
Possible malware even after reinstall


keruken


Hi guys,

 

Earlier this week, I noticed that the Microsoft Security Essentials icon was red and had the 'X' on it. It reported that it was turned off, and I could not start it back up. I also could not download files with Chrome or IE - they would get to 100%, but just hang. However, I didn't experience any redirects. The network icon also had an 'X', but I was able to connect to the Internet.

 

I booted into Safe Mode, then downloaded and ran TDSSKiller, MBAR, and MBAM, all which did not turn up anything. I ran Rkill which removed the registry entry noactivedesktopchanges, and black screened my user desktop.

 

At that point, I decided to reinstall Windows. I have the OS installed on an SSD, and my data on a hard drive. I wiped the data using hdparm on Gparted and thought that would clean out everything. However, I didn't wipe my data drive. After reinstalling Windows, I installed Microsoft Security Essentials again, then ran all security updates. I ran several scans with MSE, then started to install some software. After I installed iTunes 11.1 and restarted, I saw the red MSE icon and couldn't download as before. I noticed that Task Manager will freeze up too.

 

Reran some scans in Safe Mode again, all of which didn't turn up anything again. I didn't run Rkill this time to preserve my user desktop.

Is this malware or a Windows issue? Could malware have survived the wipe and reinstall? Or do I need to wipe my data drive too?

 

I'm writing this to find out if there is rootkit or some kind of persistent malware on my system.


Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes and use the default font)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


DDS.txt and Attach.txt

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK

Internet Explorer: 10.0.9200.16686
Run by Ryan at 13:20:19 on 2013-09-19
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.16271.14923 [GMT -10:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
mRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{FF6F5252-4042-46AB-A4A6-2B7F71A185FB} : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [bLEServicesCtrl] C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
x64-Run: [bTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-9-18 19264]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-9-18 357184]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-9-18 789824]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-9-18 646248]
S0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-6-18 247216]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-3-27 1014096]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2012-3-27 1104208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-9-18 166720]
S2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-6-18 139616]
S2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-9-18 365376]
S3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2012-3-27 1304912]
S3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2012-2-13 95232]
S3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2012-2-13 747008]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-11 71168]
S3 ibtfltcoex;ibtfltcoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2012-3-21 60928]
S3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-9-18 342528]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-7-18 366600]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-9-18 19456]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-11 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-9-18 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-9-18 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-9-18 30208]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-11 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-9-18 1255736]
.
=============== Created Last 30 ================
.
2013-09-19 16:28:40 -------- d-----w- C:\Users\Ryan\AppData\Local\Google
2013-09-19 16:28:34 -------- d-----w- C:\Users\Ryan\AppData\Local\Deployment
2013-09-19 16:28:34 -------- d-----w- C:\Users\Ryan\AppData\Local\Apps
2013-09-19 16:24:02 2560 ----a-w- C:\Windows\System32\drivers\ja-JP\wdf01000.sys.mui
2013-09-19 16:23:58 3072 ----a-w- C:\Windows\System32\drivers\ja-JP\tsusbflt.sys.mui
2013-09-19 16:13:09 9694160 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{37991E43-37BD-48E1-BC1B-F152FA14D50F}\mpengine.dll
2013-09-19 16:09:58 -------- d-----w- C:\Windows\ja-JP
2013-09-19 16:09:53 -------- d-----w- C:\Windows\SysWow64\XPSViewer
2013-09-19 16:09:53 -------- d-----w- C:\Windows\SysWow64\wbem\ja-JP
2013-09-19 16:09:53 -------- d-----w- C:\Windows\SysWow64\ja
2013-09-19 16:09:53 -------- d-----w- C:\Windows\SysWow64\drivers\UMDF\ja-JP
2013-09-19 16:09:53 -------- d-----w- C:\Windows\SysWow64\drivers\ja-JP
2013-09-19 16:09:53 -------- d-----w- C:\Windows\SysWow64\0411
2013-09-19 16:09:48 -------- d-----w- C:\Windows\System32\ja
2013-09-19 16:09:48 -------- d-----w- C:\Windows\System32\drivers\UMDF\ja-JP
2013-09-19 16:09:48 -------- d-----w- C:\Windows\System32\drivers\ja-JP
2013-09-19 16:09:48 -------- d-----w- C:\Windows\System32\0411
2013-09-19 16:09:46 -------- d-----w- C:\Windows\System32\wbem\ja-JP
2013-09-19 16:06:16 9694160 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-19 07:56:29 55296 ----a-w- C:\Windows\SysWow64\cero.rs
2013-09-19 07:55:42 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-09-19 07:46:32 80384 ----a-w- C:\Windows\System32\drivers\BTHUSB.SYS
2013-09-19 07:44:03 -------- d-----w- C:\Windows\SysWow64\Wat
2013-09-19 07:44:03 -------- d-----w- C:\Windows\System32\Wat
2013-09-19 07:43:31 1643520 ----a-w- C:\Windows\System32\DWrite.dll
2013-09-19 07:43:31 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll
2013-09-19 07:33:19 -------- d-----w- C:\Windows\System32\MRT
2013-09-19 07:24:59 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-19 07:22:27 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-09-19 07:21:50 1887232 ----a-w- C:\Windows\System32\d3d11.dll
2013-09-19 07:21:50 1505280 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-09-19 07:16:15 46080 ----a-w- C:\Windows\System32\atmlib.dll
2013-09-19 07:16:15 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2013-09-19 07:16:14 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2013-09-19 07:16:14 367616 ----a-w- C:\Windows\System32\atmfd.dll
2013-09-19 07:16:14 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2013-09-19 07:16:14 100864 ----a-w- C:\Windows\System32\fontsub.dll
2013-09-19 07:14:37 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-09-19 07:14:37 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2013-09-19 07:14:37 5120 ----a-w- C:\Windows\System32\wmi.dll
2013-09-19 07:14:37 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2013-09-19 07:14:37 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-09-19 07:10:53 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-09-19 07:09:41 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2013-09-19 07:08:38 77312 ----a-w- C:\Windows\System32\packager.dll
2013-09-19 07:08:38 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-09-19 06:53:36 -------- d-----w- C:\Windows\PCHEALTH
2013-09-19 06:51:22 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2013-09-19 06:51:07 -------- d-----w- C:\Users\Ryan\AppData\Local\Microsoft Help
2013-09-19 06:48:27 965008 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{57708170-06C6-4283-B084-D024864E2D6C}\gapaengine.dll
2013-09-19 06:45:43 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2013-09-19 06:45:42 -------- d-----w- C:\Program Files\Microsoft Security Client
2013-09-19 06:42:41 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-09-19 06:42:41 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-09-19 06:42:41 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-09-19 06:38:20 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-09-19 06:38:19 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-09-19 06:38:18 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-09-19 06:38:18 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-09-19 06:29:27 41984 ----a-w- C:\Windows\System32\drivers\USB3Ver.dll
2013-09-19 06:29:05 789824 ----a-w- C:\Windows\System32\drivers\iusb3xhc.sys
2013-09-19 06:29:05 357184 ----a-w- C:\Windows\System32\drivers\iusb3hub.sys
2013-09-19 06:29:05 19264 ----a-w- C:\Windows\System32\drivers\iusb3hcs.sys
2013-09-19 06:29:05 1721576 ----a-w- C:\Windows\System32\WdfCoInstaller01009.dll
2013-09-19 06:25:41 56832 ----a-w- C:\Windows\System32\OpenCL.DLL
2013-09-19 06:24:59 94208 ----a-w- C:\Windows\System32\IccLibDll_x64.dll
2013-09-19 06:24:59 110592 ----a-w- C:\Windows\System32\hccutils.dll
2013-09-19 06:20:51 74272 ----a-w- C:\Windows\System32\RtNicProp64.dll
2013-09-19 06:20:51 646248 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2013-09-19 06:20:51 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll
2013-09-19 06:20:48 -------- d-----w- C:\Program Files (x86)\Realtek
2013-09-19 06:19:26 15168 ----a-w- C:\Windows\System32\drivers\IntelMEFWVer.dll
2013-09-19 06:19:16 -------- d-sh--w- C:\Windows\Installer
2013-09-19 06:19:13 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent
2013-09-19 06:19:07 62784 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2013-09-19 06:14:18 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2013-09-19 06:14:08 -------- d-----w- C:\Intel
2013-09-19 03:45:06 -------- d-----w- C:\Windows\Panther
.
==================== Find3M  ====================
.
2013-09-19 07:25:00 719360 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2013-09-19 07:25:00 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-09-19 07:25:00 226304 ----a-w- C:\Windows\System32\elshyph.dll
2013-09-19 07:25:00 185344 ----a-w- C:\Windows\SysWow64\elshyph.dll
2013-09-19 07:25:00 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-09-19 07:25:00 158720 ----a-w- C:\Windows\SysWow64\msls31.dll
2013-09-19 07:25:00 1054720 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2013-09-19 07:22:27 9728 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-08-08 01:20:43 3155456 ----a-w- C:\Windows\System32\win32k.sys
2013-08-05 02:25:45 155584 ----a-w- C:\Windows\System32\drivers\ataport.sys
2013-08-02 02:23:53 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-02 02:15:44 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-02 02:15:03 362496 ----a-w- C:\Windows\System32\wow64win.dll
2013-08-02 02:15:03 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-02 02:15:03 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2013-08-02 02:14:57 215040 ----a-w- C:\Windows\System32\winsrv.dll
2013-08-02 02:14:11 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2013-08-02 02:13:34 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-08-02 01:59:30 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-02 01:59:30 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-02 01:51:23 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-02 01:50:42 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-02 01:50:42 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17 338432 ----a-w- C:\Windows\System32\conhost.exe
2013-08-02 00:59:09 112640 ----a-w- C:\Windows\System32\smss.exe
2013-08-02 00:45:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-02 00:45:36 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-02 00:45:35 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-02 00:45:34 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-02 00:43:05 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-07-09 05:52:52 224256 ----a-w- C:\Windows\System32\wintrust.dll
2013-07-09 05:51:16 1217024 ----a-w- C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20 1472512 ----a-w- C:\Windows\System32\crypt32.dll
2013-07-09 05:46:20 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-07-09 04:52:33 663552 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:10 175104 ----a-w- C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-07-06 06:03:53 1910208 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 13:20:26.63 ===============
 
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate 
Boot Device: \Device\HarddiskVolume1
Install Date: 9/18/2013 7:48:25 PM
System Uptime: 9/19/2013 1:17:43 PM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. |  | H77N-WIFI
Processor: Intel® Core i7-3770S CPU @ 3.10GHz | Intel® Core i7-3770S CPU @ 3.10GHz | 3093/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 167 GiB total, 106.518 GiB free.
D: is FIXED (NTFS) - 932 GiB total, 408.366 GiB free.
X: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: 
Description: Network Controller
Device ID: PCI\VEN_8086&DEV_0887&SUBSYS_40628086&REV_C4\4&841E55&0&00E6
Manufacturer: 
Name: Network Controller
PNP Device ID: PCI\VEN_8086&DEV_0887&SUBSYS_40628086&REV_C4\4&841E55&0&00E6
Service: 
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer: 
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
==== System Restore Points ===================
.
RP16: 9/18/2013 9:56:34 PM - Windows Update
RP17: 9/18/2013 10:06:08 PM - Windows Update
RP18: 9/18/2013 10:12:04 PM - Windows Update
RP19: 9/18/2013 10:17:17 PM - Windows Update
RP20: 9/18/2013 10:29:29 PM - Windows Update
RP21: 9/19/2013 6:07:52 AM - Windows Update
RP22: 9/19/2013 6:12:16 AM - Windows Update
RP23: 9/19/2013 6:15:44 AM - Windows Update
RP24: 9/19/2013 6:18:37 AM - Windows Update
RP25: 9/19/2013 6:23:36 AM - Windows Update
RP26: 9/19/2013 6:43:33 AM - Installed iTunes
.
==== Installed Programs ======================
.
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Google Chrome
Google Update Helper
Intel® Management Engine Components
Intel® Processor Graphics
Intel® PROSet/Wireless Software for Bluetooth® Technology
Intel® SDK for OpenCL - CPU Only Runtime Package
Intel® USB 3.0 eXtensible Host Controller Driver
Intel® Trusted Connect Service Client
iTunes
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft Excel 2010 (KB2760597) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2794707) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760769) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553157) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589370) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760758) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
.
==== Event Viewer Messages From Past Week ========
.
9/19/2013 6:38:40 AM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Bluetooth Device Monitor service to connect.
9/19/2013 6:38:40 AM, Error: Service Control Manager [7000]  - The Bluetooth Device Monitor service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
9/19/2013 6:16:24 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2789645).
9/19/2013 6:16:24 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2756921).
9/19/2013 6:16:24 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2656356).
9/19/2013 6:16:04 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2844286).
9/19/2013 6:15:59 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2729452).
9/19/2013 6:15:59 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2604115).
9/19/2013 6:15:54 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2833946).
9/19/2013 6:15:54 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2804579).
9/19/2013 6:15:54 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2742599).
9/19/2013 1:58:22 AM, Error: Service Control Manager [7023]  - The Superfetch service terminated with the following error:  The service has not been started.
9/19/2013 1:18:18 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
9/19/2013 1:18:18 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
9/19/2013 1:18:17 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/19/2013 1:18:17 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/19/2013 1:18:16 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/19/2013 1:18:11 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/19/2013 1:17:49 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache MpFilter spldr Wanarpv6
9/19/2013 1:17:49 PM, Error: Service Control Manager [7001]  - The Microsoft Network Inspection System service depends on the Microsoft Malware Protection Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
9/19/2013 1:16:56 PM, Error: Service Control Manager [7043]  - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
9/18/2013 9:41:53 PM, Error: Service Control Manager [7023]  - 
9/18/2013 9:41:14 PM, Error: Service Control Manager [7034]  - The Intel® Management and Security Application User Notification Service service terminated unexpectedly.  It has done this 1 time(s).
9/18/2013 9:41:14 PM, Error: Service Control Manager [7034]  - The Intel® Dynamic Application Loader Host Interface Service service terminated unexpectedly.  It has done this 1 time(s).
9/18/2013 9:41:14 PM, Error: Service Control Manager [7034]  - The Bluetooth OBEX Service service terminated unexpectedly.  It has done this 1 time(s).
9/18/2013 9:41:14 PM, Error: Service Control Manager [7034]  - The Bluetooth Media Service service terminated unexpectedly.  It has done this 1 time(s).
9/18/2013 9:41:14 PM, Error: Service Control Manager [7031]  - The Intel® Management and Security Application Local Management Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
.
==== End Of File ===========================
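The Service Control Manager and DCOM entries at the end of the DDS log above can be triaged mechanically. The following is an added example, not part of the original thread or of DDS: it parses the DDS event-line format, pulls out the boot-start drivers that failed to load (event 7026), the dependency failure (event 7001) and the DCOM start refusals (event 10005), and classifies the boot. The one fact it relies on beyond the log is that Win32 error 1084 is ERROR_NOT_SAFEBOOT_SERVICE ("This service cannot be started in Safe Mode"), so the 10005 entries carrying that code show the log was written during a Safe Mode boot, which agrees with the RogueKiller header further down ("Started in : Safe mode with network support"). The sample lines are copied from the log above; the regex names and the keys of the triage() result are my own.

```python
"""Triage the Service Control Manager / DCOM entries of a DDS event-log excerpt.

Added example for this thread, not part of DDS. SAMPLE is copied from the
DDS excerpt above; the parsing and the classification are mine.
"""
import re

# DDS prints one event per line:
# "<m/d/yyyy> <h:mm:ss AM/PM>, <Level>: <Source> [<id>]  - <message>"
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\]\s+-\s*(?P<msg>.*)$")
DCOM_RE = re.compile(
    r'DCOM got error "(?P<code>\d+)" attempting to start the service (?P<svc>\S+) ')
DEP_RE = re.compile(
    r"^The (?P<dependent>.+?) service depends on the (?P<dependency>.+?) service which failed to start")
BOOT_DRV_RE = re.compile(r"failed to load:\s*(?P<drivers>.+)$")

# Win32 error 1084 is ERROR_NOT_SAFEBOOT_SERVICE:
# "This service cannot be started in Safe Mode".
ERROR_NOT_SAFEBOOT_SERVICE = "1084"

# Copied from the DDS excerpt posted above.
SAMPLE = """\
9/19/2013 1:18:17 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/19/2013 1:18:17 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/19/2013 1:18:16 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/19/2013 1:18:11 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/19/2013 1:17:49 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache MpFilter spldr Wanarpv6
9/19/2013 1:17:49 PM, Error: Service Control Manager [7001]  - The Microsoft Network Inspection System service depends on the Microsoft Malware Protection Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
9/19/2013 1:16:56 PM, Error: Service Control Manager [7043]  - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
9/18/2013 9:41:53 PM, Error: Service Control Manager [7023]  - 
9/18/2013 9:41:14 PM, Error: Service Control Manager [7034]  - The Intel® Management and Security Application User Notification Service service terminated unexpectedly.  It has done this 1 time(s).
"""


def parse_events(text: str) -> list:
    """One dict per parseable line; lines that are not events are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failed_boot_drivers(events) -> set:
    """Driver names from SCM event 7026 (boot/system-start drivers that did not load)."""
    drivers = set()
    for e in events:
        if e["source"] == "Service Control Manager" and e["eid"] == "7026":
            m = BOOT_DRV_RE.search(e["msg"])
            if m:
                drivers.update(m.group("drivers").split())
    return drivers


def dependency_failures(events) -> list:
    """(dependent, dependency) pairs from SCM event 7001."""
    pairs = []
    for e in events:
        if e["source"] == "Service Control Manager" and e["eid"] == "7001":
            m = DEP_RE.match(e["msg"])
            if m:
                pairs.append((m.group("dependent"), m.group("dependency")))
    return pairs


def dcom_safeboot_refusals(events) -> set:
    """Services DCOM could not start because the boot was Safe Mode (error 1084)."""
    svcs = set()
    for e in events:
        if e["eid"] == "10005":
            m = DCOM_RE.search(e["msg"])
            if m and m.group("code") == ERROR_NOT_SAFEBOOT_SERVICE:
                svcs.add(m.group("svc"))
    return svcs


def triage(text: str) -> dict:
    """Summarise an excerpt and say whether its failures came from a Safe Mode boot."""
    events = parse_events(text)
    safeboot = dcom_safeboot_refusals(events)
    report = {
        "events": len(events),
        "safe_mode_boot": bool(safeboot),
        "dcom_refused_in_safe_mode": sorted(safeboot),
        "boot_drivers_failed": sorted(failed_boot_drivers(events)),
        "dependency_failures": dependency_failures(events),
    }
    if report["safe_mode_boot"]:
        report["note"] = ("Recorded during a Safe Mode boot: driver and service start failures "
                          "here are not diagnostic on their own; repeat the check after a normal boot.")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Because these failures were recorded in Safe Mode, where only the drivers and services on the SafeBoot list are started, a failing MpFilter in this excerpt does not by itself separate tampering from an ordinary Safe Mode boot; the check that matters is whether the same 7026 and 7001 entries appear after a normal boot with Microsoft Security Essentials installed.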

RogueKiller report:

 

RogueKiller V8.6.12 _x64_ [Sep 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : Ryan [Admin rights]
Mode : Scan -- Date : 09/19/2013 13:28:54
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - INTEL SSDSC2CW180A3 ATA Device +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) (Standard disk drives) - WDC WD1002FAEX-00Z3A0 ATA Device +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_09192013_132854.txt >>
RKreport[0]_S_09192013_132646.txt
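The MBR check in the RogueKiller report above deserves a close read: both disks show the same [MBR] hash, "Empty MBR Code", and a single type 0x00 entry starting at sector 1 with a size of 2097152 MB (about 2 TiB), while the model numbers in the same report are a 180 GB SSD (SSDSC2CW180A3) and a 1 TB disk (WD1002FAEX), neither of which can hold a 2 TiB partition. What follows is an added example, not RogueKiller's code, showing what such a check does and how to flag that kind of inconsistency: it parses the 440-byte boot code, the four 16-byte partition entries and the 0x55AA signature of a 512-byte sector, hashes the sector, and lists findings that have to be verified before anything is concluded. Both sample sectors are constructed here; the assumption that a saturated 32-bit sector count (0xFFFFFFFF) is what rounds to the 2097152 MB figure is mine, as is whether RogueKiller hashes exactly the raw 512 bytes.

```python
"""Parse and sanity-check a 512-byte Master Boot Record.

Added example for this thread, not RogueKiller's code. The two sample
sectors below are constructed; they are not dumps of the poster's disks.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code (440..445: disk signature + pad)
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return hash, boot-code state, signature state and the partition table."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        partitions.append({
            "index": i, "status": status, "type": ptype,
            "lba_start": lba_start, "sectors": count,
            # MiB, rounded the way a report that prints whole units shows it
            "size_mib": round(count * SECTOR / 2**20),
        })
    return {
        "md5": hashlib.md5(sector).hexdigest(),
        "boot_code_empty": not any(sector[:BOOT_CODE_LEN]),
        "valid_signature": sector[510:512] == SIGNATURE,
        "partitions": partitions,
    }


def inconsistencies(info: dict, disk_size_bytes: int) -> list:
    """Findings that mean either the table is bogus or the read was bad.

    A type 0x00 entry with a non-zero size, or an entry that runs past the end
    of the physical disk, cannot describe a real partition; read the sector
    again from a normal boot (or with another tool) before concluding anything.
    """
    findings = []
    disk_sectors = disk_size_bytes // SECTOR
    if not info["valid_signature"]:
        findings.append("no 0x55AA signature: not a valid MBR")
    for p in info["partitions"]:
        if p["sectors"] == 0:
            continue  # unused slot
        if p["type"] == 0x00:
            findings.append(f"entry {p['index']}: type 0x00 (unused) but {p['size_mib']} MiB long")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"entry {p['index']}: ends at sector {p['lba_start'] + p['sectors']}, "
                            f"disk has {disk_sectors}")
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    return findings


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed: a Windows 7-style layout on a 180 GB disk, a 100 MiB active
# system partition at LBA 2048 followed by an NTFS (0x07) data partition.
# The boot code is filler bytes, not a real boot loader.
DISK_180GB = 180_000_000_000
WIN7_MBR = build_mbr(bytes(range(1, 65)),
                     [(0x80, 0x07, 2048, 204800),
                      (0x00, 0x07, 206848, 351_000_000)])

# Constructed to resemble the report's table: empty boot code, one type 0x00
# entry at sector 1 whose 32-bit count is saturated (0xFFFFFFFF sectors rounds
# to 2097152 MiB). Assumption: that is how the printed size came about.
ODD_MBR = build_mbr(b"", [(0x00, 0x00, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, sector in (("win7", WIN7_MBR), ("odd", ODD_MBR)):
        info = parse_mbr(sector)
        print(name, info["md5"], "empty code" if info["boot_code_empty"] else "has code")
        for finding in inconsistencies(info, DISK_180GB):
            print("  !", finding)
```

Two physically different disks returning byte-identical sectors (identical hashes) on top of a table that does not fit either disk points first at how the sector was read, so the practical next step is to repeat the MBR check from a normal boot and compare it with a second tool, not to treat the report as proof of a bootkit.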

Not much showing... let's run some scans:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed: bottom right corner of this page (screenshot omitted), then the new window that comes up (screenshot omitted).

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


MrCharlie,

 

I ran Malwarebytes Anti-Rootkit, but it didn't turn up anything. I attached the mbar-log.txt and system-log.txt. I ran the fixdamage tool, and restarted. However, I still am experiencing the same issues (MSE turned off, can't download, programs won't start) as before when I log in normally.

 

I don't understand what's going on. Safe mode works fine, and I didn't have any problems when I reinstalled Windows. I made sure to install MSE before applying security patches and installing any other programs. After I installed iTunes and restarted, then that's when the problems started - iTunes shouldn't break my system like this. I also thought that something might be hiding on my data hard drive, but one of these tools should have found it, right? 

 

I'm really stuck - I can try reinstalling Windows again, but am afraid that I'll get the same issue. Is it possible that it's a hardware issue?

 

Thanks again for your time and help,

 

keruken

mbar-log-2013-09-19 (14-14-19).txt

system-log.txt


OK...Next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your anti-malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your anti-malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.