
30+ Dllhost.exe (as I end them, They Reproduce)


  • This topic is locked
10 replies to this topic

#1 jasonmbrown


Posted 04 April 2014 - 08:48 PM

I'm hoping I'm posting correctly. Usually I don't have virus issues; rarely do I get something like this!

Every few seconds Malwarebytes Anti-Malware is blocking connections to the same couple of IP addresses (I haven't written them down fast enough). My programs are crashing like nuts with "Unable to access memory", and then giving me the addresses they can't access (this is games, Chrome, music/video players).

I also have 5-50 dllhost.exe files in my Task Manager. If I end them, they restart once I get down to a few of them. I am able to suspend and end them with Process Explorer; however, one of them always has restricted access when I attempt to end it, and if I un-suspend it or wait long enough they all pop back up. I did try fixing the issue myself, but I'm not really sure how to read these logs =). I ran all the log programs already, although I couldn't see anything that gave me any suspicions to look more into it.

I forgot to mention, a lot of sites tell me the security certificate is invalid. *League of Legends especially spams me with warnings*

*Found this site from this person who seemed to be having a similar issue: http://www.bleepingcomputer.com/forums/t/514186/30-dllhostexe32-com-surrogate-processes-are-running/*

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer:   BrowserJavaVersion: 10.21.2
Run by HaXoR_DB at 18:42:21 on 2014-04-04
Microsoft Windows 7 Ultimate   6.1.7600.0.932.81.1033.18.12286.7834 [GMT -7:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Logitech\G35\G35.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\IObit\Game Booster 3\gbtray.exe
C:\Users\HaXoR_DB\AppData\Roaming\uTorrent\uTorrent.exe
Z:\Steam\Steam.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\HaXoR_DB\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Users\HaXoR_DB\Downloads\OTL.exe
C:\Windows\notepad.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = about:blank
uProxyServer = localhost:21320
uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe,
BHO: AutorunsDisabled - <orphaned>
uRun: [Google Update] "C:\Users\HaXoR_DB\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [Reasonable NoClone] <no file>
mRun: [Logitech G35] C:\Program Files (x86)\Logitech\G35\G35.exe
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
mRun: [CTxfiHlp] CTXFIHLP.EXE
dRunOnce: [AOD] H:\Catalyst\ATI.ACE\Fuel\Fuel.Service.exe AutoTune
uPolicies-Explorer: NoRecentDocsNetHood = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoRecentDocsNetHood = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableSecureUIAPaths = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: FilterAdministratorToken = dword:1
LSP: %SystemRoot%\system32\PrxerDrv.dll
LSP: G:\VMware\vsocklib.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
TCP: NameServer = 64.59.160.13 64.59.161.68
TCP: Interfaces\{04159895-BD3B-41D6-8B1B-F79B748A0B60} : NameServer = 94.242.222.66,8.8.8.8,8.8.8.8,8.8.4.4
TCP: Interfaces\{136BB807-061E-4297-AD1A-3FEDEE5A1C8E} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{136BB807-061E-4297-AD1A-3FEDEE5A1C8E} : DHCPNameServer = 64.59.160.13 64.59.161.68
TCP: Interfaces\{4EBB11B7-FE58-4190-AE7A-70DBDA015C60} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{730F9EF4-2C36-49DF-BE01-38EBAAFBB231} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{9E4DCE88-4DAF-42BD-8C4D-C8AE6FC04790} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{BC72EDA5-069A-4238-847C-8815C9A5D1CA} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{C20812BD-5EE7-42D0-9852-FC0AFA869F53} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{C20812BD-5EE7-42D0-9852-FC0AFA869F53} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{C9F5EB17-8425-412A-B2BA-4A94D11CAB2E} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{E242624B-F2BE-47C1-AC9C-CF23958EDA69} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{E91A7F41-45F5-468B-B008-C7B0FDAB5DAA} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{E91A7F41-45F5-468B-B008-C7B0FDAB5DAA} : DHCPNameServer = 64.59.160.13 64.59.161.68
TCP: Interfaces\{E91A7F41-45F5-468B-B008-C7B0FDAB5DAA}\4554C4553523236343 : DHCPNameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{E94EBE9A-1847-4D62-BF73-599B292B5824} : NameServer = 94.242.222.66,8.8.8.8
TCP: Interfaces\{FD603664-9EE2-4756-AD4E-6B6A0E986BD3} : NameServer = 94.242.222.66,8.8.8.8
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = about:blank
x64-BHO: AutorunsDisabled - <orphaned>
x64-Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-STS: CThemeResourceChangerObject Class - {F791A188-699D-4FD4-955A-EB59E89B1907} - \Program Files\Theme Resource Changer\ThemeResourceChanger.dll
Hosts: 79.142.66.242 www.google-analytics.com.
Hosts: 79.142.66.242 google-analytics.com.
Hosts: 79.142.66.242 connect.facebook.net.
Hosts: 79.142.66.242 bing.com.
Hosts: 79.142.66.242 www.bing.com.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-2-9 283200]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-12-6 239616]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-12-6 344064]
R2 AODDriver4.2.0;AODDriver4.2.0;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2013-9-20 59648]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-1-7 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-1-7 701512]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-2-14 96768]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2012-12-18 232880]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2012-12-18 1448368]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2012-12-18 97712]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);C:\Windows\System32\drivers\vrtaucbl.sys [2014-2-6 90624]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\System32\drivers\ha20x22k.sys [2012-12-18 1617328]
R3 LADF_DHP2;G35 DHP2 Filter Driver;C:\Windows\System32\drivers\ladfDHP2amd64.sys [2009-5-28 61712]
R3 LADF_SBVM;G35 SBVM Filter Driver;C:\Windows\System32\drivers\ladfSBVMamd64.sys [2009-5-28 376848]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-1-7 25928]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-3-22 121416]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2014-1-17 202600]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
R3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [2013-2-10 14544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;Z:\Installed Programs\Spybot\SDFSSvc.exe [2013-12-20 3921880]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;Z:\Installed Programs\Spybot\SDUpdSvc.exe [2013-12-20 1042272]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;Z:\Installed Programs\Spybot\SDWSCSvc.exe [2013-12-20 171416]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2014-2-6 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2014-2-6 79360]
S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2012-12-18 232880]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2012-12-18 1448368]
S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2012-12-18 97712]
S3 EvolveVirtualAdapter;Evolve Virtual Miniport Driver;C:\Windows\System32\drivers\evolve.sys [2013-10-30 21656]
S3 EvoSvc;Evolve Service;C:\Program Files\Echobit\Evolve\EvoSvc.exe [2013-10-30 1579424]
S3 MacroExpertDirectIo;MacroExpertDirectIo;Z:\Installed Programs\Macro Expert\MacroExpertIo.sys [2008-7-4 5120]
S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2014-1-7 91352]
S3 P0620VID;Creative WebCam Instant;C:\Windows\System32\drivers\P0620Vid.sys [2013-3-14 126848]
S3 pneteth;PdaNet Broadband;C:\Windows\System32\drivers\pneteth.sys [2013-4-22 15360]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\System32\drivers\RTL8192su.sys [2010-11-25 694888]
S4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;Z:\Installed Programs\Hamachi\hamachi-2.exe [2013-10-1 2746704]
S4 HiPatchService;Hi-Rez Studios Authenticate and Update Service;H:\Smite\HiPatchService.exe [2013-5-17 9216]
S4 Macro Expert;Macro Expert;Z:\Installed Programs\Macro Expert\MacroService.exe [2011-11-10 374272]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 npggsvc;nProtect GameGuard Service;C:\Windows\System32\GameMon.des -service --> C:\Windows\System32\GameMon.des -service [?]
S4 Realtek11nSU;Realtek11nSU;C:\Program Files (x86)\RNX-N150UBE\11n USB Wireless LAN Utility\RtlService.exe [2013-2-9 40960]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\System32\drivers\RsFx0103.sys [2009-3-30 311656]
S4 RtlService;RtlService;C:\Program Files (x86)\RNX-N150UBE\11n USB Wireless LAN Utility\RtlService.exe [2013-2-9 40960]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
S4 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S4 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
S4 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-2-9 1255736]
.
=============== File Associations ===============
.
FileExt: .txt: textfile="C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE" "%1" [UserChoice]
FileExt: .js: jsfile="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\Dreamweaver.exe","%1"
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2014-04-05 01:07:06 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\CrashDumps
2014-04-02 01:41:10 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\SpinTires
2014-04-01 16:36:49 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\Driftmoon
2014-04-01 15:51:32 -------- d-----w- C:\Program Files\Sandboxie
2014-03-29 03:04:23 -------- d-----w- C:\Program Files (x86)\GUM5D51.tmp
2014-03-27 10:38:56 -------- d-----w- C:\Program Files (x86)\GUMCD83.tmp
2014-03-26 16:07:38 -------- d-----w- C:\Program Files (x86)\PFPortChecker
2014-03-25 08:22:53 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\Image-Line
2014-03-25 07:20:27 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\Flash
2014-03-24 11:49:50 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\RenPy
2014-03-23 17:04:37 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\Reasonable_Software_House
2014-03-23 17:04:16 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\Reasonable Software House Ltd
2014-03-23 17:01:49 -------- d-----w- C:\Program Files (x86)\Reasonable NoClone 2013
2014-03-23 05:28:56 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\FairyBloomRe
2014-03-21 02:09:08 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\ArcaneWorlds
2014-03-20 06:18:49 -------- d-----w- C:\Program Files (x86)\VisiPics
2014-03-20 05:12:48 -------- d-----w- C:\Users\HaXoR_DB\Grabber
2014-03-20 05:12:46 -------- d-----w- C:\Program Files (x86)\Grabber
2014-03-18 23:13:08 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\.distlib
2014-03-18 23:12:33 -------- d-----w- C:\Python34
2014-03-18 22:42:15 -------- d-----w- C:\Program Files (x86)\Desura
2014-03-18 09:14:12 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\Hero_Siege
2014-03-18 07:59:28 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\CastleMinerZ
2014-03-18 07:59:11 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\DigitalDNA Games
2014-03-17 22:25:37 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\BridgeProject
2014-03-17 21:18:36 -------- d-----w- C:\ProgramData\ManiaPlanet
2014-03-17 02:25:26 4044800 ----a-w- C:\Windows\System32\python34.dll
2014-03-17 02:23:12 102400 ----a-w- C:\Windows\py.exe
2014-03-17 02:23:02 102912 ----a-w- C:\Windows\pyw.exe
2014-03-12 02:42:16 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\MMFApplications
2014-03-11 02:19:38 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\Home_GMS_v14x
2014-03-10 16:31:34 -------- d-----w- C:\Program Files\StudioCompiler
2014-03-08 02:47:09 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\Lonely Troops
2014-03-06 23:12:14 -------- d-----w- C:\Users\HaXoR_DB\AppData\Roaming\PopCapv100131
2014-03-06 23:10:48 -------- d-----w- C:\Program Files (x86)\Origin Games
2014-03-06 22:54:03 -------- d-----w- C:\Users\HaXoR_DB\AppData\Local\Origin
2014-03-06 22:22:23 -------- d-----w- C:\Program Files (x86)\Origin
.
==================== Find3M  ====================
.
2014-02-13 13:36:57 111016 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2014-02-09 22:59:10 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2014-02-09 22:59:10 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2014-02-09 22:59:10 123480 ----a-w- C:\Windows\System32\OpenAL32.dll
2014-02-09 22:59:10 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2014-02-06 15:56:24 90624 ----a-w- C:\Windows\System32\drivers\vrtaucbl.sys
2014-02-06 12:43:46 16896 ----a-w- C:\Windows\AsTaskSched.dll
2014-02-03 09:34:49 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-01-09 12:48:29 362029 ----a-w- C:\Windows\SysWow64\sqlite3.dll
.
============= FINISH: 18:42:40.27 ===============

Edited by jasonmbrown, 04 April 2014 - 09:02 PM.
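As an added example (not code from the original post or from BleepingComputer), here is a small Python triage script for a DDS "Pseudo HJT Report" like the one above. It flags what a malware-response handler would circle first in this log: the proxy pointing at localhost, the hosts-file redirections, UAC switched off, per-interface DNS servers that share nothing with what DHCP handed out, and the dllhost.exe pile-up. The sample lines are copied from the log above; the UAC policy list and the dllhost threshold are my assumptions.

```python
"""Triage helper for a DDS 'Pseudo HJT Report' (added example, not forum code).

It flags what a malware-response handler would circle first in a log like
the one above: a proxy pointing at localhost, hosts-file redirections,
UAC switched off, per-interface DNS servers that differ from what DHCP
handed out, and a pile-up of dllhost.exe (COM Surrogate) processes.
"""
import re

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_DDS = "\n".join([
    r"C:\Windows\system32\svchost.exe -k netsvcs",
    r"C:\Windows\syswow64\dllhost.exe",
    r"C:\Windows\syswow64\dllhost.exe",
    r"C:\Windows\syswow64\dllhost.exe",
    r"C:\Windows\syswow64\dllhost.exe",
    r"uProxyServer = localhost:21320",
    r"mPolicies-System: ConsentPromptBehaviorAdmin = dword:0",
    r"mPolicies-System: EnableLUA = dword:0",
    r"TCP: NameServer = 64.59.160.13 64.59.161.68",
    r"TCP: Interfaces\{136BB807-061E-4297-AD1A-3FEDEE5A1C8E} : NameServer = 94.242.222.66,8.8.8.8",
    r"TCP: Interfaces\{136BB807-061E-4297-AD1A-3FEDEE5A1C8E} : DHCPNameServer = 64.59.160.13 64.59.161.68",
    r"Hosts: 79.142.66.242 www.google-analytics.com.",
    r"Hosts: 79.142.66.242 bing.com.",
])

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
PROXY_RE = re.compile(r"^uProxyServer\s*=\s*(\S+)$")
POLICY_RE = re.compile(r"^mPolicies-System:\s+(\w+)\s*=\s*dword:(\d+)$")
IFACE_RE = re.compile(
    r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\})(?:\\\S+)?\s*:\s*(NameServer|DHCPNameServer)\s*=\s*(.+)$"
)
DLLHOST_RE = re.compile(r"\\dllhost\.exe$", re.IGNORECASE)

LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed: UAC-related policies whose value 0 means "off" or "never prompt".
UAC_POLICIES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
DLLHOST_THRESHOLD = 3  # assumed; an idle desktop normally shows zero or one


def triage(report, dllhost_threshold=DLLHOST_THRESHOLD):
    """Return a list of (kind, detail) findings for a DDS report string."""
    findings = []
    dllhost = 0
    iface_dns = {}  # interface GUID -> {"NameServer": set, "DHCPNameServer": set}
    for raw in report.splitlines():
        line = raw.strip()
        if DLLHOST_RE.search(line):
            dllhost += 1
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOCAL_IPS:  # a non-loopback target means traffic is redirected
                findings.append(("hosts_redirect", f"{host.rstrip('.')} -> {ip}"))
            continue
        m = PROXY_RE.match(line)
        if m:
            findings.append(("proxy_set", m.group(1)))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in UAC_POLICIES and m.group(2) == "0":
            findings.append(("uac_weakened", m.group(1)))
            continue
        m = IFACE_RE.match(line)
        if m:
            guid, kind, servers = m.groups()
            iface_dns.setdefault(guid, {}).setdefault(kind, set()).update(
                s for s in re.split(r"[ ,]+", servers.strip()) if s
            )
    # Static DNS servers sharing nothing with the DHCP-assigned ones were set by hand or by malware.
    for guid, kinds in iface_dns.items():
        static, dhcp = kinds.get("NameServer", set()), kinds.get("DHCPNameServer", set())
        if static and dhcp and not static & dhcp:
            findings.append(("dns_override", f"{guid}: {sorted(static)} (DHCP gave {sorted(dhcp)})"))
    if dllhost >= dllhost_threshold:
        findings.append(("dllhost_pileup", f"{dllhost} dllhost.exe processes"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"{kind:16} {detail}")
```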



#2 aharonov

Malware Response Team

Posted 05 April 2014 - 07:05 AM

Hi there,

please run the following scans:


Step 1

Please download TDSSKiller and save it to your Desktop.
  • Start tdsskiller.exe with administrator privileges.
  • Accept the EULA and the KSN Statement.
  • Click on Change parameters.
  • Make sure that all available options (except "Loaded modules") are checked and click OK.
  • Click on Start scan.
  • If any threats are found don't delete them but choose the Skip option for all of them.
  • Click on Report to open the log file. (It is also saved at C:\TDSSKiller.<version_date_time>_log.txt).
    Copy and paste its contents in your next reply.


Step 2

Please download Farbar Recovery Scan Tool and save it to your Desktop.
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.


#3 jasonmbrown


Posted 05 April 2014 - 10:40 AM

I'm having trouble posting for some reason; I keep getting permission errors. As such I have posted them all to Pastebin with an expiry time of 1 month.
http://pastebin.com/8rynaYet [Kaspersky TDSSKiller Report]

http://pastebin.com/H1TZYdju [FRST.txt]

http://pastebin.com/HKHq3sax [Addition.txt]

I hope this isn't an issue, as I was unable to post them to the forums *I tried many different things but I kept getting permission errors*.


Edited by jasonmbrown, 05 April 2014 - 10:41 AM.


#4 aharonov

Malware Response Team

Posted 05 April 2014 - 11:39 AM

I don't know what the problem with the permission errors might be. But Pastebin is fine for me too.


Step 1

Please download the attached fixlist.txt (3.54KB) and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button. Allow a reboot if requested.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 2

I don't see a running anti-virus program on your computer. I highly recommend that you download and install one anti-virus software (e.g. avast or MSE).
Then run a full scan with this newly installed antivirus program and post the log.



Step 3

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.


#5 jasonmbrown


Posted 05 April 2014 - 12:01 PM

I'm running *paid* Malwarebytes, since I'm sort of against AVs *they tend to cripple everything's load times and run speeds, and make it VERY annoying to host anything*. Usually I flash/quick scan daily and do a full scan once every 1-2 weeks with Malwarebytes and Spybot Search & Destroy. If you know of a lightweight antivirus, let me know? For a while I used Bitdefender, and it worked moderately well. Usually I notice within a few minutes if something's on my PC that's not supposed to be there, and I get rid of it by hand, at least for the simpler stuff, after which I scan with Malwarebytes and Spybot Search & Destroy. Usually they do a good job of getting anything that I missed. *I might use Bitdefender again*

Anyway, here are the logs.

PS: It didn't ask me if I wanted to restart; it just restarted... not that it's an issue, it just surprised me a little bit. *Full scans take upwards of 9 hours on my PC so I usually run them while I'm asleep, and it rarely picks up anything aside from my bitcoin wallets and WinJect*

If you still want me to do a full scan I can, but I'd prefer to do it with a lightweight antivirus, so I would probably download and install Bitdefender if that works? Let me know please.

Edited by jasonmbrown, 05 April 2014 - 12:16 PM.


#6 aharonov

Malware Response Team

Posted 05 April 2014 - 01:28 PM

Let's do a scan with ESET Online Scanner then:


Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

#7 jasonmbrown


Posted 05 April 2014 - 03:25 PM

Just thought I would let you know I've been running it since about 10 minutes after you messaged me, and it's at 9% and has found 25 potential threats. It's going to be a day or so before I can post the next log (about 4.5% an hour).


Edited by jasonmbrown, 05 April 2014 - 03:25 PM.


#8 aharonov

Malware Response Team

Posted 05 April 2014 - 03:33 PM

Yes it's normal that the ESET scan takes a long time. Thanks for letting me know anyway. :)
But we need this thorough inspection because your computer was severely infected (multiple different malware running).

#9 jasonmbrown


Posted 06 April 2014 - 02:16 AM

Hey, it finished about 10 minutes ago. YAY, viruses: 129 results :(.

http://pastebin.com/fa5c4yRj [ESET log.txt]

http://pastebin.com/FNAweif3 [ESET Report] Not sure if you need this one; might just be the same info as above.

Also I'm on 64-bit, sooo the ESET log was in Program Files (x86), not that it matters heh :)

Hopefully you can help me get rid of all that garbage... I'm not sure how long I will be up tonight, but I would like to remove it all before I sleep if possible.

Also, would you personally recommend ESET AV as a lightweight, non-interfering antivirus? (Is it going to block everything that sends an outgoing or incoming connection?)

I'm getting issues now with my bitcoin-related accounts being poorly logged into; in other words someone has my username but not the passwords. Worries me a little bit.

EDIT: Just thought I'd let you know I'm going to sleep now =). I really appreciate the help; I'll do whatever I need to when I wake back up if you post.

PS: Also mentioning, I don't need any of the bitcoin mining related stuff anymore, since I don't mine with this PC or hardware, and I noticed quite a few of the things picked up by ESET were bitcoin mining variants. I DO HOWEVER STILL NEED MY WALLETS! However, I will probably notice if you send me something that will remove them.

Again, thank you for the help!!!

Edit: [10:24am PST] OK, I'm awake now =). Just waiting to hear back from you so I can get to work removing all these viruses/malware. If you don't mind letting me know how long it will take :) I like to know when to expect things *a rough estimate is fine?*


Edited by jasonmbrown, 06 April 2014 - 12:27 PM.


#10 aharonov

Malware Response Team

Posted 06 April 2014 - 01:58 PM

Hi there,

this looks much worse than it actually is. No more active malware has been found. There are only a few exes that you'd better not open and that we should delete now. The rest is just stuff that ESET finds because it could potentially be abused (e.g. the bitcoin miner), but as you use it deliberately it's no problem there.


Please download the attached fixlist.txt (8.22KB) and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • I don't need the log.


That's it! Your logs look clean to me at the moment.
We're going to clean up everything now, close security holes on your computer, and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:
  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.


Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up to date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:

Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.02)
Java 7 Update 21
Internet Explorer Version 8
Download and install Service Pack 1 for Windows 7.




Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.

Edited by aharonov, 06 April 2014 - 01:58 PM.


#11 jasonmbrown


Posted 06 April 2014 - 03:00 PM

I got a bit paranoid after I saw the how_decrypt text files everywhere, but they didn't hit anything important; seems like they barely got started. Killed off my Elder Scrolls Online files and a bunch of worthless .txt's. Looks fine for the moment :) So thank you again for the help.
I'd still like a way to easily clean up anything they ruined, however, if it exists. If not I might make a VB program that searches for the "How_Decrypt.txt" file, then scans all the headers of the files in that directory, and from there logs and gives the option to remove them.

I'm not able to install Windows 7 SP1 though; Windows Update always errors and I can't find the manual updater. If possible could you tell me the offline updater's file name so I can go find it...


Edited by jasonmbrown, 07 April 2014 - 05:20 AM.
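As an added example (not the poster's program and not forum code), here is a Python sketch of the sweep described in the post above: find every folder holding a How_Decrypt.txt note, then check whether the files beside it still start with the bytes their extension implies, and list the ones that don't as probably encrypted. The magic-byte table, the text heuristic and the sample directory tree are constructed for the example; the script only reports and deletes nothing.

```python
"""Sweep for ransom notes and header-mismatched files (added example, not the
poster's program). It locates every folder holding How_Decrypt.txt, then
checks whether the files beside the note still begin with the bytes their
extension implies; files that don't are listed as probably encrypted. The
script only reports so the user can decide what to delete."""
import os
import tempfile

NOTE_NAME = "how_decrypt.txt"  # ransom note named in the post, compared case-insensitively
# Constructed table of expected leading bytes; None means "plain text, no magic".
MAGIC = {
    ".txt": None,
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".exe": b"MZ",
}


def looks_like_text(head):
    """Heuristic for formats without magic: no NUL bytes, mostly printable."""
    if not head:
        return True
    if b"\x00" in head:
        return False
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(head) > 0.9


def header_matches(path):
    """True if the file header fits its extension, False if not, None if unknown."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    expected = MAGIC[ext]
    if expected is None:
        return looks_like_text(head)
    return head.startswith(expected)


def find_note_dirs(root):
    """Yield every directory under root that contains the ransom note."""
    for dirpath, _dirs, files in os.walk(root):
        if any(f.lower() == NOTE_NAME for f in files):
            yield dirpath


def sweep(root):
    """Map each note-bearing folder to the files whose header no longer fits."""
    report = {}
    for folder in find_note_dirs(root):
        damaged = []
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if name.lower() == NOTE_NAME or not os.path.isfile(path):
                continue
            if header_matches(path) is False:
                damaged.append(name)
        report[folder] = damaged
    return report


def build_sample_tree():
    """Constructed test data: one folder hit by the note, one untouched."""
    root = tempfile.mkdtemp(prefix="howdecrypt_")
    hit = os.path.join(root, "Games", "ESO")
    clean = os.path.join(root, "Docs")
    os.makedirs(hit)
    os.makedirs(clean)
    samples = {
        os.path.join(hit, "How_Decrypt.txt"): b"Your files have been encrypted...",
        os.path.join(hit, "save1.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,  # intact
        os.path.join(hit, "save2.png"): bytes(range(200, 232)),              # header gone
        os.path.join(hit, "notes.txt"): bytes(range(256)),                   # binary junk
        os.path.join(hit, "blob.dat"): bytes(range(32)),                     # unknown ext
        os.path.join(clean, "readme.txt"): b"all fine here\n",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root, hit


if __name__ == "__main__":
    root, _hit = build_sample_tree()
    for folder, files in sweep(root).items():
        print(folder, "->", files or "nothing flagged")
```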




