
Infected with unknown virus or malware


  • This topic is locked
9 replies to this topic

#1 plurality


  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 06 October 2012 - 12:04 PM

My system has been having issues on and off for a while now, and while my anti-virus (avast!) has not been able to spot it, I am fairly certain there is a virus on my system. The problem occurring is that my system will frequently (at least once a day) freeze completely (ctrl-alt-del is not possible, have to hard reboot) while I'm on the web. I previously was running Windows Vista. After a while of this going, eventually it got to where I couldn't even boot the system. I took it into a PC repair place where they diagnosed a virus and their solution was to install Windows 7.

The system seemed to run better for a little, but while looking for my files I noticed that the old OS was still there, so it wasn't a total system wipe. While I was glad for this as there were files I needed to recover, I don't think they did a thorough job as the problems have resurfaced. I have always frequently run full scans with avast! that haven't turned anything up, but on 10/2 it did pick up 2 files that it said were a rootkit. When I attempted to remove them it said the files could not be found and they have not turned up since. I also ran a memory scan that turned up 9 infections of various trojans in the Malwarebytes process. I uninstalled Malwarebytes and have not seen these since. However, the system continues to freeze and I'm sure there's an infection. Please help!

Here is the DDS log. There is no GMER log as I run an x64 system.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Owner at 11:43:28 on 2012-10-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5887.4234 [GMT -5:00]
.
AV: avast! Internet Security *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Internet Security *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Owner\AppData\Local\Google\Update\1.3.21.123\GoogleCrashHandler.exe
C:\Users\Owner\AppData\Local\Google\Update\1.3.21.123\GoogleCrashHandler64.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\sdclt.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3225826
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{EFF6A73A-80EE-4E1C-B05B-C654866107D1} : DhcpNameServer = 192.168.1.1
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;C:\Windows\system32\DRIVERS\aswNdis.sys --> C:\Windows\system32\DRIVERS\aswNdis.sys [?]
R0 aswNdis2;avast! Firewall Core Firewall Service;C:\Windows\system32\drivers\aswNdis2.sys --> C:\Windows\system32\drivers\aswNdis2.sys [?]
R1 aswFW;avast! TDI Firewall driver;C:\Windows\system32\drivers\aswFW.sys --> C:\Windows\system32\drivers\aswFW.sys [?]
R1 aswKbd;aswKbd;C:\Windows\system32\drivers\aswKbd.sys --> C:\Windows\system32\drivers\aswKbd.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-7-4 361984]
R2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-3-5 53888]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-9-21 44808]
R2 avast! Firewall;avast! Firewall;C:\Program Files\AVAST Software\Avast\afwServ.exe [2012-9-21 133912]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
R3 LVUVC64;Logitech Webcam 250(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-9-27 250288]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-10-06 11:58:55 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{690033EA-DB9D-4FBC-A329-2EBDA54F5246}\offreg.dll
2012-10-05 14:59:56 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{690033EA-DB9D-4FBC-A329-2EBDA54F5246}\mpengine.dll
2012-09-28 06:15:25 -------- d-----w- C:\Users\Owner\AppData\Local\Diagnostics
2012-09-27 17:29:37 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-09-27 17:29:37 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-09-27 17:29:36 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-09-27 17:29:31 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-09-27 17:29:31 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys
2012-09-27 17:29:29 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2012-09-27 17:29:27 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-09-27 17:29:27 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-09-27 15:10:49 -------- d-----w- C:\Program Files\LSI SoftModem
2012-09-27 14:56:32 -------- d-----w- C:\Windows\System32\SPReview
2012-09-27 14:55:40 -------- d-----w- C:\Windows\System32\EventProviders
2012-09-27 14:52:22 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2012-09-27 14:52:21 902656 ----a-w- C:\Windows\System32\d2d1.dll
2012-09-27 14:52:21 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-09-27 14:49:32 73136 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-27 14:49:32 696240 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-09-27 08:02:14 -------- d-----w- C:\Windows\SysWow64\Wat
2012-09-27 08:02:12 -------- d-----w- C:\Windows\System32\Wat
2012-09-27 04:50:00 48976 ----a-w- C:\Windows\System32\netfxperf.dll
2012-09-27 04:50:00 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2012-09-27 04:48:59 1646080 ----a-w- C:\Windows\System32\wevtsvc.dll
2012-09-27 04:47:59 342016 ----a-w- C:\Windows\SysWow64\certcli.dll
2012-09-27 04:46:59 630272 ----a-w- C:\Windows\System32\evr.dll
2012-09-27 04:45:59 684032 ----a-w- C:\Windows\System32\TabletPC.cpl
2012-09-27 04:44:59 1547264 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
2012-09-27 04:43:59 685056 ----a-w- C:\Windows\SysWow64\dsuiext.dll
2012-09-27 04:42:59 85504 ----a-w- C:\Windows\SysWow64\secproc_ssp.dll
2012-09-27 04:41:59 8192 ----a-w- C:\Windows\System32\KBDCZ1.DLL
2012-09-27 04:40:56 4608 ----a-w- C:\Windows\System32\drivers\en-US\kbdclass.sys.mui
2012-09-27 04:40:55 6144 ----a-w- C:\Windows\System32\drivers\en-US\IPMIDrv.sys.mui
2012-09-27 04:40:47 399872 ----a-w- C:\Windows\System32\dpx.dll
2012-09-27 04:40:47 189952 ----a-w- C:\Windows\SysWow64\wdscore.dll
2012-09-27 04:40:33 189952 ----a-w- C:\Windows\SysWow64\sqmapi.dll
2012-09-27 04:40:03 189952 ----a-w- C:\Program Files (x86)\Windows Portable Devices\sqmapi.dll
2012-09-27 04:40:02 606208 ----a-w- C:\Windows\SysWow64\wbem\fastprox.dll
2012-09-27 04:40:02 363008 ----a-w- C:\Windows\SysWow64\wbemcomn.dll
2012-09-27 04:36:18 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2012-09-27 04:36:18 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2012-09-27 04:36:03 244736 ----a-w- C:\Windows\System32\sqmapi.dll
2012-09-27 03:53:07 -------- d-----w- C:\Users\Owner\AppData\Roaming\Nico Mak Computing
2012-09-27 03:53:01 18760 ----a-w- C:\Windows\System32\roboot64.exe
2012-09-27 03:52:55 -------- d-----w- C:\Program Files (x86)\WinZip Registry Optimizer
2012-09-25 08:04:11 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-09-25 08:01:13 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2012-09-25 02:24:02 -------- d-----w- C:\Users\Owner\AppData\Roaming\OpenOffice.org
2012-09-25 02:20:00 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2012-09-23 08:06:35 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-09-23 08:06:35 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-09-23 08:06:35 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-09-23 08:06:34 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-09-23 08:06:33 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-09-23 08:06:33 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-09-23 08:06:33 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-09-22 23:13:57 -------- d-----w- C:\Users\Owner\AppData\Local\AMD
2012-09-22 23:13:45 -------- d-----w- C:\Users\Owner\AppData\Local\ATI
2012-09-22 23:13:41 -------- d-----w- C:\Program Files (x86)\AMD AVT
2012-09-22 23:13:37 -------- d-----w- C:\Program Files (x86)\AMD APP
2012-09-22 23:13:31 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2012-09-22 23:13:31 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2012-09-22 23:12:28 -------- d-----w- C:\ProgramData\AMD
2012-09-22 23:12:26 46136 ----a-w- C:\Windows\System32\drivers\amdiox64.sys
2012-09-22 23:11:10 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2012-09-22 23:10:54 -------- d-----w- C:\Program Files\ATI Technologies
2012-09-22 23:10:51 -------- d-----w- C:\Program Files\ATI
2012-09-22 23:09:54 -------- d-----w- C:\AMD
2012-09-22 22:52:29 -------- d-----w- C:\Users\Owner\AppData\Roaming\.minecraft
2012-09-22 22:51:49 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-09-22 22:51:49 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-09-22 22:51:40 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-22 22:31:27 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-09-22 22:30:46 -------- d-----w- C:\Program Files (x86)\BitTorrent
2012-09-22 22:30:01 -------- d-----w- C:\Users\Owner\AppData\Roaming\BitTorrent
2012-09-22 09:35:56 2871808 ----a-w- C:\Windows\explorer.exe
2012-09-22 09:35:55 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe
2012-09-22 09:35:50 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2012-09-22 09:35:50 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2012-09-22 09:35:49 1118720 ----a-w- C:\Windows\System32\sbe.dll
2012-09-22 09:35:48 850944 ----a-w- C:\Windows\SysWow64\sbe.dll
2012-09-22 09:35:48 259072 ----a-w- C:\Windows\System32\mpg2splt.ax
2012-09-22 09:35:47 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2012-09-22 09:33:55 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2012-09-22 09:33:55 158208 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2012-09-22 09:33:55 128000 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2012-09-22 09:33:49 395776 ----a-w- C:\Windows\System32\webio.dll
2012-09-22 09:33:49 314880 ----a-w- C:\Windows\SysWow64\webio.dll
2012-09-22 09:33:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-09-22 09:33:15 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-09-22 09:33:14 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-09-22 09:33:14 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-09-22 09:33:13 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2012-09-22 09:33:13 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2012-09-22 09:32:54 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2012-09-22 09:32:46 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-09-22 09:32:46 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-09-22 09:32:41 751104 ----a-w- C:\Windows\System32\win32spl.dll
2012-09-22 09:32:41 67072 ----a-w- C:\Windows\splwow64.exe
2012-09-22 09:32:41 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2012-09-22 09:32:41 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-09-22 09:32:38 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2012-09-22 09:32:37 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2012-09-22 09:30:38 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-09-22 09:29:42 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2012-09-22 09:28:53 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
2012-09-22 09:27:31 642944 ----a-w- C:\Windows\System32\winload.efi
2012-09-22 09:26:25 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-09-22 09:26:24 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-09-22 09:26:24 136704 ----a-w- C:\Windows\System32\browser.dll
2012-09-22 09:24:16 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2012-09-22 09:24:16 207872 ----a-w- C:\Windows\System32\cfgmgr32.dll
2012-09-22 09:24:16 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2012-09-22 09:24:15 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2012-09-22 09:24:15 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
2012-09-22 09:24:14 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2012-09-22 09:22:28 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-09-22 09:22:28 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-22 09:21:21 2164224 ----a-w- C:\Program Files\Windows Journal\Journal.exe
2012-09-22 09:21:20 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-09-22 09:21:19 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-09-22 09:21:17 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-09-22 09:21:16 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-09-22 09:21:15 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-09-22 08:42:03 77312 ----a-w- C:\Windows\System32\packager.dll
2012-09-22 08:42:00 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-09-22 04:47:46 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes
2012-09-22 04:47:20 -------- d-----w- C:\ProgramData\Malwarebytes
2012-09-21 17:12:52 -------- d-----w- C:\Users\Owner\AppData\Local\CRE
2012-09-21 17:12:41 -------- d-----w- C:\Program Files (x86)\Conduit
2012-09-21 17:12:38 -------- d-----w- C:\Users\Owner\AppData\Local\Conduit
2012-09-21 17:06:08 -------- d-----w- C:\Users\Owner\AppData\Local\Google
2012-09-21 17:05:56 142128 ----a-w- C:\Windows\System32\drivers\aswFW.sys
2012-09-21 17:05:48 -------- d-----w- C:\Users\Owner\AppData\Local\Deployment
2012-09-21 17:05:48 -------- d-----w- C:\Users\Owner\AppData\Local\Apps
2012-09-21 17:05:35 266776 ----a-w- C:\Windows\System32\drivers\aswNdis2.sys
2012-09-21 17:05:31 12368 ----a-w- C:\Windows\System32\drivers\aswNdis.sys
2012-09-21 17:02:14 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-09-21 17:02:12 19600 ----a-w- C:\Windows\System32\drivers\aswKbd.sys
2012-09-21 17:02:09 969200 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-09-21 17:02:00 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-09-21 17:01:11 41224 ----a-w- C:\Windows\avastSS.scr
2012-09-21 17:00:49 -------- d-----w- C:\ProgramData\AVAST Software
2012-09-21 17:00:49 -------- d-----w- C:\Program Files\AVAST Software
2012-09-21 16:54:01 -------- d-----w- C:\Program Files\PeerBlock
2012-09-21 16:41:12 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-09-21 16:41:12 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-09-21 16:41:11 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-09-21 16:40:48 -------- d-----w- C:\Program Files (x86)\Common Files\AnswerWorks 5.0
2012-09-21 16:40:34 4200024 ----a-w- C:\Windows\SysWow64\cdintf400.dll
2012-09-21 16:38:09 -------- d-----w- C:\Program Files (x86)\Common Files\Intuit
2012-09-21 16:38:06 -------- d-----w- C:\Users\Owner\AppData\Roaming\Intuit
2012-09-21 16:38:06 -------- d-----w- C:\Program Files (x86)\Quicken
2012-09-21 16:37:39 -------- d-----w- C:\ProgramData\Intuit
2012-09-21 16:34:49 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-09-21 16:34:25 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-09-21 16:33:37 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-09-21 16:33:37 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-09-19 06:33:57 -------- d-----w- C:\Windows\Panther
2012-09-19 05:43:22 0 ----a-w- C:\Windows\ativpsrm.bin
2012-09-19 05:22:53 -------- d-----w- C:\Windows\PCHEALTH
2012-09-19 05:20:45 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
2012-09-19 05:20:06 -------- d-----w- C:\Users\Owner\AppData\Local\Microsoft Help
2012-09-19 05:11:49 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search
2012-09-19 05:09:52 -------- d-----w- C:\Program Files (x86)\AVG
2012-09-19 05:04:14 -------- d-sh--w- C:\Windows\Installer
2012-09-19 05:04:06 -------- d--h--w- C:\ProgramData\Common Files
2012-09-19 05:03:53 -------- d-----w- C:\ProgramData\MFAData
2012-09-19 05:03:37 165376 ----a-w- C:\Windows\SysWow64\unrar.dll
2012-09-19 05:03:36 839680 ----a-w- C:\Windows\SysWow64\lameACM.acm
2012-09-19 05:03:36 810496 ----a-w- C:\Windows\SysWow64\xvidcore.dll
2012-09-19 05:03:36 80896 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2012-09-19 05:03:36 237568 ----a-w- C:\Windows\SysWow64\yv12vfw.dll
2012-09-19 05:03:36 183808 ----a-w- C:\Windows\SysWow64\xvidvfw.dll
2012-09-19 05:03:36 151552 ----a-w- C:\Windows\SysWow64\ac3acm.acm
2012-09-19 05:03:33 -------- d-----w- C:\Program Files (x86)\K-Lite Codec Pack
2012-09-19 04:57:17 -------- d-----w- C:\Users\Owner\AppData\Local\VirtualStore
2012-09-19 04:42:58 -------- d-sh--w- C:\Recovery
2012-09-08 18:46:09 -------- d-----w- C:\OutputFolder
.
==================== Find3M ====================
.
2012-09-27 15:08:52 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-09-27 15:08:52 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-08-02 17:58:52 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-08-02 16:57:20 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 11:45:58.09 ===============
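An added triage reader for the DDS log format above; it is not the DDS tool's code and was not part of the post. It splits the log into its "=== Section ===" blocks and pulls out what a removal helper reads first (browser start page, entries marked "No File", Run-key autoruns with the 32-bit and x64 views collapsed, and processes running from a user profile). SAMPLE_LOG is a constructed excerpt of the log in the post.

```python
"""Triage reader for a DDS (Ver_2011-08-26.01) log.

Added example: not the DDS tool's code and not part of the original post.
SAMPLE_LOG is a constructed excerpt of the log posted in the thread.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3225826
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
uRun: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
mRun-x64: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
.
============= SERVICES / DRIVERS ===============
"""

# "============== Running Processes ===============" -> "Running Processes"
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# uRun / mRun / mRun-x64: [Name] command line
RUN_RE = re.compile(r"^(?P<scope>[um]Run(?:-x64)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Anything launched from a per-user profile directory
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)


def split_sections(log_text):
    """Map each DDS section header to its non-empty lines; DDS uses a lone "." as a spacer."""
    sections = OrderedDict()
    current = "Header"
    sections[current] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
            continue
        if line and line != ".":
            sections[current].append(line)
    return sections


def executable_path(command):
    """Return the program path from an autorun command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(log_text):
    """Collect the entries a removal helper checks first from a DDS log."""
    sections = split_sections(log_text)
    procs = sections.get("Running Processes", [])
    hjt = sections.get("Pseudo HJT Report", [])

    # DDS writes start pages with http defanged as hxxp so the log has no live links
    start_pages = [l.split("=", 1)[1].strip() for l in hjt if re.match(r"^[um]Start Page =", l)]
    # Registered browser hooks/helpers whose backing file no longer exists
    missing = [l for l in hjt if l.endswith("- No File")]

    autoruns, seen = [], set()
    for line in hjt:
        match = RUN_RE.match(line)
        if not match:
            continue
        scope = match.group("scope").replace("-x64", "")  # collapse the x64 duplicate view
        name = match.group("name")
        if (scope, name) in seen:
            continue
        seen.add((scope, name))
        autoruns.append((scope, name, executable_path(match.group("cmd"))))

    user_profile = [p for p in procs if USER_PROFILE_RE.match(p)]
    return {
        "start_pages": start_pages,
        "missing_files": missing,
        "autoruns": autoruns,
        "user_profile_processes": user_profile,
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(key)
        for value in values:
            print("   ", value)
```

The same functions run unchanged on the full log pasted above; the flagged entries are starting points for a helper to review, not verdicts.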



#2 dev00790


    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:05:13 PM

Posted 07 October 2012 - 07:55 AM

Hi plurality

My forum name is Dev00790 and I'll be helping you clean up your computer.

I will reply as soon as possible (typically within 24 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, I just ask for notice ahead of time.
Please be patient while I assist you.

Some points for you to keep in mind while I am helping you to make things go easier and faster for both of us:

  • Please do NOT run, install or uninstall any programs, unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 plurality

  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 08 October 2012 - 10:42 PM

Hi Dev00790,

Thanks for the help. I don't plan on being out of contact any time soon so I should be able to respond quickly. I appreciate the help as I'm about at my wit's end with this.

#4 dev00790


    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:05:13 PM

Posted 10 October 2012 - 01:53 PM

Hi

:step1:

We need to run Windows Memory Diagnostic

  • Click the Start button.
  • Type Memory in the Start Search box, and then click on Windows Memory Diagnostic.
  • A dialog box named "Windows Memory Diagnostic" should then appear.
  • Click the Restart Now and Check for Problems option.
    - When you do, the dialog box will close and your system will automatically restart.
  • Once the Windows Memory Diagnostic Tool screen appears, the tests will commence.
  • As they run, the Status area will let you know if problems are found. The Windows Memory Diagnostic Tool can identify and avoid using the problem section of the chip. By identifying those sections, the tool will allow Windows 7 to start up normally without crashing.
  • Once Windows restarts and you log on, the test results report will be available from the notification area (on the taskbar).

Obtaining information following the test

  • Click the Start button.
  • Type Event Viewer in the Start Search box, and then click on Event Viewer > Windows Memory Diagnostic.
  • In the left hand pane, under Windows logs > click System Event. Then in the main pane under Source, find MemoryDiagnostics-Results.
  • Please let us know the value of Event ID for the latest entry for MemoryDiagnostics-Results.


:step2:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click the button.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


:step3:

How is the computer running now?

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"

I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog

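The two Event Viewer look-ups this thread relies on (the MemoryDiagnostics-Results entries after a memory test, and the Microsoft-Windows-HAL event 12 quoted later in the thread) can be pulled from the System log in one go. This is an added example, not part of dev00790's instructions; the provider names are assumed to be the full forms of the Source values shown in Event Viewer.

```powershell
# Added example, not from the thread. Reads the System log for the two entries
# the thread asks about, so the reader does not have to click through Event Viewer.
# Assumption: the full provider names below correspond to the Sources
# "MemoryDiagnostics-Results" and "Microsoft-Windows-HAL" seen in Event Viewer.

function Get-MemoryDiagnosticsResults {
    # Results written by the Windows Memory Diagnostic after the reboot.
    # Report the Event ID of the newest entries, which is what the helper asked for.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results'
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-HalMemoryCorruptionEvents {
    # Event ID 12 from the HAL provider is the "platform firmware has corrupted
    # memory across the previous system power transition" error quoted in the thread.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-HAL'
        Id           = 12
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Run from an elevated PowerShell prompt so the System log is readable in full.
$mem = Get-MemoryDiagnosticsResults
if (-not $mem) {
    'No MemoryDiagnostics-Results entries found: run mdsched.exe, reboot, and try again.'
} else {
    'Windows Memory Diagnostic results (newest first):'
    $mem | Format-List
}

$hal = Get-HalMemoryCorruptionEvents
if (-not $hal) {
    'No Microsoft-Windows-HAL event 12 entries found.'
} else {
    'Firmware memory corruption warnings (HAL event 12); treat as a hardware/firmware lead:'
    $hal | Format-Table -AutoSize -Wrap
}
```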

#5 plurality

plurality
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 12 October 2012 - 10:04 AM

1. I ran the Memory Diagnostic and it said there were no memory problems. The Event IDs for the MemoryDiagnostics-Results from the Event log were 1201 and 1101.

2. I ran ESET. Here is the log from that scan. It did say it found 1 infected file.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-10-11 05:04:43
# local_time=2012-10-11 12:04:43 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776573 100 94 0 101514624 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=127687
# found=1
# cleaned=0
# scan_time=3909
C:\$Recycle.Bin\S-1-5-21-352094372-2663417633-845099840-1000\$RXROQZJ.exe a variant of Win32/OpenInstall application (unable to clean) 00000000000000000000000000000000 I

3. So far the computer seems to be running better. Before, there were lots of instances where I could hear the CPU fan blowing hard like the computer was doing some intense work, yet I was not running any programs that would need that many resources. Also I have not had any freezes. Of course, the freezes were always intermittent; there was not anything specific that would trigger them. Online videos and my son playing Minecraft tended to make it freeze, but not always. If any freezes happen before you reply I will edit my post and include the situation.

Thanks!

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,440 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:13 PM

Posted 14 October 2012 - 01:54 AM

Because dev00790 will be away until tomorrow evening, I'll work with you until he gets back, I hope that's okay with you. :)

Your problem sounds like a hardware issue. Since you mention a freeze on Minecraft I wonder whether the video card or drivers are bad. What also can't hurt is cleaning the inside of your PC, as dust accumulations can also cause performance problems.

There is no malware present on your computer, although it couldn't hurt to do a reformat/reinstall to get rid of your old windows installation to recover some extra space. Most likely you didn't opt to delete all partitions present on your computer before you did the reinstall (this is an option you have during windows setup).

Finally, if this is indeed a hardware/video problem, and installing new drivers doesn't fix the problem, then there is little you can do about it, except for replacing the card unfortunately.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 plurality

plurality
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 14 October 2012 - 11:01 AM

Thanks Elise, I'm not too picky about the help I get as long as I get help.

The hardware issue is definitely something I considered, which is why I cleared all of the dust from the inside and updated video drivers before I had started this process. I also cleared out the previous Windows installation after recovering my pictures and docs. Minecraft wouldn't actually run until I had the most up to date drivers, yet the problem with the system freezing occurred before he started playing it. I mentioned Minecraft because that had seemed to be the most reliable way of making the system freeze. However, at other times it would freeze up during low intensity things like reading web forums in the past.

The main reason I've been thinking it's malware or a virus is that from time to time I get positive scan results on my anti-virus that the logs say they were unable to clean and then I scan again and they're gone. Still, I came here because I could tell there was a lot of expertise on this forum and was sure if anyone would be able to help, it would be you guys.

I'll go ahead and check virus/malware off of the list and see what other options are out there if it keeps happening.

Thanks!

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,440 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:13 PM

Posted 14 October 2012 - 11:18 AM

10/5/2012 10:52:37 AM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.

The best indicator of a hardware problem is this error. Please see this article for more information.

As we are mostly malware experts in this forum the best thing would be to post a topic in the Internal Hardware forum to receive more assistance to troubleshoot this issue. If you do so, please be sure to include a link to this topic to make sure people reading the topic are aware that you received assistance here already.

Please read the following advice on how to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise




#9 plurality

plurality
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 14 October 2012 - 11:36 PM

Thanks for pointing this out to me Elise. I will follow up on this. Thanks again for the help. I'm glad that I know now that it is not a malware issue.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,440 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:13 PM

Posted 15 October 2012 - 01:53 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise

