Bit Coin Miner / Trojan - svchost.exe

Alright, so today I found that my svchost.exe was using 25% cpu usage (remains at a constant 25%), and immediately that gave me red flags. I know from past experience that viruses often use svchost, and the high cpu usage was a bad sign. I ran norton and it picked up nothing, then I ran MBAM and it told me that I have a PUP.BitCoinMiner and Trojan.Agent.Gen. I tried removing them using the program, but after the computer restarted they were back and svchost usage was at 25% as usual.

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 10.0.9200.16537 BrowserJavaVersion: 10.9.2

Run by Shaun at 23:53:07 on 2013-05-04

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.16335.12441 [GMT -5:00]


AV: AVG Internet Security 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AVG Internet Security 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

FW: AVG Internet Security 2013 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}


============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch


C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Program Files\Tablet\Pen\WTabletServiceCon.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\iCLS Client\HeciServer.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\MSI\Super-Charger\ChargeService.exe


C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe

C:\Program Files (x86)\Steam\Steam.exe

C:\Program Files (x86)\puush\puush.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files\Tablet\Pen\Pen_TabletUser.exe

C:\Program Files\Tablet\Pen\WacomHost.exe

C:\Program Files\Tablet\Pen\Pen_Tablet.exe

C:\Program Files\Tablet\Pen\Pen_TouchUser.exe

C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe

C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe

C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe

C:\Program Files (x86)\LOLReplay\LOLRecorder.exe

C:\Program Files (x86)\RescueTime\RescueTime.exe

C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe


C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files (x86)\DisplayFusion\DisplayFusionHookx86.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Users\Shaun\AppData\Local\Temp\svchost.exe" -o http://p.c4a68dc959943caf76d5cb46c97201f2.com -O r6:r6 -l 1

C:\Program Files (x86)\Common Files\Steam\SteamService.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe


C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


C:\Program Files (x86)\Norton 360\Engine\\ccSvcHst.exe

C:\Program Files (x86)\Norton 360\Engine\\ccSvcHst.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

============== Pseudo HJT Report ===============


mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\\coieplg.dll

BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\\ips\ipsbho.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\\coieplg.dll

uRun: [steam] "C:\Program Files (x86)\Steam\steam.exe" -silent

uRun: [puush] C:\Program Files (x86)\puush\puush.exe

uRun: [AdobeBridge] <no file>

mRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

mRun: [super-Charger] C:\Program Files (x86)\MSI\Super-Charger\Super-Charger.exe

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60

mRun: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin

mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Adobe] C:\Users\Shaun\AppData\Roaming\Adobe\color.vbe

StartupFolder: C:\Users\Shaun\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Shaun\AppData\Roaming\Dropbox\bin\Dropbox.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOLREC~1.LNK - C:\Program Files (x86)\LOLReplay\LOLRecorder.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RESCUE~1.LNK - C:\Program Files (x86)\RescueTime\RescueTime.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SKETCH~1.LNK - C:\Program Files (x86)\Autodesk\SketchBookPro2011\SketchBookSnapshot.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-Explorer: HideSCAHealth = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

TCP: NameServer =

TCP: Interfaces\{19673566-DA50-4180-AA45-576BAEFC2222} : DHCPNameServer =

TCP: Interfaces\{F1CCB1B4-5437-4D7E-B40D-EF2962DFED71} : DHCPNameServer =

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

SSODL: WebCheck - <orphaned>

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

x64-Run: [Cmaudio8788] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cmicnfgp.dll,CMICtrlWnd

x64-Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-SSODL: WebCheck - <orphaned>


============= SERVICES / DRIVERS ===============


R0 iaStorA;iaStorA;C:\Windows\System32\drivers\iaStorA.sys [2012-11-27 647736]

R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2012-11-27 28216]

R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-11-26 19224]

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2013-1-7 56208]

R0 RzFilter;RzFilter;C:\Windows\System32\drivers\RzFilter.sys [2013-4-22 73944]

R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1403010.016\symds64.sys [2013-5-4 493656]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1403010.016\symefa64.sys [2013-5-4 1139800]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130412.001\BHDrvx64.sys [2013-4-12 1390680]

R1 ccSet_N360;Norton 360 Settings Manager;C:\Windows\System32\drivers\N360x64\1403010.016\ccsetx64.sys [2013-5-4 168096]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130503.001\IDSviA64.sys [2013-5-3 513184]

R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1403010.016\ironx64.sys [2013-5-4 224416]

R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1403010.016\symnets.sys [2013-5-4 432800]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-11-27 14904]

R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-3-7 629984]

R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-11-26 165144]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-5-4 418376]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-5-4 701512]

R2 MSI_SuperCharger;MSI_SuperCharger;C:\Program Files (x86)\MSI\Super-Charger\ChargeService.exe [2012-11-26 142904]

R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\\ccsvchst.exe [2013-5-4 144520]

R2 RzOvlMon;Razer Overlay Subsystem Emergency Service;C:\Program Files (x86)\Razer\Core\64bit\RzOvlMon.exe [2013-4-18 31448]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-11-26 363800]

R2 WTabletServiceCon;Wacom Consumer Service;C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [2012-12-11 619904]

R3 cmudaxp;ASUS Xonar DX Audio Interface;C:\Windows\System32\drivers\cmudaxp.sys [2013-1-9 2733568]

R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-11-26 356632]

R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-11-26 789272]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-5-4 25928]

R3 MBfilt;MBfilt;C:\Windows\System32\drivers\MBfilt64.sys [2012-12-26 32344]

R3 NTIOLib_1_0_3;NTIOLib_1_0_3;C:\Program Files (x86)\MSI\Super-Charger\NTIOLib_X64.sys [2012-11-26 14136]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-11-26 676968]

R3 RzDxgk;RzDxgk;C:\Windows\System32\drivers\RzDxgk.sys [2013-4-22 128728]

R3 rzendpt;rzendpt;C:\Windows\System32\drivers\rzendpt.sys [2012-11-7 22016]

R3 rzudd;Razer Mouse Driver;C:\Windows\System32\drivers\rzudd.sys [2012-11-7 113664]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]

S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2012-11-26 135584]

S3 hidkmdf;KMDF Driver;C:\Windows\System32\drivers\hidkmdf.sys [2012-12-11 13728]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-23 19456]

S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192Ce.sys [2012-12-3 876136]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-23 57856]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-1-23 30208]

S3 USBPNPA;USB PnP Sound Device Interface;C:\Windows\System32\drivers\CM10864.sys [2012-12-26 1310720]

S3 WacHidRouter;Wacom Hid Router;C:\Windows\System32\drivers\wachidrouter.sys [2012-12-11 81312]

S3 wacomrouterfilter;Wacom Router Filter Driver;C:\Windows\System32\drivers\wacomrouterfilter.sys [2012-12-11 15776]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-4 1255736]


=============== Created Last 30 ================


2013-05-05 04:25:08 796248 ----a-w- C:\Windows\System32\drivers\N360x64\1403010.016\srtsp64.sys

2013-05-05 04:25:08 493656 ----a-w- C:\Windows\System32\drivers\N360x64\1403010.016\symds64.sys

2013-05-05 04:25:08 432800 ----a-w- C:\Windows\System32\drivers\N360x64\1403010.016\symnets.sys

2013-05-05 04:25:08 36952 ----a-w- C:\Windows\System32\drivers\N360x64\1403010.016\srtspx64.sys

2013-05-05 04:25:08 23448 ----a-r- C:\Windows\System32\drivers\N360x64\1403010.016\symelam.sys

2013-05-05 04:25:08 224416 ----a-w- C:\Windows\System32\drivers\N360x64\1403010.016\ironx64.sys

2013-05-05 04:25:08 168096 ----a-w- C:\Windows\System32\drivers\N360x64\1403010.016\ccsetx64.sys

2013-05-05 04:25:08 1139800 ----a-w- C:\Windows\System32\drivers\N360x64\1403010.016\symefa64.sys

2013-05-05 04:25:04 -------- d-----w- C:\Windows\System32\drivers\N360x64\1403010.016

2013-05-05 04:21:50 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared

2013-05-05 04:19:41 177312 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS

2013-05-05 04:19:41 -------- d-----w- C:\Program Files\Symantec

2013-05-05 04:19:41 -------- d-----w- C:\Program Files\Common Files\Symantec Shared

2013-05-05 04:18:58 -------- d-----w- C:\Windows\System32\drivers\N360x64

2013-05-05 04:18:56 -------- d-----w- C:\ProgramData\Norton

2013-05-05 04:18:56 -------- d-----w- C:\Program Files (x86)\Norton 360

2013-05-05 04:17:11 -------- d-----w- C:\ProgramData\NortonInstaller

2013-05-05 04:17:11 -------- d-----w- C:\Program Files (x86)\NortonInstaller

2013-05-05 04:11:11 -------- d-----w- C:\Program Files (x86)\Tweaking.com

2013-05-05 03:05:30 -------- d-----w- C:\Users\Shaun\AppData\Local\SvchostViewer

2013-05-05 03:02:24 -------- d-----w- C:\Users\Shaun\AppData\Roaming\Malwarebytes

2013-05-05 03:02:18 -------- d-----w- C:\ProgramData\Malwarebytes

2013-05-05 03:02:17 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-05-05 03:02:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-04-30 03:39:44 -------- d-----w- C:\Users\Shaun\AppData\Local\Temporary Projects

2013-04-30 03:37:49 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server

2013-04-30 03:37:34 -------- d-----w- C:\Program Files\Microsoft Synchronization Services

2013-04-30 03:37:34 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition

2013-04-30 03:37:25 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services

2013-04-30 03:37:25 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition

2013-04-30 03:36:56 188128 ----a-w- C:\ProgramData\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll

2013-04-30 03:36:12 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 10.0

2013-04-30 03:35:46 -------- d-----w- C:\Program Files\Microsoft Visual Studio 10.0

2013-04-30 03:35:45 -------- d-----w- C:\Program Files\Microsoft Help Viewer

2013-04-27 16:50:51 -------- d-----w- C:\Program Files (x86)\Microsoft XNA

2013-04-25 19:09:54 -------- d-----w- C:\Program Files (x86)\DisplayFusion

2013-04-24 11:49:36 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2013-04-23 02:02:24 73944 ----a-w- C:\Windows\System32\drivers\RzFilter.sys

2013-04-23 02:02:23 128728 ----a-w- C:\Windows\System32\drivers\RzDxgk.sys

2013-04-23 02:01:55 -------- d-----w- C:\Windows\Razer Core

2013-04-13 08:02:24 2558240 ----a-w- C:\Windows\System32\nvsvcr.dll

2013-04-12 00:51:51 -------- d-----w- C:\Riot Games

2013-04-12 00:28:02 -------- d-----w- C:\Users\Shaun\league

2013-04-10 08:02:12 3153408 ----a-w- C:\Windows\System32\win32k.sys

2013-04-10 08:02:03 223752 ----a-w- C:\Windows\System32\drivers\fvevol.sys

2013-04-10 08:01:59 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-04-10 08:01:58 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-04-10 08:01:57 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-04-10 08:01:57 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-04-10 08:01:57 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-04-10 08:01:57 112640 ----a-w- C:\Windows\System32\smss.exe


==================== Find3M ====================


2013-04-14 21:06:07 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe

2013-04-14 21:05:56 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr

2013-04-14 21:05:56 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe

2013-03-28 04:15:54 189248 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0

2013-03-13 01:17:51 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-13 01:17:51 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll

2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll

2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll

2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll

2013-02-12 04:12:05 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys


============= FINISH: 23:53:43.21 ===============

DDS (Ver_2012-11-20.01)


Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 03/12/2012 11:30:08 AM

System Uptime: 04/05/2013 11:05:25 PM (0 hours ago)


Motherboard: MSI | | Z77A-G45 (MS-7752)

Processor: Intel® Core i5-3570K CPU @ 3.40GHz | SOCKET 0 | 4301/100mhz


==== Disk Partitions =========================


C: is FIXED (NTFS) - 466 GiB total, 53.648 GiB free.

D: is CDROM ()

E: is CDROM ()


==== Disabled Device Manager Items =============


==== System Restore Points ===================


RP106: 01/05/2013 3:00:11 AM - Windows Update

RP107: 04/05/2013 12:25:45 AM - Installed DirectX

RP108: 04/05/2013 9:54:01 PM - Installed NetLimiter 3

RP109: 04/05/2013 11:17:07 PM - Removed AVG 2013

RP110: 04/05/2013 11:18:13 PM - Removed AVG 2013


==== Installed Programs ======================


3DMark 11

Adobe After Effects CS6

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Help Manager

Adobe Photoshop CS5.1

Adobe Premiere Pro CS6

Adobe Reader XI (11.0.02)


Apple Application Support

Apple Mobile Device Support

Apple Software Update


Arma 2: DayZ Mod

ARMA 2: Operation Arrowhead

Assassin's Creed ® III

ASUS PCE-N15 WLAN Card Utilities & Driver


Audacity 2.0.2

Autodesk SketchBookPro 2011



Battlefield 3™

Battlelog Web Plugins

BattlEye for OA Uninstall

BioShock Infinite

Borderlands 2

Call of Duty: Black Ops II

Call of Duty: Black Ops II - Multiplayer

Call of Duty: Black Ops II - Zombies

Castle Crashers


Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

Core Temp 1.0 RC4

Counter-Strike: Global Offensive

Counter-Strike: Source


CPUID HWMonitor 1.21

DayZ Commander

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

DisplayFusion 3.3.1


ESN Sonar

Far Cry 3

FileZilla Client

Fraps (remove only)

Futuremark SystemInfo

Garry's Mod


Google Chrome

Google Update Helper

Grand Theft Auto IV

Guild Wars 2


Intel® Control Center

Intel® Management Engine Components

Intel® Rapid Storage Technology

Intel® USB 3.0 eXtensible Host Controller Driver

Intel® Trusted Connect Service Client


Java 7 Update 9

Java 7 Update 9 (64-bit)

Java Auto Updater


Jungle Timer

League of Legends

Malwarebytes Anti-Malware version

Mathematica Extras 9.0 (3942197)


Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft .NET Framework 4 Multi-Targeting Pack

Microsoft Application Error Reporting

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Help Viewer 1.0

Microsoft Mathematics (64-bit)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office Office 64-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared 64-bit MUI (English) 2010

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft SQL Server 2008 R2 Management Objects

Microsoft SQL Server Compact 3.5 SP2 ENU

Microsoft SQL Server Compact 3.5 SP2 x64 ENU

Microsoft SQL Server System CLR Types

Microsoft Visual C# 2010 Express - ENU

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

Microsoft Visual C++ 2010 x64 Runtime - 10.0.30319

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools

Microsoft Visual Studio 2010 Express Prerequisites x64 - ENU

Microsoft Xbox 360 Accessories 1.2

Microsoft XNA Framework Redistributable 3.1

Mozilla Maintenance Service

MSI Afterburner 2.3.0

MSVCRT Redists

My Game Long Name


Norton 360


NovaBench 3.0.4

NVIDIA 3D Vision Controller Driver 310.90

NVIDIA 3D Vision Driver 311.06

NVIDIA Control Panel 311.06

NVIDIA Graphics Driver 311.06

NVIDIA HD Audio Driver

NVIDIA Install Application


NVIDIA PhysX System Software 9.12.1031

NVIDIA Stereoscopic 3D Driver

NVIDIA Update 1.11.3

NVIDIA Update Components

Open Broadcaster Software


OpenVPN 2.2.2


Pando Media Booster


PDF Settings CS5


Portal 2

PunkBuster Services


Razer Comms

Razer Core

Razer Synapse 2.0

Realtek Ethernet Controller Driver

Realtek High Definition Audio Driver

RescueTime 2.8.0

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Security Update for Microsoft Visual C# 2010 Express - ENU (KB2251489)


Skype™ 6.3

Super Meat Boy

Team Fortress 2

TeamSpeak 3 Client

TechPowerUp GPU-Z

Tweaking.com - Windows Repair (All in One)


UNi Xonar Audio Driver

Unity Web Player

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition


USB PnP Sound Device

Vegas Pro 12.0 (64-bit)


Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU

Visual Studio 2010 x64 Redistributables

VLC media player 2.0.5

WampServer 2.2

WebTablet FB Plugin 32 bit

WebTablet FB Plugin 64 bit

WebTablet IE Plugin

WebTablet Netscape Plugin

Windows Live ID Sign-in Assistant

WinRAR 4.20 (64-bit)

Wolfram CDF Player (M-WIN-D 9.0.0 3942419)

==== Event Viewer Messages From Past Week ========


04/05/2013 6:25:39 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1005] - Unable to produce a minidump file from the full dump file.

04/05/2013 6:25:39 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000101 (0x0000000000000031, 0x0000000000000000, 0xfffff880009ed180, 0x0000000000000001). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: .

04/05/2013 11:08:16 PM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

04/05/2013 11:08:16 PM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

04/05/2013 11:07:26 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

04/05/2013 11:05:57 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

04/05/2013 10:09:49 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.


==== End Of File ===========================
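Added example, not part of the original post or the helper's reply: a small Python audit over lines in the DDS log format that flags the two things worth noticing in the log above, a process called svchost.exe running from outside System32/SysWOW64 with pool-miner style arguments (`-o <pool> -O <worker:pass>`), and a machine-wide Run key launching a `.vbe` script from a user's roaming profile. The sample lines are constructed from entries quoted in the log; the miner-argument pattern is a heuristic, not a signature from any product.

```python
import re
from pathlib import PureWindowsPath

# Directories Windows itself loads svchost.exe from. A svchost.exe anywhere
# else (here: %LOCALAPPDATA%\Temp) is borrowing the name to blend into Task Manager.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Script types that have no business being a machine-wide (HKLM) Run entry
# pointing into one user's roaming profile.
SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd"}

# Heuristic for the command-line shape of common pool miners:
# "-o <scheme>://pool -O worker:pass". Flags are case-sensitive, so no re.I here.
MINER_ARGS = re.compile(r"(?:^|\s)-o\s+\S+://\S+\s.*-O\s+\S+:\S+")

# A DDS command line: an optionally quoted drive path ending in a file
# extension, followed by optional arguments.
_CMD_RE = re.compile(r'^"?(?P<path>[a-z]:\\.*?\.[a-z0-9]{2,4})"?(?P<args>\s.*)?$', re.I)
# A Run-key line in the Pseudo HJT section: uRun (HKCU), mRun (HKLM), x64-Run.
_RUN_RE = re.compile(r"^(?:u|m|x64-)Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed sample lines, modelled on entries quoted in the DDS log above,
# with legitimate entries mixed in for contrast.
SAMPLE_DDS_LINES = [
    r"C:\Windows\system32\svchost.exe -k DcomLaunch",
    r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
    r'"C:\Users\Shaun\AppData\Local\Temp\svchost.exe" -o http://p.c4a68dc959943caf76d5cb46c97201f2.com -O r6:r6 -l 1',
    r"C:\Program Files (x86)\Steam\Steam.exe",
    r'mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    r"mRun: [Adobe] C:\Users\Shaun\AppData\Roaming\Adobe\color.vbe",
    r"uRun: [puush] C:\Program Files (x86)\puush\puush.exe",
    r"uRun: [AdobeBridge] <no file>",
]


def split_command(cmd):
    """Return (image_path, args) for a DDS command line, or None if it is not one."""
    m = _CMD_RE.match(cmd.strip())
    if not m:
        return None
    return m.group("path"), (m.group("args") or "").strip()


def check_process(line):
    """Reasons a 'Running Processes' line deserves a second look (empty list = clean)."""
    parsed = split_command(line)
    if parsed is None:
        return []
    path, args = parsed
    p = PureWindowsPath(path)
    reasons = []
    if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64")
    if MINER_ARGS.search(args):
        reasons.append("pool-miner style arguments (-o pool -O worker:pass)")
    return reasons


def check_autorun(line):
    """Reasons a Run-key line (uRun/mRun/x64-Run) deserves a second look."""
    m = _RUN_RE.match(line.strip())
    if not m:
        return []
    parsed = split_command(m.group("cmd"))
    if parsed is None:  # e.g. "<no file>" orphans
        return []
    path, _ = parsed
    p = PureWindowsPath(path)
    reasons = []
    if p.suffix.lower() in SCRIPT_EXTS:
        reasons.append("autorun target is a script file")
    # Profile-resident autoruns are common (Dropbox etc.), so only flag the
    # odd combination: an HKLM (machine-wide) key pointing into one user's profile.
    if "\\appdata\\" in str(p).lower() and line.startswith("mRun"):
        reasons.append("machine-wide Run key points into a user profile")
    return reasons


def audit(lines):
    """Run both checks over DDS log lines; return {line: [reasons]} for hits only."""
    findings = {}
    for line in lines:
        reasons = check_process(line) + check_autorun(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_DDS_LINES).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```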

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.



Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to

Removing malware can be unpredictable ...things can go very wrong!

any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

The removal of malware isn't instantaneous, please be patient.

Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Shaun [Admin rights]

Mode : Scan -- Date : 05/05/2013 13:09:58

| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤

[SVCHOST] svchost.exe -- C:\Users\Shaun\AppData\Local\Temp\svchost.exe [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤

[RUN][BLACKLISTDLL] HKLM\[...]\Run : Cmaudio8788 (C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cmicnfgp.dll,CMICtrlWnd) -> FOUND

[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Adobe (C:\Users\Shaun\AppData\Roaming\Adobe\color.vbe) [-] -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts localhost 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ATA WDC WD5000AAKX-0 SCSI Disk Device +++++

--- User ---

[MBR] 91395f95f0625d961c0e9084196c49cd

[BSP] 0ae39f651a7f454127601df4ebd3cc45 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_05052013_02d1309.txt >>
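The two finding types in the RogueKiller report above (a second svchost.exe living under the user's Temp folder, and a Run value named "Adobe" that launches a .vbe script from AppData\Roaming) are exactly what a defender wants to spot on any Windows host before a scanner does. The script below is an added example written for this thread; it is not part of the thread, RogueKiller, or Malwarebytes. It lists svchost.exe instances whose image is outside System32/SysWOW64 and Run-key values that point at script files or user-writable profile paths. The function names, the heuristic patterns and the set of keys checked are my choices; it assumes PowerShell 3.0 or later and an elevated prompt so that the image path of every svchost.exe can be read.

```powershell
# Added example (not from the thread or from RogueKiller): a defender-side
# triage script for the two finding types in the report above.
# Requires PowerShell 3.0 or later; run from an elevated prompt so that
# Get-Process can read the image path of every svchost.exe instance.

# Legitimate svchost.exe lives only in these two directories.
$systemDirs = @(
    (Join-Path $env:windir 'System32'),
    (Join-Path $env:windir 'SysWOW64')
)

# Logon autostart locations checked here (the report flagged the first two).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristics (my own choices, not RogueKiller's rules): a script file launched
# at logon, or a command whose path runs through a user-writable location.
$scriptExt    = '\.(vbe|vbs|js|jse|wsf|bat|cmd|hta)\b'
$userWritable = '\\(AppData|Temp|ProgramData)\\'

# Provider metadata that Get-ItemProperty returns alongside the real values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SuspiciousSvchost {
    foreach ($p in (Get-Process -Name svchost -ErrorAction SilentlyContinue)) {
        if (-not $p.Path) { continue }          # path unreadable without elevation
        $dir = Split-Path -Path $p.Path -Parent
        if ($systemDirs -notcontains $dir) {    # -notcontains compares case-insensitively
            $cpu = $null
            try { $cpu = [math]::Round($p.CPU, 1) } catch { }   # seconds of CPU used so far
            [PSCustomObject]@{
                Id     = $p.Id
                Path   = $p.Path
                CPU    = $cpu
                Reason = 'svchost.exe outside System32/SysWOW64'
            }
        }
    }
}

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            $reasons = @()
            if ($cmd -match $scriptExt)    { $reasons += 'script file launched at logon' }
            if ($cmd -match $userWritable) { $reasons += 'runs from user-writable path' }
            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $cmd
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
}

Write-Host '== svchost.exe instances outside the system directories =='
Get-SuspiciousSvchost | Format-Table -AutoSize
Write-Host '== Run-key values that look like user-land persistence =='
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

On the machine in this thread the first function would have listed the Temp copy of svchost.exe, and the second would have listed the "Adobe" value (both the .vbe extension and the \AppData\ path match). A single svchost.exe steadily holding one core, which is what a constant 25% on a four-core machine amounts to, is a useful extra signal for a miner, which is why the CPU column is included. Note that the script is purely heuristic: the Cmaudio8788 entry that RogueKiller flagged as BLACKLISTDLL is a signature-based verdict that this script cannot reproduce without a blacklist of its own.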


Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][BLACKLISTDLL] HKLM\[...]\Run : Cmaudio8788 (C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cmicnfgp.dll,CMICtrlWnd) -> FOUND

[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Adobe (C:\Users\Shaun\AppData\Roaming\Adobe\color.vbe) [-] -> FOUND

Now click Delete on the right hand column under Options



Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.


If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

