
Infection...Definitely



Hi. I have a Windows 7 32 bit computer.

I got the Malware Protection Virus even though I had Avira free running. I installed Malwarebytes Anti-Malware after uninstalling Avira and it seemed to fix all my problems, but then my svchost.exe -netsvcs started taking like 200,000 memory and high CPU usage. I ran various anti-viral programs, such as ComboFix and Stinger, which didn't fix the problem. Then I started getting BSODs when I start my computer, and when I look at my dump files, it seems that Malwarebytes Anti-Malware has been causing the bluescreens.

I've had a total of 7 bluescreens before I uninstalled Malwarebytes Anti-Malware in safe mode. Below are the seven BSOD screenshots I obtained from BlueScreenView. (Below the ============== at the bottom are all the files that appear in red in BlueScreenView; this is not from the saved logs but added by me.) (The eighth one was from the bluescreen I got after I reinstalled Malwarebytes Anti-Malware.)

The reason that I installed Malwarebytes Anti-Malware was because, with that antivirus, it blocked my svchost.exe from connecting to some outgoing IP addresses which seemed to be causing my Firefox to be randomly redirected, which is another symptom of my infection.

I then followed the steps here: http://forums.malwarebytes.org//index.php?showtopic=9573

Here is the content from DDS.txt


.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Run by Jason at 20:24:19 on 2011-06-16
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.1978.769 [GMT 10:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
C:\Users\Jason\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\users\jason\appdata\roaming\flashgetbho\FlashGetBHO3.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\adobearm.exe"
StartupFolder: c:\users\jason\appdata\roaming\micros~1\windows\startm~1\programs\startup\my_aut~1.lnk - c:\program files\warkeys\autowarkey\autohotkey\AutoHotkey.exe
StartupFolder: c:\users\jason\appdata\roaming\micros~1\windows\startm~1\programs\startup\warkey~1.lnk - c:\program files\warkeys\autowarkey\autohotkey\AutoHotkey.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download all by FlashGet3 - c:\users\jason\appdata\roaming\flashgetbho\GetAllUrl.htm
IE: Download by FlashGet3 - c:\users\jason\appdata\roaming\flashgetbho\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: kuaiche.com\software
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7D91DB6B-11E5-4C50-B20F-BC431FF1744A} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7D91DB6B-11E5-4C50-B20F-BC431FF1744A}\259636B69702 : DhcpNameServer = 192.168.137.1
TCP: Interfaces\{7D91DB6B-11E5-4C50-B20F-BC431FF1744A}\46C696E6B6 : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\sm3by2pl.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55818
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-10-22 189440]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-23 1343400]
.
=============== Created Last 30 ================
.
2011-06-16 09:12:33 -------- d-----w- c:\users\jason\appdata\local\{04083D69-A041-4E5D-AFE3-9EF57F6B33A3}
2011-06-16 05:35:29 -------- d-----w- c:\users\jason\appdata\roaming\DriverCure
2011-06-16 05:35:27 -------- d-----w- c:\users\jason\appdata\roaming\ParetoLogic
2011-06-16 05:34:58 -------- d-----w- c:\programdata\ParetoLogic
2011-06-16 05:27:59 -------- d-----w- c:\windows\system32\catroot2
2011-06-15 21:11:40 -------- d-----w- c:\users\jason\appdata\local\{7E9B12B6-9E1F-4DF2-BEE5-7B2B749BF56F}
2011-06-15 13:21:25 90464 ----a-w- c:\windows\system32\drivers\sfi.dat
2011-06-15 13:18:46 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-06-15 13:18:46 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-06-15 10:24:04 -------- d-----w- c:\programdata\ErrorEND
2011-06-15 09:10:48 -------- d-----w- c:\users\jason\appdata\local\{54879069-3B7A-4E9A-B495-08717DC2487B}
2011-06-15 04:53:27 -------- d-----w- c:\program files\Maxthon3
2011-06-15 02:51:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-15 02:51:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-15 02:10:26 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-15 02:05:33 -------- d-----w- c:\users\jason\appdata\local\temp
2011-06-15 01:47:58 256512 ----a-w- c:\windows\PEV.exe
2011-06-15 01:47:58 208896 ----a-w- c:\windows\MBR.exe
2011-06-15 01:47:57 98816 ----a-w- c:\windows\sed.exe
2011-06-15 01:47:57 518144 ----a-w- c:\windows\SWREG.exe
2011-06-14 21:10:07 -------- d-----w- c:\users\jason\appdata\local\{79D084E8-00C9-4F4A-9A35-B90990D82123}
2011-06-14 13:18:14 -------- d-----w- c:\program files\NirSoft
2011-06-14 10:54:46 -------- d-----w- c:\users\jason\appdata\local\PackageAware
2011-06-14 07:16:49 -------- d-----w- c:\users\jason\appdata\roaming\Malwarebytes
2011-06-14 07:16:38 -------- d-----w- c:\programdata\Malwarebytes
2011-06-14 04:37:40 -------- d-----w- c:\users\jason\appdata\local\{B458470E-A317-4802-90AF-4916C2703A64}
2011-06-13 02:49:39 -------- d-----w- c:\users\jason\appdata\local\{BB79120F-BB30-49CB-B469-C16363CA84B9}
2011-06-12 14:04:51 -------- d-----w- c:\users\jason\appdata\local\{80B7FCAD-2CE0-4403-A161-148EFB0FE4C5}
2011-06-12 02:04:02 -------- d-----w- c:\users\jason\appdata\local\{D297AAF0-2A5B-456B-B38B-B92A9F445F79}
2011-06-11 07:16:01 -------- d-----w- c:\users\jason\appdata\local\{BD77DDAF-EE2B-455C-975F-7F497D56B767}
2011-06-09 22:48:25 -------- d-----w- c:\users\jason\appdata\local\{42A02B07-AAC4-4436-8E81-4838B8B55E82}
2011-06-09 07:14:50 -------- d-----w- c:\users\jason\appdata\local\{277B87BC-1BF3-46F2-AA05-9FDA95B0C458}
2011-06-08 06:51:01 -------- d-----w- c:\users\jason\appdata\local\{8FD5FBFE-1F84-4B7F-A042-979B496A5EBC}
2011-06-07 07:24:07 -------- d-----w- c:\users\jason\appdata\local\{A68F6D1A-B683-42D2-B760-213188139F02}
2011-06-06 05:20:04 -------- d-----w- c:\users\jason\appdata\local\{65C0B4A9-1DE2-4536-B577-FBFFB2FEF93E}
2011-06-05 03:41:57 -------- d-----w- c:\users\jason\appdata\local\{8D3A1500-204A-4475-BFB7-87A3BAC2CE7F}
2011-06-04 04:59:14 -------- d-----w- c:\users\jason\appdata\local\{F244F486-131F-4A6F-81EE-275C1D07A3E7}
2011-06-03 05:26:40 -------- d-----w- c:\users\jason\appdata\local\{72B42737-A449-49FC-9BA6-7FC0448AE8D7}
2011-06-02 06:26:30 -------- d-----w- c:\users\jason\appdata\local\{4605421F-7A8C-44DB-8856-70F4544EE585}
2011-06-01 06:37:13 -------- d-----w- c:\users\jason\appdata\local\{176E379E-7C1D-4576-9FF1-799BFA83DA46}
2011-05-31 10:50:06 -------- d-----w- c:\users\jason\appdata\local\{7D2EA15C-C7E3-4C51-852A-28FE4438F820}
2011-05-30 06:43:40 -------- d-----w- c:\users\jason\appdata\local\{61A2B353-B068-42B4-8648-5876907B47F7}
2011-05-29 09:52:24 -------- d--h--w- c:\windows\PIF
2011-05-29 04:30:59 -------- d-----w- c:\users\jason\appdata\local\{80DC44AD-BD32-4D1B-8BB9-BA709733262B}
2011-05-27 05:49:00 -------- d-----w- c:\users\jason\appdata\local\{D86C8AA0-26B5-4B98-9C45-1454DB17E956}
2011-05-26 06:06:43 -------- d-----w- c:\users\jason\appdata\local\{BA2F4A08-1E24-43C4-A080-836FD08076D0}
2011-05-25 04:44:17 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-25 04:40:22 -------- d-----w- c:\users\jason\appdata\local\{DF85B5F6-2706-4CD7-B592-26EE3A5E843C}
2011-05-24 05:27:05 -------- d-----w- c:\users\jason\appdata\local\{488F4001-D9AC-48A3-B073-C9F5D814B2E1}
2011-05-24 05:24:04 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-23 08:47:35 -------- d-----w- c:\users\jason\appdata\local\{0C14CED7-EE15-4D98-B312-865EE522AD1A}
2011-05-22 14:17:22 -------- d-----w- c:\users\jason\appdata\roaming\Mumble
2011-05-22 08:48:07 -------- d-----w- c:\users\jason\appdata\local\{42F282D4-97C9-434C-8270-4993CB00B88A}
2011-05-22 03:23:32 -------- d-----w- c:\users\jason\appdata\local\{2AAE3C1C-3EA2-4013-A305-8FAEC9E48BAF}
2011-05-21 00:25:55 -------- d-----w- c:\users\jason\appdata\local\{8EFC44EC-0EC7-4647-A3FB-217AF48F9F8B}
2011-05-20 13:17:05 -------- d-----w- c:\program files\Mumble
2011-05-20 06:09:29 -------- d-----w- c:\users\jason\appdata\local\{373F9F3E-448E-4D4E-8031-CDA13E82F0A7}
2011-05-19 06:13:51 -------- d-----w- c:\users\jason\appdata\local\{36696E39-D7A0-4710-848F-E541AA740B77}
2011-05-18 07:46:08 -------- d-----w- c:\users\jason\appdata\local\{53980433-D6D5-43BA-A4DA-4B806FFEE3AE}
.
==================== Find3M ====================
.
2011-04-09 06:13:06 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:13:06 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-03-25 03:06:46 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-03-25 03:06:25 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-03-25 03:06:23 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-03-25 03:06:12 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-03-25 03:06:11 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-03-25 03:06:10 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-03-25 03:06:06 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-03-22 05:35:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-21 12:18:59 224016 ----a-w- c:\windows\system32\TABCTL32.OCX
2011-03-21 12:18:59 124688 ----a-w- c:\windows\system32\Mswinsck.ocx
.
============= FINISH: 20:24:48.85 ===============

I narrowed down the services under netsvcs by stopping the ones I can. The ones that I can't are

Winmgmt - Windows Management Instrumentation

ShellHWDetection - Shell Hardware Detection

Schedule - Task Scheduler

MMCSS - Multimedia Class Scheduler

gpsvc - Group Policy Client

EapHost - Extensible Authentication Protocol

One or some of them is causing my problems, but I can't find out which one. Any ideas?

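An added example, not part of the original thread, of how a defender would attribute the shared "netsvcs" svchost to the services it hosts on a Windows 7 machine: it reads the group membership from the standard Svchost registry key, looks up each member's running state, hosting PID and ServiceDll path, flags any DLL that is not under %SystemRoot%, and reports the working set of the svchost process(es) involved. Nothing in it is specific to this machine; all names are read from the registry at run time.

```powershell
# Added example (not from the original post). Windows 7 / PowerShell 2.0 compatible;
# run from an elevated prompt so the service Parameters keys are readable.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groupName  = 'netsvcs'

# REG_MULTI_SZ -> string[] of service names that "svchost.exe -k netsvcs" may host
$members = (Get-ItemProperty -Path $svchostKey).$groupName

# Installed services keyed by name, so we can find each member's state and hosting PID
$services = @{}
Get-WmiObject Win32_Service | ForEach-Object { $services[$_.Name] = $_ }

function Get-ServiceDll([string]$name) {
    # Shared-process services register their DLL as REG_EXPAND_SZ under
    # Parameters\ServiceDll (a few put ServiceDll directly on the service key).
    foreach ($sub in @("$name\Parameters", $name)) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$sub"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

$report = foreach ($name in $members) {
    $svc = $services[$name]
    if (-not $svc) { continue }          # listed in the group but not installed here
    $dll = Get-ServiceDll $name
    New-Object PSObject -Property @{
        Service    = $name
        State      = $svc.State
        StartMode  = $svc.StartMode
        ProcessId  = $svc.ProcessId      # 0 when the service is stopped
        ServiceDll = $dll
        # Legitimate netsvcs DLLs live under %SystemRoot%; a ServiceDll in a user
        # profile, Temp or ProgramData is the first thing to examine.
        InSystemRoot = ($dll -ne $null) -and $dll.ToLower().StartsWith($env:SystemRoot.ToLower())
    }
}

$report | Sort-Object ProcessId, Service | Format-Table Service, State, ProcessId, InSystemRoot, ServiceDll -AutoSize

# Working set of the svchost process(es) that actually host the running group members
$report | Where-Object { $_.State -eq 'Running' } | Select-Object -ExpandProperty ProcessId -Unique |
    ForEach-Object { Get-Process -Id $_ | Select-Object Id, ProcessName, @{n='WorkingSetMB';e={[int]($_.WorkingSet64/1MB)}} }
```

Per-service memory cannot be read out of a shared svchost directly; the usual way to isolate one member is `sc config <ServiceName> type= own` (reverted with `type= share`) followed by a reboot, after which Task Manager shows that service in its own process. On Windows 7 many Microsoft system DLLs are catalog-signed rather than embedded-signed, so a "NotSigned" result from Get-AuthenticodeSignature is not by itself suspicious; the path check above is the more reliable first filter.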
  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
