
STDRT.EXE



Could not find a topic relating to this, sorry if it has already been posted.

Problem: Something is depleting my bandwidth. I managed to isolate it as STDRT.EXE only after I had lost 2GB. It might not sound that bad, but I'm in South Africa and we don't have cheap internet.

I have Googled the file name and it came up as malware. I've tried all the programs that were suggested but no luck.

STDRT.EXE runs from windows\temp\"Random folder name". After each reboot a new folder gets created. I can stop the process and then all is fine till the next reboot.

I've made the temp dir read-only but that has no effect. Network activity starts before I log in. This sounds like a rootkit but no rootkit program finds anything.

The only reference in the registry is under Direct3D/Mostrecentapplication and directdraw/Mostrecentapplication.

The free version of Malwarebytes is not detecting it.

Any solution that won't cost me money?

DDS log follows, and Attach.txt is attached as Attach.zip.

=============

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Vick at 17:47:58 on 2011-10-18

Microsoft Windows 7 Home Basic 6.1.7601.1.1252.27.1033.18.1789.510 [GMT 2:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\windows\system32\atiesrxx.exe

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7b6e808b01435efc\STacSV.exe

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\atieclxx.exe

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\windows\TEMP\mrt7454.tmp\stdrt.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\windows\system32\taskhost.exe

C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7b6e808b01435efc\aestsrv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\wbem\unsecapp.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe

C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\windows\system32\svchost.exe -k SDRSVC

C:\windows\system32\taskmgr.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\windows\system32\ctfmon.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.za/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: FLVBlaster.FLVBlasterIEAddon: {807ca0aa-7cb3-4f03-bd61-076f618cc82d} - mscoree.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [PC Tools AntiVirus Free] c:\users\vick\desktop\avinstall.exe -min

mRun: [QLBController] c:\program files\hewlett-packard\hp hotkey support\QLBController.exe /start

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden

mRun: [sysTrayApp] c:\program files\idt\wdm\sttray.exe

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\users\vick\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Download with FLV Blaster - c:\users\vick\appdata\roaming\flv blaster\internet explorer\script.htm

IE: Download with FLV Blaster\Contexts - 1 (0x1)

IE: Download with FLV Blaster\Flags - 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

Trusted Zone: microsoft.com\oas.support

Trusted Zone: microsoft.com\support

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //FWEvent.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 10.0.0.2

TCP: Interfaces\{2040B0A7-2C2A-445C-8B2A-E6A4E7F87B1B}\C696E6B6379737 : DhcpNameServer = 172.4.1.254

TCP: Interfaces\{BA411212-8E64-4C68-8CE3-86DE9725E8F2} : DhcpNameServer = 10.0.0.2

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

.

============= SERVICES / DRIVERS ===============

.

R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-5-26 160912]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_7b6e808b01435efc\AEstSrv.exe [2010-7-3 81920]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-2-4 176128]

R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-6-21 85560]

R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-4-5 103992]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-3-28 94264]

R2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\hewlett-packard\hp hotkey support\hpHotkeyMonitor.exe [2010-3-1 264248]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]

R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2010-10-2 5120]

R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-2-4 5588480]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-2-4 210432]

R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2010-12-15 70656]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-10-13 41272]

RUnknown aswFsBlk;aswFsBlk; [x]

RUnknown aswMonFlt;aswMonFlt; [x]

RUnknown aswSnx;aswSnx; [x]

RUnknown aswSP;aswSP; [x]

S2 Adobe Licensing Console;Adobe Licensing Console;c:\windows\system32\mrvcl32.exe [2011-10-3 819729]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-7-3 29472]

S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2010-12-15 101504]

S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-12-15 206336]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-9-15 36608]

S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2010-9-11 95744]

S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2010-9-11 51968]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-11-23 1120752]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-21 52224]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]

.

=============== Created Last 30 ================

.

2011-10-18 14:04:53 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-18 14:04:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-18 08:54:33 -------- d-----w- c:\programdata\PC Tools

2011-10-18 07:30:58 -------- d-----w- c:\users\vick\appdata\local\Adobe

2011-10-17 21:43:51 -------- d-----w- c:\program files\ESET

2011-10-17 21:04:00 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{3e7f9b54-1aa8-4df2-87d4-2f833bc9bae5}\offreg.dll

2011-10-17 19:36:04 -------- d-sh--w- C:\$RECYCLE.BIN

2011-10-17 18:58:18 -------- d-----w- c:\users\vick\appdata\local\temp

2011-10-17 14:31:00 7269712 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{3e7f9b54-1aa8-4df2-87d4-2f833bc9bae5}\mpengine.dll

2011-10-15 21:45:58 -------- d-----w- c:\users\vick\appdata\local\NPE

2011-10-14 14:00:34 -------- d-----w- c:\programdata\AVAST Software

2011-10-14 14:00:34 -------- d-----w- c:\program files\AVAST Software

2011-10-13 19:25:07 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-13 15:46:36 -------- d-----w- c:\users\vick\appdata\roaming\Malwarebytes

2011-10-13 15:46:30 -------- d-----w- c:\programdata\Malwarebytes

2011-10-13 14:24:34 2 --shatr- c:\windows\winstart.bat

2011-10-13 14:24:08 -------- d-----w- c:\program files\UnHackMe

2011-10-13 08:07:42 75776 ----a-w- c:\windows\system32\psisrndr.ax

2011-10-13 08:07:42 465408 ----a-w- c:\windows\system32\psisdecd.dll

2011-10-13 07:32:17 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-10-13 07:32:17 233472 ----a-w- c:\windows\system32\oleacc.dll

2011-10-13 07:02:57 2334720 ----a-w- c:\windows\system32\win32k.sys

2011-10-12 16:05:11 -------- d-----w- c:\programdata\Spotmau

2011-10-12 16:05:00 -------- d-----w- c:\users\vick\appdata\roaming\spotmau

2011-10-12 16:05:00 -------- d-----w- c:\programdata\pc health check

2011-10-12 16:04:54 -------- d-----w- c:\programdata\TuneUp360

2011-10-12 16:04:44 -------- d-----w- c:\program files\TuneUp360

2011-10-12 08:29:41 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{d26e0012-71cc-4ee9-8eed-aa25fe3d399c}\gapaengine.dll

2011-10-12 07:34:34 -------- d-----w- c:\users\vick\appdata\roaming\PC Cleaners

2011-10-12 07:34:30 5359888 ----a-w- c:\windows\uninst.exe

2011-10-12 07:34:29 -------- d-----w- c:\programdata\PC1Data

2011-10-08 13:06:52 -------- d-----w- c:\users\vick\appdata\roaming\ParetoLogic

2011-10-08 13:06:52 -------- d-----w- c:\users\vick\appdata\roaming\DriverCure

2011-10-08 13:06:41 -------- d-----w- c:\programdata\ParetoLogic

2011-10-07 15:50:02 98816 ----a-w- c:\windows\sed.exe

2011-10-07 15:50:02 518144 ----a-w- c:\windows\SWREG.exe

2011-10-07 15:50:02 256000 ----a-w- c:\windows\PEV.exe

2011-10-07 15:50:02 208896 ----a-w- c:\windows\MBR.exe

2011-10-03 14:26:24 225280 ----a-w- c:\windows\system32\rewire.dll

2011-10-03 14:26:04 1554944 ----a-w- c:\windows\system32\vorbis.acm

2011-10-03 14:25:58 -------- d-----w- c:\program files\Outsim

2011-10-03 14:22:01 819729 ----a-w- c:\windows\system32\mrvcl32.exe

2011-10-02 09:29:54 -------- d-----w- c:\users\vick\appdata\roaming\DAEMON Tools Lite

2011-10-02 09:29:52 -------- d-----w- c:\programdata\DAEMON Tools Lite

2011-09-28 09:44:57 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-09-28 09:44:57 284672 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-09-28 09:44:57 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-09-28 09:44:57 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-09-28 09:44:56 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-09-28 09:44:56 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

2011-09-28 09:44:56 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

.

==================== Find3M ====================

.

2011-10-17 20:45:40 88 --sh--r- c:\programdata\A05A1AF48D.sys

2011-10-17 20:45:40 5018 --sha-w- c:\programdata\KGyGaAvL.sys

2011-10-02 09:30:28 443448 ----a-w- c:\windows\system32\drivers\sptd.sys

2011-09-27 04:50:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll

2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb

.

============= FINISH: 17:49:00.69 ===============

Attach.zip

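The symptoms in the post above (a binary in a fresh windows\temp\<random> folder after every reboot, network activity before logon) describe an executable that is launched by a machine-wide autostart rather than by the user's session. As an added example, not part of the original thread or of any tool mentioned in it, the following read-only PowerShell triage script lists every running process, service, Run/RunOnce entry and scheduled task whose executable lives under the Windows Temp folder, with the parent process so the launcher can be identified, and hashes any such file still on disk for lookup or submission. It generalizes beyond the poster's single process: it checks all four autostart sources, not just the running process. Assumptions: PowerShell 3.0 or later (for Get-CimInstance), an elevated prompt, and the helper names Test-UnderTemp and New-Finding are mine. The path C:\windows\TEMP\mrt7454.tmp\stdrt.exe quoted in the comments is the one from the poster's DDS log.

```powershell
# Added example (not from the original thread): read-only triage script that
# lists anything running from, or configured to start from, the Windows Temp
# folder. The poster's DDS log shows the process as
# C:\windows\TEMP\mrt7454.tmp\stdrt.exe; the "<random>.tmp" folder name is why
# the check matches on the Temp folder rather than on a fixed path.
# Assumes PowerShell 3.0 or later (Get-CimInstance) and an elevated prompt.

$tempRoot = Join-Path $env:WINDIR 'Temp'
# Match a path (optionally wrapped in quotes, as service command lines often are)
# that begins with <WINDIR>\Temp\ ; case-insensitive like the file system.
$tempRegex = '^"?' + [regex]::Escape($tempRoot) + '\\'

function Test-UnderTemp {
    param([string]$Path)
    return [bool]($Path -and ($Path -imatch $tempRegex))
}

function New-Finding {
    param([string]$Kind, [string]$Name, [string]$Path, [string]$Detail)
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Path = $Path; Detail = $Detail }
}

$findings = @()

# 1. Running processes, with the parent so the launcher can be identified.
#    A parent of services.exe or a task host points at a machine-wide
#    autostart, which fits "network activity starts before I log in".
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in $procs) {
    if (Test-UnderTemp $p.ExecutablePath) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentText = "exited parent (PID $($p.ParentProcessId))"
        if ($parent) { $parentText = "$($parent.Name) (PID $($parent.ProcessId))" }
        $findings += New-Finding 'Process' $p.Name $p.ExecutablePath `
            "PID $($p.ProcessId), parent $parentText, started $($p.CreationDate)"
    }
}

# 2. Services whose binary path is under Temp (these run as SYSTEM before logon).
foreach ($s in Get-CimInstance Win32_Service) {
    if (Test-UnderTemp $s.PathName) {
        $findings += New-Finding 'Service' $s.Name $s.PathName "$($s.StartMode), $($s.State)"
    }
}

# 3. Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # Skip the PS* provider properties that Get-ItemProperty adds.
        if ($prop.Name -like 'PS*') { continue }
        if (Test-UnderTemp ([string]$prop.Value)) {
            $findings += New-Finding 'RunKey' $prop.Name ([string]$prop.Value) $key
        }
    }
}

# 4. Scheduled tasks, via schtasks.exe so this also works on Windows 7
#    (the ScheduledTasks module only arrived with Windows 8).
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if (Test-UnderTemp $t.'Task To Run') {
        $findings += New-Finding 'Task' $t.TaskName $t.'Task To Run' "$($t.Status), runs as $($t.'Run As User')"
    }
}

# Report, plus a SHA-256 of each file still on disk for lookup or submission
# (Get-FileHash needs PowerShell 4.0; skipped if unavailable).
if ($findings.Count -eq 0) {
    "Nothing running from or configured to start from $tempRoot"
} else {
    $findings | Format-Table -AutoSize -Wrap
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        # Strip surrounding quotes and trailing arguments to get the bare file path.
        $findings | ForEach-Object { ($_.Path -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1' } |
            Sort-Object -Unique | Where-Object { Test-Path $_ } |
            ForEach-Object { Get-FileHash -Algorithm SHA256 $_ | Select-Object Hash, Path }
    }
}
```

The script changes nothing on the machine; its value is in the Detail column, which shows who started the Temp-resident process and which autostart entry points at it, so the persistence mechanism can be removed rather than the process merely killed until the next reboot.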

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.