Smitfraud-C.gp, Rootkit.Boot.Pihar.b, and Google Redirects


This topic is locked
25 replies to this topic

#1 DaMongoose

Posted 07 November 2011 - 10:46 PM

Hello,
I am reposting this thread in this forum as suggested here.

I am using Windows 7 64-bit Home Edition. I noticed last night that when I used IE and did Google searches, sometimes it would send me to wrong webpages. I thought perhaps I had some spyware, so I used Spybot Search & Destroy, and besides the normal cookies that popped up, this time it showed there was a file. It says this is Smitfraud-C.gp. I tried to Google it to figure out how to get rid of it, and it seems many links lead to this website.

I saw someone recommend tdsskiller.exe, so I downloaded that and ran it, and it said I had Rootkit.Boot.Pihar.b. It selected cure and restarted my computer; I scanned again, and nothing had changed, it still said the rootkit was there. Also, this time the cmd prompt console kept opening and closing on my screen very fast. I opened up Process Explorer to look at why that was happening, and apparently conhost.exe was opening and closing over and over and over. Also an svchost.exe was opening and closing over and over. I tried to run tdsskiller.exe one more time and restarted my computer again. Still nothing changed, it still said it had the rootkit. This time in Process Explorer, rather than conhost.exe opening over and over, there were just 7 instances of it open.

Also, in my taskbar there is what looks like an open program. It has no icon; if you hover over it, the title of it is L, and if I right-click it, it says it is winsrcmde. Now I am flustered and decided to create this post, and here we are.

This is what the Spybot S&D log said.
Smitfraud-C.gp: [SBI $8E7F06B8] Executable (File, nothing done)
C:\Windows\svchost.exe
Properties.size=20480
Properties.md5=2CEFF13ACE25A40BD8D97654944297CD
Properties.filedate=1247534086
Properties.filedatetext=2009-07-13 17:14:45


I have posted the main DDS log below, and also attached the DDS attach.txt, and the TDSSKiller Log.

Please help me! I will be eternally grateful!
Thank you for your time and assistance,
Austin


EDIT: I have noticed that Amazonup.dll is being run all the time through rundll32.exe, and Google literally has no idea what this is. I'm guessing this is bad. Also, randomly this advertisement appears at the very bottom of my screen. It doesn't show much of it, it's like a partially hidden video or something, but it had an X to close it in the upper left corner so I did. It stayed there even when I closed Chrome too, really weird. I haven't seen it appear when I don't have Chrome open, but I'll keep an eye out for it.

EDIT 2: I ran Amazonup.dll through Virustotal.com; these three scanners think it's a trojan. Did I manage to acquire a brand new trojan most scanners don't know about yet? I haven't seen any popups for the last many hours, but I'm exclusively using Chrome now. I noticed that a thread of svchost.exe was running at between 30-75% of my CPU power. I would kill the process, and 5 minutes later it would come back and be sucking up all my CPU power again. I killed it about 5-7 times, and now I'm not seeing it come back. The svchost.exe said it was running winsrcmde.

Kaspersky --- HEUR:Trojan.Win32.Generic
Rising --- Suspicious
Sophos --- Troj/Agent-TYK


EDIT 3: Ok, so wow, this thing really decided to infest. I noticed another DLL that was running called MouseBackupUpdate.dll, this one in the ProgramData folder. I also noticed that this DLL and Amazonup.dll were created at exactly the same time, 11/7/2011 1:16 AM. So I decided to search my computer to see if anything else has that modified time. I found srrstr.dll in my C:\Windows\SysWOW64 folder, and also uploaded this to VirusTotal along with MouseBackupUpdate.dll. They also return the same trojan warnings, but even more interesting, mouse and srrstr have the exact same hash; they are the same file, just renamed and in different spots. I also found many cookies were created at this time, as well as Securityx86_x64.dll, and some random crap about Flash Player, QuickTime, and something about meviomusicvideos.mevio.xml. I think now I know how I got in this spot of trouble: I stupidly visited a random funny video site I was linked to from I don't know where, and it probably did it through the Flash Player it used. How freaking annoying. Oh, I also noticed that Autoruns had two new listings to run on login: you guessed it, Amazonup.dll and MouseBackupUpdate.dll. I told Autoruns to prevent those from running at startup. I doubt that setting will stick though. I'm just disgusted at how, without me installing anything, I picked up this nasty crap.





.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Mongoose at 19:36:38 on 2011-11-07
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8190.4028 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\vssvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Fraps\fraps.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files\Logitech\SetPointG\SetPointII.exe
C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-8.01.067\Applets\x64\LCDClock.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Fraps\fraps64.dat
C:\Windows\system32\taskhost.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\PROGRAM FILES (X86)\SYSINTERNALS\PROCESS EXPLORER\PROCEXP.EXE
C:\PROGRAM FILES (X86)\SYSINTERNALS\PROCESS EXPLORER\PROCEXP64.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\syswow64\userinit.exe,
BHO: {15e815a1-83c3-4663-bdda-b27d3a7364ff} - C:\Users\Mongoose\AppData\Local\Securityx86_x64.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - No File
BHO: InvisibleHand Extension: {d17b46f2-99a5-462c-b92c-209285e2e2b4} - C:\Users\Mongoose\AppData\Local\InvisibleHand\InvisibleHand.005.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\Mongoose\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [MouseBackupUpdate] rundll32.exe "C:\ProgramData\MouseBackupUpdate.dll",DllRegisterServer
uRun: [Logitech Update] rundll32 "C:\Users\Mongoose\AppData\Local\Amazon\AmazonUpdate\Amazonup.DLL",DllRegisterServer
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [CTxfiHlp] CTXFIHLP.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {A3D9E1A6-5D6F-40DE-AC2A-87BBF3508387} - {A3D9E1A6-5D6F-40DE-AC2A-87BBF3508387} - C:\Users\Mongoose\AppData\Local\InvisibleHand\InvisibleHand.005.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A31EA702-5C82-4142-8E25-6A26DC67B9F7} - hxxps://training.futuresoldiers.com/gameControl/AxFSTSGameScenario.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{30545359-B394-46F1-9DC0-A2B0327F65F7} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A7DD0004-2110-4B3C-88CE-437CDBFC1614} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B31182B7-6F6C-4D77-B470-BCE7DCB33F82} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
IFEO: taskmgr.exe - "C:\PROGRAM FILES (X86)\SYSINTERNALS\PROCESS EXPLORER\PROCEXP.EXE"
C:\Users\Mongoose\AppData\Local\Securityx86_x64.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - No File
BHO-X64: URLRedirectionBHO - No File
BHO-X64: InvisibleHand Extension: {D17B46F2-99A5-462C-B92C-209285E2E2B4} - C:\Users\Mongoose\AppData\Local\InvisibleHand\InvisibleHand.005.dll
BHO-X64: InvisibleHand - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [CTxfiHlp] CTXFIHLP.EXE
SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
IFEO-X64: taskmgr.exe - "C:\PROGRAM FILES (X86)\SYSINTERNALS\PROCESS EXPLORER\PROCEXP.EXE"
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz133;cpuz133;\??\C:\Windows\system32\drivers\cpuz133_x64.sys --> C:\Windows\system32\drivers\cpuz133_x64.sys [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-3-24 13336]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-7-25 1153368]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
R3 DKRtWrt;DKRtWrt;C:\Windows\system32\DRIVERS\DKRtWrt.sys --> C:\Windows\system32\DRIVERS\DKRtWrt.sys [?]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\system32\drivers\ha20x22k.sys --> C:\Windows\system32\drivers\ha20x22k.sys [?]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\system32\drivers\LGVirHid.sys --> C:\Windows\system32\drivers\LGVirHid.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2011-10-2 13368]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2010-12-23 401920]
S3 cpudrv64;cpudrv64;C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [2009-12-18 17864]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-26 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-26 79360]
S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2011-11-5 25832]
S3 etdrv;etdrv;C:\Windows\etdrv.sys [2011-6-1 25640]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2011-6-1 30528]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 51445112]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-11-08 03:32:57 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A67ED5EF-A2F1-4613-AFF3-F41433440E33}\offreg.dll
2011-11-08 02:27:11 20480 ----a-w- C:\Windows\svchost.exe
2011-11-08 02:22:36 111408 ----a-w- C:\Windows\System32\drivers\26499731.sys
2011-11-08 01:56:44 -------- d-----w- C:\ProgramData\STOPzilla!
2011-11-08 01:20:31 103424 ----a-w- C:\Windows\SysWow64\srrstr.dll
2011-11-08 01:19:34 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A67ED5EF-A2F1-4613-AFF3-F41433440E33}\mpengine.dll
2011-11-07 09:15:58 271360 ----a-w- C:\Users\Mongoose\AppData\Local\Securityx86_x64.dll
2011-11-07 09:15:58 103424 ----a-w- C:\ProgramData\MouseBackupUpdate.dll
2011-11-07 08:22:01 91743 ----a-w- C:\E026.tmp
2011-11-07 08:22:01 90665 ----a-w- C:\DF6A.tmp
2011-11-07 08:22:01 87482 ----a-w- C:\E111.tmp
2011-11-06 13:39:25 40960 ----a-r- C:\Users\Mongoose\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-11-06 13:39:25 40960 ----a-r- C:\Users\Mongoose\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2011-11-01 05:41:59 -------- d-----w- C:\Users\Mongoose\AppData\Roaming\Voxatron
2011-11-01 00:40:13 -------- d--h--w- C:\Program Files (x86)\Zero G Registry
2011-11-01 00:39:26 -------- d--h--w- C:\Users\Mongoose\InstallAnywhere
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2011-10-24 21:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2011-10-24 21:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2011-10-23 21:46:32 -------- d-----w- C:\Users\Mongoose\AppData\Roaming\Elluminate
2011-10-23 06:28:36 -------- d-----w- C:\Users\Mongoose\AppData\Local\id software
2011-10-23 00:53:53 53248 ----a-r- C:\Users\Mongoose\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-10-20 11:21:20 -------- d-----w- C:\Users\Mongoose\AppData\Roaming\2012IGFPIRATEKART
2011-10-17 08:08:43 -------- d-----w- C:\Users\Mongoose\AppData\Local\ElevatedDiagnostics
2011-10-15 03:13:58 -------- d-----w- C:\Users\Mongoose\AppData\Local\FOMM
2011-10-15 03:08:16 -------- d-----w- C:\Users\Mongoose\AppData\Local\Fallout3
2011-10-12 13:09:59 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-10-12 13:09:59 3138048 ----a-w- C:\Windows\System32\win32k.sys
2011-10-12 13:09:59 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-10-12 13:09:58 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-10-12 13:09:58 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-10-12 13:09:58 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2011-10-12 13:09:58 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-10-12 13:09:57 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-10-12 13:09:57 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2011-10-12 08:57:27 -------- d-----w- C:\Program Files\iTunes
2011-10-12 08:57:27 -------- d-----w- C:\Program Files\iPod
2011-10-12 08:57:27 -------- d-----w- C:\Program Files (x86)\iTunes
2011-10-12 08:56:40 -------- d-----w- C:\Program Files\Bonjour
2011-10-12 08:56:40 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-10-11 23:27:29 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1ADDF0DD-B553-4F14-A22B-93D33FB0F085}\gapaengine.dll
2011-10-09 23:40:02 -------- d-----w- C:\Users\Mongoose\AppData\Roaming\Red Alert 3
2011-10-09 23:11:33 -------- d-----w- C:\Users\Mongoose\AppData\Roaming\Capcom
2011-10-09 22:22:30 -------- d-----we C:\Program Files (x86)\CAPCOM
.
==================== Find3M ====================
.
2011-11-08 02:05:32 151552 ----a-w- C:\Windows\KMSEmulator.exe
2011-10-28 13:28:52 423656 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-10-23 05:10:50 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-10-23 05:10:50 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-10-23 05:10:50 123480 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-10-23 05:10:50 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-10-23 00:53:43 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2011-10-12 09:18:07 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-12 07:55:33 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-10-12 07:55:33 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-10-12 06:57:25 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-10-02 10:48:43 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-09-19 13:03:40 45056 ----a-w- C:\Windows\SysWow64\rtvcvfw32.dll
2011-09-02 06:30:46 55064 ----a-w- C:\Windows\System32\LMouFiltCoInst.dll
2011-09-02 06:30:36 60696 ----a-w- C:\Windows\System32\drivers\LMouFilt.Sys
2011-09-02 06:30:36 1845528 ----a-w- C:\Windows\System32\LkmdfCoInst.dll
2011-09-02 06:30:24 66840 ----a-w- C:\Windows\System32\drivers\LHidFilt.Sys
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-31 06:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 06:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 06:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 06:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-25 07:43:26 45056 ----a-w- C:\Windows\System32\rtvcvfw32.dll
2011-08-12 01:50:28 2011736 ----a-w- C:\Windows\System32\drivers\ct20xflt.sys
2011-08-12 01:50:16 16472 ----a-w- C:\Windows\System32\drivers\pfmodnt.sys
2011-08-12 01:50:04 1613400 ----a-w- C:\Windows\System32\drivers\ha20x22k.sys
2011-08-12 01:49:50 1568344 ----a-w- C:\Windows\System32\drivers\ha20x2k.sys
2011-08-12 01:49:40 118360 ----a-w- C:\Windows\System32\drivers\emupia2k.sys
2011-08-12 01:49:28 213080 ----a-w- C:\Windows\System32\drivers\ctsfm2k.sys
2011-08-12 01:49:18 15960 ----a-w- C:\Windows\System32\drivers\ctprxy2k.sys
2011-08-12 01:49:06 179288 ----a-w- C:\Windows\System32\drivers\ctoss2k.sys
2011-08-12 01:48:56 700632 ----a-w- C:\Windows\System32\drivers\ctaud2k.sys
2011-08-12 01:48:46 580696 ----a-w- C:\Windows\System32\drivers\ctac32k.sys
2011-08-12 01:48:34 1445976 ----a-w- C:\Windows\System32\drivers\CTEXFIFX.sys
2011-08-12 01:48:22 95320 ----a-w- C:\Windows\System32\drivers\CTHWIUT.sys
2011-08-12 01:48:12 230488 ----a-w- C:\Windows\System32\drivers\CT20XUT.sys
2011-08-12 01:37:10 12288 ----a-w- C:\Windows\System32\INRES.DLL
2011-08-12 01:37:06 218112 ----a-w- C:\Windows\System32\ctdvinst.dll
2011-08-12 01:37:04 73728 ----a-w- C:\Windows\System32\ctcoinst.dll
2011-08-12 01:07:48 55808 ----a-w- C:\Windows\System32\ctasio64.dll
2011-08-12 01:07:44 67584 ----a-w- C:\Windows\System32\ctdpxy64.dll
2011-08-12 01:04:02 89088 ----a-w- C:\Windows\System32\ctosur64.dll
2011-08-12 01:03:34 18432 ----a-w- C:\Windows\System32\regplib.exe
2011-08-12 00:08:38 11776 ----a-w- C:\Windows\SysWow64\INRES.DLL
2011-08-12 00:05:04 14336 ----a-w- C:\Windows\SysWow64\a3d.dll
2011-08-12 00:02:34 13312 ----a-w- C:\Windows\SysWow64\ac3api.dll
2011-08-12 00:00:42 2560 ----a-w- C:\Windows\SysWow64\CtxfiRes.dll
2011-08-12 00:00:42 2560 ----a-w- C:\Windows\System32\CtxfiRes.dll
2011-08-12 00:00:40 42496 ----a-w- C:\Windows\SysWow64\CTxfiBtn.dll
2011-08-12 00:00:38 39424 ----a-w- C:\Windows\SysWow64\CTxfiSpk.dll
2011-08-12 00:00:38 24576 ----a-w- C:\Windows\SysWow64\Ctxfihlp.exe
2011-08-11 23:54:30 47104 ----a-w- C:\Windows\SysWow64\CTxfiReg.exe
2011-08-11 23:54:28 15360 ----a-w- C:\Windows\SysWow64\Ct20xspi.dll
2011-08-11 23:54:20 1268224 ----a-w- C:\Windows\SysWow64\CTxfispi.exe
2011-08-11 23:47:26 51787 ----a-w- C:\Windows\System32\SET8A95.tmp
2011-08-11 23:47:26 384647 ----a-w- C:\Windows\System32\SET8AB5.tmp
2011-08-11 23:46:38 201216 ----a-w- C:\Windows\SysWow64\ctemupia.dll
2011-08-11 23:42:48 193024 ----a-w- C:\Windows\SysWow64\ct_oal.dll
2011-08-11 23:42:46 51712 ----a-w- C:\Windows\SysWow64\ctasio.dll
2011-08-11 23:42:42 61952 ----a-w- C:\Windows\SysWow64\ctdproxy.dll
2011-08-11 23:41:20 74240 ----a-w- C:\Windows\SysWow64\ctosuser.dll
2011-08-11 23:41:18 10240 ----a-w- C:\Windows\SysWow64\sfman32.dll
2011-08-11 23:41:16 137216 ----a-w- C:\Windows\SysWow64\sfms32.dll
2011-08-11 23:41:04 80896 ----a-w- C:\Windows\SysWow64\piaproxy.dll
2011-08-11 23:37:20 7680 ----a-w- C:\Windows\SysWow64\enlocstr.exe
2011-08-11 23:37:14 12800 ----a-w- C:\Windows\SysWow64\killapps.exe
2011-08-11 23:36:42 36864 ----a-w- C:\Windows\SysWow64\devreg.dll
.
============= FINISH: 19:37:04.52 ===============


Edited by DaMongoose, 08 November 2011 - 10:17 AM.



#2 HelpBot


Posted 12 November 2011 - 10:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426846 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 DaMongoose


Posted 14 November 2011 - 03:34 AM

Hello, replying to this topic as HelpBot instructed.
I still need assistance. I have been leaving everything alone as much as I possibly could. When I log on though, I make sure I suspend two processes that I know are part of this virus. I suspend conhost.exe and svchost.exe, which has a command line of -netsvcs, and a path of "\\.\globalroot\systemroot\svchost.exe". If I tried to kill them, they would immediately start back up, but suspending them seems to keep the mischief they do to a minimum. I have also noticed a file called "xakgykwpwm.tmp" keeps being created occasionally on my desktop, with the hidden file attribute. It is 0 bytes though; other than a name and attribute I don't believe it has any data. I delete it, and a few hours later it reappears.

I have attached a new DDS log, and skipped the GMER log as I use 64-bit Windows 7.
I do still have my original Windows DVD.

Thank you for your time and efforts into solving my problems,
Austin



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Mongoose at 0:31:09 on 2011-11-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8190.901 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Fraps\fraps.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files\Logitech\SetPointG\SetPointII.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-8.01.067\Applets\x64\LCDClock.exe
C:\Program Files\Fraps\fraps64.dat
C:\Windows\system32\taskhost.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\PROGRAM FILES (X86)\SYSINTERNALS\PROCESS EXPLORER\PROCEXP.EXE
C:\PROGRAM FILES (X86)\SYSINTERNALS\PROCESS EXPLORER\PROCEXP64.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Windows\explorer.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
D:\Games\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe
D:\Games\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.35\deploy\LoLLauncher.exe
D:\Games\League of Legends\League of Legends\RADS\projects\lol_air_client\releases\0.0.0.100\deploy\LolClient.exe
C:\Users\Mongoose\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\syswow64\userinit.exe,
BHO: {15e815a1-83c3-4663-bdda-b27d3a7364ff} - C:\Users\Mongoose\AppData\Local\Securityx86_x64.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - No File
BHO: InvisibleHand Extension: {d17b46f2-99a5-462c-b92c-209285e2e2b4} - C:\Users\Mongoose\AppData\Local\InvisibleHand\InvisibleHand.005.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\Mongoose\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11c_ActiveX.exe -update activex
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {A3D9E1A6-5D6F-40DE-AC2A-87BBF3508387} - {A3D9E1A6-5D6F-40DE-AC2A-87BBF3508387} - C:\Users\Mongoose\AppData\Local\InvisibleHand\InvisibleHand.005.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {A31EA702-5C82-4142-8E25-6A26DC67B9F7} - hxxps://training.futuresoldiers.com/gameControl/AxFSTSGameScenario.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{30545359-B394-46F1-9DC0-A2B0327F65F7} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A7DD0004-2110-4B3C-88CE-437CDBFC1614} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B31182B7-6F6C-4D77-B470-BCE7DCB33F82} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
IFEO: taskmgr.exe - "C:\PROGRAM FILES (X86)\SYSINTERNALS\PROCESS EXPLORER\PROCEXP.EXE"
C:\Users\Mongoose\AppData\Local\Securityx86_x64.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - No File
BHO-X64: URLRedirectionBHO - No File
BHO-X64: InvisibleHand Extension: {D17B46F2-99A5-462C-B92C-209285E2E2B4} - C:\Users\Mongoose\AppData\Local\InvisibleHand\InvisibleHand.005.dll
BHO-X64: InvisibleHand - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
IFEO-X64: taskmgr.exe - "C:\PROGRAM FILES (X86)\SYSINTERNALS\PROCESS EXPLORER\PROCEXP.EXE"
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz133;cpuz133;\??\C:\Windows\system32\drivers\cpuz133_x64.sys --> C:\Windows\system32\drivers\cpuz133_x64.sys [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-3-24 13336]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-7-25 1153368]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
R3 DKRtWrt;DKRtWrt;C:\Windows\system32\DRIVERS\DKRtWrt.sys --> C:\Windows\system32\DRIVERS\DKRtWrt.sys [?]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\system32\drivers\ha20x22k.sys --> C:\Windows\system32\drivers\ha20x22k.sys [?]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\system32\drivers\LGVirHid.sys --> C:\Windows\system32\drivers\LGVirHid.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2011-5-2 24176]
R3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2011-10-2 13368]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2010-12-23 401920]
S3 cpudrv64;cpudrv64;C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [2009-12-18 17864]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-26 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-26 79360]
S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2011-11-5 25832]
S3 etdrv;etdrv;C:\Windows\etdrv.sys [2011-6-1 25640]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2011-6-1 30528]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 51445112]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-11-14 03:48:50 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{96B350A7-D5E1-4693-AE15-6FBCB53ADFC0}\offreg.dll
2011-11-14 03:48:49 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{96B350A7-D5E1-4693-AE15-6FBCB53ADFC0}\mpengine.dll
2011-11-09 01:19:45 0 ----a-w- C:\Windows\SysWow64\0.25825881577389087.exe
2011-11-08 22:34:36 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-08 22:34:36 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-08 22:34:36 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-08 22:34:35 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-08 02:27:11 20480 ----a-w- C:\Windows\svchost.exe
2011-11-08 02:22:36 111408 ----a-w- C:\Windows\System32\drivers\26499731.sys
2011-11-08 01:56:44 -------- d-----w- C:\ProgramData\STOPzilla!
2011-11-08 01:20:31 103424 ----a-w- C:\Windows\SysWow64\srrstr.dll
2011-11-07 09:15:58 271360 ----a-w- C:\Users\Mongoose\AppData\Local\Securityx86_x64.dll
2011-11-07 09:15:58 103424 ----a-w- C:\ProgramData\MouseBackupUpdate.dll
2011-11-07 08:22:01 91743 ----a-w- C:\E026.tmp
2011-11-07 08:22:01 90665 ----a-w- C:\DF6A.tmp
2011-11-07 08:22:01 87482 ----a-w- C:\E111.tmp
2011-11-06 13:39:25 40960 ----a-r- C:\Users\Mongoose\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-11-06 13:39:25 40960 ----a-r- C:\Users\Mongoose\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2011-11-01 05:41:59 -------- d-----w- C:\Users\Mongoose\AppData\Roaming\Voxatron
2011-11-01 00:40:13 -------- d--h--w- C:\Program Files (x86)\Zero G Registry
2011-11-01 00:39:26 -------- d--h--w- C:\Users\Mongoose\InstallAnywhere
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2011-10-29 03:14:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2011-10-24 21:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2011-10-24 21:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2011-10-23 21:46:32 -------- d-----w- C:\Users\Mongoose\AppData\Roaming\Elluminate
2011-10-23 06:28:36 -------- d-----w- C:\Users\Mongoose\AppData\Local\id software
2011-10-23 00:53:53 53248 ----a-r- C:\Users\Mongoose\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-10-20 11:21:20 -------- d-----w- C:\Users\Mongoose\AppData\Roaming\2012IGFPIRATEKART
2011-10-17 08:08:43 -------- d-----w- C:\Users\Mongoose\AppData\Local\ElevatedDiagnostics
.
==================== Find3M ====================
.
2011-11-08 02:05:32 151552 ----a-w- C:\Windows\KMSEmulator.exe
2011-10-23 05:10:50 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-10-23 05:10:50 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-10-23 05:10:50 123480 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-10-23 05:10:50 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-10-23 00:53:43 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2011-10-12 09:18:07 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-12 07:55:33 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-10-12 07:55:33 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-10-12 06:57:25 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-10-03 13:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-10-02 10:48:43 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-09-19 13:03:40 45056 ----a-w- C:\Windows\SysWow64\rtvcvfw32.dll
2011-09-02 06:30:46 55064 ----a-w- C:\Windows\System32\LMouFiltCoInst.dll
2011-09-02 06:30:36 60696 ----a-w- C:\Windows\System32\drivers\LMouFilt.Sys
2011-09-02 06:30:36 1845528 ----a-w- C:\Windows\System32\LkmdfCoInst.dll
2011-09-02 06:30:24 66840 ----a-w- C:\Windows\System32\drivers\LHidFilt.Sys
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-31 06:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 06:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 06:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 06:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 07:43:26 45056 ----a-w- C:\Windows\System32\rtvcvfw32.dll
2011-08-17 05:26:46 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2011-08-17 05:25:08 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2011-08-17 04:24:12 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-08-17 04:19:27 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
.
============= FINISH: 0:31:37.21 ===============
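A triage script for a DDS log of the kind posted above, added here as an example and not a tool from this thread or from DDS itself. It parses the "Running Processes" and "Pseudo HJT Report" sections and flags the indicators this log shows: a process entry with no image path (the bare "-netsvcs" line), an svchost.exe started outside System32/SysWOW64 or without a "-k" group, a BHO loaded from a user-writable folder, and UAC policies set to 0. The embedded sample log is constructed from the shape of the posted one, with "User" standing in for the profile name.

```python
"""Triage heuristics for a DDS log (added example, not part of the thread).

Parses the "Running Processes" and "Pseudo HJT Report" sections that DDS
prints and flags the kind of entries seen in the posted log:
  * a process line with no image path at all (the bare "-netsvcs" entry),
  * svchost.exe started outside System32/SysWOW64 or without a "-k" group,
  * a BHO loaded from a user-writable folder (AppData, ProgramData, Temp),
  * UAC policies set to 0 (EnableLUA, ConsentPromptBehaviorAdmin, ...).
"""
import ntpath
import re

# Constructed sample in the shape of the posted DDS log; "User" stands in for
# the real profile name, the paths and GUIDs follow the thread's log.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k netsvcs
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\svchost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
BHO: {15e815a1-83c3-4663-bdda-b27d3a7364ff} - C:\Users\User\AppData\Local\Securityx86_x64.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
.
============= SERVICES / DRIVERS ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)\b\s*(?P<args>.*)$", re.IGNORECASE)
POLICY_RE = re.compile(r"^mPolicies-system:\s*(?P<name>\w+)\s*=\s*(?P<value>\d+)")

# Where a genuine svchost.exe lives on Windows 7; anything else is suspect.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Folders a standard user can write to; a BHO should not be loaded from here.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")
# Value that turns each UAC policy off (Windows 7 defaults are 1, 5, 1).
UAC_DISABLED = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0,
                "PromptOnSecureDesktop": 0}


def split_sections(text):
    """Map each '=== Name ===' header of a DDS log to its non-empty lines."""
    sections, current = {}, None
    for line in text.splitlines():
        match = SECTION_RE.match(line.strip())
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def flag_processes(lines):
    """Heuristics for the process list; rogue svchost.exe is the thread's symptom."""
    findings = []
    for line in lines:
        match = IMAGE_RE.match(line)
        if not match:
            # DDS printed only a command line: the image has no normal path,
            # matching the \\.\globalroot\... svchost the poster saw.
            findings.append(("process-no-image", line))
            continue
        image, args = match.group("image"), match.group("args")
        if ntpath.basename(image).lower() != "svchost.exe":
            continue
        if ntpath.dirname(image).lower() not in SVCHOST_DIRS:
            findings.append(("svchost-wrong-dir", image))
        if not re.search(r"(?i)\s-k\s+\S+", " " + args):
            findings.append(("svchost-no-group", line))
    return findings


def flag_hjt(lines):
    """BHO load paths and UAC policy values from the Pseudo HJT section."""
    findings = []
    for line in lines:
        if line.startswith("BHO"):
            target = line.rsplit(" - ", 1)[-1]
            if any(part in target.lower() for part in USER_WRITABLE):
                findings.append(("bho-user-writable", target))
            continue
        match = POLICY_RE.match(line)
        if match and UAC_DISABLED.get(match.group("name")) == int(match.group("value")):
            findings.append(("uac-disabled", match.group("name")))
    return findings


def triage(text):
    """Return (kind, detail) findings for a whole DDS log."""
    sections = split_sections(text)
    return (flag_processes(sections.get("Running Processes", []))
            + flag_hjt(sections.get("Pseudo HJT Report", [])))


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

The same checks run unchanged over a full DDS log saved from the tool, since the section headers and line shapes are the ones DDS prints.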




#4 Blade81

  • Malware Response Team

Posted 14 November 2011 - 11:00 AM

Hi,

uTorrent

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 DaMongoose


Posted 14 November 2011 - 06:06 PM

Thank you for taking the time to help me out. I have run ComboFix, and I am attaching the log it produced, as well as a new DDS log.
The computer still has the virus, the same infected processes started up again.

Thanks again,
Austin




#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 15 November 2011 - 12:59 AM

Hi,

1. Download TDSSKiller and extract its contents into a folder in a desired location (e.g. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select skip and click Continue (the tool may prompt for a reboot).
4. Post back the contents of the log file in the c: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).



#7 DaMongoose

DaMongoose
  • Topic Starter

  • Members
  • 15 posts

Posted 15 November 2011 - 01:26 AM

Hello, I have done as asked, and attached the TDSS log.

Thanks,
Austin

Attached Files


Edited by DaMongoose, 15 November 2011 - 01:26 AM.


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 15 November 2011 - 01:28 AM

Hi,

Please run TDSSKiller again and this time select cure option. Re-run ComboFix and post back its log + fresh dds logs.



#9 DaMongoose

DaMongoose
  • Topic Starter

  • Members
  • 15 posts

Posted 15 November 2011 - 01:51 AM

Ok, ran TDSSKiller again, selected cure, it rebooted, ran it again, and it still says the problem is there, so I am posting the log from when I cured and the log after I rebooted. I reran ComboFix; it also restarted my computer, and when it came back it popped up the log file. Now, for some reason, anything I click on in Windows Explorer complains "Illegal operation attempted on a registry key that has been marked for deletion." This happens for anything that I click on using Windows Explorer. If I have it on my desktop and click it, it does not complain. I tried running DDS by copying it to my desktop, and it started, but now it is hanging and will not complete. I'm going to post the logs I have, restart, and try to run DDS again.

Thanks,
Austin

Attached Files



#10 DaMongoose

DaMongoose
  • Topic Starter

  • Members
  • 15 posts

Posted 15 November 2011 - 01:56 AM

Ok, a restart fixed those issues. Ran DDS, here is the log.

Thanks!

Attached Files



#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 15 November 2011 - 08:58 AM

Hi,

Open Notepad and copy/paste the text in the quote box below into it:

http://www.bleepingcomputer.com/forums/topic426846.html
Suspect::[76]
C:\Windows\System32\drivers\26499731.sys
C:\E026.tmp
C:\DF6A.tmp
C:\E111.tmp


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish. Copy-paste results (if anything found).



#12 DaMongoose

DaMongoose
  • Topic Starter

  • Members
  • 15 posts

Posted 15 November 2011 - 03:02 PM

I ran ComboFix using the script, but it asked to update and I said yes, and after it updated it reran itself. Does it still use the script the 2nd time after it updated itself? Ok, I'm posting the log, and I am running ESET right now, and will update this post accordingly.

Attached Files


Edited by DaMongoose, 15 November 2011 - 03:02 PM.


#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 15 November 2011 - 03:42 PM

Hi,

The correct ComboFix log got posted.

Download aswMBR to your desktop. Double click aswMBR.exe to run it.
Click the Scan button to start the scan.

On completion of the scan click save log, save it to your desktop and post in your next reply.

Edited by Blade81, 15 November 2011 - 03:43 PM.



#14 DaMongoose

DaMongoose
  • Topic Starter

  • Members
  • 15 posts

Posted 15 November 2011 - 06:29 PM

ESET ran for 3 hours, and stalled when it got to memory scanning. I'm rerunning it and excluding all my external drives where I know there's not a problem. I tried to run aswMBR; every time I hit scan, I would get a BSOD, and the computer would restart. I also tried to run it in safe mode; it still instantly would give me a BSOD.

EDIT: ESET ran much faster that time, here are the results.

C:\Program Files\Diskeeper Corporation\Diskeeper\Diskeeper 2010 Patcher v1.1.exe Win32/Packed.Autoit.C.Gen application
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\ProgramData\MouseBackupUpdate.dll.vir a variant of Win32/Kryptik.VEF trojan
C:\Qoobox\Quarantine\C\users\Mongoose\AppData\Local\Securityx86_x64.dll.vir a variant of Win32/Kryptik.VEF trojan
C:\users\Mongoose\AppData\Local\Amazon\AmazonUpdate\Amazonup.dll a variant of Win32/Kryptik.VEF trojan
C:\Windows\KMSEmulator.exe a variant of Win32/HackKMS.A application
C:\Windows\System32\srrstr.dll a variant of Win32/Kryptik.VEF trojan
C:\Windows\SysWOW64\srrstr.dll a variant of Win32/Kryptik.VEF trojan

Edited by DaMongoose, 15 November 2011 - 06:39 PM.


#15 DaMongoose

DaMongoose
  • Topic Starter

  • Members
  • 15 posts

Posted 16 November 2011 - 12:37 AM

So what should I do next? Do I let ESET try to fix the problems it finds?



