Random shut off - Multicast address' NtOpenMutant - Multiple issues


  • This topic is locked
21 replies to this topic

#1 truckin2001

  • Members
  • 16 posts
  • Gender:Male

Posted 16 September 2014 - 11:06 AM

DDS locked my machine up for about 60 seconds when I tried to run it. I posted under "Am I infected" [Win 7 HP Laptop Shuts down when running virus scan AND intermittently] on Sept 4th out of desperation (as my machine was getting worse), before I read how to properly post. I've tried to post since, but my machine won't run long enough, until I ran various tools following various threads with similar issues. The machine shuts down after 65% when running a virus scan. Recently it started skipping to 57% during the Security Descriptor part of chkdsk. I found I have 3-4 multicasts going on (255.255.255.255). I've disabled IPv6, but still have 2.

I found Indexing was changed to "Internet Explorer temp files...". I had it start to index the C drive, and noticed it was turning folders I use on my desktop into "Hidden AND Read only" with the hidden attribute unchangeable. In the last 3 days my video has been randomly going crazy before the machine shuts off. I've got an Intel Core i3 CPU (dual or quad core I believe) at 2.53 GHz with 4 GB of RAM.

Below the DDS report, I pasted a piece of my GMER log from Sept 8. Hopefully someone with experience with infections will recognise the scary things under the "User code" section, as there are 20+ more entries just like it (they are still there as of 2 days ago).

I hope that's enough info to figure something out... I'm afraid the machine will shut off before I hit the post button (again)! Please HELP!


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17280  BrowserJavaVersion: 10.67.2
Run by Owner at 10:53:29 on 2014-09-16
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3894.2395 [GMT -4:00]
.
AV: Emsisoft Anti-Malware *Disabled/Updated* {8504DEEF-CC04-1F76-2137-F1A5F4A659DA}
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Emsisoft Anti-Malware *Disabled/Updated* {3E653F0B-EA3E-10F8-1B87-CAD78F211367}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: Privatefirewall *Enabled* {16337F50-A853-219F-6DEC-E7BDA0A7E8E7}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [emsisoft anti-malware] "c:\program files (x86)\emsisoft anti-malware\a2guard.exe" /d=60
mRun: [Privatefirewall] C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TCP: NameServer = 192.168.1.155
TCP: Interfaces\{E1E3A70D-C166-48AD-B14F-E2F87F2E568E} : DHCPNameServer = 192.168.1.155
TCP: Interfaces\{E1E3A70D-C166-48AD-B14F-E2F87F2E568E}\B636F6D6 : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.120\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-RunOnce: [NCPluginUpdater] "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\d45iagnj.default-1406769917778\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1205146.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2013-12-22 65776]
R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2013-12-22 224896]
R0 NBVol;Nero Backup Volume Filter Driver;C:\Windows\System32\drivers\NBVol.sys [2013-11-14 72240]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;C:\Windows\System32\drivers\NBVolUp.sys [2013-11-14 15920]
R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2014-9-9 26176]
R1 a2injectiondriver;a2injectiondriver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2014-9-9 45208]
R1 a2util;a-squared Malware-IDS utility driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [2014-9-9 23088]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-12-22 1041168]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswsp.sys [2013-12-22 427360]
R1 pwipf6;Privacyware Filter Driver;C:\Windows\System32\drivers\pwipf6.sys [2014-9-16 133152]
R2 a2AntiMalware;Emsisoft Protection Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2014-9-9 4784144]
R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-7-25 29208]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-12-22 79184]
R2 aswStm;aswStm;C:\Windows\System32\drivers\aswstm.sys [2013-12-22 92008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-7-25 50344]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [2014-7-7 72992]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-3-28 13336]
R2 PFNet;Privacyware network service;C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe [2013-12-17 374600]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-3-28 2320920]
R3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2014-9-9 71472]
R3 cleanhlp;cleanhlp;C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [2014-9-9 57024]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2012-8-3 40432]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-12-8 158976]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-12-8 317440]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2014-7-22 565352]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-12 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 AndNetDiag;LGE AndroidNet USB Serial Port;C:\Windows\System32\drivers\lgandnetdiag64.sys [2014-1-16 29184]
S3 ANDNetModem;LGE AndroidNet USB Modem;C:\Windows\System32\drivers\lgandnetmodem64.sys [2014-1-16 36352]
S3 bcbtums;Bluetooth USB LD Filter;C:\Windows\System32\drivers\bcbtums.sys [2013-10-28 170712]
S3 btwampfl;btwampfl;C:\Windows\System32\drivers\btwampfl.sys [2013-10-28 166104]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2011-3-28 39464]
S3 btwsecfl;Bluetooth USB Security Filter;C:\Windows\System32\drivers\btwsecfl.sys [2011-3-28 72232]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-9-11 111616]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-7-26 122584]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-11-15 19456]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2014-7-24 339048]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-15 56832]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-12-28 1255736]
S3 X86BDA;OEM Capture;C:\Windows\System32\drivers\OEMDrv.sys [2014-7-1 268416]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S4 BcmBtRSupport;Bluetooth Driver Management Service;C:\Windows\System32\BtwRSupportService.exe [2013-10-28 2255064]
S4 c2cautoupdatesvc;Skype Click to Call Updater;C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-7-14 1390176]
S4 c2cpnrsvc;Skype Click to Call PNR Service;C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-7-14 1767520]
S4 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2014-7-24 2425960]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-09-16 12:55:56    133152    ----a-w-    C:\Windows\System32\drivers\pwipf6.sys
2014-09-16 06:05:00    75888    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{26D8A93C-B5AE-409F-A064-71A0C7DE9CF7}\offreg.dll
2014-09-16 06:03:37    11578928    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{26D8A93C-B5AE-409F-A064-71A0C7DE9CF7}\mpengine.dll
2014-09-16 02:30:07    53770    ----a-w-    C:\cc_20140915_223001.reg
2014-09-15 23:19:07    --------    d-----w-    C:\Program Files (x86)\ESET
2014-09-15 15:35:07    --------    d-----w-    C:\Program Files (x86)\Runtime Software
2014-09-14 04:46:17    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-09-13 18:31:20    175528    ----a-w-    C:\Windows\System32\drivers\tmcomm.sys
2014-09-12 01:26:39    --------    d-----w-    C:\Users\Owner\AppData\Local\Privatefirewall
2014-09-12 01:17:22    --------    d-----w-    C:\ProgramData\Privacyware
2014-09-12 01:17:20    --------    d-----w-    C:\Program Files (x86)\Privacyware
2014-09-11 15:15:37    --------    d-----w-    C:\Program Files (x86)\RegTweaker
2014-09-10 09:08:55    728064    ----a-w-    C:\Windows\System32\kerberos.dll
2014-09-10 09:08:54    550912    ----a-w-    C:\Windows\SysWow64\kerberos.dll
2014-09-10 09:08:53    1460736    ----a-w-    C:\Windows\System32\lsasrv.dll
2014-09-10 09:08:51    22016    ----a-w-    C:\Windows\SysWow64\secur32.dll
2014-09-10 09:08:50    96768    ----a-w-    C:\Windows\SysWow64\sspicli.dll
2014-09-09 14:27:20    --------    d-----w-    C:\ProgramData\Emsisoft
2014-09-09 12:29:27    --------    d-----w-    C:\Program Files (x86)\Emsisoft Anti-Malware
2014-09-09 09:13:34    --------    d-----w-    C:\Users\Owner\AppData\Roaming\Safer Networking
2014-09-09 09:11:54    --------    d-----w-    C:\Program Files (x86)\Safer Networking
2014-09-09 08:05:08    189666    ----a-w-    C:\cc_20140909_040402.reg
2014-09-09 03:36:45    --------    d-----w-    C:\ProgramData\Spybot - Search & Destroy
2014-09-09 03:36:45    --------    d-----w-    C:\Program Files (x86)\Spybot - Search & Destroy
2014-09-08 03:34:06    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-09-07 04:54:05    --------    d-----w-    C:\FRST
2014-09-06 23:45:50    --------    d-----w-    C:\Users\Owner\AppData\Roaming\ZumoDrive
2014-09-06 19:50:55    63704    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-09-06 19:50:55    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-09-06 19:50:55    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-04 22:00:09    --------    d-----w-    C:\Users\Owner\AppData\Local\Logitech-LS
2014-09-04 21:57:38    65536    ----a-w-    C:\Windows\SysWow64\MFC71DEU.DLL
2014-09-04 21:57:38    61440    ----a-w-    C:\Windows\SysWow64\MFC71ITA.DLL
2014-09-04 21:57:38    61440    ----a-w-    C:\Windows\SysWow64\MFC71ESP.DLL
2014-09-04 21:57:38    57344    ----a-w-    C:\Windows\SysWow64\MFC71ENU.DLL
2014-09-04 21:57:38    49152    ----a-w-    C:\Windows\SysWow64\MFC71KOR.DLL
2014-09-04 21:57:38    49152    ----a-w-    C:\Windows\SysWow64\MFC71JPN.DLL
2014-09-04 21:57:38    45056    ----a-w-    C:\Windows\SysWow64\MFC71CHT.DLL
2014-09-04 21:57:38    40960    ----a-w-    C:\Windows\SysWow64\MFC71CHS.DLL
2014-09-04 21:50:34    --------    d-----w-    C:\Users\Owner\AppData\Local\{B1B591EA-789E-4E0B-B383-702E4DE809E9}
2014-09-04 21:50:34    --------    d-----w-    C:\Users\Owner\AppData\Local\{629188C2-B604-44C4-B62A-3D1045CE4FFC}
2014-09-04 02:56:32    0    ----a-w-    C:\Windows\System32\igd10umd32.dll
2014-09-03 00:25:04    --------    d---a-w-    C:\Program Files (x86)\Sophos
2014-09-02 04:20:48    --------    d---a-w-    C:\Users\Owner\AppData\Roaming\Roxio Log Files
2014-08-30 13:51:31    3163648    ----a-w-    C:\Windows\System32\win32k.sys
2014-08-30 13:51:30    404480    ----a-w-    C:\Windows\System32\gdi32.dll
2014-08-30 13:51:30    311808    ----a-w-    C:\Windows\SysWow64\gdi32.dll
2014-08-26 23:31:40    2620928    ----a-w-    C:\Windows\System32\wucltux.dll
2014-08-26 23:31:15    97792    ----a-w-    C:\Windows\System32\wudriver.dll
2014-08-26 23:31:15    92672    ----a-w-    C:\Windows\SysWow64\wudriver.dll
2014-08-26 23:30:48    179656    ----a-w-    C:\Windows\SysWow64\wuwebv.dll
2014-08-26 23:30:47    33792    ----a-w-    C:\Windows\SysWow64\wuapp.exe
2014-08-26 23:30:46    198600    ----a-w-    C:\Windows\System32\wuwebv.dll
2014-08-26 23:30:44    36864    ----a-w-    C:\Windows\System32\wuapp.exe
2014-08-24 02:29:07    --------    d---a-w-    C:\Users\Owner\AppData\Local\Windows Live
2014-08-24 02:28:41    --------    d-----w-    C:\Users\Owner\AppData\Local\{FA878469-EDEB-4B67-9DF5-7B54F12238A3}
2014-08-24 02:28:41    --------    d-----w-    C:\Users\Owner\AppData\Local\{0BB71CED-72A9-431B-9C26-C1DBC8978DF5}
.
==================== Find3M  ====================
.
2014-09-15 13:13:06    71344    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-15 13:13:06    701104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-09-14 08:06:34    33512    ----a-w-    C:\Windows\SysWow64\drivers\TrueSight.sys
2014-09-14 02:14:53    122584    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-09-11 23:59:32    92888    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-08-25 10:53:42    270496    ------w-    C:\Windows\System32\MpSigStub.exe
2014-08-18 22:29:49    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-08-18 22:29:35    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-08-18 22:19:53    5833728    ----a-w-    C:\Windows\System32\jscript9.dll
2014-08-18 22:15:34    547328    ----a-w-    C:\Windows\System32\vbscript.dll
2014-08-18 22:15:09    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-08-18 22:14:38    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-08-18 22:14:10    83968    ----a-w-    C:\Windows\System32\MshtmlDac.dll
2014-08-18 22:08:55    4232704    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-08-18 22:03:47    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-08-18 22:03:37    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-08-18 22:03:01    758272    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-08-18 21:57:44    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-08-18 21:56:17    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-08-18 21:46:26    454656    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-08-18 21:45:23    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-08-18 21:45:12    72704    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-08-18 21:44:44    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-08-18 21:44:09    61952    ----a-w-    C:\Windows\SysWow64\MshtmlDac.dll
2014-08-18 21:36:07    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-08-18 21:35:24    597504    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-08-18 21:23:17    2104832    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-08-18 21:23:16    1249280    ----a-w-    C:\Windows\System32\mshtmlmedia.dll
2014-08-18 21:22:48    60416    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-08-18 21:15:13    2310656    ----a-w-    C:\Windows\System32\wininet.dll
2014-08-18 21:08:54    2014208    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-08-18 21:07:44    1068032    ----a-w-    C:\Windows\SysWow64\mshtmlmedia.dll
2014-08-18 20:46:48    1812992    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-08-17 00:42:13    98216    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-07-25 06:35:46    875688    ----a-w-    C:\Windows\SysWow64\msvcr120_clr0400.dll
2014-07-25 05:00:31    92008    ----a-w-    C:\Windows\System32\drivers\aswstm.sys
2014-07-25 05:00:30    79184    ----a-w-    C:\Windows\System32\drivers\aswMonFlt.sys
2014-07-25 05:00:30    65776    ----a-w-    C:\Windows\System32\drivers\aswRvrt.sys
2014-07-25 05:00:30    224896    ----a-w-    C:\Windows\System32\drivers\aswVmm.sys
2014-07-25 05:00:30    1041168    ----a-w-    C:\Windows\System32\drivers\aswSnx.sys
2014-07-25 05:00:29    93568    ----a-w-    C:\Windows\System32\drivers\aswRdr2.sys
2014-07-25 05:00:29    29208    ----a-w-    C:\Windows\System32\drivers\aswHwid.sys
2014-07-25 05:00:26    43152    ----a-w-    C:\Windows\avastSS.scr
2014-07-25 03:47:06    869544    ----a-w-    C:\Windows\System32\msvcr120_clr0400.dll
2014-07-22 15:39:04    74272    ----a-w-    C:\Windows\System32\RtNicProp64.dll
2014-07-22 15:39:04    565352    ----a-w-    C:\Windows\System32\drivers\Rt64win7.sys
2014-07-22 15:39:04    107552    ----a-w-    C:\Windows\System32\RTNUninst64.dll
2014-07-16 12:19:15    0    ----a-w-    C:\Windows\System32\sirenacm.dll
2014-07-16 03:23:41    2048    ----a-w-    C:\Windows\System32\tzres.dll
2014-07-16 02:46:02    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2014-07-14 02:02:45    1216000    ----a-w-    C:\Windows\System32\rpcrt4.dll
2014-07-14 01:40:58    664064    ----a-w-    C:\Windows\SysWow64\rpcrt4.dll
2014-06-30 22:24:50    8856    ----a-w-    C:\Windows\System32\icardres.dll
2014-06-30 22:14:53    8856    ----a-w-    C:\Windows\SysWow64\icardres.dll
2014-06-27 18:00:00    127488    ----a-w-    C:\Windows\System32\ff_vfw.dll
2014-06-27 18:00:00    112640    ----a-w-    C:\Windows\SysWow64\ff_vfw.dll
.
============= FINISH: 10:54:24.58 ===============

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-08 10:34:45
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.02.0 465.76GB
Running: 2ub23s4q.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kgtiapow.sys
---- Kernel code sections - GMER 2.1 ----
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528                                    
                                          fffff800031b0000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575                                    
 
                                          fffff800031b002f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]
---- User code sections - GMER 2.1 ----
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort               
                                          0000000076d31360 5 bytes JMP 0000000149a60460
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                        
 
                                          0000000076d313b0 5 bytes JMP 0000000149a60450
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                        
                                          0000000076d31510 5 bytes JMP 0000000149a60370
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx             
 
                                          0000000076d31560 5 bytes JMP 0000000149a60470
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                   
                                          0000000076d31570 5 bytes JMP 0000000149a603e0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                        
 
                                          0000000076d31620 5 bytes JMP 0000000149a60320
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                 
                                          0000000076d31650 5 bytes JMP 0000000149a603b0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                    
 
                                          0000000076d31670 5 bytes JMP 0000000149a60390
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                          
                                          0000000076d316b0 5 bytes JMP 0000000149a602e0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076d31730 5 bytes JMP 0000000149a602d0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection  0000000076d31750 5 bytes JMP 0000000149a60310
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread  0000000076d31790 5 bytes JMP 0000000149a603c0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread  0000000076d317e0 5 bytes JMP 0000000149a603f0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry  0000000076d31940 5 bytes JMP 0000000149a60230
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort  0000000076d31b00 5 bytes JMP 0000000149a60480
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  0000000076d31b30 5 bytes JMP 0000000149a603a0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair  0000000076d31c10 5 bytes JMP 0000000149a602f0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion  0000000076d31c20 5 bytes JMP 0000000149a60350
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076d31c80 5 bytes JMP 0000000149a60290
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076d31d10 5 bytes JMP 0000000149a602b0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000076d31d30 5 bytes JMP 0000000149a603d0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer  0000000076d31d40 5 bytes JMP 0000000149a60330
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess  0000000076d31db0 5 bytes JMP 0000000149a60410
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry  0000000076d31de0 5 bytes JMP 0000000149a60240
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver  0000000076d320a0 5 bytes JMP 0000000149a601e0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry  0000000076d32160 5 bytes JMP 0000000149a60250
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey  0000000076d32190 5 bytes JMP 0000000149a60490
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  0000000076d321a0 5 bytes JMP 0000000149a604a0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair  0000000076d321d0 5 bytes JMP 0000000149a60300
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion  0000000076d321e0 5 bytes JMP 0000000149a60360
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076d32240 5 bytes JMP 0000000149a602a0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076d32290 5 bytes JMP 0000000149a602c0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076d322c0 5 bytes JMP 0000000149a60380
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer  0000000076d322d0 5 bytes JMP 0000000149a60340
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx  0000000076d325c0 5 bytes JMP 0000000149a60440
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder  0000000076d327c0 5 bytes JMP 0000000149a60260
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions  0000000076d327d0 5 bytes JMP 0000000149a60270
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread  0000000076d327e0 5 bytes JMP 0000000149a60400
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation  0000000076d329a0 5 bytes JMP 0000000149a601f0
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState  0000000076d329b0 5 bytes JMP 0000000149a60210
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem  0000000076d32a20 5 bytes JMP 0000000149a60200
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess  0000000076d32a80 5 bytes JMP 0000000149a60420
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread  0000000076d32a90 5 bytes JMP 0000000149a60430
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl  0000000076d32aa0 5 bytes JMP 0000000149a60220
.text     C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl  0000000076d32b80 5 bytes JMP 0000000149a60280
.text     C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,769 posts
  • Gender:Male

Posted 21 September 2014 - 11:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/548563 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 truckin2001

truckin2001
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male

Posted 22 September 2014 - 01:49 AM

I no longer have internet access on my machine, only on my phone. I don't have the Windows 7 DVD, but I have a factory image copy on drive D, although my operating system does not recognize it (0 bytes). I can access it (at least see it's still there) using Hiren's Boot CD v10.6. I don't think I can say anything more descriptive than the difference between the two DDS logs. My machine says my antivirus is disabled (not disabled by me), but DDS says it's running. When it would run 2 days ago, it would shut the machine down at about 60%. The same with Malwarebytes or any antivirus I tried to run. I can't seem to get the attached text log to attach.
DDS (Ver_2012-11-20.01) - NTFS_AMD64 Internet Explorer: 11.0.9600.17280 BrowserJavaVersion: 10.67.2 Run by Owner at 0:20:31 on 2014-09-22 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.2367 [GMT -4:00] . AV: Emsisoft Anti-Malware *Enabled/Outdated* {8504DEEF-CC04-1F76-2137-F1A5F4A659DA} AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} SP: Emsisoft Anti-Malware *Enabled/Outdated* {3E653F0B-EA3E-10F8-1B87-CAD78F211367} SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736} FW: Privatefirewall *Enabled* {16337F50-A853-219F-6DEC-E7BDA0A7E8E7} . ============== Running Processes =============== . C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k netsvcs C:\Program Files\IDT\WDM\STacSV64.exe C:\Windows\system32\svchost.exe -k GPSvcGroup C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Program Files\AVAST Software\Avast\AvastSvc.exe C:\Windows\system32\WLANExt.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe C:\Windows\System32\svchost.exe -k secsvcs C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\System32\WUDFHost.exe C:\Windows\system32\svchost.exe -k 
LocalServiceAndNoImpersonation C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\svchost.exe -k bthsvcs C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe C:\Program Files\AVAST Software\Avast\avastui.exe C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe C:\Windows\system32\wbem\unsecapp.exe C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE C:\Windows\sysWOW64\wbem\wmiprvse.exe C:\Windows\system32\taskeng.exe C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\igfxsrvc.exe C:\Windows\System32\cscript.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.yahoo.com/ uProxyOverride = BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll BHO: avast! 
Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui mRun: [Privatefirewall] C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe mRun: [emsisoft anti-malware] "c:\program files (x86)\emsisoft anti-malware\a2guard.exe" /d=60 uPolicies-Explorer: NoDriveTypeAutoRun = dword:145 uPolicies-Explorer: NoDrives = dword:0 mPolicies-Explorer: NoDrives = dword:0 mPolicies-System: ConsentPromptBehaviorAdmin = dword:5 mPolicies-System: ConsentPromptBehaviorUser = dword:3 mPolicies-System: EnableUIADesktopToggle = dword:0 . INFO: HKCU has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . . INFO: HKLM has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . 
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab TCP: NameServer = 192.168.1.155 TCP: Interfaces\{261BC2BD-47CE-4809-A440-9215ECAF2369} : DHCPNameServer = 192.168.1.155 TCP: Interfaces\{E1E3A70D-C166-48AD-B14F-E2F87F2E568E} : DHCPNameServer = 192.168.1.155 TCP: Interfaces\{E1E3A70D-C166-48AD-B14F-E2F87F2E568E}\B636F6D6 : DHCPNameServer = 192.168.0.1 Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL SSODL: WebCheck - SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe" mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.120\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL x64-BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - x64-BHO: avast! 
Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL x64-BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe x64-RunOnce: [NCPluginUpdater] "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm . INFO: x64-HKLM has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL x64-Notify: igfxcui - igfxdev.dll x64-SSODL: WebCheck - x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL . ================= FIREFOX =================== . 
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\d45iagnj.default-1406769917778\ FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1205146.dll FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll . ============= SERVICES / DRIVERS =============== . R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2013-12-22 65776] R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2013-12-22 224896] R0 NBVol;Nero Backup Volume Filter Driver;C:\Windows\System32\drivers\NBVol.sys [2013-11-14 72240] R0 NBVolUp;Nero Backup Volume Upper Filter Driver;C:\Windows\System32\drivers\NBVolUp.sys [2013-11-14 15920] R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2014-9-17 26176] R1 a2injectiondriver;a2injectiondriver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2014-9-17 45208] R1 a2util;a-squared Malware-IDS utility driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [2014-9-17 23088] R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-12-22 1041168] R1 aswSP;aswSP;C:\Windows\System32\drivers\aswsp.sys [2013-12-22 427360] R1 pwipf6;Privacyware Filter Driver;C:\Windows\System32\drivers\pwipf6.sys [2014-9-16 133152] R2 a2AntiMalware;Emsisoft Protection Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2014-9-17 4784144] R2 
aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-7-25 29208] R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-12-22 79184] R2 aswStm;aswStm;C:\Windows\System32\drivers\aswstm.sys [2013-12-22 92008] R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-7-25 50344] R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992] R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896] R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680] R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-3-28 13336] R2 PFNet;Privacyware network service;C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe [2013-12-17 374600] R3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2014-9-17 71472] R3 cleanhlp;cleanhlp;C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [2014-9-17 57024] R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-12-10 31088] R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344] R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-12-8 158976] R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-12-8 317440] R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2014-7-22 565352] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-12 105144] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088] S2 UNS;Intel® 
Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-3-28 2320920] S3 AndNetDiag;LGE AndroidNet USB Serial Port;C:\Windows\System32\drivers\lgandnetdiag64.sys [2014-1-16 29184] S3 ANDNetModem;LGE AndroidNet USB Modem;C:\Windows\System32\drivers\lgandnetmodem64.sys [2014-1-16 36352] S3 bcbtums;Bluetooth USB LD Filter;C:\Windows\System32\drivers\bcbtums.sys [2013-10-28 170712] S3 btwampfl;btwampfl;C:\Windows\System32\drivers\btwampfl.sys [2013-10-28 166104] S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2011-3-28 39464] S3 btwsecfl;Bluetooth USB Security Filter;C:\Windows\System32\drivers\btwsecfl.sys [2011-3-28 72232] S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-9-11 111616] S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368] S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-11-15 19456] S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2014-7-24 339048] S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864] S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312] S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864] S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-15 56832] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-12-28 1255736] S3 X86BDA;OEM Capture;C:\Windows\System32\drivers\OEMDrv.sys [2014-7-1 268416] S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120] S4 BcmBtRSupport;Bluetooth Driver Management 
Service;C:\Windows\System32\BtwRSupportService.exe [2013-10-28 2255064] S4 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2014-7-24 2425960] S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680] S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184] . =============== Created Last 30 ================ . 2014-09-22 01:34:26 -------- d--h--w- C:\_Exception1 2014-09-20 13:39:44 2777088 ----a-w- C:\Windows\System32\msmpeg2vdec.dll 2014-09-20 13:39:44 2285056 ----a-w- C:\Windows\SysWow64\msmpeg2vdec.dll 2014-09-20 01:43:14 -------- d-----w- C:\Users\Owner\AppData\Roaming\GlarySoft 2014-09-19 06:39:18 11578928 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{079CB26D-7912-4D40-BE97-8E97409BB89E}\mpengine.dll 2014-09-19 04:38:56 -------- d-----w- C:\ProgramData\SecTaskMan 2014-09-19 04:38:48 -------- d-----w- C:\Program Files (x86)\Security Task Manager 2014-09-17 02:13:17 -------- d-sh--w- C:\$RECYCLE.BIN 2014-09-16 12:55:56 133152 ----a-w- C:\Windows\System32\drivers\pwipf6.sys 2014-09-16 02:30:07 53770 ----a-w- C:\cc_20140915_223001.reg 2014-09-15 23:19:07 -------- d-----w- C:\Program Files (x86)\ESET 2014-09-15 15:35:07 -------- d-----w- C:\Program Files (x86)\Runtime Software 2014-09-13 18:31:20 175528 ----a-w- C:\Windows\System32\drivers\tmcomm.sys 2014-09-12 01:26:39 -------- d-----w- C:\Users\Owner\AppData\Local\Privatefirewall 2014-09-12 01:17:22 -------- d-----w- C:\ProgramData\Privacyware 2014-09-12 01:17:20 -------- d-----w- C:\Program Files (x86)\Privacyware 2014-09-11 15:15:37 -------- d-----w- C:\Program Files (x86)\RegTweaker 2014-09-10 09:08:55 728064 ----a-w- C:\Windows\System32\kerberos.dll 2014-09-10 09:08:54 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll 2014-09-10 09:08:53 1460736 ----a-w- C:\Windows\System32\lsasrv.dll 2014-09-10 09:08:51 22016 ----a-w- 
C:\Windows\SysWow64\secur32.dll 2014-09-10 09:08:50 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll 2014-09-09 14:27:20 -------- d-----w- C:\ProgramData\Emsisoft 2014-09-09 12:29:27 -------- d-----w- C:\Program Files (x86)\Emsisoft Anti-Malware 2014-09-09 09:13:34 -------- d-----w- C:\Users\Owner\AppData\Roaming\Safer Networking 2014-09-09 09:11:54 -------- d-----w- C:\Program Files (x86)\Safer Networking 2014-09-09 08:05:08 189666 ----a-w- C:\cc_20140909_040402.reg 2014-09-09 03:36:45 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy 2014-09-09 03:36:45 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2014-09-08 03:34:06 -------- d-----w- C:\TDSSKiller_Quarantine 2014-09-07 04:54:05 -------- d-----w- C:\FRST 2014-09-06 23:45:50 -------- d-----w- C:\Users\Owner\AppData\Roaming\ZumoDrive 2014-09-06 19:50:55 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys 2014-09-06 19:50:55 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys 2014-09-06 19:50:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware 2014-09-04 21:57:38 65536 ----a-w- C:\Windows\SysWow64\MFC71DEU.DLL 2014-09-04 21:57:38 61440 ----a-w- C:\Windows\SysWow64\MFC71ITA.DLL 2014-09-04 21:57:38 61440 ----a-w- C:\Windows\SysWow64\MFC71ESP.DLL 2014-09-04 21:57:38 57344 ----a-w- C:\Windows\SysWow64\MFC71ENU.DLL 2014-09-04 21:57:38 49152 ----a-w- C:\Windows\SysWow64\MFC71KOR.DLL 2014-09-04 21:57:38 49152 ----a-w- C:\Windows\SysWow64\MFC71JPN.DLL 2014-09-04 21:57:38 45056 ----a-w- C:\Windows\SysWow64\MFC71CHT.DLL 2014-09-04 21:57:38 40960 ----a-w- C:\Windows\SysWow64\MFC71CHS.DLL 2014-09-04 02:56:32 0 ----a-w- C:\Windows\System32\igd10umd32.dll 2014-09-03 00:25:04 -------- d---a-w- C:\Program Files (x86)\Sophos 2014-09-02 04:20:48 -------- d---a-w- C:\Users\Owner\AppData\Roaming\Roxio Log Files 2014-08-30 13:51:31 3163648 ----a-w- C:\Windows\System32\win32k.sys 2014-08-30 13:51:30 404480 ----a-w- C:\Windows\System32\gdi32.dll 2014-08-30 13:51:30 311808 ----a-w- 
C:\Windows\SysWow64\gdi32.dll 2014-08-26 23:31:40 2620928 ----a-w- C:\Windows\System32\wucltux.dll 2014-08-26 23:31:15 97792 ----a-w- C:\Windows\System32\wudriver.dll 2014-08-26 23:31:15 92672 ----a-w- C:\Windows\SysWow64\wudriver.dll 2014-08-26 23:30:48 179656 ----a-w- C:\Windows\SysWow64\wuwebv.dll 2014-08-26 23:30:47 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe 2014-08-26 23:30:46 198600 ----a-w- C:\Windows\System32\wuwebv.dll 2014-08-26 23:30:44 36864 ----a-w- C:\Windows\System32\wuapp.exe 2014-08-24 02:29:07 -------- d---a-w- C:\Users\Owner\AppData\Local\Windows Live 2014-08-24 02:28:41 -------- d-----w- C:\Users\Owner\AppData\Local\{0BB71CED-72A9-431B-9C26-C1DBC8978DF5} . ==================== Find3M ==================== . 2014-09-20 12:51:36 128728 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys 2014-09-20 12:51:02 92888 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys 2014-09-17 01:41:53 29160 ----a-w- C:\Windows\SysWow64\drivers\TrueSight.sys 2014-09-15 13:13:06 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2014-09-15 13:13:06 701104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2014-08-25 10:53:42 270496 ------w- C:\Windows\System32\MpSigStub.exe 2014-08-18 22:29:49 2724864 ----a-w- C:\Windows\System32\mshtml.tlb 2014-08-18 22:29:35 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll 2014-08-18 22:19:53 5833728 ----a-w- C:\Windows\System32\jscript9.dll 2014-08-18 22:15:34 547328 ----a-w- C:\Windows\System32\vbscript.dll 2014-08-18 22:15:09 66048 ----a-w- C:\Windows\System32\iesetup.dll 2014-08-18 22:14:38 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll 2014-08-18 22:14:10 83968 ----a-w- C:\Windows\System32\MshtmlDac.dll 2014-08-18 22:08:55 4232704 ----a-w- C:\Windows\SysWow64\jscript9.dll 2014-08-18 22:03:47 139264 ----a-w- C:\Windows\System32\ieUnatt.exe 2014-08-18 22:03:37 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe 2014-08-18 22:03:01 758272 ----a-w- C:\Windows\System32\jscript9diag.dll 2014-08-18 21:57:44 
2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2014-08-18 21:56:17 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe 2014-08-18 21:46:26 454656 ----a-w- C:\Windows\SysWow64\vbscript.dll 2014-08-18 21:45:23 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll 2014-08-18 21:45:12 72704 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll 2014-08-18 21:44:44 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll 2014-08-18 21:44:09 61952 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll 2014-08-18 21:36:07 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe 2014-08-18 21:35:24 597504 ----a-w- C:\Windows\SysWow64\jscript9diag.dll 2014-08-18 21:23:17 2104832 ----a-w- C:\Windows\System32\inetcpl.cpl 2014-08-18 21:23:16 1249280 ----a-w- C:\Windows\System32\mshtmlmedia.dll 2014-08-18 21:22:48 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll 2014-08-18 21:15:13 2310656 ----a-w- C:\Windows\System32\wininet.dll 2014-08-18 21:08:54 2014208 ----a-w- C:\Windows\SysWow64\inetcpl.cpl 2014-08-18 21:07:44 1068032 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll 2014-08-18 20:46:48 1812992 ----a-w- C:\Windows\SysWow64\wininet.dll 2014-08-17 00:42:13 98216 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll 2014-07-25 06:35:46 875688 ----a-w- C:\Windows\SysWow64\msvcr120_clr0400.dll 2014-07-25 05:00:31 92008 ----a-w- C:\Windows\System32\drivers\aswstm.sys 2014-07-25 05:00:30 79184 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys 2014-07-25 05:00:30 65776 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys 2014-07-25 05:00:30 224896 ----a-w- C:\Windows\System32\drivers\aswVmm.sys 2014-07-25 05:00:30 1041168 ----a-w- C:\Windows\System32\drivers\aswSnx.sys 2014-07-25 05:00:29 93568 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys 2014-07-25 05:00:29 29208 ----a-w- C:\Windows\System32\drivers\aswHwid.sys 2014-07-25 05:00:26 43152 ----a-w- C:\Windows\avastSS.scr 2014-07-25 03:47:06 869544 ----a-w- C:\Windows\System32\msvcr120_clr0400.dll 2014-07-22 15:39:04 74272 ----a-w- 
C:\Windows\System32\RtNicProp64.dll 2014-07-22 15:39:04 565352 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys 2014-07-22 15:39:04 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll 2014-07-16 12:19:15 0 ----a-w- C:\Windows\System32\sirenacm.dll 2014-07-16 03:23:41 2048 ----a-w- C:\Windows\System32\tzres.dll 2014-07-16 02:46:02 2048 ----a-w- C:\Windows\SysWow64\tzres.dll 2014-07-14 02:02:45 1216000 ----a-w- C:\Windows\System32\rpcrt4.dll 2014-07-14 01:40:58 664064 ----a-w- C:\Windows\SysWow64\rpcrt4.dll 2014-06-30 22:24:50 8856 ----a-w- C:\Windows\System32\icardres.dll 2014-06-30 22:14:53 8856 ----a-w- C:\Windows\SysWow64\icardres.dll 2014-06-27 18:00:00 127488 ----a-w- C:\Windows\System32\ff_vfw.dll 2014-06-27 18:00:00 112640 ----a-w- C:\Windows\SysWow64\ff_vfw.dll . ============= FINISH: 0:21:43.03 ===============

#4 truckin2001 (Topic Starter)

Posted 22 September 2014 - 10:43 AM

Sorry for the double post... it's difficult working with my phone... I got my XP machine to run for now.
I ran the following programs at some point in the last week, and was able to run virus/malware scanners for a day (which found nothing):
BootkitRemoval_x64.exe, Combofix, cureit, FRST, FSS, LSPfix, MBAR, MBAM, Minitoolbox, Roguekiller, HijackThis, Housecall
I have 22 instances of svchost running... below is the port tracking log from my firewall if you think it might be useful. There is no remote address since I can't get online.

Application Protocol Local Address Remote Address
svchost.exe TCP 0.0.0.0:135 (epmap) Listening for connections
System TCP 0.0.0.0:445 (microsoft-ds) Listening for connections
wininit.exe TCP 0.0.0.0:49152 Listening for connections
svchost.exe TCP 0.0.0.0:49153 Listening for connections
svchost.exe TCP 0.0.0.0:49154 Listening for connections
lsass.exe TCP 0.0.0.0:49155 Listening for connections
services.exe TCP 0.0.0.0:49156 Listening for connections
spoolsv.exe TCP 0.0.0.0:49157 Listening for connections
svchost.exe TCP 0.0.0.0:49158 Listening for connections
System TCP 192.168.56.1:139 (netbios-ssn) Listening for connections
svchost.exe TCP [0:0:0:0:0:0:0:0]:135 (epmap) Listening for connections
System TCP [0:0:0:0:0:0:0:0]:445 (microsoft-ds) Listening for connections
wininit.exe TCP [0:0:0:0:0:0:0:0]:49152 Listening for connections
TCP [0:0:0:0:0:0:0:0]:49153 Listening for connections
svchost.exe TCP [0:0:0:0:0:0:0:0]:49154 Listening for connections
lsass.exe TCP [0:0:0:0:0:0:0:0]:49155 Listening for connections
services.exe TCP [0:0:0:0:0:0:0:0]:49156 Listening for connections
spoolsv.exe TCP [0:0:0:0:0:0:0:0]:49157 Listening for connections
svchost.exe TCP [0:0:0:0:0:0:0:0]:49158 Listening for connections
UDP [0:0:0:0:0:0:0:0]:500 (isakmp) Listening for packets
svchost.exe UDP [0:0:0:0:0:0:0:0]:4500 Listening for packets
svchost.exe UDP [0:0:0:0:0:0:0:0]:5355 Listening for packets
svchost.exe UDP [0:0:0:0:0:0:0:1]:1900 (UPnP) Listening for packets
svchost.exe UDP [0:0:0:0:0:0:0:1]:54816 Listening for packets
svchost.exe UDP [fe80:0:0:0:29f8:6a6c:32f1:f24]:546 (dhcpv6-client) Listening for packets
svchost.exe UDP [fe80:0:0:0:29f8:6a6c:32f1:f24]:1900 (UPnP) Listening for packets
svchost.exe UDP [fe80:0:0:0:29f8:6a6c:32f1:f24]:54815 Listening for packets
svchost.exe UDP 0.0.0.0:500 (isakmp) Listening for packets
svchost.exe UDP 0.0.0.0:4500 Listening for packets
svchost.exe UDP 0.0.0.0:5355 Listening for packets
System UDP 192.168.56.1:137 (netbios-ns) Listening for packets
System UDP 192.168.56.1:138 (netbios-dgm) Listening for packets
svchost.exe UDP 192.168.56.1:1900 (UPnP) Listening for packets
svchost.exe UDP 192.168.56.1:54817 Listening for packets
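
The port table above is the kind of export a triager gets handed with no process IDs and, on some rows, no process name. As an added example (not part of the original post and not output of any tool named in this thread), the Python below parses that table and compares each listener against a baseline of which image owns each default Windows 7 listener. The sample log is constructed from a subset of the rows posted above; the BASELINE and DYNAMIC_OWNERS tables are assumptions written for this example, not something the page states, and the row regex, parse_listeners, triage and summarize are all names chosen here.

```python
import re
from collections import Counter

# Constructed sample: a subset of the listening-port rows pasted in post #4.
# Two rows in that post have no process name; both are kept here so the
# parser's handling of that gap is exercised.
SAMPLE_LOG = """\
Application Protocol Local Address Remote Address
svchost.exe TCP 0.0.0.0:135 (epmap) Listening for connections
System TCP 0.0.0.0:445 (microsoft-ds) Listening for connections
wininit.exe TCP 0.0.0.0:49152 Listening for connections
svchost.exe TCP 0.0.0.0:49153 Listening for connections
lsass.exe TCP 0.0.0.0:49155 Listening for connections
services.exe TCP 0.0.0.0:49156 Listening for connections
spoolsv.exe TCP 0.0.0.0:49157 Listening for connections
System TCP 192.168.56.1:139 (netbios-ssn) Listening for connections
TCP [0:0:0:0:0:0:0:0]:49153 Listening for connections
UDP [0:0:0:0:0:0:0:0]:500 (isakmp) Listening for packets
svchost.exe UDP [0:0:0:0:0:0:0:0]:5355 Listening for packets
svchost.exe UDP [fe80:0:0:0:29f8:6a6c:32f1:f24]:546 (dhcpv6-client) Listening for packets
svchost.exe UDP 192.168.56.1:1900 (UPnP) Listening for packets
System UDP 192.168.56.1:137 (netbios-ns) Listening for packets
svchost.exe UDP 192.168.56.1:54817 Listening for packets
"""

# Assumed baseline for this example: the image that owns each well-known
# listener on a stock Windows 7 install. Adjust for your own build and role.
BASELINE = {
    ("TCP", 135): ({"svchost.exe"}, "RPC endpoint mapper"),
    ("TCP", 139): ({"System"}, "NetBIOS session"),
    ("TCP", 445): ({"System"}, "SMB"),
    ("UDP", 137): ({"System"}, "NetBIOS name service"),
    ("UDP", 138): ({"System"}, "NetBIOS datagram"),
    ("UDP", 500): ({"svchost.exe"}, "IKE"),
    ("UDP", 4500): ({"svchost.exe"}, "IPsec NAT-T"),
    ("UDP", 546): ({"svchost.exe"}, "DHCPv6 client"),
    ("UDP", 1900): ({"svchost.exe"}, "SSDP"),
    ("UDP", 5355): ({"svchost.exe"}, "LLMNR"),
}
# Images that legitimately bind ports in the Windows dynamic range (assumed).
DYNAMIC_RANGE = range(49152, 65536)
DYNAMIC_OWNERS = {"svchost.exe", "wininit.exe", "lsass.exe",
                  "services.exe", "spoolsv.exe"}

# One row of the table. The process column is optional because the export
# dropped it on some lines; IPv6 addresses arrive in square brackets.
ROW = re.compile(
    r"^(?:(?P<proc>\S+)\s+)?(?P<proto>TCP|UDP)\s+"
    r"(?P<addr>\[[^\]]+\]|\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+\((?P<name>[^)]*)\))?\s+Listening"
)


def parse_listeners(text):
    """Return one dict per 'Listening' row; proc is None if the log omitted it."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"proc": m.group("proc"), "proto": m.group("proto"),
                         "addr": m.group("addr").strip("[]"),
                         "port": int(m.group("port"))})
    return rows


def triage(rows):
    """Tag each listener expected / unexpected / unknown / unattributed."""
    out = []
    for r in rows:
        key = (r["proto"], r["port"])
        if r["proc"] is None:
            verdict = "unattributed"   # log gap: re-run `netstat -abno` for the owner
        elif key in BASELINE:
            verdict = "expected" if r["proc"] in BASELINE[key][0] else "unexpected"
        elif r["port"] in DYNAMIC_RANGE:
            verdict = "expected" if r["proc"] in DYNAMIC_OWNERS else "unexpected"
        else:
            verdict = "unknown"        # not a default Windows listener: investigate
        out.append((verdict, r["proc"], r["proto"], r["port"], r["addr"]))
    return out


def summarize(findings):
    """Counts by verdict and by owning image (missing image -> '<none>')."""
    by_verdict = Counter(f[0] for f in findings)
    by_proc = Counter(f[1] or "<none>" for f in findings)
    return by_verdict, by_proc


if __name__ == "__main__":
    findings = triage(parse_listeners(SAMPLE_LOG))
    for verdict, proc, proto, port, addr in findings:
        if verdict != "expected":
            print(f"{verdict:<13}{proc or '?':<14}{proto} {addr}:{port}")
    print(*summarize(findings), sep="\n")
```

On the rows posted above, every attributed listener matches the stock owner for its port, so the port list by itself is not evidence of anything; the two rows without an image name are the only ones the script cannot clear, and the fix is to collect the table again with `netstat -abno` and `tasklist /svc` so that each svchost.exe PID can be tied to its service group and its image path checked against %SystemRoot%\System32\svchost.exe. One caveat a triager would note: 192.168.56.1 is the default address of a VirtualBox host-only adapter, so the NetBIOS and SSDP listeners bound to it are on a virtual interface rather than the physical NIC.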

#5 Oh My! (Malware Response Instructor)

Posted 03 October 2014 - 08:33 AM

Greetings truckin2001 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Can you provide a very brief update for me regarding your current conditions? I am a bit confused because the DDS report indicates a Windows 7 operating system yet in your last post you say your XP machine is running now.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 truckin2001 (Topic Starter)

Posted 03 October 2014 - 12:49 PM

Glad to meet you Gary... I'm Larry. I'll be as brief as possible, but a lot to tell you. I replaced my XP machine with the 64-bit Win7 machine in Jan., which is what we're dealing with here. It would no longer boot (10 seconds of vertical reddish lines for video and shut off), so I was using my XP machine, which has a similar (same?) problem, but not as severe. Before it quit booting, I couldn't connect to the internet (wireless or wired), but it showed as connected. After sitting 3 days I hit the power button, and it booted. It was back to no boot the next day. When it still ran, I was following steps in other threads with similar issues, and the machine would shut off while running any type of removal tool. I believe I have a memory resident virus, and believe my router is infected, as a scan while hardwired listed 3 files on "external device" as infected.
I hope the above isn't overkill, but I wanted to be thorough! I'll continue to experiment on my XP machine on my own! :)
THANK YOU VERY MUCH for your help.

#7 Oh My! (Malware Response Instructor)

Posted 03 October 2014 - 12:56 PM

Hi Larry,

Thank you for the information.

When you say the Windows 7 computer won't boot can you describe exactly how far it progresses and what you see on the screen. Have you tried booting into Safe Mode?
Gary

#8 truckin2001 (Topic Starter)

Posted 03 October 2014 - 03:09 PM

After it POSTs I get the horizontal (I think I said vertical before, oops) scrambled colors (lines); it shuts down about 10 seconds after hitting the power button to turn it on. I could get to Safe Mode before it started doing this. I was so surprised it booted the other day, I let it go to normal boot. So I backed up files via USB for about 2 hrs and shut it down before going to bed. The next morning it wouldn't boot again. If I remember correctly from my A+ certification in 2000, it's loading RAM at that point. It's been sitting idle for a couple days; I'm guessing (hoping) it will boot for me next time I try it.

#9 Oh My! (Malware Response Instructor)

Posted 03 October 2014 - 03:34 PM

Thank you,

Please attempt this.

===================================================

Farbar's Recovery Scan Tool in Recovery Environment

--------------------

For this step you will need a USB flash drive and start on a clean computer.
  • Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
===================================================

Entering into the System Recovery Options

Option #1

To enter System Recovery Options in Windows 8:

Option #2

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Option #3

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next
===================================================

Running Farbar's Recovery Scan Tool in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter. Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST log

Edited by Oh My!, 03 October 2014 - 04:19 PM.

Gary

#10 truckin2001 (Topic Starter)

Posted 05 October 2014 - 11:56 AM

Hey Gary...
I got a new flash drive and a fresh copy of Farbar using a friend's new machine. When I tried to boot the machine, it started the video issue when loading the BIOS (pic attached). I noticed about 6 successful boots ago. The Num Lock light was on (I've never seen a BIOS get infected before!?!). Tried to reboot; all I got on screen was the backlight (blank). So I pulled the battery and held the power button down for 20 seconds +/- and got the attached pic.
I'm at a loss!

Attached Files


Edited by truckin2001, 05 October 2014 - 12:12 PM.


#11 Oh My! (Malware Response Instructor)

Posted 05 October 2014 - 12:08 PM

Sorry, no picture attached.
Gary

#12 Oh My! (Malware Response Instructor)

Posted 05 October 2014 - 12:15 PM

Thanks,

Please remove the memory stick(s), use an eraser to clean the contacts and reseat the memory. Attempt to boot again.
Gary

#13 truckin2001 (Topic Starter)

Posted 08 October 2014 - 11:21 AM

Well, that didn't get me far. I also swapped slots with the RAM sticks. All to no avail. I did make it up to the language screen before the video became unreadable.



#14 Oh My! (Malware Response Instructor)

Posted 08 October 2014 - 11:32 AM

OK, thanks for trying that. Please do this now.

===================================================

Using Low Resolution Video From Advanced Startup Options Screen - Windows 7/Vista

--------------------
  • Restart your computer
  • Press F8 until you are presented with the Advanced Startup Options menu
  • Using the down arrow select Enable low resolution video and press Enter
  • Attempt to boot your computer into Normal Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Any difference?

Gary

#15 truckin2001 (Topic Starter)

Posted 11 October 2014 - 04:00 PM

Didn't get much further with low resolution video.... I have all the necessary cables to pull the hard drive and plug it in via USB, if there's anything I can do going that route. I'm at a loss.





