#1

    Need Some Help w/ Virus or Rootkit

    I need a little help with a possible virus or rootkit that I can't seem to find. This is a domain computer and the infection seems to be isolated to one or a couple users. It's being run from Windows\syswow64\dllhost.exe and is trying to load web pages. Win 7 SP1, x64, GPT hard drive. Any help is appreciated.

    DDS (Ver_2012-10-14.05) - NTFS_AMD64
    Internet Explorer: 9.11.9600.17501
    Run by Administrator at 23:28:09 on 2014-12-14
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6028.1334 [GMT -5:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
    .


    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\FBAgent.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Intel\iCLS Client\HeciServer.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
    C:\Windows\SysWOW64\srvany.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
    C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
    C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
    C:\Program Files\AVAST Software\Avast\ng\ngservice.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
    C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\wbengine.exe
    C:\Windows\System32\vds.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Desktop.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    c:\program files (x86)\teamviewer\version8\TeamViewer.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Elantech\ETDCtrl.exe
    C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe
    C:\Program Files\AVAST Software\Avast\avastui.exe
    C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Elantech\ETDCtrlHelper.exe
    C:\Program Files\Elantech\ETDGesture.exe
    C:\Windows\syswow64\dllhost.exe
    C:\Windows\syswow64\dllhost.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Windows\system32\notepad.exe
    C:\Windows\syswow64\systray.exe
    C:\Windows\syswow64\napstat.exe
    C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\rundll32.exe
    C:\Windows\syswow64\systray.exe
    C:\Windows\syswow64\logagent.exe
    C:\Windows\syswow64\cmmon32.exe
    C:\Windows\syswow64\rundll32.exe
    C:\Windows\syswow64\logagent.exe
    C:\Windows\syswow64\logagent.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\syswow64\dvdupgrd.exe
    C:\Windows\syswow64\dllhost.exe
    C:\Windows\syswow64\logagent.exe
    C:\Windows\syswow64\logagent.exe
    C:\Windows\syswow64\ctfmon.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\syswow64\dllhst3g.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.com/
    uDefault_Page_URL = hxxp://asus.msn.com
    mWinlogon: Userinit = userinit.exe,
    BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-Explorer: NoWelcomeScreen = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
    TCP: NameServer = 192.168.75.10
    TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2} : DHCPNameServer = 192.168.75.10
    TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\35573716E6255747475627 : DHCPNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\751627779636B6 : DHCPNameServer = 172.20.200.38 172.20.200.219
    TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\86F6D65627E65647 : DHCPNameServer = 192.168.123.1
    TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\9445 : DHCPNameServer = 71.243.0.14 71.250.0.14
    TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\E4 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{D2B7308A-4BC9-4F23-ADE6-B6081BE466CB} : DHCPNameServer = 192.168.75.10
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    SSODL: WebCheck - <orphaned>
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-22 65776]
    R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2013-3-22 267632]
    R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-3-11 16152]
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswsnx.sys [2013-2-18 1050432]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-2-18 436624]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
    R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-12-11 29208]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-2-18 83280]
    R2 aswStm;aswStm;C:\Windows\System32\drivers\aswStm.sys [2014-12-11 116728]
    R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2011-12-5 195584]
    R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2011-11-30 94720]
    R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2011-11-30 747008]
    R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2012-3-11 200488]
    R3 ibtfltcoex;ibtfltcoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2012-2-14 60928]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-3-11 331264]
    R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-3-11 356120]
    R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-3-11 787736]
    R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2011-12-20 25496]
    R3 MEIx64;Intel(R) Management Engine Interface ;C:\Windows\System32\drivers\HECIx64.sys [2012-7-17 62784]
    R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETwNs64.sys [2011-12-2 11417088]
    R3 RSBASTOR;Realtek PCIE CardReader Driver - BA;C:\Windows\System32\drivers\RtsBaStor.sys [2012-5-4 292968]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-5-4 565352]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
    S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2011-12-5 195584]
    S3 AsusVBus;AsusVBus;C:\Windows\System32\drivers\AsusVBus.sys [2011-12-21 35968]
    S3 AsusVTouch;AsusVTouch;C:\Windows\System32\drivers\AsusVTouch.sys [2011-11-7 16512]
    S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2011-12-20 34200]
    S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2009-6-10 57344]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-3-26 19456]
    S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\System32\drivers\SiSG664.sys [2009-6-10 56832]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-3-26 57856]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-3-26 30208]
    S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
    .
    =============== Created Last 30 ================
    .
    2014-12-14 08:19:36 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{021D3AEB-6718-49ED-9347-ED0C2F9E1607}\offreg.dll
    2014-12-13 03:07:31 -------- d-----w- C:\Fred
    2014-12-12 20:41:13 -------- d-sh--w- C:\Users\administrator\AppData\Local\EmieUserList
    2014-12-12 20:41:13 -------- d-sh--w- C:\Users\administrator\AppData\Local\EmieSiteList
    2014-12-12 20:41:13 -------- d-sh--w- C:\Users\administrator\AppData\Local\EmieBrowserModeList
    2014-12-12 20:07:04 -------- d-----w- C:\Users\administrator\AppData\Roaming\AVAST Software
    2014-12-12 19:33:40 -------- d-----w- C:\AdwCleaner
    2014-12-12 09:02:27 11632448 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{021D3AEB-6718-49ED-9347-ED0C2F9E1607}\mpengine.dll
    2014-12-12 04:20:53 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
    2014-12-12 04:20:19 93400 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
    2014-12-12 04:20:18 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
    2014-12-12 04:20:17 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2014-12-12 04:20:16 -------- d-----w- C:\ProgramData\Malwarebytes
    2014-12-12 04:20:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
    2014-12-12 04:15:15 -------- d-----w- C:\Windows\SysWow64\vbox
    2014-12-12 04:15:15 -------- d-----w- C:\Windows\System32\vbox
    2014-12-12 03:46:33 116728 ----a-w- C:\Windows\System32\drivers\aswStm.sys
    2014-12-12 03:46:32 29208 ----a-w- C:\Windows\System32\drivers\aswHwid.sys
    2014-12-12 03:46:25 43152 ----a-w- C:\Windows\avastSS.scr
    2014-12-11 21:30:18 -------- d-----w- C:\Windows\System32\appraiser
    2014-12-11 16:56:34 2048 ----a-w- C:\Windows\SysWow64\mferror.dll
    2014-12-11 16:56:34 2048 ----a-w- C:\Windows\System32\mferror.dll
    2014-12-11 16:56:33 55808 ----a-w- C:\Windows\System32\rrinstaller.exe
    2014-12-11 16:56:33 24576 ----a-w- C:\Windows\System32\mfpmp.exe
    2014-12-11 16:56:32 50176 ----a-w- C:\Windows\SysWow64\rrinstaller.exe
    2014-12-11 16:56:32 23040 ----a-w- C:\Windows\SysWow64\mfpmp.exe
    2014-12-11 16:56:32 206848 ----a-w- C:\Windows\System32\mfps.dll
    2014-12-11 16:56:32 103424 ----a-w- C:\Windows\SysWow64\mfps.dll
    2014-12-11 16:56:31 3209728 ----a-w- C:\Windows\SysWow64\mf.dll
    2014-12-11 16:56:29 4121600 ----a-w- C:\Windows\System32\mf.dll
    2014-12-10 20:07:05 762400 ------w- C:\Windows\System32\HPDiscoPM7012.dll
    2014-12-10 17:12:59 10949120 ----a-w- C:\Program Files\Internet Explorer\F12Resources.dll
    2014-12-01 15:58:32 3817136 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2014-11-25 19:24:28 24294072 ----a-w- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
    2014-11-25 18:59:38 18638520 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
    2014-11-19 18:00:57 728064 ----a-w- C:\Windows\System32\kerberos.dll
    2014-11-19 18:00:57 241152 ----a-w- C:\Windows\System32\pku2u.dll
    2014-11-19 18:00:57 186880 ----a-w- C:\Windows\SysWow64\pku2u.dll
    2014-11-19 18:00:56 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
    2014-11-19 09:26:34 1614504 ----a-w- C:\Windows\System32\FM20.DLL
    .
    ==================== Find3M ====================
    .
    2014-12-12 04:22:03 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-12-12 04:22:03 701616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2014-12-12 04:20:41 1050432 ----a-w- C:\Windows\System32\drivers\aswsnx.sys
    2014-12-12 03:46:25 93568 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2014-12-12 03:46:25 83280 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2014-12-12 03:46:25 65776 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
    2014-12-12 03:46:25 267632 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
    2014-12-04 02:50:55 413184 ----a-w- C:\Windows\System32\generaltel.dll
    2014-12-04 02:50:45 741376 ----a-w- C:\Windows\System32\invagent.dll
    2014-12-04 02:50:40 396800 ----a-w- C:\Windows\System32\devinv.dll
    2014-12-04 02:50:38 830976 ----a-w- C:\Windows\System32\appraiser.dll
    2014-12-04 02:50:37 227328 ----a-w- C:\Windows\System32\aepdu.dll
    2014-12-04 02:50:37 192000 ----a-w- C:\Windows\System32\aepic.dll
    2014-12-04 02:44:48 1083392 ----a-w- C:\Windows\System32\aeinv.dll
    2014-12-01 23:28:44 1232040 ----a-w- C:\Windows\System32\aitstatic.exe
    2014-11-22 03:06:23 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
    2014-11-22 03:06:11 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
    2014-11-22 02:50:39 66560 ----a-w- C:\Windows\System32\iesetup.dll
    2014-11-22 02:50:10 580096 ----a-w- C:\Windows\System32\vbscript.dll
    2014-11-22 02:49:54 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
    2014-11-22 02:48:20 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
    2014-11-22 02:35:43 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
    2014-11-22 02:35:29 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
    2014-11-22 02:34:51 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
    2014-11-22 02:34:07 6039552 ----a-w- C:\Windows\System32\jscript9.dll
    2014-11-22 02:26:31 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
    2014-11-22 02:20:44 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2014-11-22 02:14:16 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
    2014-11-22 02:07:43 501248 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2014-11-22 02:07:17 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
    2014-11-22 02:06:32 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
    2014-11-22 02:05:02 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
    2014-11-22 01:55:16 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2014-11-22 01:54:30 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
    2014-11-22 01:47:10 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
    2014-11-22 01:46:58 2125312 ----a-w- C:\Windows\System32\inetcpl.cpl
    2014-11-22 01:40:04 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
    2014-11-22 01:29:26 4299264 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2014-11-22 01:28:21 2358272 ----a-w- C:\Windows\System32\wininet.dll
    2014-11-22 01:22:49 2052096 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2014-11-22 01:21:57 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
    2014-11-22 01:00:20 1888256 ----a-w- C:\Windows\SysWow64\wininet.dll
    2014-11-11 03:09:06 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
    2014-11-11 02:44:45 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
    2014-11-11 01:46:26 119296 ----a-w- C:\Windows\System32\drivers\tdx.sys
    2014-11-08 03:16:08 2048 ----a-w- C:\Windows\System32\tzres.dll
    2014-11-08 02:45:09 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2014-11-04 19:30:58 275080 ------w- C:\Windows\System32\MpSigStub.exe
    2014-10-30 02:03:43 165888 ----a-w- C:\Windows\System32\charmap.exe
    2014-10-30 01:45:43 155136 ----a-w- C:\Windows\SysWow64\charmap.exe
    2014-10-25 01:57:59 77824 ----a-w- C:\Windows\System32\packager.dll
    2014-10-25 01:32:37 67584 ----a-w- C:\Windows\SysWow64\packager.dll
    2014-10-18 02:05:23 861696 ----a-w- C:\Windows\System32\oleaut32.dll
    2014-10-18 01:33:18 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
    2014-10-14 02:16:37 155064 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
    2014-10-14 02:13:06 683520 ----a-w- C:\Windows\System32\termsrv.dll
    2014-10-14 02:13:00 3241984 ----a-w- C:\Windows\System32\msi.dll
    2014-10-14 02:12:57 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
    2014-10-14 02:09:31 146432 ----a-w- C:\Windows\System32\msaudite.dll
    2014-10-14 02:07:31 681984 ----a-w- C:\Windows\System32\adtschema.dll
    2014-10-14 01:50:47 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
    2014-10-14 01:50:41 2363904 ----a-w- C:\Windows\SysWow64\msi.dll
    2014-10-14 01:49:38 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
    2014-10-14 01:47:30 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
    2014-10-14 01:46:02 681984 ----a-w- C:\Windows\SysWow64\adtschema.dll
    2014-10-10 00:57:42 3198976 ----a-w- C:\Windows\System32\win32k.sys
    2014-10-03 02:12:23 310272 ----a-w- C:\Windows\System32\WsmWmiPl.dll
    2014-10-03 02:12:23 2020352 ----a-w- C:\Windows\System32\WsmSvc.dll
    2014-10-03 02:12:22 346624 ----a-w- C:\Windows\System32\WSManMigrationPlugin.dll
    2014-10-03 02:12:22 181248 ----a-w- C:\Windows\System32\WsmAuto.dll
    2014-10-03 02:12:00 500224 ----a-w- C:\Windows\System32\AUDIOKSE.dll
    2014-10-03 02:11:54 284672 ----a-w- C:\Windows\System32\EncDump.dll
    2014-10-03 02:11:51 680960 ----a-w- C:\Windows\System32\audiosrv.dll
    2014-10-03 02:11:51 440832 ----a-w- C:\Windows\System32\AudioEng.dll
    2014-10-03 02:11:51 296448 ----a-w- C:\Windows\System32\AudioSes.dll
    2014-10-03 02:11:49 266240 ----a-w- C:\Windows\System32\WSManHTTPConfig.exe
    2014-10-03 01:45:03 248832 ----a-w- C:\Windows\SysWow64\WSManMigrationPlugin.dll
    2014-10-03 01:45:03 214016 ----a-w- C:\Windows\SysWow64\WsmWmiPl.dll
    2014-10-03 01:45:03 145920 ----a-w- C:\Windows\SysWow64\WsmAuto.dll
    2014-10-03 01:45:03 1177088 ----a-w- C:\Windows\SysWow64\WsmSvc.dll
    2014-10-03 01:44:42 442880 ----a-w- C:\Windows\SysWow64\AUDIOKSE.dll
    2014-10-03 01:44:26 374784 ----a-w- C:\Windows\SysWow64\AudioEng.dll
    2014-10-03 01:44:26 195584 ----a-w- C:\Windows\SysWow64\AudioSes.dll
    2014-10-03 01:44:25 198656 ----a-w- C:\Windows\SysWow64\WSManHTTPConfig.exe
    2014-09-25 02:08:38 371712 ----a-w- C:\Windows\System32\qdvd.dll
    2014-09-25 01:40:50 519680 ----a-w- C:\Windows\SysWow64\qdvd.dll
    2014-09-19 09:42:52 210944 ----a-w- C:\Windows\System32\wdigest.dll
    2014-09-19 09:42:51 86528 ----a-w- C:\Windows\System32\TSpkg.dll
    2014-09-19 09:42:49 342016 ----a-w- C:\Windows\System32\schannel.dll
    2014-09-19 09:42:47 314880 ----a-w- C:\Windows\System32\msv1_0.dll
    2014-09-19 09:42:47 309760 ----a-w- C:\Windows\System32\ncrypt.dll
    2014-09-19 09:42:41 22016 ----a-w- C:\Windows\System32\credssp.dll
    2014-09-19 09:23:55 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
    2014-09-19 09:23:52 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
    2014-09-19 09:23:49 248832 ----a-w- C:\Windows\SysWow64\schannel.dll
    2014-09-19 09:23:46 221184 ----a-w- C:\Windows\SysWow64\ncrypt.dll
    2014-09-19 09:23:45 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
    2014-09-19 09:23:36 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
    .
    ============= FINISH: 23:33:07.50 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-10-14.05)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/10/2012 12:49:18 PM
    System Uptime: 12/13/2014 3:09:58 PM (32 hours ago)
    .
    Motherboard: ASUSTeK COMPUTER INC. | | K55A
    Processor: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz | SOCKET 0 | 2501/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 673 GiB total, 584.148 GiB free.
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP320: 12/8/2014 11:59:17 AM - Windows Update
    RP321: 12/8/2014 12:04:39 PM - Windows Backup
    RP322: 12/11/2014 11:48:59 AM - Windows Update
    RP323: 12/11/2014 10:41:19 PM - avast! antivirus system restore point
    RP324: 12/11/2014 10:49:51 PM - Windows Update
    RP325: 12/11/2014 10:59:09 PM - Removed HP Officejet Pro 8600 Basic Device Software
    RP326: 12/11/2014 11:25:55 PM - Removed HP Officejet Pro 8600 Basic Device Software
    RP327: 12/12/2014 3:00:39 AM - Windows Update
    RP328: 12/13/2014 12:52:00 AM - Removed Skype Click to Call
    RP329: 12/14/2014 7:00:27 PM - Windows Backup
    .
    ==== Installed Programs ======================
    .
    7-Zip 9.20 (x64 edition)
    Adobe Flash Player 16 ActiveX
    Adobe Reader XI (11.0.09)
    ASUS AI Recovery
    ASUS Splendid Video Enhancement Technology
    Avast Free Antivirus
    Citrix Online Launcher
    CutePDF Writer 3.0
    CyberLink Media Suite
    Definition Update for Microsoft Office 2010 (KB2910899) 64-Bit Edition
    ETDWare PS/2-X64 10.5.9.0
    Fast Boot
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    HP Officejet Pro 8620 Basic Device Software
    HP Officejet Pro 8620 Help
    inSSIDer 3
    Intel PROSet Wireless
    Intel(R) Manageability Engine Firmware Recovery Agent
    Intel(R) Management Engine Components
    Intel(R) OpenCL CPU Runtime
    Intel(R) Processor Graphics
    Intel(R) PROSet/Wireless for Bluetooth(R) 3.0 + High Speed
    Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology
    Intel(R) USB 3.0 eXtensible Host Controller Driver
    Intel(R) WiDi
    Intel(R) Wireless Display
    Intel® PROSet/Wireless WiFi Software
    Intel® Trusted Connect Service Client
    Malwarebytes Anti-Malware version 2.0.4.1028
    Microsoft .NET Framework 4.5.1
    Microsoft Office 2010
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office Office 32-bit Components 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared 32-bit MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    Realtek PCIE Card Reader
    Security Update for Microsoft .NET Framework 4.5.1 (KB2894854v2)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2972107)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2972216)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2978128)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2979578v2)
    Security Update for Microsoft Excel 2010 (KB2910902) 64-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553154) 64-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553284) 64-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687423) 64-Bit Edition
    Security Update for Microsoft Office 2010 (KB2850016) 64-Bit Edition
    Security Update for Microsoft Office 2010 (KB2880971) 64-Bit Edition
    Security Update for Microsoft Office 2010 (KB2881071) 64-Bit Edition
    Security Update for Microsoft Word 2010 (KB2899519) 64-Bit Edition
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition
    Skype™ 6.11
    TeamViewer 8
    Update for Microsoft Access 2010 (KB2553446) 64-Bit Edition
    Update for Microsoft Excel 2010 (KB2589348) 64-Bit Edition
    Update for Microsoft Filter Pack 2.0 (KB2878281) 64-Bit Edition
    Update for Microsoft InfoPath 2010 (KB2817369) 64-Bit Edition
    Update for Microsoft InfoPath 2010 (KB2817396) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2553140) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2589298) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2589352) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2589375) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2589386) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2597087) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2597089) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2687275) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2760631) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2794737) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2825635) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2825640) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2837581) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2837602) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2837606) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2883019) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2889818) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2889828) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2910896) 64-Bit Edition
    Update for Microsoft OneNote 2010 (KB2597088) 64-Bit Edition
    Update for Microsoft Outlook 2010 (KB2687567) 64-Bit Edition
    Update for Microsoft PowerPoint 2010 (KB2880517) 64-Bit Edition
    Update for Microsoft SharePoint Workspace 2010 (KB2760601) 64-Bit Edition
    Update for Microsoft Visio 2010 (KB2880526) 64-Bit Edition
    Update for Microsoft Visio Viewer 2010 (KB2837587) 64-Bit Edition
    WinFlash
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/14/2014 12:18:59 AM, Error: Schannel [36887] - The following fatal alert was received: 20.
    12/13/2014 9:38:14 PM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 252.
    12/13/2014 3:10:42 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.
    12/13/2014 3:10:32 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    12/13/2014 3:10:30 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain WELLRES due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    12/13/2014 1:50:28 AM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    12/12/2014 11:52:50 PM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    .
    ==== End Of File ===========================

    Results of screen317's Security Check version 0.99.93
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Adobe Reader XI
    Google Chrome (39.0.2171.71)
    Google Chrome (39.0.2171.95)
    ````````Process Check: objlist.exe by Laurent````````
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast ng vbox\AvastVBoxSVC.exe
    AVAST Software Avast ng ngservice.exe
    AVAST Software Avast avastui.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 3%
    ````````````````````End of Log``````````````````````

    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2014-12-13 01:04:57
    -----------------------------
    01:04:57.155 OS Version: Windows x64 6.1.7601 Service Pack 1
    01:04:57.155 Number of processors: 4 586 0x2A07
    01:04:57.168 ComputerName: WR05 UserName:
    01:05:09.332 Initialize success
    01:05:09.350 VM: initialized successfully
    01:05:09.355 VM: Intel CPU supported virtualized
    01:05:13.574 VM: supported disk I/O iaStor.sys
    01:05:18.015 AVAST engine defs: 14121201
    01:05:33.330 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    01:05:33.335 Disk 0 Vendor: Hitachi_ JE4O Size: 715404MB BusType: 3
    01:05:34.199 VM: Disk 0 MBR read successfully
    01:05:34.201 Disk 0 MBR scan
    01:05:34.209 Disk 0 unknown MBR code
    01:05:34.214 Disk 0 Partition 1 00 EE GPT 715404 MB offset 1
    01:05:34.493 Disk 0 scanning C:\Windows\system32\drivers
    01:05:59.821 Service scanning
    01:06:41.667 Modules scanning
    01:06:41.674 Disk 0 trace - called modules:
    01:06:41.707 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
    01:06:41.732 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006028060]
    01:06:41.754 3 CLASSPNP.SYS[fffff88001cbf43f] -> nt!IofCallDriver -> [0xfffffa8005b66570]
    01:06:41.762 5 ACPI.sys[fffff88000f097a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005da5050]
    01:06:46.833 AVAST engine scan C:\Windows
    01:07:02.782 AVAST engine scan C:\Windows\system32
    01:18:35.447 AVAST engine scan C:\Windows\system32\drivers
    01:19:53.745 AVAST engine scan C:\Users\administrator
    01:21:30.931 AVAST engine scan C:\ProgramData
    01:23:55.135 Disk 0 statistics 3709178/0/5 @ 2.09 MB/s
    01:23:55.166 Scan finished successfully
    01:28:20.734 Disk 0 MBR has been saved successfully to "C:\Fred\MBR.dat"
    01:28:20.739 The log file has been saved successfully to "C:\Fred\aswMBR.txt"
    Last edited by Corrine; 12-16-2014 at 07:26 PM. Reason: Removed Code


  2. #2
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,983

    Re: Need Some Help w/ Virus or Rootkit

    Hi, Fred.

    I may have found what you are looking for. The correct location for dllhst3g.exe is C:\WINDOWS\system32\dllcache\dllhst3g.exe, normal size 4,608 bytes. However, the location of the rather old Bckdr-QQX trojan is not in the dllcache subfolder:

    C:\Windows\syswow64\dllhst3g.exe (See SystemLookup - DllHst and DllHst - dllhst3g.exe - Program Information. Sophos description: Troj/Bckdr-QQX)

    That said, because the information I'm finding is old, I suggest you scan the file.

    At Jotti: Jotti's malware scan, upload the filepath shown below into the "File to upload & scan" box at the upper left: C:\Windows\syswow64\dllhst3g.exe

    At VirusTotal, http://www.virustotal.com/ you can do the same thing. However, you may prefer to use the Virus Total Uploader, here. Once it is installed on the 64-bit system, you just navigate to the file, right click on the file and choose Virus Total from the right click menu. When the analysis is complete a VT page will open with the results.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.
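An added triage example, not from the thread or from any tool mentioned in it: a PowerShell snippet that lists every running dllhost.exe or dllhst3g.exe instance with its image path, parent process, Authenticode status, live network connections and SHA-256, so the hash can be looked up at VirusTotal or Jotti without uploading the file. It assumes an elevated Windows PowerShell prompt on the suspect Windows 7 x64 host and the standard `netstat -ano` column layout; the expected paths are the ones discussed in the thread.

```powershell
# Added example (not from the thread): triage every dllhost.exe / dllhst3g.exe process.
# Assumes an elevated Windows PowerShell prompt on the suspect host and uses only what
# ships with Windows 7 (no Get-FileHash, which needs PowerShell 4+).

$expected = @(
    "$env:SystemRoot\System32\dllhost.exe",
    "$env:SystemRoot\SysWOW64\dllhost.exe",
    "$env:SystemRoot\SysWOW64\dllhst3g.exe"   # where Fred found it on two Win7 x64 machines
)

# SHA-256 via .NET so the value can be searched at VirusTotal/Jotti without an upload.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# netstat -ano prints the owning PID as the last column; keep only this process's rows.
function Get-ConnectionsForPid([int]$ProcId) {
    netstat -ano | Select-String "\s$ProcId\s*$" | ForEach-Object { $_.Line.Trim() }
}

Get-WmiObject Win32_Process |
  Where-Object { $_.Name -match '^dllh(ost|st3g)\.exe$' } |
  ForEach-Object {
    $proc   = $_
    $path   = $proc.ExecutablePath
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    New-Object PSObject -Property @{
        PID         = $proc.ProcessId
        Path        = $path
        # -contains compares case-insensitively, so SysWOW64 vs syswow64 does not matter.
        KnownPath   = [bool]($expected -contains $path)
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<exited>' }
        # A genuine COM surrogate is launched as "dllhost.exe /Processid:{CLSID}";
        # anything else on the command line deserves a closer look.
        CommandLine = $proc.CommandLine
        Signature   = if ($sig) { "$($sig.Status) $($sig.SignerCertificate.Subject)" } else { 'n/a' }
        Sha256      = if ($path) { Get-Sha256Hex $path } else { 'n/a' }
        # The reported symptom was dllhost.exe loading web pages, so show its sockets.
        Connections = (Get-ConnectionsForPid $proc.ProcessId) -join "`n"
    }
  } |
  Select-Object PID, Path, KnownPath, Parent, CommandLine, Signature, Sha256, Connections |
  Format-List
```

A clean hash, as Fred got for dllhst3g.exe, only says the file on disk is a known binary; an instance with an unexpected parent, an unusual command line, or live outbound connections is what to follow up on next.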

  3. #3

    Re: Need Some Help w/ Virus or Rootkit

    Hi Corrine, thanks for taking a look. This is a Windows 7 machine so there is no system32\dllcache\ folder. I uploaded dllhst3g.exe to both scanners and they came back clean. I also checked that file on another machine. Both computers have the dllhst3g.exe file in the Syswow64 folder.

  4. #4
    Corrine

    Re: Need Some Help w/ Virus or Rootkit

    I warned you, Fred, that what I found searching was old. I posted that awaiting response to the PM I sent you rather than asking you to run a different scan. However, this is interesting and involves dllhost.exe: How to remove the Poweliks Trojan (Removal Guide)

    I gather neither Avast nor AdwCleaner were helpful. However, if you suspect a rootkit or trojan that you believe is isolated to one or two computers, the first thing is that they need to be disconnected from the LAN. If you haven't done that yet, it needs to be done ASAP. Do you have a separate IT department? With a suspected rootkit, most corporations/businesses would immediately flatten and reinstall. With this being a business environment, I cannot take responsibility for computers that you do not personally own.
    Last edited by Corrine; 12-16-2014 at 11:31 PM.



  5. #5

    Re: Need Some Help w/ Virus or Rootkit

    No problem, Corrine. Thanks for taking a look anyway. I am the IT dept and the computer's already been changed out, no worries. We'll have to get some Sysnative release forms around here.

  6. #6
    Corrine

    Re: Need Some Help w/ Virus or Rootkit

    You're welcome, Fred. The best action for a business computer is to flatten it. If you are going to work on it, you may want to try the ESET tool I linked to in my previous post.


