Backdoor tidserv!inf; Malwarebytes crashed and computer becomes unresponsive during quick scan

Kylekatarn10 · January 13, 2013

Hi,

I have had a Backdoor Tidserv!inf on my computer. My anti-virus Norton Internet Security was unable to remove it so after trying a couple of related Norton extensions such as Power-Eraser and the Tidserv removal tool I downloaded Malwarebytes. After performing a quick scan and detecting a number of threats such trojans, etc. Malwarebytes successfully removed them and prompted me to restart my PC. After restarting I ran another quick scan however this time it crashed. I attempted 3 or 4 more quick scans since then but every time Malwarebytes crashes and my computer becomes unresponsive. Per instructions here are the DDS logs:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.7.2

Run by Kevin at 13:24:41 on 2013-01-13

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1549 [GMT -8:00]

.

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\SLsvc.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Ask.com\Updater\Updater.exe

C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Pando Networks\Media Booster\PMB.exe

C:\Program Files\Common Files\Apple\Internet Services\ubd.exe

C:\Users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Windows\system32\msiexec.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCzy0DtCtB0AyCtBtD0C0AtA0B0AtN0D0Tzu0CtBtCzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=1085946328

uWindow Title = Internet Explorer provided by Dell

mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCzy0DtCtB0AyCtBtD0C0AtA0B0AtN0D0Tzu0CtBtCzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=1085946328

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} -

mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} -

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>

BHO: {1036AD63-AEAC-460B-9060-C96005D4DC86} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\norton internet security\engine\20.2.0.19\coieplg.dll

BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\norton internet security\engine\20.2.0.19\ips\ipsbho.dll

BHO: Funmoods Helper Object: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} -

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} -

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Privacy Safeguard BHO: {A42D2EB4-DD31-4BB5-8AA5-8D4E04806DBE} - c:\program files\privacysafeguard\PrivacySafeGuard.dll

BHO: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: BitTorrentBar Toolbar: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} -

TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll

TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} -

TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll

TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Funmoods Toolbar: {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} -

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\norton internet security\engine\20.2.0.19\coieplg.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent

uRun: [sbitunesagent] c:\program files\songbird\songbirditunesagent.exe

uRun: [Hole plus] "c:\programdata\ticksetupsetup.1fngd7q"

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe

uRun: [spotify Web Helper] "c:\users\kevin\appdata\roaming\spotify\data\SpotifyWebHelper.exe"

uRun: [spotify] "c:\users\kevin\appdata\roaming\spotify\spotify.exe" /uri spotify:autostart

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

StartupFolder: c:\users\kevin\appdata\roaming\micros~1\windows\startm~1\programs\startup\lastfm~1.lnk - c:\program files\last.fm\LastFMHelper.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{39C7A135-16F8-45FC-9816-A71F882A2504} : DHCPNameServer = 192.168.0.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.52\installer\setup.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1402000.013\symds.sys [2013-1-11 368288]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1402000.013\symefa.sys [2013-1-11 927904]

R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1402000.013\ccsetx86.sys [2013-1-11 134304]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.1.0.24\definitions\ipsdefs\20130111.002\IDSvix86.sys [2013-1-11 386720]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1402000.013\symtdiv.sys [2013-1-11 350368]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-23 21504]

R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\20.2.0.19\ccsvchst.exe [2013-1-11 143928]

R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]

R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-10-2 382824]

R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-12-6 50944]

R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-2-1 5504]

S1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.1.0.24\definitions\bashdefs\20130107.001\BHDrvx86.sys [2012-11-29 995488]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1402000.013\ironx86.sys [2013-1-11 175264]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe --> c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]

S3 idrmkl;idrmkl;c:\users\kevin\appdata\local\temp\idrmkl.sys [2011-8-26 29696]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-1-13 40776]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-29 24652]

.

=============== Created Last 30 ================

.

2013-01-13 10:08:50 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-01-13 09:45:47 -------- d-----w- c:\users\kevin\appdata\roaming\Malwarebytes

2013-01-13 09:45:30 -------- d-----w- c:\programdata\Malwarebytes

2013-01-13 09:45:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-13 09:45:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-01-12 04:42:23 350368 ----a-r- c:\windows\system32\drivers\nis\1402000.013\symtdiv.sys

2013-01-12 04:42:22 927904 ----a-w- c:\windows\system32\drivers\nis\1402000.013\symefa.sys

2013-01-12 04:42:22 368288 ----a-w- c:\windows\system32\drivers\nis\1402000.013\symds.sys

2013-01-12 04:42:22 338592 ----a-r- c:\windows\system32\drivers\nis\1402000.013\symnets.sys

2013-01-12 04:42:22 32888 ----a-r- c:\windows\system32\drivers\nis\1402000.013\srtspx.sys

2013-01-12 04:42:22 21400 ----a-r- c:\windows\system32\drivers\nis\1402000.013\symelam.sys

2013-01-12 04:42:21 586400 ----a-w- c:\windows\system32\drivers\nis\1402000.013\srtsp.sys

2013-01-12 04:42:21 175264 ----a-r- c:\windows\system32\drivers\nis\1402000.013\ironx86.sys

2013-01-12 04:42:21 134304 ----a-w- c:\windows\system32\drivers\nis\1402000.013\ccsetx86.sys

2013-01-12 04:40:54 9103 ----a-w- c:\windows\system32\drivers\nis\1402000.013\symvtcer.dat

2013-01-12 04:40:54 -------- d-----w- c:\windows\system32\drivers\nis\1402000.013

2013-01-10 07:34:52 -------- d-----r- c:\program files\Skype

2013-01-09 08:23:41 204288 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 08:23:41 1400832 ----a-w- c:\windows\system32\msxml6.dll

2013-01-09 08:23:40 2048000 ----a-w- c:\windows\system32\win32k.sys

2012-12-23 17:22:17 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-12-23 17:22:07 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-12-23 17:22:07 16896 ----a-w- c:\windows\system32\winusb.dll

2012-12-23 17:22:07 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-12-23 17:22:06 73216 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-12-23 17:22:06 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-12-23 17:22:05 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-12-23 17:22:05 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-12-23 17:22:04 613888 ----a-w- c:\windows\system32\WUDFx.dll

2012-12-23 17:22:04 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-12-23 17:22:04 196608 ----a-w- c:\windows\system32\WUDFHost.exe

2012-12-23 17:13:18 293376 ----a-w- c:\windows\system32\atmfd.dll

2012-12-23 17:13:17 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-23 15:52:29 75776 ----a-w- c:\windows\system32\synceng.dll

2012-12-23 15:52:28 985088 ----a-w- c:\windows\system32\crypt32.dll

2012-12-23 15:52:28 376320 ----a-w- c:\windows\system32\dpnet.dll

2012-12-23 15:52:28 23040 ----a-w- c:\windows\system32\dpnsvr.exe

2012-12-23 15:52:27 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-12-23 15:52:27 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-12-23 15:52:23 224640 ----a-w- c:\windows\system32\drivers\volsnap.sys

2012-12-23 15:52:21 172544 ----a-w- c:\windows\system32\wintrust.dll

2012-12-23 15:52:15 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-23 15:52:02 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-12-23 15:52:02 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-12-23 15:32:06 -------- d-sh--w- C:\found.001

2012-12-18 20:07:11 106240 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2012-12-18 20:07:11 106240 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

.

==================== Find3M ====================

.

2013-01-12 04:46:24 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2013-01-09 01:21:44 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-01-09 01:21:44 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2009-01-23 21:03:00 417792 ----a-w- c:\program files\BNUpdate.exe

2009-01-23 21:02:26 65536 ----a-w- c:\program files\SEditPTB.loc

2009-01-23 21:02:26 65536 ----a-w- c:\program files\SEditITA.loc

2009-01-23 21:02:26 65536 ----a-w- c:\program files\SEditFRA.loc

2009-01-23 21:02:26 65536 ----a-w- c:\program files\SEditESP.loc

2009-01-23 21:02:26 65536 ----a-w- c:\program files\SEditENU.loc

2009-01-23 21:02:26 65536 ----a-w- c:\program files\SEditDEU.loc

2009-01-10 07:57:42 557310 ----a-w- c:\program files\battle.snp

2009-01-10 07:57:42 409600 ----a-w- c:\program files\storm.dll

2009-01-10 07:57:42 127767 ----a-w- c:\program files\standard.snp

2009-01-10 07:57:42 1220608 ----a-w- c:\program files\StarCraft.exe

2008-12-20 06:33:26 125440 ----a-w- c:\program files\iccwc3.icc

2008-12-20 06:01:32 327680 ----a-w- c:\program files\Launcher.exe

2008-12-20 06:01:30 128512 ----a-w- c:\program files\iccscbn.icc

2008-12-19 07:46:50 24064 ----a-w- c:\program files\w3lh.dll

2008-12-07 10:07:38 691545 ----a-w- c:\program files\unins000.exe

2008-09-17 05:31:06 642560 ----a-w- c:\program files\Chaosplugin.bwl

2007-09-13 07:19:36 95232 ----a-w- c:\program files\Smackw32.dll

2007-09-13 07:19:36 662474 ----a-w- c:\program files\InstCC.exe

2007-09-13 07:19:36 315392 ----a-w- c:\program files\Riched20.dll

2007-09-13 07:19:36 150528 ----a-w- c:\program files\SEditPTG.loc

2007-08-21 10:21:08 53248 ----a-w- c:\program files\nocd1151.bwl

2007-05-18 04:51:58 1016320 ----a-w- c:\program files\StarEdit.exe

.

============= FINISH: 13:27:04.46 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume3

Install Date: 2/1/2007 9:46:38 AM

System Uptime: 1/13/2013 1:10:07 PM (0 hours ago)

.

Motherboard: Dell Inc. | | 0WG855

Processor: Intel® Core2 CPU 6600 @ 2.40GHz | Microprocessor | 2394/1066mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 223 GiB total, 42.91 GiB free.

D: is FIXED (NTFS) - 10 GiB total, 5.6 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}

Description: A738UC83 IDE Controller

Device ID: ACPI\PNPA000\4&5D18F2DF&0

Manufacturer: (Standard mass storage controllers)

Name: A738UC83 IDE Controller

PNP Device ID: ACPI\PNPA000\4&5D18F2DF&0

Service: a48achfq

.

==== System Restore Points ===================

.

RP2681: 1/12/2013 10:03:20 PM - Norton_Power_Eraser_20130112220320601

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.5.3

Adobe Shockwave Player 11.5

Age of Mythology

Age of Mythology - The Titans Expansion

AIM 7

APC PowerChute Personal Edition

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Ask Toolbar

Audiosurf

Bandisoft MPEG-1 Decoder

BioWare Premium Module: Neverwinter Nights Kingmaker

BitTorrent

BitTorrent 6.0

Bonjour

Bridge From Special K

BufferChm

Call of Duty® 4 - Modern Warfare 1.4 Patch

Call of Duty® 4 - Modern Warfare 1.5 Multiplayer Patch

Call of Duty® 4 - Modern Warfare 1.6 Patch

Call of Duty® 4 - Modern Warfare 1.7 Patch

Company of Heroes

Conduit Engine

Conexant D850 PCI V.92 Modem

Counter-Strike: Source

CustomerResearchQFolder

D1400

D1400_Help

D3DX10

DellConnect

DellSupport

Deus Ex: Game of the Year Edition

DeviceManagementQFolder

Diablo II

Digital Line Detect

DivX Setup

dj_sf_ProductContext

dj_sf_software

dj_sf_software_req

Documentation & Support Launcher

DOOM 3

DOOM II: Hell on Earth

Download Updater (AOL LLC)

EarthLink Setup Files

eSupportQFolder

Finale PrintMusic 2007

Games, Music, & Photos Launcher

GOM Player

GOMTV Streamer

Google Chrome

Google Earth

Google Update Helper

Half-Life

Half-Life 2

Half-Life 2: Lost Coast

Half-Life: Blue Shift

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Customer Participation Program 8.0

HP Deskjet 8.0 Software

HP Imaging Device Functions 8.0

HP Photosmart Essential

HP Solution Center 8.0

HPProductAssistant

HPSSupply

iCloud

Intel® Matrix Storage Manager

Intel® Viiv Software

Interlok driver setup x32

iTunes

Java 7 Update 7

Java Auto Updater

Java DB 10.5.3.0

Java SE Development Kit 6 Update 22

JavaFX 2.1.1

Jeopardy! 2003

Last.fm 1.5.4.27091

LiveUpdate 3.2 (Symantec Corporation)

LiveUpdate Notice (Symantec Corporation)

LucasArts' Jedi Knight

LucasArts' Mysteries of the Sith

Malwarebytes Anti-Malware version 1.70.0.1100

MarketResearch

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2698023)

Microsoft .NET Framework 1.1 Security Update (KB2742597)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft AppLocale

Microsoft Games for Windows - LIVE Redistributable

Microsoft Games for Windows Marketplace

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Microsoft Windows Application Compatibility Database

Microsoft WSE 3.0 Runtime

Microsoft XNA Framework Redistributable 4.0

MobileMe Control Panel

Modem Diagnostic Tool

Morrowind: Game of the Year

Move Networks Media Player for Internet Explorer

MSVCRT

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML4 Parser

NetBeans IDE 6.9.1

NetWaiting

NetZeroInstallers

Nexon Game Manager

Norton Internet Security

Norton Security Scan

NVIDIA 3D Vision Driver 306.97

NVIDIA Control Panel 306.97

NVIDIA Graphics Driver 306.97

NVIDIA Install Application

NVIDIA PhysX

NVIDIA Stereoscopic 3D Driver

OGA Notifier 2.0.0048.0

OpenAL

Opposing Force

Oregon Trail II

Origin

Pando Media Booster

Penumbra

Privacy SafeGuard version 1.1

Quake

QuickTime

Rosetta Stone Version 3

Roxio Creator Audio

Roxio Creator BDAV Plugin

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Drag-to-Disc

Roxio Express Labeler

Roxio MyDVD DE

Roxio Update Manager

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition

Segoe UI

Sid Meier's Civilization IV

SigmaTel Audio

Skype™ 6.0

SolutionCenter

Sonic Activation Module

Source Dedicated Server

Source SDK Base - Orange Box

Spotify

Star Wars Jedi Knight Jedi Academy

Star Wars JK II Jedi Outcast

Star Wars® Knights of the Old Republic® II: The Sith Lords

Star Wars: Knights of the Old Republic

StarCraft II

Status

Steam

Super Meat Boy

SWAT 4

System Requirements Lab

Team Fortress Classic

Terraria

The Sims™ 3

The Sims™ 3 Late Night

The Ultimate DOOM

Toolbox

TrayApp

UnloadSupport

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

URL Assistant

User's Guides

VC80CRTRedist - 8.0.50727.6195

Ventrilo Client

Viewpoint Media Player

Virtual Audio Cable 4.9

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

Warcraft III

Warcraft III: All Products

WebReg

Winamp

Winamp Detector Plug-in

Winamp Essentials Pack

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

WinRAR archiver

Yahoo! Messenger

Yahoo! Software Update

.

==== Event Viewer Messages From Past Week ========

.

1/13/2013 2:25:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

1/13/2013 2:25:46 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

1/13/2013 2:25:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccSet_NIS DfsC eeCtrl IDSVix86 Lbd NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr sptd SRTSPX SymIRON SYMTDIv tdx Wanarpv6

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

1/13/2013 2:25:40 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

1/13/2013 2:25:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

1/13/2013 2:25:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

1/13/2013 2:25:02 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

1/13/2013 2:24:50 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

1/13/2013 2:24:25 AM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .

1/13/2013 2:24:25 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}

1/13/2013 2:24:23 AM, Error: EventLog [6008] - The previous system shutdown at 2:13:45 AM on 1/13/2013 was unexpected.

1/13/2013 2:23:42 AM, Error: sptd [4] - Driver detected an internal error in its data structures for .

1/13/2013 2:11:30 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

1/13/2013 2:07:23 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd Smb

1/13/2013 12:27:15 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume OS.

1/13/2013 12:27:15 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

1/13/2013 12:19:39 PM, Error: EventLog [6008] - The previous system shutdown at 2:34:53 AM on 1/13/2013 was unexpected.

1/13/2013 1:12:07 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 Lbd Smb SymIRON

1/13/2013 1:12:07 PM, Error: Service Control Manager [7005] - The LoadUserProfile call failed with the following error: Access is denied.

1/13/2013 1:12:07 PM, Error: Service Control Manager [7000] - The npkcrypt service failed to start due to the following error: The system cannot find the path specified.

1/13/2013 1:11:16 PM, Error: EventLog [6008] - The previous system shutdown at 12:27:30 PM on 1/13/2013 was unexpected.

.

==== End Of File ===========================

Thanks in advance!

Maniac · January 13, 2013

Hello Kylekatarn10! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
Make sure you read all of the instructions and fixes thoroughly before continuing with them.
Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.

Kylekatarn10 · January 13, 2013

Thanks for the quick reply. I would prefer not to re-format the the entire machine so a cleanup would be preferable. How would I go about doing this?

Maniac · January 13, 2013

Step 1

Please uninstall the following applications:

Ask Toolbar

BitTorrent

BitTorrent 6.0

Conduit Engine

Viewpoint Media Player

Step 2

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Step 3

Please download Malwarebytes Anti-Rootkit from here.

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe ( right click and select Run as adminsistrator for Vista and Windows 7)
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Please post the two logs produced.

In your next reply, post the following log files:

Junkware Removal Tool log
Malwarebytes Anti-Rootkit log
a new fresh DDS log

Kylekatarn10 · January 14, 2013

Darn. So, I followed your instructions until I used the Malwarebytes Anti-Rootkit program. It crashed and caused my computer to become completely unresponsive twice, both times after discovering 19 malware at different points in each scan. Anyway, here is the JRT log and fresh DDS logs:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.4.2 (01.08.2013:1)

OS: Windows Vista Home Premium x86

Ran by Kevin on Sun 01/13/2013 at 16:27:21.49

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

Successfully stopped: [service] viewpoint manager service

Successfully deleted: [service] viewpoint manager service

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{30f9b915-b755-4826-820b-08fba6bd249d}

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\urlsearchhooks\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{a4c272ec-ed9e-4ace-a6f2-9558c7f29ef3}

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_users\S-1-5-21-2446573200-3105183575-2128207625-1001\software\microsoft\internet explorer\main\\Start Page

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\escort.escortiepane

Successfully deleted: [Registry Key] hkey_classes_root\escort.escortiepane.1

Successfully deleted: [Registry Key] hkey_classes_root\f

Successfully deleted: [Registry Key] hkey_classes_root\funmoods.dskbnd

Successfully deleted: [Registry Key] hkey_classes_root\funmoods.dskbnd.1

Successfully deleted: [Registry Key] hkey_classes_root\funmoods.funmoodshlpr

Successfully deleted: [Registry Key] hkey_classes_root\funmoods.funmoodshlpr.1

Successfully deleted: [Registry Key] hkey_classes_root\funmoodsapp.appcore

Successfully deleted: [Registry Key] hkey_classes_root\funmoodsapp.appcore.1

Successfully deleted: [Registry Key] hkey_local_machine\software\conduit

Successfully deleted: [Registry Key] hkey_current_user\software\softonic

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\crossrider

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\pricegong

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\dnu.exe

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escort.dll

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escortapp.dll

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escorteng.dll

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escortlbr.dll

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\conduit.engine

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdate

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdater.downloaduibrowser

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdater.downloaduibrowser.1

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdater.downloadupdcontroller

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdater.downloadupdcontroller.1

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\active setup\installed components\{03f998b2-0e00-11d3-a498-00104b6eb52e}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\active setup\installed components\{1b00725b-c455-4de6-bfb6-ad540ad427cd}

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2790392

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{1036ad63-aeac-460b-9060-c96005d4dc86}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{75ebb0aa-4214-4cb4-90ec-e3e07ecd04f7}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{75ebb0aa-4214-4cb4-90ec-e3e07ecd04f7}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{965b9dbe-b104-44ac-950a-8a5f97aff439}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{a42d2eb4-dd31-4bb5-8aa5-8d4e04806dbe}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{a42d2eb4-dd31-4bb5-8aa5-8d4e04806dbe}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{a4c272ec-ed9e-4ace-a6f2-9558c7f29ef3}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{a9db719c-7156-415e-b49d-bad039de4f13}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{f03fd9d0-4f2b-497c-8a71-dd41d70b07d9}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afbcb7e0-f91a-4951-9f31-58fee57a25c4}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afbcb7e0-f91a-4951-9f31-58fee57a25c4}

Failed to delete: [Registry Key] "hkey_local_machine\software\microsoft\windows nt\currentversion\schedule\taskcache\tree\scheduled update for ask toolbar"

~~~ Files

Successfully deleted: [File] "C:\Users\Kevin\appdata\local\funmoods.crx"

Successfully deleted: [File] "C:\Users\Kevin\appdata\local\funmoods-speeddial.crx"

Successfully deleted: [File] C:\eula.1028.txt

Successfully deleted: [File] C:\eula.1031.txt

Successfully deleted: [File] C:\eula.1033.txt

Successfully deleted: [File] C:\eula.1036.txt

Successfully deleted: [File] C:\eula.1040.txt

Successfully deleted: [File] C:\eula.1041.txt

Successfully deleted: [File] C:\eula.1042.txt

Successfully deleted: [File] C:\eula.2052.txt

Successfully deleted: [File] C:\install.res.1028.dll

Successfully deleted: [File] C:\install.res.1031.dll

Successfully deleted: [File] C:\install.res.1033.dll

Successfully deleted: [File] C:\install.res.1036.dll

Successfully deleted: [File] C:\install.res.1040.dll

Successfully deleted: [File] C:\install.res.1041.dll

Successfully deleted: [File] C:\install.res.1042.dll

Successfully deleted: [File] C:\install.res.2052.dll

Successfully deleted: [File] C:\install.res.3082.dll

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\installmate"

Successfully deleted: [Folder] "C:\ProgramData\premium"

Successfully deleted: [Folder] "C:\ProgramData\trymedia"

Successfully deleted: [Folder] "C:\ProgramData\viewpoint"

Successfully deleted: [Folder] "C:\Users\Kevin\AppData\Roaming\iwin"

Successfully deleted: [Folder] "C:\Users\Kevin\appdata\locallow\boost_interprocess"

Successfully deleted: [Folder] "C:\Users\Kevin\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Users\Kevin\appdata\locallow\pricegong"

Successfully deleted: [Folder] "C:\Program Files\conduit"

Successfully deleted: [Folder] "C:\Program Files\conduitengine"

Successfully deleted: [Folder] "C:\Program Files\privacysafeguard"

Successfully deleted: [Folder] "C:\Program Files\trymedia"

Successfully deleted: [Folder] "C:\Program Files\viewpoint"

Successfully deleted: [Folder] "C:\Program Files\Common Files\software update utility"

Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\privacy safeguard"

Successfully deleted: [Folder] "C:\Users\Kevin\appdata\locallow\asktoolbar"

~~~ Chrome

Successfully deleted: [Folder] C:\Users\Kevin\appdata\local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj

Successfully deleted: [Registry Key] hkey_current_user\software\google\chrome\extensions\bbjciahceamgodcoidkjpchnokgfpphh

Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\bbjciahceamgodcoidkjpchnokgfpphh

Successfully deleted: [Registry Key] hkey_current_user\software\google\chrome\extensions\cjpglkicenollcignonpgiafdgfeehoj

Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\cjpglkicenollcignonpgiafdgfeehoj

Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\geggofhlfbcmanadhknllmlajiafopoh

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sun 01/13/2013 at 16:29:54.80

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.7.2

Run by Kevin at 17:19:08 on 2013-01-13

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\SLsvc.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Pando Networks\Media Booster\PMB.exe

C:\Program Files\Common Files\Apple\Internet Services\ubd.exe

C:\Users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Users\Kevin\AppData\Roaming\Spotify\spotify.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\msiexec.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

uWindow Title = Internet Explorer provided by Dell

mStart Page = hxxp://www.google.com