

2012-10-23 19:24:46 1464320 ----a-w- C:\Windows\System32\crypt32.dll

2012-10-23 19:24:44 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-10-23 19:24:44 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-10-23 19:24:44 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-10-23 19:24:44 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-10-23 19:24:44 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

.

==================== Find3M ====================

.

2012-11-13 19:02:59 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-11-13 19:02:59 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll

2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll

2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll

2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll

2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll

2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll

2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll

2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll

2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll

2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys

2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll

2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys

2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys

2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe

2012-08-21 13:01:20 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll

2012-08-21 13:01:20 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll

2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll

2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll

2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

.

============= FINISH: 22:03:26.67 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-07.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume2

Install Date: 18/05/2012 23:04:46

System Uptime: 15/11/2012 21:44:33 (1 hours ago)

.

Motherboard: Acer | | JM50-MV

Processor: Intel® Core2 Duo CPU T6500 @ 2.10GHz | U2E1 | 2100/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 282 GiB total, 226.817 GiB free.

D: is CDROM ()

F: is CDROM ()

G: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: SBRE

Device ID: ROOT\LEGACY_SBRE\0000

Manufacturer:

Name: SBRE

PNP Device ID: ROOT\LEGACY_SBRE\0000

Service: SBRE

.

==== System Restore Points ===================

.

RP51: 13/11/2012 19:01:31 - Installed Java 7 Update 9

RP52: 13/11/2012 22:37:04 - Installed Java 7 Update 4

RP53: 14/11/2012 19:31:26 - Windows Update

RP54: 15/11/2012 18:30:27 - Removed Steam

RP55: 15/11/2012 18:32:59 - Removed Skype™ 5.10

.

==== Installed Programs ======================

.

2007 Microsoft Office Suite Service Pack 2 (SP2)

7-Zip 9.20 (x64 edition)

Adobe Flash Player 11 ActiveX 64-bit

Adobe Reader X (10.1.4)

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Avira Free Antivirus

Bonjour

CCleaner

ESET Online Scanner v3

HijackThis 2.0.2

iTunes

Java 7 Update 9

Java Auto Updater

Java 7 Update 4

JavaFX 2.1.1

Malwarebytes Anti-Malware version 1.65.1.1000

Media Player Classic - Home Cinema 1.6.1.4235 x64

Microsoft .NET Framework 4 Client Profile

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Office 64-bit Components 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Plus 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

MSI Afterburner 2.2.1

MSI Kombustor 2.3.0

NVIDIA Control Panel 301.42

NVIDIA Graphics Driver 301.42

NVIDIA HD Audio Driver 1.3.16.0

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.0213

NVIDIA Update 1.8.15

NVIDIA Update Components

Picasa 3

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

SpeedFan (remove only)

Spybot - Search & Destroy

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

VLC media player 2.0.1

.

==== Event Viewer Messages From Past Week ========

.

15/11/2012 21:45:26, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE

15/11/2012 21:45:03, Error: Service Control Manager [7000] - The atksgt service failed to start due to the following error: This driver has been blocked from loading

15/11/2012 21:45:03, Error: Application Popup [875] - Driver atksgt.sys has been blocked from loading.

15/11/2012 21:42:40, Error: volsnap [8] - The flush and hold writes operation on volume C: timed out while waiting for a release writes command.

13/11/2012 21:26:13, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error: An instance of the service is already running.

13/11/2012 21:25:13, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

13/11/2012 21:24:41, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

13/11/2012 21:14:39, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.

13/11/2012 18:54:41, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.

13/11/2012 18:54:41, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

10/11/2012 15:42:12, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.

.

==== End Of File ===========================

Thanks

jraftop

Here's the other Malware Rootkit log:

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.15.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Raft :: RAFT-PC [administrator]

15/11/2012 21:58:46

mbar-log-2012-11-15 (21-58-46).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 27009

Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Hi Maniac

I have been at work all day but I have run Avira again since the logs above and it has detected 1 hidden object and another infection. Avira scan log attached:

Avira Free Antivirus

Report file date: 16 November 2012 15:17

Scanning for 4505461 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available.

Licensee : Avira Free Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows 7 Ultimate

Windows version : (Service Pack 1) [6.1.7601]

Boot mode : Normally booted

Username : Raft

Computer name : RAFT-PC

Version information:

BUILD.DAT : 12.1.9.1236 40872 Bytes 11/10/2012 15:58:00

AVSCAN.EXE : 12.3.0.48 468256 Bytes 14/11/2012 14:34:17

AVSCAN.DLL : 12.3.0.15 54736 Bytes 02/05/2012 14:31:39

LUKE.DLL : 12.3.0.15 68304 Bytes 02/05/2012 00:31:47

AVSCPLR.DLL : 12.3.0.14 97032 Bytes 01/05/2012 23:13:36

AVREG.DLL : 12.3.0.17 232200 Bytes 18/05/2012 22:32:16

VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 19:18:34

VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 00:23:21

VBASE002.VDF : 7.11.19.170 14374912 Bytes 20/12/2011 00:32:24

VBASE003.VDF : 7.11.21.238 4472832 Bytes 01/02/2012 10:58:50

VBASE004.VDF : 7.11.26.44 4329472 Bytes 28/03/2012 11:43:53

VBASE005.VDF : 7.11.34.116 4034048 Bytes 29/06/2012 11:26:45

VBASE006.VDF : 7.11.41.250 4902400 Bytes 06/09/2012 18:52:03

VBASE007.VDF : 7.11.45.207 2363904 Bytes 11/10/2012 19:20:27

VBASE008.VDF : 7.11.45.208 2048 Bytes 11/10/2012 19:20:27

VBASE009.VDF : 7.11.45.209 2048 Bytes 11/10/2012 19:20:27

VBASE010.VDF : 7.11.45.210 2048 Bytes 11/10/2012 19:20:27

VBASE011.VDF : 7.11.45.211 2048 Bytes 11/10/2012 19:20:27

VBASE012.VDF : 7.11.45.212 2048 Bytes 11/10/2012 19:20:27

VBASE013.VDF : 7.11.45.213 2048 Bytes 11/10/2012 19:20:28

VBASE014.VDF : 7.11.46.65 220160 Bytes 16/10/2012 19:20:28

VBASE015.VDF : 7.11.46.153 173568 Bytes 18/10/2012 19:20:28

VBASE016.VDF : 7.11.46.223 162304 Bytes 19/10/2012 19:20:28

VBASE017.VDF : 7.11.47.35 126464 Bytes 22/10/2012 19:20:28

VBASE018.VDF : 7.11.47.95 175616 Bytes 24/10/2012 19:20:11

VBASE019.VDF : 7.11.47.177 164352 Bytes 26/10/2012 19:20:12

VBASE020.VDF : 7.11.47.229 143360 Bytes 28/10/2012 19:20:25

VBASE021.VDF : 7.11.48.47 138240 Bytes 30/10/2012 19:20:12

VBASE022.VDF : 7.11.48.135 122880 Bytes 01/11/2012 20:17:24

VBASE023.VDF : 7.11.48.209 142848 Bytes 05/11/2012 19:46:04

VBASE024.VDF : 7.11.48.243 119296 Bytes 05/11/2012 19:46:05

VBASE025.VDF : 7.11.49.47 136704 Bytes 07/11/2012 19:46:16

VBASE026.VDF : 7.11.49.135 194560 Bytes 09/11/2012 14:34:08

VBASE027.VDF : 7.11.49.209 188416 Bytes 12/11/2012 14:34:10

VBASE028.VDF : 7.11.50.27 212992 Bytes 14/11/2012 19:03:33

VBASE029.VDF : 7.11.50.28 2048 Bytes 14/11/2012 19:03:33

VBASE030.VDF : 7.11.50.29 2048 Bytes 14/11/2012 19:03:33

VBASE031.VDF : 7.11.50.70 143872 Bytes 16/11/2012 14:34:14

Engine version : 8.2.10.202

AEVDF.DLL : 8.1.2.10 102772 Bytes 13/07/2012 21:19:48

AESCRIPT.DLL : 8.1.4.66 463227 Bytes 12/11/2012 14:34:12

AESCN.DLL : 8.1.9.4 131445 Bytes 15/11/2012 19:03:36

AESBX.DLL : 8.2.5.12 606578 Bytes 16/06/2012 14:02:39

AERDL.DLL : 8.2.0.74 643445 Bytes 07/11/2012 19:46:21

AEPACK.DLL : 8.3.0.40 815479 Bytes 12/11/2012 14:34:12

AEOFFICE.DLL : 8.1.2.50 201084 Bytes 05/11/2012 19:46:08

AEHEUR.DLL : 8.1.4.138 5542265 Bytes 15/11/2012 19:03:35

AEHELP.DLL : 8.1.25.2 258423 Bytes 23/10/2012 19:20:30

AEGEN.DLL : 8.1.6.10 438646 Bytes 15/11/2012 19:03:33

AEEXP.DLL : 8.2.0.10 119158 Bytes 05/11/2012 19:46:09

AEEMU.DLL : 8.1.3.2 393587 Bytes 13/07/2012 21:19:42

AECORE.DLL : 8.1.29.2 201079 Bytes 07/11/2012 19:46:16

AEBB.DLL : 8.1.1.4 53619 Bytes 05/11/2012 19:46:05

AVWINLL.DLL : 12.3.0.15 27344 Bytes 01/05/2012 23:59:21

AVPREF.DLL : 12.3.0.32 50720 Bytes 14/11/2012 14:34:16

AVREP.DLL : 12.3.0.15 179208 Bytes 01/05/2012 23:13:35

AVARKT.DLL : 12.3.0.33 209696 Bytes 14/11/2012 14:34:16

AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 01/05/2012 23:28:49

SQLITE3.DLL : 3.7.0.1 398288 Bytes 16/04/2012 22:11:02

AVSMTP.DLL : 12.3.0.32 63480 Bytes 13/08/2012 19:06:47

NETNT.DLL : 12.3.0.15 17104 Bytes 02/05/2012 00:33:29

RCIMAGE.DLL : 12.3.0.31 4445944 Bytes 13/08/2012 19:06:32

RCTEXT.DLL : 12.3.0.32 97056 Bytes 14/11/2012 14:34:15

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\program files (x86)\avira\antivir desktop\sysscan.avp

Logging.............................: default

Primary action......................: Interactive

Secondary action....................: Ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: extended

Start of the scan: 16 November 2012 15:17

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting search for hidden objects.

Hidden driver

[NOTE] A memory modification has been detected, which could potentially be used to hide file access attempts.

The scan of running processes will be started

Scan process 'avscan.exe' - '81' Module(s) have been scanned

Scan process 'avcenter.exe' - '111' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '69' Module(s) have been scanned

Scan process 'jusched.exe' - '25' Module(s) have been scanned

Scan process 'avgnt.exe' - '82' Module(s) have been scanned

Scan process 'daemonu.exe' - '63' Module(s) have been scanned

Scan process 'SDWinSec.exe' - '48' Module(s) have been scanned

Scan process 'StarWindServiceAE.exe' - '36' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '63' Module(s) have been scanned

Scan process 'avguard.exe' - '62' Module(s) have been scanned

Scan process 'armsvc.exe' - '24' Module(s) have been scanned

Scan process 'sched.exe' - '43' Module(s) have been scanned

Starting to scan executable files (registry).

The registry was scanned ( '1594' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\Users\Raft\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\7QSCQB67\rFQfXT.bdKx

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Caphaw.D.326 back-door program

Beginning disinfection:

C:\Users\Raft\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\7QSCQB67\rFQfXT.bdKx

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Caphaw.D.326 back-door program

[NOTE] The file was moved to the quarantine directory under the name '5535c5c2.qua'.

End of the scan: 16 November 2012 16:15

Used time: 54:50 Minute(s)

The scan has been done completely.

26111 Scanned directories

455174 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 Files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

455173 Files not concerned

3480 Archives were scanned

0 Warnings

2 Notes

522302 Objects were scanned with rootkit scan

1 Hidden objects were found


BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.


That sounds worrying. I will definitely format and re-install Windows 7 on this laptop then. I do have 2 quick questions:

1) I have an external HDD which contains a lot of backed-up stuff which I do not want to lose. However, this HDD has been recently used on this laptop. I have no clue if the infection may have come from the HDD or if the HDD has been infected by the laptop. Is there any way to ensure that the HDD is clean without formatting?

2) I also have a desktop PC which I recently ran a routine scan on, and it is showing a hidden object in Avira but no other signs. Malwarebytes, ESET and Avira are not picking up any infection. Considering the external HDD has been used on both computers, do you recommend that the desktop should also be reformatted, or should I post the DDS logs on this forum to see if there is any actual infection? Keeping in mind that Avira did not detect any hidden objects a couple of weeks ago.

Many thanks for all your help with this.

jraftop


1) I have an external HDD which contains a lot of backed-up stuff which I do not want to lose. However, this HDD has been recently used on this laptop. I have no clue if the infection may have come from the HDD or if the HDD has been infected by the laptop. Is there any way to ensure that the HDD is clean without formatting?

It is a difficult answer. You should perform some scanning on the data there.

2) I also have a desktop PC which I recently ran a routine scan on, and it is showing a hidden object in Avira but no other signs. Malwarebytes, ESET and Avira are not picking up any infection. Considering the external HDD has been used on both computers, do you recommend that the desktop should also be reformatted, or should I post the DDS logs on this forum to see if there is any actual infection? Keeping in mind that Avira did not detect any hidden objects a couple of weeks ago.

This is a backdoor, which means that wherever you have connected it, anything can be expected. I suggest you format this PC.

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Good luck! :)
