Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I think I have some sort of malware..


  • This topic is locked This topic is locked
2 replies to this topic

#1 LOSTTARDIS

LOSTTARDIS

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 25 September 2013 - 09:58 PM

I think I have some sort of malware because my internet speeds have fallen drastically in the past week and i've changed out my network card and tried a couple different usb adapters to wifi and all of the other pc's in my house work fine..

 

Here's the log from DDS

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16470  BrowserJavaVersion: 10.25.2
Run by Carson at 22:50:48 on 2013-09-25
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4095.2222 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Logitech\SolarApp\L4301_Solar.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\INTELLINET\Common\RaRegistry.exe
C:\Program Files (x86)\INTELLINET\Common\RaRegistry64.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\rundll32.exe
C:\Windows\vVX3000.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files (x86)\INTELLINET\Common\INTELLINET_UI.exe
C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe
C:\Users\Carson\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Users\Carson\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Carson\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Carson\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Carson\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Carson\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Carson\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Carson\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Carson\Desktop\HijackThis.exe
C:\Windows\notepad.exe
C:\Windows\system32\taskeng.exe
C:\Users\Carson\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Carson\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={0E475240-E85A-11E2-A89C-4487FC4F3C74}
uURLSearchHooks: {da51d4f6-3e7e-4ef8-b400-9198e0874606} - <orphaned>
mURLSearchHooks: {da51d4f6-3e7e-4ef8-b400-9198e0874606} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: LyricsSing: {F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A} - 
uRun: [Google Update] "C:\Users\Carson\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
StartupFolder: C:\Users\Carson\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Carson\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Carson\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Steam.lnk - C:\Program Files (x86)\Steam\Steam.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INTELL~1.LNK - C:\Program Files (x86)\INTELLINET\Common\INTELLINET_UI.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{11FB9330-5FDE-46CD-83A1-FE61E3265EE4} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{3CAA6F94-3408-434F-BD3C-6B9A463E5CFF} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{3CAA6F94-3408-434F-BD3C-6B9A463E5CFF}\241636B65766 : DHCPNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
TCP: Interfaces\{3CAA6F94-3408-434F-BD3C-6B9A463E5CFF}\C696E6B6379737 : DHCPNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
TCP: Interfaces\{5C12B775-A845-49A4-AB53-84101F9364A5} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{DEC2F08F-A2DD-40D0-8CB4-B844E70EECBB} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{FF8A0003-E4DB-4610-AE9E-65A19177E823} : DHCPNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-Run: [VX3000] C:\Windows\vVX3000.exe
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-9-18 8704]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-3-27 28600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-12-19 240640]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-3-27 100712]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2013-6-28 2470736]
R2 L4301_Solar;Logitech Solar Keyboard Service;C:\Program Files\Logitech\SolarApp\L4301_Solar.exe [2010-10-26 403536]
R2 RalinkRegistryWriter;Ralink Registry Writer;C:\Program Files (x86)\INTELLINET\Common\RaRegistry.exe [2013-9-12 185632]
R2 RalinkRegistryWriter64;Ralink Registry Writer 64;C:\Program Files (x86)\INTELLINET\Common\RaRegistry64.exe [2013-9-12 212256]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-8-14 3291008]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2012-12-30 4150112]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-6 96256]
R3 netr28x;INTELLINET 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2013-9-12 737792]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S2 AntiVirSchedulerService;Avira Scheduler;"C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" --> C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [?]
S2 AntiVirService;Avira Real-Time Protection;"C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" --> C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-6-21 162408]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-6-18 1255736]
S3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [2012-6-18 14544]
.
=============== Created Last 30 ================
.
2013-09-24 09:34:26 9694160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DF11A0BD-4045-4B91-8875-91EC86DF5902}\mpengine.dll
2013-09-13 02:53:36 -------- d-----w- C:\ProgramData\Ralink
2013-09-13 02:52:15 737792 ----a-w- C:\Windows\System32\drivers\netr28x.sys
2013-09-13 02:52:15 305152 ----a-w- C:\Windows\System32\RaCoInstx.dll
2013-09-13 02:52:15 -------- d-----w- C:\ProgramData\INTELLINET Driver
2013-09-13 02:52:00 -------- d-----w- C:\Program Files (x86)\Cisco
2013-09-13 02:51:49 1055232 ----a-w- C:\Windows\System32\RAIHV.dll
2013-09-13 02:51:48 2056192 ----a-w- C:\Windows\System32\RaCertMgr.dll
2013-09-13 02:51:48 1585152 ----a-w- C:\Windows\SysWow64\RaCertMgr.dll
2013-09-13 02:51:48 1055232 ----a-w- C:\Windows\SysWow64\RAIHV.dll
2013-09-13 02:51:48 104448 ----a-w- C:\Windows\SysWow64\RAEXTUI.dll
2013-09-13 02:51:48 104448 ----a-w- C:\Windows\System32\RAEXTUI.dll
2013-09-13 02:51:47 -------- d-----w- C:\Program Files (x86)\INTELLINET
2013-09-11 01:00:06 95544 ----a-w- C:\Windows\System32\bcmwlcoi.dll
2013-09-11 01:00:05 3900928 ----a-w- C:\Windows\System32\bcmihvsrv64.dll
2013-09-11 01:00:05 3566592 ----a-w- C:\Windows\System32\bcmihvui64.dll
2013-09-11 01:00:05 1721576 ----a-w- C:\Windows\System32\WdfCoInstaller01009.dll
2013-09-11 01:00:02 25056 ----a-w- C:\Windows\System32\drivers\SCMNdisP.sys
2013-09-04 03:05:34 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi
2013-09-03 13:53:52 187248 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
2013-09-02 02:55:34 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
.
==================== Find3M  ====================
.
2013-09-20 00:26:14 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-20 00:26:14 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-08-07 08:22:02 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-07-09 05:42:06 33958 ----a-w- C:\ProgramData\uninstaller.exe
.
============= FINISH: 22:51:15.09 ===============
 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:00 PM

Posted 26 September 2013 - 04:32 PM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:00 PM

Posted 30 September 2013 - 07:51 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users