Need Some Help w/ Virus or Rootkit

Fred Garvin (Sysnative Staff, staff member; joined Feb 22, 2012; 205 posts)
I need a little help with a possible virus or rootkit that I can't seem to find. This is a domain computer and the infection seems to be isolated to one or a couple users. It's being run from Windows\syswow64\dllhost.exe and is trying to load web pages. Win 7 SP1, x64, GPT hard drive. Any help is appreciated.

DDS (Ver_2012-10-14.05) - NTFS_AMD64
Internet Explorer: 9.11.9600.17501
Run by Administrator at 23:28:09 on 2014-12-14
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6028.1334 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.


============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FBAgent.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Windows\SysWOW64\srvany.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
C:\Program Files\AVAST Software\Avast\ng\ngservice.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbengine.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Desktop.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
c:\program files (x86)\teamviewer\version8\TeamViewer.exe
C:\Windows\Explorer.EXE
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\Elantech\ETDGesture.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\notepad.exe
C:\Windows\syswow64\systray.exe
C:\Windows\syswow64\napstat.exe
C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\systray.exe
C:\Windows\syswow64\logagent.exe
C:\Windows\syswow64\cmmon32.exe
C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\logagent.exe
C:\Windows\syswow64\logagent.exe
C:\Windows\system32\DllHost.exe
C:\Windows\syswow64\dvdupgrd.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\logagent.exe
C:\Windows\syswow64\logagent.exe
C:\Windows\syswow64\ctfmon.exe
C:\Windows\system32\conhost.exe
C:\Windows\syswow64\dllhst3g.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://asus.msn.com
mWinlogon: Userinit = userinit.exe,
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
TCP: NameServer = 192.168.75.10
TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2} : DHCPNameServer = 192.168.75.10
TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\35573716E6255747475627 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\751627779636B6 : DHCPNameServer = 172.20.200.38 172.20.200.219
TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\86F6D65627E65647 : DHCPNameServer = 192.168.123.1
TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\9445 : DHCPNameServer = 71.243.0.14 71.250.0.14
TCP: Interfaces\{70068C75-E47B-4FB8-9DD5-39C1C41931E2}\E4 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{D2B7308A-4BC9-4F23-ADE6-B6081BE466CB} : DHCPNameServer = 192.168.75.10
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-22 65776]
R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2013-3-22 267632]
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-3-11 16152]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswsnx.sys [2013-2-18 1050432]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-2-18 436624]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-12-11 29208]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-2-18 83280]
R2 aswStm;aswStm;C:\Windows\System32\drivers\aswStm.sys [2014-12-11 116728]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2011-12-5 195584]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2011-11-30 94720]
R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2011-11-30 747008]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2012-3-11 200488]
R3 ibtfltcoex;ibtfltcoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2012-2-14 60928]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-3-11 331264]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-3-11 356120]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-3-11 787736]
R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2011-12-20 25496]
R3 MEIx64;Intel(R) Management Engine Interface ;C:\Windows\System32\drivers\HECIx64.sys [2012-7-17 62784]
R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETwNs64.sys [2011-12-2 11417088]
R3 RSBASTOR;Realtek PCIE CardReader Driver - BA;C:\Windows\System32\drivers\RtsBaStor.sys [2012-5-4 292968]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-5-4 565352]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2011-12-5 195584]
S3 AsusVBus;AsusVBus;C:\Windows\System32\drivers\AsusVBus.sys [2011-12-21 35968]
S3 AsusVTouch;AsusVTouch;C:\Windows\System32\drivers\AsusVTouch.sys [2011-11-7 16512]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2011-12-20 34200]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2009-6-10 57344]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-3-26 19456]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\System32\drivers\SiSG664.sys [2009-6-10 56832]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-3-26 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-3-26 30208]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
.
=============== Created Last 30 ================
.
2014-12-14 08:19:36 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{021D3AEB-6718-49ED-9347-ED0C2F9E1607}\offreg.dll
2014-12-13 03:07:31 -------- d-----w- C:\Fred
2014-12-12 20:41:13 -------- d-sh--w- C:\Users\administrator\AppData\Local\EmieUserList
2014-12-12 20:41:13 -------- d-sh--w- C:\Users\administrator\AppData\Local\EmieSiteList
2014-12-12 20:41:13 -------- d-sh--w- C:\Users\administrator\AppData\Local\EmieBrowserModeList
2014-12-12 20:07:04 -------- d-----w- C:\Users\administrator\AppData\Roaming\AVAST Software
2014-12-12 19:33:40 -------- d-----w- C:\AdwCleaner
2014-12-12 09:02:27 11632448 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{021D3AEB-6718-49ED-9347-ED0C2F9E1607}\mpengine.dll
2014-12-12 04:20:53 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-12-12 04:20:19 93400 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-12-12 04:20:18 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-12-12 04:20:17 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-12-12 04:20:16 -------- d-----w- C:\ProgramData\Malwarebytes
2014-12-12 04:20:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-12 04:15:15 -------- d-----w- C:\Windows\SysWow64\vbox
2014-12-12 04:15:15 -------- d-----w- C:\Windows\System32\vbox
2014-12-12 03:46:33 116728 ----a-w- C:\Windows\System32\drivers\aswStm.sys
2014-12-12 03:46:32 29208 ----a-w- C:\Windows\System32\drivers\aswHwid.sys
2014-12-12 03:46:25 43152 ----a-w- C:\Windows\avastSS.scr
2014-12-11 21:30:18 -------- d-----w- C:\Windows\System32\appraiser
2014-12-11 16:56:34 2048 ----a-w- C:\Windows\SysWow64\mferror.dll
2014-12-11 16:56:34 2048 ----a-w- C:\Windows\System32\mferror.dll
2014-12-11 16:56:33 55808 ----a-w- C:\Windows\System32\rrinstaller.exe
2014-12-11 16:56:33 24576 ----a-w- C:\Windows\System32\mfpmp.exe
2014-12-11 16:56:32 50176 ----a-w- C:\Windows\SysWow64\rrinstaller.exe
2014-12-11 16:56:32 23040 ----a-w- C:\Windows\SysWow64\mfpmp.exe
2014-12-11 16:56:32 206848 ----a-w- C:\Windows\System32\mfps.dll
2014-12-11 16:56:32 103424 ----a-w- C:\Windows\SysWow64\mfps.dll
2014-12-11 16:56:31 3209728 ----a-w- C:\Windows\SysWow64\mf.dll
2014-12-11 16:56:29 4121600 ----a-w- C:\Windows\System32\mf.dll
2014-12-10 20:07:05 762400 ------w- C:\Windows\System32\HPDiscoPM7012.dll
2014-12-10 17:12:59 10949120 ----a-w- C:\Program Files\Internet Explorer\F12Resources.dll
2014-12-01 15:58:32 3817136 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2014-11-25 19:24:28 24294072 ----a-w- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
2014-11-25 18:59:38 18638520 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
2014-11-19 18:00:57 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-11-19 18:00:57 241152 ----a-w- C:\Windows\System32\pku2u.dll
2014-11-19 18:00:57 186880 ----a-w- C:\Windows\SysWow64\pku2u.dll
2014-11-19 18:00:56 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-11-19 09:26:34 1614504 ----a-w- C:\Windows\System32\FM20.DLL
.
==================== Find3M ====================
.
2014-12-12 04:22:03 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-12 04:22:03 701616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-12-12 04:20:41 1050432 ----a-w- C:\Windows\System32\drivers\aswsnx.sys
2014-12-12 03:46:25 93568 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2014-12-12 03:46:25 83280 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2014-12-12 03:46:25 65776 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2014-12-12 03:46:25 267632 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2014-12-04 02:50:55 413184 ----a-w- C:\Windows\System32\generaltel.dll
2014-12-04 02:50:45 741376 ----a-w- C:\Windows\System32\invagent.dll
2014-12-04 02:50:40 396800 ----a-w- C:\Windows\System32\devinv.dll
2014-12-04 02:50:38 830976 ----a-w- C:\Windows\System32\appraiser.dll
2014-12-04 02:50:37 227328 ----a-w- C:\Windows\System32\aepdu.dll
2014-12-04 02:50:37 192000 ----a-w- C:\Windows\System32\aepic.dll
2014-12-04 02:44:48 1083392 ----a-w- C:\Windows\System32\aeinv.dll
2014-12-01 23:28:44 1232040 ----a-w- C:\Windows\System32\aitstatic.exe
2014-11-22 03:06:23 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-11-22 03:06:11 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39 66560 ----a-w- C:\Windows\System32\iesetup.dll
2014-11-22 02:50:10 580096 ----a-w- C:\Windows\System32\vbscript.dll
2014-11-22 02:49:54 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2014-11-22 02:35:43 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-11-22 02:35:29 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-11-22 02:34:51 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-11-22 02:34:07 6039552 ----a-w- C:\Windows\System32\jscript9.dll
2014-11-22 02:26:31 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43 501248 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-11-22 02:07:17 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-11-22 02:06:32 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2014-11-22 01:55:16 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-11-22 01:54:30 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58 2125312 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-11-22 01:40:04 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26 4299264 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-11-22 01:28:21 2358272 ----a-w- C:\Windows\System32\wininet.dll
2014-11-22 01:22:49 2052096 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20 1888256 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-11-11 03:09:06 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-11-11 02:44:45 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-11-11 01:46:26 119296 ----a-w- C:\Windows\System32\drivers\tdx.sys
2014-11-08 03:16:08 2048 ----a-w- C:\Windows\System32\tzres.dll
2014-11-08 02:45:09 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2014-11-04 19:30:58 275080 ------w- C:\Windows\System32\MpSigStub.exe
2014-10-30 02:03:43 165888 ----a-w- C:\Windows\System32\charmap.exe
2014-10-30 01:45:43 155136 ----a-w- C:\Windows\SysWow64\charmap.exe
2014-10-25 01:57:59 77824 ----a-w- C:\Windows\System32\packager.dll
2014-10-25 01:32:37 67584 ----a-w- C:\Windows\SysWow64\packager.dll
2014-10-18 02:05:23 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2014-10-18 01:33:18 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2014-10-14 02:16:37 155064 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:06 683520 ----a-w- C:\Windows\System32\termsrv.dll
2014-10-14 02:13:00 3241984 ----a-w- C:\Windows\System32\msi.dll
2014-10-14 02:12:57 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-10-14 02:09:31 146432 ----a-w- C:\Windows\System32\msaudite.dll
2014-10-14 02:07:31 681984 ----a-w- C:\Windows\System32\adtschema.dll
2014-10-14 01:50:47 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-10-14 01:50:41 2363904 ----a-w- C:\Windows\SysWow64\msi.dll
2014-10-14 01:49:38 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-10-14 01:47:30 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2014-10-14 01:46:02 681984 ----a-w- C:\Windows\SysWow64\adtschema.dll
2014-10-10 00:57:42 3198976 ----a-w- C:\Windows\System32\win32k.sys
2014-10-03 02:12:23 310272 ----a-w- C:\Windows\System32\WsmWmiPl.dll
2014-10-03 02:12:23 2020352 ----a-w- C:\Windows\System32\WsmSvc.dll
2014-10-03 02:12:22 346624 ----a-w- C:\Windows\System32\WSManMigrationPlugin.dll
2014-10-03 02:12:22 181248 ----a-w- C:\Windows\System32\WsmAuto.dll
2014-10-03 02:12:00 500224 ----a-w- C:\Windows\System32\AUDIOKSE.dll
2014-10-03 02:11:54 284672 ----a-w- C:\Windows\System32\EncDump.dll
2014-10-03 02:11:51 680960 ----a-w- C:\Windows\System32\audiosrv.dll
2014-10-03 02:11:51 440832 ----a-w- C:\Windows\System32\AudioEng.dll
2014-10-03 02:11:51 296448 ----a-w- C:\Windows\System32\AudioSes.dll
2014-10-03 02:11:49 266240 ----a-w- C:\Windows\System32\WSManHTTPConfig.exe
2014-10-03 01:45:03 248832 ----a-w- C:\Windows\SysWow64\WSManMigrationPlugin.dll
2014-10-03 01:45:03 214016 ----a-w- C:\Windows\SysWow64\WsmWmiPl.dll
2014-10-03 01:45:03 145920 ----a-w- C:\Windows\SysWow64\WsmAuto.dll
2014-10-03 01:45:03 1177088 ----a-w- C:\Windows\SysWow64\WsmSvc.dll
2014-10-03 01:44:42 442880 ----a-w- C:\Windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44:26 374784 ----a-w- C:\Windows\SysWow64\AudioEng.dll
2014-10-03 01:44:26 195584 ----a-w- C:\Windows\SysWow64\AudioSes.dll
2014-10-03 01:44:25 198656 ----a-w- C:\Windows\SysWow64\WSManHTTPConfig.exe
2014-09-25 02:08:38 371712 ----a-w- C:\Windows\System32\qdvd.dll
2014-09-25 01:40:50 519680 ----a-w- C:\Windows\SysWow64\qdvd.dll
2014-09-19 09:42:52 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-09-19 09:42:51 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-09-19 09:42:49 342016 ----a-w- C:\Windows\System32\schannel.dll
2014-09-19 09:42:47 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-09-19 09:42:47 309760 ----a-w- C:\Windows\System32\ncrypt.dll
2014-09-19 09:42:41 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-09-19 09:23:55 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
2014-09-19 09:23:52 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2014-09-19 09:23:49 248832 ----a-w- C:\Windows\SysWow64\schannel.dll
2014-09-19 09:23:46 221184 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2014-09-19 09:23:45 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2014-09-19 09:23:36 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
.
============= FINISH: 23:33:07.50 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-14.05)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/10/2012 12:49:18 PM
System Uptime: 12/13/2014 3:09:58 PM (32 hours ago)
.
Motherboard: ASUSTeK COMPUTER INC. | | K55A
Processor: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz | SOCKET 0 | 2501/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 673 GiB total, 584.148 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP320: 12/8/2014 11:59:17 AM - Windows Update
RP321: 12/8/2014 12:04:39 PM - Windows Backup
RP322: 12/11/2014 11:48:59 AM - Windows Update
RP323: 12/11/2014 10:41:19 PM - avast! antivirus system restore point
RP324: 12/11/2014 10:49:51 PM - Windows Update
RP325: 12/11/2014 10:59:09 PM - Removed HP Officejet Pro 8600 Basic Device Software
RP326: 12/11/2014 11:25:55 PM - Removed HP Officejet Pro 8600 Basic Device Software
RP327: 12/12/2014 3:00:39 AM - Windows Update
RP328: 12/13/2014 12:52:00 AM - Removed Skype Click to Call
RP329: 12/14/2014 7:00:27 PM - Windows Backup
.
==== Installed Programs ======================
.
7-Zip 9.20 (x64 edition)
Adobe Flash Player 16 ActiveX
Adobe Reader XI (11.0.09)
ASUS AI Recovery
ASUS Splendid Video Enhancement Technology
Avast Free Antivirus
Citrix Online Launcher
CutePDF Writer 3.0
CyberLink Media Suite
Definition Update for Microsoft Office 2010 (KB2910899) 64-Bit Edition
ETDWare PS/2-X64 10.5.9.0
Fast Boot
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HP Officejet Pro 8620 Basic Device Software
HP Officejet Pro 8620 Help
inSSIDer 3
Intel PROSet Wireless
Intel(R) Manageability Engine Firmware Recovery Agent
Intel(R) Management Engine Components
Intel(R) OpenCL CPU Runtime
Intel(R) Processor Graphics
Intel(R) PROSet/Wireless for Bluetooth(R) 3.0 + High Speed
Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology
Intel(R) USB 3.0 eXtensible Host Controller Driver
Intel(R) WiDi
Intel(R) Wireless Display
Intel® PROSet/Wireless WiFi Software
Intel® Trusted Connect Service Client
Malwarebytes Anti-Malware version 2.0.4.1028
Microsoft .NET Framework 4.5.1
Microsoft Office 2010
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Office 32-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 32-bit MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek PCIE Card Reader
Security Update for Microsoft .NET Framework 4.5.1 (KB2894854v2)
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
Security Update for Microsoft .NET Framework 4.5.1 (KB2972107)
Security Update for Microsoft .NET Framework 4.5.1 (KB2972216)
Security Update for Microsoft .NET Framework 4.5.1 (KB2978128)
Security Update for Microsoft .NET Framework 4.5.1 (KB2979578v2)
Security Update for Microsoft Excel 2010 (KB2910902) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2553154) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2880971) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2881071) 64-Bit Edition
Security Update for Microsoft Word 2010 (KB2899519) 64-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition
Skype™ 6.11
TeamViewer 8
Update for Microsoft Access 2010 (KB2553446) 64-Bit Edition
Update for Microsoft Excel 2010 (KB2589348) 64-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2878281) 64-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 64-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817396) 64-Bit Edition
Update for Microsoft Office 2010 (KB2553140) 64-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 64-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 64-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 64-Bit Edition
Update for Microsoft Office 2010 (KB2589386) 64-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 64-Bit Edition
Update for Microsoft Office 2010 (KB2597089) 64-Bit Edition
Update for Microsoft Office 2010 (KB2687275) 64-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 64-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 64-Bit Edition
Update for Microsoft Office 2010 (KB2825635) 64-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 64-Bit Edition
Update for Microsoft Office 2010 (KB2837581) 64-Bit Edition
Update for Microsoft Office 2010 (KB2837602) 64-Bit Edition
Update for Microsoft Office 2010 (KB2837606) 64-Bit Edition
Update for Microsoft Office 2010 (KB2883019) 64-Bit Edition
Update for Microsoft Office 2010 (KB2889818) 64-Bit Edition
Update for Microsoft Office 2010 (KB2889828) 64-Bit Edition
Update for Microsoft Office 2010 (KB2910896) 64-Bit Edition
Update for Microsoft OneNote 2010 (KB2597088) 64-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 64-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2880517) 64-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 64-Bit Edition
Update for Microsoft Visio 2010 (KB2880526) 64-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2837587) 64-Bit Edition
WinFlash
.
==== Event Viewer Messages From Past Week ========
.
12/14/2014 12:18:59 AM, Error: Schannel [36887] - The following fatal alert was received: 20.
12/13/2014 9:38:14 PM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 252.
12/13/2014 3:10:42 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.
12/13/2014 3:10:32 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
12/13/2014 3:10:30 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain WELLRES due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
12/13/2014 1:50:28 AM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
12/12/2014 11:52:50 PM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
.
==== End Of File ===========================

Results of screen317's Security Check version 0.99.93
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Adobe Reader XI
Google Chrome (39.0.2171.71)
Google Chrome (39.0.2171.95)
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast ng vbox\AvastVBoxSVC.exe
AVAST Software Avast ng ngservice.exe
AVAST Software Avast avastui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````

aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2014-12-13 01:04:57
-----------------------------
01:04:57.155 OS Version: Windows x64 6.1.7601 Service Pack 1
01:04:57.155 Number of processors: 4 586 0x2A07
01:04:57.168 ComputerName: WR05 UserName:
01:05:09.332 Initialize success
01:05:09.350 VM: initialized successfully
01:05:09.355 VM: Intel CPU supported virtualized
01:05:13.574 VM: supported disk I/O iaStor.sys
01:05:18.015 AVAST engine defs: 14121201
01:05:33.330 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:05:33.335 Disk 0 Vendor: Hitachi_ JE4O Size: 715404MB BusType: 3
01:05:34.199 VM: Disk 0 MBR read successfully
01:05:34.201 Disk 0 MBR scan
01:05:34.209 Disk 0 unknown MBR code
01:05:34.214 Disk 0 Partition 1 00 EE GPT 715404 MB offset 1
01:05:34.493 Disk 0 scanning C:\Windows\system32\drivers
01:05:59.821 Service scanning
01:06:41.667 Modules scanning
01:06:41.674 Disk 0 trace - called modules:
01:06:41.707 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
01:06:41.732 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006028060]
01:06:41.754 3 CLASSPNP.SYS[fffff88001cbf43f] -> nt!IofCallDriver -> [0xfffffa8005b66570]
01:06:41.762 5 ACPI.sys[fffff88000f097a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005da5050]
01:06:46.833 AVAST engine scan C:\Windows
01:07:02.782 AVAST engine scan C:\Windows\system32
01:18:35.447 AVAST engine scan C:\Windows\system32\drivers
01:19:53.745 AVAST engine scan C:\Users\administrator
01:21:30.931 AVAST engine scan C:\ProgramData
01:23:55.135 Disk 0 statistics 3709178/0/5 @ 2.09 MB/s
01:23:55.166 Scan finished successfully
01:28:20.734 Disk 0 MBR has been saved successfully to "C:\Fred\MBR.dat"
01:28:20.739 The log file has been saved successfully to "C:\Fred\aswMBR.txt"
 
Hi, Fred.

I may have found what you are looking for. The correct location for dllhst3g.exe is C:\WINDOWS\system32\dllcache\dllhst3g.exe, normal size 4,608 bytes. However, the location of the rather old Bckdr-QQX trojan is not in the dllcache subfolder:

C:\Windows\syswow64\dllhst3g.exe (See SystemLookup - DllHst and DllHst - dllhst3g.exe - Program Information. Sophos description: Troj/Bckdr-QQX)

That said, because the information I'm finding is old, I suggest you scan the file.

At Jotti: Jotti's malware scan, upload the filepath shown below into the "File to upload & scan" box at the upper left: C:\Windows\syswow64\dllhst3g.exe

At VirusTotal, http://www.virustotal.com/ you can do the same thing. However, you may prefer to use the Virus Total Uploader, here. Once it is installed on the 64-bit system, you just navigate to the file, right click on the file and choose Virus Total from the right click menu. When the analysis is complete a VT page will open with the results.
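Before uploading anything, it is worth pulling the file facts Corrine is asking about (location, size, hash, signature) for every dllhost/dllhst3g binary on the box in one pass, and comparing the hashes with a known-good machine of the same build. The hash can also be looked up on VirusTotal directly, which avoids shipping a possibly internal file anywhere. The script below is an added example for this thread, not something from the original posts; it assumes PowerShell 4.0 or later (for Get-FileHash) run elevated on the suspect machine, and the $ReferenceHashes table is a constructed placeholder whose value is not a real hash.

```powershell
# Added example (not from the Sysnative thread): triage the dllhost binaries
# Fred is asking about without uploading anything.
# Assumes PowerShell 4.0+ (Get-FileHash) run elevated on the suspect machine.

$Candidates = @(
    "$env:windir\System32\dllhost.exe",
    "$env:windir\System32\dllhst3g.exe",
    "$env:windir\SysWOW64\dllhost.exe",
    "$env:windir\SysWOW64\dllhst3g.exe"
)

# Constructed placeholder: fill this from Get-FileHash output on a clean
# machine of the same Windows build. The value below is NOT a real hash.
$ReferenceHashes = @{
    "$env:windir\SysWOW64\dllhst3g.exe" = "0000000000000000000000000000000000000000000000000000000000000000"
}

function Get-DllhostTriage {
    param([string[]]$Paths, [hashtable]$Reference)

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A dllhost variant that should exist but does not is as interesting
            # as one in the wrong place; record it rather than skipping it.
            [pscustomobject]@{ Path = $p; Present = $false }
            continue
        }

        $item = Get-Item -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $p

        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        $matchesRef = 'no reference'
        if ($Reference.ContainsKey($p)) { $matchesRef = ($Reference[$p] -eq $hash) }

        [pscustomobject]@{
            Path       = $p
            Present    = $true
            SizeBytes  = $item.Length
            Modified   = $item.LastWriteTimeUtc
            SHA256     = $hash
            Signature  = $sig.Status     # see note on catalog-signed files below
            Signer     = $signer
            MatchesRef = $matchesRef
        }
    }
}

Get-DllhostTriage -Paths $Candidates -Reference $ReferenceHashes | Format-List
```

One caveat: many Windows 7 system binaries are signed through a security catalog rather than with an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly genuine file. Treat that status as "check further", not as a verdict, and confirm with `sfc /verifyfile=<path>` or Sysinternals sigcheck (`sigcheck -a <path>`), both of which consult the catalogs. A hash that differs from the clean machine's copy, or a LastWriteTime that does not match the other system files from the same update, is the stronger signal.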
 
Hi Corrine, thanks for taking a look. This is a Windows 7 machine so there is no system32\dllcache\ folder. I uploaded dllhst3g.exe to both scanners and they came back clean. I also checked that file on another machine. Both computers have the dllhst3g.exe file in the Syswow64 folder.
 
I warned you, Fred, that what I found searching was old. I posted that awaiting response to the PM I sent you rather than asking you to run a different scan. However, this is interesting and involves dllhost.exe: How to remove the Poweliks Trojan (Removal Guide)

I gather neither Avast nor AdwCleaner were helpful. However, if you suspect a rootkit or trojan that you believe is isolated to one or two computers, the first thing is that they need to be disconnected from the LAN. If you haven't done that yet, it needs to be done ASAP. Do you have a separate IT department? With a suspected rootkit, most corporations/businesses would immediately flatten and reinstall. With this being a business environment, I cannot take responsibility for computers that you do not personally own.
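The Poweliks pointer fits the evidence better than a bad dllhst3g.exe does: Poweliks is a registry-resident trojan that runs its code through dllhost.exe, so the binary on disk scans clean while the process still misbehaves, and because it lives in the user's hive it shows up for "one or a couple users" rather than the whole machine. Two things are worth checking on a box like this before it is flattened: what every running dllhost.exe was actually told to host and who started it, and whether the CLSID named in the DCOM 10000 event in Fred's log ({AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}) has a per-user registration overriding the machine-wide one. The script below is an added example for this thread, not from the original posts; it assumes PowerShell 3.0 or later, run elevated inside the affected user's session, and the CLSID list is taken from the event log Fred posted.

```powershell
# Added example (not from the Sysnative thread): triage for registry-resident
# abuse of dllhost.exe. Assumes PowerShell 3.0+ run elevated in the session
# of the affected user. The CLSID comes from the DCOM 10000 event Fred posted;
# add any others that appear in "Unable to start a DCOM Server" events.
$ClsidsFromEvents = @('{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}')

function Get-DllhostProcessInfo {
    # Every running dllhost.exe: image path, what it was asked to host, and
    # its parent. The normal form is "dllhost.exe /Processid:{CLSID}" started
    # by svchost.exe (the DcomLaunch group); anything else deserves a look.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        [pscustomobject]@{
            PID         = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            ParentPID   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            Started     = $p.CreationDate
        }
    }
}

function Get-ClsidRegistration {
    param([string[]]$Clsids)
    # COM merges the per-user Classes keys (HKCU) over the machine-wide ones
    # (HKLM), so an entry that exists only under HKCU redirects activation of
    # that CLSID for this user alone. Wow6432Node is the view a 32-bit process
    # such as SysWOW64\dllhost.exe resolves against.
    $roots = [ordered]@{
        'HKCU'     = 'HKCU:\Software\Classes\CLSID'
        'HKCU-x86' = 'HKCU:\Software\Classes\Wow6432Node\CLSID'
        'HKLM'     = 'HKLM:\Software\Classes\CLSID'
        'HKLM-x86' = 'HKLM:\Software\Classes\Wow6432Node\CLSID'
    }
    foreach ($c in $Clsids) {
        foreach ($r in $roots.GetEnumerator()) {
            foreach ($server in 'LocalServer32', 'InprocServer32') {
                $key = "$($r.Value)\$c\$server"
                if (Test-Path -LiteralPath $key) {
                    [pscustomobject]@{
                        CLSID  = $c
                        View   = $r.Key
                        Server = $server
                        Target = (Get-ItemProperty -LiteralPath $key).'(default)'
                    }
                }
            }
        }
    }
}

Get-DllhostProcessInfo | Format-List
Get-ClsidRegistration -Clsids $ClsidsFromEvents | Format-Table -AutoSize
```

Read the second table against the same query on the clean machine: a HKCU or HKCU-x86 row for a CLSID that the clean machine only registers under HKLM, or a Target that is not a Microsoft DLL under System32/SysWOW64, is the per-user COM hijack to pull apart. Since this is Windows 7, Get-NetTCPConnection is not available; an elevated `netstat -anob` will tie the "trying to load web pages" connections back to the dllhost PIDs in the first list. None of this replaces Corrine's advice to isolate the machine and flatten it; it is what you collect first so the rebuild is informed and the other machines can be checked for the same registration.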
 
No problem, Corrine. Thanks for taking a look anyway. I am the IT dept and the computer's already been changed out, no worries. We'll have to get some Sysnative release forms around here.
 
You're welcome, Fred. The best action for a business computer is to flatten it. If you are going to work on it, you may want to try the ESET tool I linked to in my previous post.
 
