Jump to content

svchost.exe Trojan infection


Recommended Posts

Help! I ran a malawarebytes scan and I keep getting pings for multiple svchost.exe Trojan infections. Not sure what to do so I googled it and came across this topic on your forum:

 

https://forums.malwarebytes.org/index.php?showtopic=121839

 

It seems to have helped the guy so I followed the instructions and did the first step. Please tell me what to do next. I'd really appreciate the help. Below are the reports from my scans:

 

 

DDS.txt:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16700
Run by Talha at 0:18:35 on 2013-10-09
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3835.2325 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\WINDOWS\SYSTEM32\LSM.EXE
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\WINDOWS\SYSTEM32\ATIESRXX.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\PROGRAM FILES\IDT\WDM\STACSV64.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\WINDOWS\SYSTEM32\ATIECLXX.EXE
C:\WINDOWS\SYSTEM32\HPSERVICE.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\WINDOWS\SYSTEM32\WLANEXT.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRAM FILES\IDT\WDM\AESTSR64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\SWSETUP\HPQWMM\QUICKWEB\QW.SYS\CONFIG\DVMEXPORTSERVICE.EXE
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\PROGRAM FILES (X86)\HEWLETT-PACKARD\HP QUICK LAUNCH\HPWMISVC.EXE
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\SYSTEM32\DWM.EXE
C:\WINDOWS\SYSTEM32\TASKHOST.EXE
C:\WINDOWS\SYSTEM32\TASKENG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRAM FILES (X86)\SYMANTEC\NORTON ONLINE BACKUP\NOBUAGENT.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES (X86)\AMICOSINGLUN\AMICOSINGLUN64.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP MEDIASMART\SMARTMENU.EXE
C:\PROGRAM FILES (X86)\MICROSOFT\SEARCH ENHANCEMENT PACK\SEAPORT\SEAPORT.EXE
C:\PROGRAM FILES\IDT\WDM\STTRAY64.EXE
C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\PROGRAM FILES (X86)\HEWLETT-PACKARD\HP ADVISOR\DOCK\HPADVISORDOCK.EXE
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\USERS\TALHA\APPDATA\ROAMING\OCTOSHAPE\OCTOSHAPE STREAMING SERVICES\OCTOSHAPECLIENT.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
C:\Windows\SysWOW64\rundll32.exe
C:\PROGRAM FILES (X86)\MSN TOOLBAR\PLATFORM\5.0.1438.0\MSWINEXT.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRAM FILES (X86)\ITUNES\ITUNESHELPER.EXE
C:\PROGRAM FILES (X86)\HEWLETT-PACKARD\HP QUICK LAUNCH\HPMSGSVC.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WINDOWS LIVE\WLIDSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WINDOWS LIVE\WLIDSVCM.EXE
C:\WINDOWS\SYSTEM32\SEARCHINDEXER.EXE
C:\PROGRAM FILES\IPOD\BIN\IPODSERVICE.EXE
-netsvcs
-netsvcs
-netsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
C:\PROGRAM FILES (X86)\SPYWARE TERMINATOR\SPYWARETERMINATORSHIELD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP WIRELESS ASSISTANT\HPWA_MAIN.EXE
C:\PROGRAM FILES (X86)\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\MOM.EXE
C:\PROGRAM FILES (X86)\HEWLETT-PACKARD\SHARED\HPQWMIEX.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

mWinlogon: Userinit = userinit.exe
BHO: vShare Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: vShare Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vshare\vshare_toolbar.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
TB: vShare Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vshare\vshare_toolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [HPAdvisorDock] "C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe"
uRun: [LightScribe Control Panel] "C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" -hidden
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Google Update] "C:\Users\Talha\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Octoshape Streaming Services] "C:\Users\Talha\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
uRun: [Facebook Update] "C:\Users\Talha\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [AppleData] rundll32.exe "C:\Users\Talha\AppData\Local\Apple Computer\AppleData\Appledata.DLL",DllRegisterServer
uRun: [DirectxOnlineTray] rundll32.exe "C:\ProgramData\DirectxOnlineTray.dll",DllRegisterServer
uRun: [Norton Update] rundll32 "C:\Users\Talha\AppData\Local\Apple Computer\AppleUpdate\Appleupdt32.DLL",DllRegisterServer
uRun: [0.1296702428766643fdrgs] \\?\globalroot\Device\HarddiskVolume2\Users\Talha\AppData\Local\Temp\0.1296702428766643fdrgs.exe
uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [bing Bar] "C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Norton Online Backup] "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [HP Quick Launch] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}



TCP: NameServer = 192.168.5.1
TCP: Interfaces\{3A6FB9C2-7249-46D9-9A93-F3F4BBEAFAE9} : DHCPNameServer = 192.168.5.1
TCP: Interfaces\{3A6FB9C2-7249-46D9-9A93-F3F4BBEAFAE9}\530353 : DHCPNameServer = 208.59.247.45 208.59.247.46
TCP: Interfaces\{3A6FB9C2-7249-46D9-9A93-F3F4BBEAFAE9}\838455E443 : DHCPNameServer = 192.168.1.1 71.242.0.12
TCP: Interfaces\{3A6FB9C2-7249-46D9-9A93-F3F4BBEAFAE9}\D4A44544D27657563747 : DHCPNameServer = 208.59.247.45 208.59.247.46
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files (x86)\vshare\vshare_toolbar.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [AmIcoSinglun64] "C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe"
x64-Run: [smartMenu] "C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" /background
x64-Run: [HPWirelessAssistant] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
x64-Run: [sysTrayApp] "C:\Program Files\IDT\WDM\sttray64.exe"
x64-Run: [spywareTerminatorShield] C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.exe
x64-Run: [spywareTerminatorUpdater] C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe



x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Talha\AppData\Roaming\Mozilla\Firefox\Profiles\etsf3p4d.default\
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
FF - component: C:\Users\Talha\AppData\Roaming\Mozilla\Firefox\Profiles\etsf3p4d.default\extensions\vshare@toolbar\components\toolbarhomewmp.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Talha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Talha\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Users\Talha\AppData\Local\HuluDesktop\instances\0.9.14.1\nphdplg.dll
FF - plugin: C:\Users\Talha\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Talha\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Talha\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Users\Talha\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll
.
============= SERVICES / DRIVERS ===============
.
R1 DVMIO;DeviceVM IO Service;C:\Windows\System32\drivers\dvmio.sys [2009-11-11 20056]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-6-2 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-2-4 203264]
R2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-6-12 400368]
R2 DvmMDES;DeviceVM Meta Data Export Service;C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-6-25 338168]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-6-18 103992]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2009-7-8 30520]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-6-14 26680]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-10-8 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-10-8 701512]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 sp_rsdrv2;Spyware Terminator Driver Filter;C:\Windows\System32\drivers\stflt.sys [2013-10-8 51496]
R3 clwvd;HP Webcam Splitter;C:\Windows\System32\drivers\clwvd.sys [2010-6-25 32880]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-10-8 25928]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-10-14 38528]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-7-25 162672]
S2 ST2012_Svc;Spyware Terminator 2012 Realtime Shield Service;C:\Program Files (x86)\Spyware Terminator\st_rsser64.exe [2013-10-8 1149104]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2010-4-19 22528]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\System32\drivers\netr28x.sys [2009-6-10 620544]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-10-14 346144]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-2-18 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-21 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
.
=============== Created Last 30 ================
.
2013-10-09 04:04:44    20480    ----a-w-    C:\Windows\svchost.exe
2013-10-09 02:07:01    --------    d-----w-    C:\Users\Talha\AppData\Local\{01E4D43C-2346-4679-87C1-44E8D6C0B9FE}
2013-10-08 20:05:45    51496    ----a-w-    C:\Windows\System32\drivers\stflt.sys
2013-10-08 20:05:44    --------    d-----w-    C:\Users\Talha\AppData\Roaming\Spyware Terminator
2013-10-08 20:05:44    --------    d-----w-    C:\ProgramData\Spyware Terminator
2013-10-08 20:05:39    --------    d-----w-    C:\Program Files (x86)\Spyware Terminator
2013-10-08 20:01:09    --------    d-----w-    C:\Users\Talha\AppData\Roaming\Malwarebytes
2013-10-08 20:00:32    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2013-10-08 20:00:32    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-10-08 20:00:32    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-08 19:59:55    --------    d-----w-    C:\Users\Talha\AppData\Local\Programs
2013-10-08 19:55:17    --------    d-----w-    C:\Users\Talha\AppData\Local\{55A0CA5D-60A9-41AC-AE57-1E2A6E2D7BA8}
2013-10-08 19:39:18    --------    d-----w-    C:\Users\Talha\AppData\Local\{52059718-EA65-4EEC-A191-6F908B35D017}
2013-10-03 01:52:50    --------    d-----w-    C:\Users\Talha\AppData\Local\{414E01DE-2030-47C2-86F2-F48B5BA94EFA}
2013-10-01 20:28:56    --------    d-----w-    C:\Users\Talha\AppData\Local\{1F41FDF3-EBED-407C-A49E-D8FF277142DA}
.
==================== Find3M  ====================
.
.
============= FINISH:  0:19:11.06 ===============
 

 

Attach.txt:

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/20/2010 2:24:01 AM
System Uptime: 10/9/2013 12:04:24 AM (0 hours ago)
.
Motherboard: Hewlett-Packard |  | 144E
Processor: AMD Turion II P540 Dual-Core Processor | Socket S1G4 | 2400/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 448 GiB total, 392.729 GiB free.
D: is FIXED (NTFS) - 18 GiB total, 2.549 GiB free.
E: is CDROM ()
F: is FIXED (FAT32) - 0 GiB total, 0.087 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP103: 9/3/2012 8:03:09 PM - Scheduled Checkpoint
RP104: 9/14/2012 9:36:12 PM - Scheduled Checkpoint
RP106: 9/23/2012 6:18:03 PM - Windows Defender Checkpoint
RP107: 10/20/2012 7:52:57 PM - Scheduled Checkpoint
RP108: 10/21/2012 1:22:37 AM - HPSF Restore Point
RP109: 11/25/2012 4:52:48 PM - Scheduled Checkpoint
RP110: 2/1/2013 5:28:21 PM - Scheduled Checkpoint
RP111: 2/1/2013 6:06:56 PM - HPSF Restore Point
RP112: 5/5/2013 8:57:34 PM - Scheduled Checkpoint
RP113: 6/1/2013 2:37:00 PM - HPSF Restore Point
RP114: 8/29/2013 5:27:31 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.2 MUI
Adobe Shockwave Player 11.5
Alcor Micro USB Card Reader
Amazon Kindle For PC
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
ATI Catalyst Install Manager
Bejeweled 2 Deluxe
Bing Bar
Bing Bar Platform
Blackhawk Striker 2
Bonjour
Build-a-lot 2
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
CinemaNow Media Manager
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
CyberLink DVD Suite
D3DX10
Diner Dash 2 Restaurant Rescue
DivX Web Player
Dora's Carnival Adventure
Dropbox
DVD Menu Pack for HP MediaSmart Video
Energy Star Digital Logo
Escape Rosecliff Island
ESU for Microsoft Windows 7
Facebook Video Calling 1.2.0.287
FATE
Final Drive Nitro
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
Heroes of Hellas 2 - Olympia
Hewlett-Packard ACLM.NET v1.1.1.0
HP 3D DriveGuard
HP Advisor
HP Customer Experience Enhancements
HP Documentation
HP Game Console
HP Games
HP MediaSmart CinemaNow 2.0
HP MediaSmart DVD
HP MediaSmart Movies and TV
HP MediaSmart Music
HP MediaSmart Photo
HP MediaSmart SmartMenu
HP MediaSmart Video
HP MediaSmart Webcam
HP MediaSmart/TouchSmart Netflix
HP Photo Creations
HP Power Manager
HP Quick Launch
HP QuickWeb Installer
HP Setup
HP Software Framework
HP Support Assistant
HP Wireless Assistant
Hulu Desktop
IDT Audio
iTunes
Java Auto Updater
Java 6 Update 20
Java 6 Update 20 (64-bit)
Jewel Quest 3
Jewel Quest Solitaire 2
Junk Mail filter update
LabelPrint
LightScribe System Software
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Office 2010
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WSE 3.0 Runtime
Movie Theme Pack for HP MediaSmart Video
Mozilla Firefox 24.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Online Backup
Octoshape Streaming Services
Penguins!
PhotoNow!
Plants vs. Zombies
Poker Superstars III
Polar Bowler
Polar Golfer
Power2Go
PowerDirector
PrimoPDF
QuickTime
Realtek Ethernet Controller Driver For Windows 7
Recovery Manager
Roxio CinemaNow 2.0
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Skype Click to Call
Skype™ 6.7
Spyware Terminator 2012
Synaptics Pointing Device Driver
Times Reader
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Outlook 2007 Junk Email Filter (KB2466076)
VC80CRTRedist - 8.0.50727.762
Virtual Families
Virtual Villagers - The Secret City
vShare Toolbar
Wheel of Fortune 2
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
10/9/2013 12:07:52 AM, Error: Service Control Manager [7034]  - The Spyware Terminator 2012 Realtime Shield Service service terminated unexpectedly.  It has done this 1 time(s).
10/9/2013 12:07:23 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HPWMISVC service.
10/9/2013 12:06:18 AM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Skype Updater service to connect.
10/8/2013 3:55:21 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the HP Software Framework Service service to connect.
10/8/2013 3:55:21 PM, Error: Service Control Manager [7000]  - The HP Software Framework Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
10/8/2013 3:54:51 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1053" attempting to start the service hpqwmiex with arguments "" in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
10/8/2013 3:53:44 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the SeaPort service to connect.
10/8/2013 3:53:44 PM, Error: Service Control Manager [7000]  - The SeaPort service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
10/8/2013 3:37:01 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff80002ca9045). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 100813-33867-01.
10/8/2013 3:35:52 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the HP Quick Synchronization Service service to connect.
10/8/2013 3:35:52 PM, Error: Service Control Manager [7000]  - The HP Quick Synchronization Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================
 

 

 

RogueKiller report:

 

RogueKiller V8.7.1 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Talha [Admin rights]
Mode : Scan -- Date : 10/09/2013 00:29:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 5 ¤¤¤
[sUSP PATH][DLL] rundll32.exe -- C:\Users\Talha\AppData\Local\Apple Computer\AppleData\Appledata.DLL [-] -> rundll32.exe KILLED [TermProc]
[sUSP PATH][DLL] rundll32.exe -- C:\Users\Talha\AppData\Local\Apple Computer\AppleData\Appledata.DLL [-] -> rundll32.exe KILLED [TermProc]
[sVCHOST] svchost.exe -- C:\Windows\\svchost.exe [-] -> KILLED [TermProc]
[sVCHOST] svchost.exe -- C:\Windows\\svchost.exe [-] -> KILLED [TermProc]
[sVCHOST] svchost.exe -- C:\Windows\\svchost.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : AppleData (rundll32.exe "C:\Users\Talha\AppData\Local\Apple Computer\AppleData\Appledata.DLL",DllRegisterServer [x][-][x]) -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : DirectxOnlineTray (rundll32.exe "C:\ProgramData\DirectxOnlineTray.dll",DllRegisterServer [x][x][x]) -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : Norton Update (rundll32 "C:\Users\Talha\AppData\Local\Apple Computer\AppleUpdate\Appleupdt32.DLL",DllRegisterServer [x][x][x]) -> FOUND
[RUN][Rans.Gendarm] HKCU\[...]\Run : 0.1296702428766643fdrgs (\\?\globalroot\Device\HarddiskVolume2\Users\Talha\AppData\Local\Temp\0.1296702428766643fdrgs.exe [x]) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1951603019-2725492067-280931949-1001\[...]\Run : AppleData (rundll32.exe "C:\Users\Talha\AppData\Local\Apple Computer\AppleData\Appledata.DLL",DllRegisterServer [x][-][x]) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1951603019-2725492067-280931949-1001\[...]\Run : DirectxOnlineTray (rundll32.exe "C:\ProgramData\DirectxOnlineTray.dll",DllRegisterServer [x][x][x]) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1951603019-2725492067-280931949-1001\[...]\Run : Norton Update (rundll32 "C:\Users\Talha\AppData\Local\Apple Computer\AppleUpdate\Appleupdt32.DLL",DllRegisterServer [x][x][x]) -> FOUND
[RUN][Rans.Gendarm] HKUS\S-1-5-21-1951603019-2725492067-280931949-1001\[...]\Run : 0.1296702428766643fdrgs (\\?\globalroot\Device\HarddiskVolume2\Users\Talha\AppData\Local\Temp\0.1296702428766643fdrgs.exe [x]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 3 ¤¤¤
[V2][Rans.Gendarm] 0.1296702428766643fdrgs : \\?\globalroot\Device\HarddiskVolume2\Users\Talha\AppData\Local\Temp\0.1296702428766643fdrgs.exe [x] -> FOUND
[V2][ROGUE ST] 1611958544 : \\?\globalroot\Device\HarddiskVolume2\Users\Talha\AppData\Local\Temp\0.1296702428766643fdrgs.exe -> FOUND
[V2][ROGUE ST] 1951987520 : \\?\globalroot\Device\HarddiskVolume2\Users\Talha\AppData\Local\Temp\0.1296702428766643fdrgs.exe -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Rans.Gendarm|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD5000BEVT-60A0RT0 ATA Device +++++
--- User ---
[MBR] 111f2b8023295293ad0da793b1eee2f7
[bSP] 37e479bd55f7d5c8f9052a10a6f5a939 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 458603 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 939628544 | Size: 18033 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 977ae6b2a4211cd9176af8b583791efe
[bSP] 9b4d85b6175d97151c85e8677a97e311 : PiHar MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 458603 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 939628544 | Size: 18033 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo

Finished : << RKreport[0]_S_10092013_002921.txt >>

 

Link to post
Share on other sites

  • Root Admin

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER.  You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

 

 


Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

 



Message borrowed from quietman7 with minor wording and link changes

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.