
I think I'm infected with a very clever rootkit..



I'm not sure what kind of virus or rootkit it's called, but some antivirus programs I tried to run were stopped or failed to launch.

I used to have Avast as real-time protection and MBAM as a scanner (both free). Avast got corrupted all of a sudden when I did a system restore. It prompted for a license when I was registered as a free user. Also it won't do a boot scan, which is supposed to be one of its features. I was infected a month ago with the "quicksearch info" virus, but AdwCleaner fixed it. Malwarebytes doesn't find anything after a scan (but it found a rootkit immediately after the quick search virus infection); neither does TDSSKiller. Norton Power Eraser failed to launch when I fixed the settings for a rootkit scan. The Kaspersky virus scanner not only failed to launch, but my PC shut down as well and went to a blue screen. I just did Startup Repair, then System Restore, and everything went back to normal.

I also tried Dr.Web CureIt today and - well, it's amazing at first, since they function in enhanced mode. It found a DHP virus (a backdoor trojan, if I remember it correctly). However, when I tried to run it again for the third time it wouldn't launch all of a sudden. I tried it 4 times. I even tried to shut down my firewall, but nothing worked.

I'm using the ESET NOD32 free trial as my real-time protection, by the way, but it hasn't found anything yet.

I would really appreciate your help with this. Thanks!

Below are the DDS logs:


==== Installed Programs ======================


ActiveCheck component for HP Active Support Library

Adobe Flash Player 11 Plugin

Apple Mobile Device Support

BIOS Configuration for HP ProtectTools



Compatibility Pack for the 2007 Office system

Credential Manager for HP ProtectTools

DirectX 9 Runtime

DivX Setup

Drive Encryption for HP ProtectTools

DriverMax 6

EaseUS Todo Backup Free 4.5

Embedded Security for HP ProtectTools

ESET NOD32 Antivirus

General Module

Glary Utilities

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP ProtectTools Security Manager

HP Total Care Advisor

HPAsset component for HP Active Support Library

Intel® Graphics Media Accelerator Driver

Intel® Management Engine Interface

Intel® PRO Network Connections

Intel® Active Management Technology

Java 7 Update 17

Java Auto Updater

LastPass (uninstall only)

LightScribe System Software

Malwarebytes Anti-Malware version

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Office XP Professional

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Mouse Suite

Mozilla Firefox 20.0.1 (x86 en-US)

Mozilla Maintenance Service

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB2758694)

Norton Bootable Recovery Tool Wizard

PDF Complete

Privatefirewall 7.0


Revo Uninstaller 1.94

Roxio Activation Module

Roxio Creator Audio

Roxio Creator Business

Roxio Creator Business v10

Roxio Creator Copy

Roxio Creator Data

Roxio Creator Tools

Roxio Express Labeler 3

Roxio MyDVD

Secunia PSI (

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Skype Click to Call

Skype™ 6.3


Sonic CinePlayer Decoder Pack



Twins video to iPod-Zune-PSP-3GP 1.1

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

USB2.0 PC Camera(0050.2010.0326.3015)

VC80CRTRedist - 8.0.50727.6195

Veetle TV


==== End Of File ===========================

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.17.2

Run by Gabriel at 19:39:43 on 2013-04-29


============== Running Processes ================




c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe


C:\Program Files\Privacyware\Privatefirewall 7.0\pfsvc.exe


C:\Program Files\SUPERAntiSpyware\SASCORE.EXE


C:\Program Files\Intel\AMT\atchksrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe



C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\New Files\Mbites\mbamscheduler.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\PDF Complete\pdfsvc.exe


C:\Program Files\Secunia\PSI\sua.exe

C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Program Files\Intel\AMT\UNS.exe




c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe


C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe







C:\Program Files\Privacyware\Privatefirewall 7.0\PFGUI.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\System32\svchost.exe -k Cognizance

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation


============== Pseudo HJT Report ===============


uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop

mStart Page = hxxp://www.google.com

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop

mURLSearchHooks: <No Name>: - LocalServer32 - <no file>

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Credential Manager for HP ProtectTools: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll

TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [Privatefirewall] c:\program files\privacyware\privatefirewall 7.0\PFGUI.exe

mPolicies-Explorer: NoDriveTypeAutoRun = dword:255

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll

IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - <orphaned>

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

TCP: NameServer =

TCP: Interfaces\{6CD329FA-F9D5-4519-AC5A-36DBD16AF952} : NameServer =,

TCP: Interfaces\{6CD329FA-F9D5-4519-AC5A-36DBD16AF952} : DHCPNameServer =

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

Notify: SDWinLogon - SDWinLogon.dll

SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

LSA: Notification Packages = SbHpNp scecli ASWLNPkg

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"


================= FIREFOX ===================


FF - ProfilePath - c:\users\gabriel\appdata\roaming\mozilla\firefox\profiles\zrqaokgz.default\

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll


============= SERVICES / DRIVERS ===============


R? A2DDA;A2 Direct Disk Access Support Driver



R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? GUCI_AVS;Generic USB Controller Interface (AVS)

R? MBAMService;MBAMService


R? RoxMediaDB10;RoxMediaDB10

R? Secunia PSI Agent;Secunia PSI Agent

R? SkypeUpdate;Skype Updater

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache

S? !SASCORE;SAS Core Service

S? ASBroker;Logon Session Broker

S? ASChannel;Local Communication Channel

S? eamonm;eamonm

S? EaseUS Agent;EaseUS Agent Service

S? ehdrv;ehdrv

S? ekrn;ESET Service

S? epfwwfpr;epfwwfpr





S? FontCache;Windows Font Cache Service

S? Guard Agent;Guard Agent Service

S? HpFkCryptService;Drive Encryption Service

S? MBAMProtector;MBAMProtector

S? MBAMScheduler;MBAMScheduler

S? pdfcDispatcher;PDF Document Manager

S? PersonalSecureDrive;PersonalSecureDrive

S? PFNet;Privacyware network service

S? pwipf6;Privacyware Filter Driver

S? RsvLock;RsvLock

S? SafeBoot;SafeBoot



S? SbAlg;SbAlg

S? SbFsLock;SbFsLock

S? Secunia Update Agent;Secunia Update Agent

S? Skype C2C Service;Skype C2C Service

S? SMR322;Symantec SMR Utility Service 3.2.2

S? UNS;Intel® Active Management Technology User Notification Service


=============== Created Last 30 ================


9999-10-13 12:15:26 808 ----a-w- c:\windows\system32\drivers\etc\hosts-lms.tmp

2013-04-29 08:58:10 -------- d-----w- C:\Stinger_Quarantine

2013-04-29 00:42:47 98392 ----a-w- c:\windows\system32\drivers\SMR322.SYS

2013-04-28 16:18:47 -------- d-----w- c:\users\gabriel\Doctor Web

2013-04-28 13:08:29 -------- d-----w- c:\programdata\SMR322

2013-04-28 13:07:29 -------- d-----w- c:\users\gabriel\appdata\local\NPE

2013-04-27 00:21:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-04-27 00:16:12 6906960 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{112685b7-e4b1-415b-89ce-4d12539b00b9}\mpengine.dll

2013-04-20 23:18:02 -------- d-----w- c:\users\gabriel\appdata\roaming\SUPERAntiSpyware.com

2013-04-16 10:30:47 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2013-04-16 10:27:15 106928 ----a-w- c:\windows\system32\GEARAspi.dll

2013-04-16 10:26:00 -------- d-----w- c:\windows\system32\drivers\nbrtwizard\0501000.01A

2013-04-16 10:26:00 -------- d-----w- c:\windows\system32\drivers\NBRTWizard

2013-04-16 10:25:55 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard

2013-04-16 10:24:23 -------- d-----w- c:\programdata\NortonInstaller

2013-04-16 10:24:23 -------- d-----w- c:\program files\NortonInstaller

2013-04-16 09:01:42 -------- d-----w- c:\programdata\Norton

2013-04-16 07:51:10 -------- d-----w- c:\users\gabriel\appdata\local\Google

2013-04-16 07:28:27 -------- d-----w- c:\users\gabriel\appdata\roaming\Malwarebytes

2013-04-16 07:28:17 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-04-16 07:24:47 -------- d-----w- C:\New Files

2013-04-16 07:15:57 -------- d-----w- c:\program files\Glary Utilities

2013-04-16 07:10:34 -------- d-----w- c:\users\gabriel\appdata\local\Macromedia

2013-04-15 10:45:33 -------- d-----w- c:\users\gabriel\pappa pics

2013-04-15 10:23:53 -------- d-----w- c:\users\gabriel\appdata\local\Mozilla

2013-04-15 10:21:41 -------- d-----w- c:\users\gabriel\appdata\local\Apple

2013-04-15 10:10:29 -------- d-----w- c:\users\gabriel\appdata\roaming\GlarySoft

2013-04-15 06:19:41 -------- d-----w- c:\users\gabriel\btr

2013-04-15 06:06:54 -------- d-----w- c:\users\gabriel\appdata\local\Privatefirewall

2013-04-15 06:04:15 -------- d-----w- c:\users\gabriel\appdata\local\Hewlett-Packard

2013-04-15 02:55:02 -------- d-----w- c:\program files\Glary Utilities2

2013-04-14 12:02:05 -------- d-----w- c:\program files\ESET

2013-04-13 07:21:35 128672 ----a-w- c:\windows\system32\drivers\pwipf6.sys

2013-04-13 07:21:16 -------- d-----w- c:\program files\Privacyware

2013-04-10 07:47:10 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-10 07:47:07 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-04-10 07:47:07 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-04-10 07:47:06 64000 ----a-w- c:\windows\system32\smss.exe

2013-04-10 07:47:06 49152 ----a-w- c:\windows\system32\csrsrv.dll

2013-04-10 07:47:03 2067968 ----a-w- c:\windows\system32\mstscax.dll

2013-04-10 07:46:59 376320 ----a-w- c:\windows\system32\winsrv.dll

2013-04-10 07:46:55 2049024 ----a-w- c:\windows\system32\win32k.sys


==================== Find3M ====================


2013-04-14 14:25:16 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-14 14:25:16 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-18 13:54:12 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-03-18 13:54:10 861088 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-03-18 13:54:10 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-17 23:53:11 869376 ----a-w- c:\windows\is-V5090.exe

2013-03-11 17:10:56 237088 ------w- c:\windows\system32\MpSigStub.exe

2013-02-22 03:46:00 1800704 ----a-w- c:\windows\system32\jscript9.dll

2013-02-22 03:38:00 1129472 ----a-w- c:\windows\system32\wininet.dll

2013-02-22 03:37:50 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2013-02-22 03:34:17 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2013-02-22 03:34:03 420864 ----a-w- c:\windows\system32\vbscript.dll

2013-02-22 03:31:46 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2013-02-20 03:07:38 171680 ----a-w- c:\windows\system32\drivers\eamonm.sys

2013-02-12 01:57:27 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys

2012-09-29 15:21:56 10974280 ----a-w- c:\program files\common files\lpuninstall.exe


============= FINISH: 19:40:07.55 ===============

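The DDS sections above are normally read by hand. Added here as an example, not part of the thread and not the DDS or Malwarebytes tooling: a short Python script that parses the "Created Last 30" line layout as it appears in this log and pulls out the entries a reviewer would want to check first: anything dated after the log's own run time (the first entry in that section carries a year-9999 date), a newly written kernel driver under \drivers\, and anything touching the hosts file location. The line layout, the "Run by" header format and the rules themselves are assumptions taken from what is visible in this thread; the sample lines are copied from the log. A flag is a review prompt, not a verdict: mbam.sys is flagged too, and that is the Malwarebytes driver.

```python
import re
from datetime import datetime

# Assumed layout of a DDS "Created Last 30" / "Find3M" line, taken from how
# the lines look in this thread:
#   <YYYY-MM-DD> <HH:MM:SS> <size, or -------- for a directory> <8 attribute chars> <path>
_ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-{8}) (\S{8}) (.+)$"
)
# Assumed shape of the DDS header line that carries the time the log was taken.
_HEADER_RE = re.compile(r"Run by \S+ at (\d{2}:\d{2}:\d{2}) on (\d{4}-\d{2}-\d{2})")


def run_time_from_header(header_line):
    """Extract the log's own run time from the 'Run by ... at ... on ...' line."""
    m = _HEADER_RE.search(header_line)
    if not m:
        raise ValueError("not a DDS 'Run by' header: " + header_line)
    return datetime.strptime(m.group(2) + " " + m.group(1), "%Y-%m-%d %H:%M:%S")


def parse_entry(line):
    """Parse one entry line into a dict; returns None for non-entry lines."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    date_s, time_s, size_s, attrs, path = m.groups()
    try:
        when = datetime.strptime(date_s + " " + time_s, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        # Digits in the right shape but not a real date (e.g. month 13):
        # keep the entry and let triage() report it as unparseable.
        when = None
    return {
        "when": when,
        "raw_stamp": date_s + " " + time_s,
        "is_dir": attrs.startswith("d"),
        "size": None if size_s.startswith("-") else int(size_s),
        "path": path,
    }


def triage(lines, run_time):
    """Return (path, reason) pairs a reviewer should look at first.

    The rules are a starting point, not a verdict: legitimate security tools
    install kernel drivers too, so a flagged entry needs a second look,
    not an automatic removal.
    """
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        p = e["path"].lower()
        if e["when"] is None:
            findings.append((e["path"], "unparseable timestamp " + e["raw_stamp"]))
        elif e["when"] > run_time:
            # A file cannot legitimately be created after the log was taken.
            findings.append((e["path"], "timestamp after log run time"))
        if not e["is_dir"] and p.endswith(".sys") and "\\drivers\\" in p:
            findings.append((e["path"], "new kernel driver"))
        if "\\drivers\\etc\\hosts" in p:
            findings.append((e["path"], "touches hosts file location"))
    return findings


# Constructed sample input: lines copied from the "Created Last 30" section of
# the log above, plus the header line that gives the run time.
DDS_HEADER = "Run by Gabriel at 19:39:43 on 2013-04-29"
SAMPLE_LINES = r"""
9999-10-13 12:15:26 808 ----a-w- c:\windows\system32\drivers\etc\hosts-lms.tmp
2013-04-29 00:42:47 98392 ----a-w- c:\windows\system32\drivers\SMR322.SYS
2013-04-28 16:18:47 -------- d-----w- c:\users\gabriel\Doctor Web
2013-04-16 07:28:17 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-10 07:47:07 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
""".strip().splitlines()


def triage_sample():
    """Run the rules over the sample lines; returns the findings list."""
    return triage(SAMPLE_LINES, run_time_from_header(DDS_HEADER))


if __name__ == "__main__":
    for path, reason in triage_sample():
        print(reason + ": " + path)
```

Run directly, it prints one line per finding. The Find3M section uses the same line shape, so the same parser covers it; the rule list is the part to grow as you learn which paths matter on a given machine.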

Hello roy2020 and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

If it was a backdoor, take a look at this:


One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.


Hi Maniac,

Okay, I read your links and it almost gave me a heart attack.. ;) I think I'll just follow your recommendation to do a reinstall. Oh, by the way, I use LastPass as my password manager and it's pretty tough. I think the only way they could steal my card information is through a keylogger.. (am I right with this?).. Can we just check on that, if there's one present in my PC right now? Fortunately, up to now there's still no unauthorized transaction on my card. But I deleted the card information from my LastPass account anyway.

Is it true keyloggers are easy to spot by top antivirus software?



I think the only way they could steal my card information is through a keylogger.. (am I right with this?)

We could say so.

Can we just check on that, if there's one present in my PC right now?

You said that you want to reinstall? So that is not necessary, because if you do not back up any executable files (like .exe), everything will be fine.

Fortunately, up to now there's still no unauthorized transaction on my card.

It will not necessarily be today or tomorrow; just make sure it will not happen.

Is it true keyloggers are easy to spot by top antivirus software?

There is no answer for this question. Just remember that there is no 100% guarantee with your or any other antivirus software.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.