Potential Bot infection - Windows 7 can't boot


Post by Davvy » July 29th, 2015, 9:27 am

Hello all,

My rig is a Pentium i7 machine, running Win 7 Professional. For the last 3 months or so, I've been advised by my ISP Comcast that I may have a bot.

I've run several scans using Malwarebytes Antimalware, ESET, and MS Security Essentials, without any detection of malware. However, the machine started to crash more and more often, especially while I play an online game, World of Warcraft. I ran chkdsk several times to find and repair any disk errors, but that didn't seem to help either. Finally it crashed to a blue screen a couple of days ago, and has since been unable to boot, giving me 2 options each time: Repair computer or Boot normally. I've tried the Repair computer route several times, and it's told me it's repaired a corrupted file system, but when I try restarting, it fails to boot normally again. I've gone back to the original Windows installation disk, with similar results. Essentially I'm stuck in an endless loop of "Repair my computer", without any apparent hope of breaking out of this.

I would be very thankful if you can help me with this problem. I've looked through the website here but have not found any specific thread addressing this problem yet. If there is such.

Thank you very much for your help!

Davvy
Davvy
Regular Member
 
Posts: 22
Joined: June 6th, 2012, 11:59 pm

Re: Potential Bot infection - Windows 7 can't boot

Post by Gary R » July 29th, 2015, 11:20 am

Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Potential Bot infection - Windows 7 can't boot

Post by Davvy » July 29th, 2015, 8:33 pm

No I was not able to do either. I believe the drive has crashed. I've pulled it out and going to try to retrieve important data from it. I'll give a report here as soon as I find out more, thank you very much for your quick response.

Davvy

Re: Potential Bot infection - Windows 7 can't boot

Post by Gary R » July 30th, 2015, 1:13 am

You might also be able to get your info off your drive using a Linux Distro .... viewtopic.php?p=618146#p618146

Good luck.

Re: Potential Bot infection - Windows 7 can't boot

Post by Davvy » July 30th, 2015, 1:53 am

Thanks again, Gary! I will follow your instructions tomorrow, and hope that they will work out.

Today I took the drive to a computer repair shop. They did what they called a Level 1 recovery attempt, which failed. They then went on to a Level 2 scan, and after about 3 hours told me that they now believe they can recover up to 95% of the data. However, it may be very expensive if I agree to let them do it. I will go get my drive back tomorrow, take it home and try out the Linux method. I actually have a PC that's got a dual XP/Ubuntu OS. Would that work also? I'm still going to try your Puppy Linux method though; it sounds really interesting.

Well, I shall definitely give you a report, thanks again Gary.

Davy

Re: Potential Bot infection - Windows 7 can't boot

Post by Gary R » July 30th, 2015, 4:30 am

I don't know whether slaving your drive to your XP/Ubuntu machine would work, I've never tried to do that, but I do know that the Puppy method works in a great many cases.

Hope it's successful for you, and that you can avoid the expense of a shop recovery.

Re: Potential Bot infection - Windows 7 can't boot

Post by Davvy » July 31st, 2015, 11:20 pm

Ah, luck! I have been able to read the drive, using a bootable Ubuntu DVD-ROM. I tried Puppy Linux on a USB flash drive, but for some reason it did not boot, even after I checked everything: the downloaded ISO file, how to burn it onto the stick, and that I had set the boot sequence right on the PC I was using. I then pulled out an old Ubuntu 14.04 boot disk I'd made last year, popped it in the optical drive, and bang, it loaded, and had no trouble reading the drive. So I have been busy for the last day or so copying as many of my files on the crashed drive to a new external USB drive as possible. As far as I can tell, a lot of them are good, i.e. I can look at photos, read my text docs, view videos, etc. I just don't know about the Windows system files or the ones needed for booting up the Windows 7 OS.

I still have a few questions, if you wouldn't mind answering them:

1. Would it be useful to copy the Program Files, Program Files (x86), Program Data folders? Would they help, or speed up a repopulating of a new drive with the programs I've been running?
2. If the crash was caused by a virus, can I still reformat the drive, using a low-level format, and be safe to re-install Windows on it?

If there is any way I can safely reformat the drive and use it again, that would be great (it's a 1TB WD drive, about 3 years old). But if you recommend against it, I will wait and get a new one.

Thank you again for your kind help, Gary!

Davvy

Re: Potential Bot infection - Windows 7 can't boot

Post by Gary R » August 1st, 2015, 1:18 am

You're welcome. :)

I'm glad to hear that you had luck with the Ubuntu disk. Sorry Puppy didn't work, I can only presume your computer had hardware that Puppy isn't compatible with. That's the only trouble with Linux, you need to find a version that's compatible with your own machine. Personally, I'd love to have a play with Ubuntu, but it just doesn't run on my machine.

OK, in answer to your questions.

1. No, there's no point in copying the Program Files etc., since you won't have the corresponding Registry information to launch the programs stored in them, and it's impossible to know exactly what registry keys you'd need to back up to go with each of the programs. The only thing you can do is make a list of the programs currently installed in both the Program Files and Program Files (x86) folders, so that you know what you need to re-install to get things back to "normal" (or as near to that as possible).

In any case, if you did have an infection, it's much more likely to be found in the executable files in those 2 folders than anywhere else, so you don't want to re-introduce them after you've formatted your drive. The only files you want to re-introduce to your newly formatted machine are the non-executable data files that contain all your personal data (such as pictures, music, films, word processor documents, databases, spreadsheets, bookmarks etc. etc.)

2. If you reformat your drive, no infection will survive the process. The only way it can re-infect you is if you re-introduce it after the reformat, and if you only re-introduce data files, that's not likely to happen (if it does, come back here, and we'll see what we can do about it). Theoretically it is possible to make an infection that does survive a format, but in 10 years of dealing with infections I've never yet seen one. So go ahead and reformat, and you should be fine.

Hope that answers things for you, if not get back to me.

Re: Potential Bot infection - Windows 7 can't boot

Post by Davvy » August 1st, 2015, 4:10 am

Alright, thanks again Gary! One last question: should I do a low-level format, i.e. zero out the drive, or just a quick format, before reinstalling Windows? I need to put Win 7 back on, then will upgrade to Win 10 later.

Davvy

Re: Potential Bot infection - Windows 7 can't boot

Post by Gary R » August 1st, 2015, 1:11 pm

Quick format should do it.

Personally I would not upgrade to W10 until they change a number of things with that OS.

http://www.forbes.com/sites/gordonkelly ... r=yahootix
http://www.rt.com/usa/311304-new-window ... cy-issues/

Re: Potential Bot infection - Windows 7 can't boot

Post by Davvy » August 2nd, 2015, 3:08 pm

Hello again, Gary.

I have reformatted the drive's partitions (one main big one, one tiny one reserved by the system), deleted them, and reinstalled Windows 7 Professional on the drive. After working through and re-installing all the drivers I needed, it was great to once again be able to use the machine. I re-installed a few programs, including iTunes, and everything seemed to be humming along fine. However, that same day I got another warning message from Comcast telling me they've again detected a bot on my network. There are 3 computers on our home network, mine is the most heavily used, and this warning came right after I'd been able to get my PC back in working order. I've also done extensive malware scanning on the other two machines in the recent past, so I'm going to assume that it is my PC which somehow is still infected.

I wanted to test for this, so I re-installed the game that had given me the most visible signs of something not going well with my machine: World of Warcraft. It took some time, but I did that. I started playing the game, not doing much, just hanging around town with one of my characters and sorting through my bank items. Bang, I crashed after less than 30 minutes. I tried several more times, and gave up after having crashed 4 times in a row, each time within 10, 15 minutes. Since WoW is a 10 year old game, its graphics requirements have never been a problem for my machine (it's an i7 processor with a GTX 570 NVidia graphics card, plenty of RAM), so something is definitely still wrong.

Following the instructions on this board, I am going to run a DDS scan on the machine next, and will post the logs for you to look at here. Hopefully you'll be able to guide me through this process and somehow find a way to eradicate this problem once and for all.

Thanks again Gary!

Re: Potential Bot infection - Windows 7 can't boot

Post by Davvy » August 3rd, 2015, 2:42 am

DDS.txt:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17840
Run by Davvy at 23:00:23 on 2015-08-02
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8169.5680 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\WebUpdateSvc4.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\Davvy\AppData\Local\Apps\2.0\7K674MMT.9EO\XLJMY6J7.BY1\curs..tion_9e9e83ddf3ed3ead_0005.0001_fb8944c2684f5b6c\CurseClient.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Davvy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{8934B15D-8737-4849-9BAC-E6E803F45964} : DHCPNameServer = 192.168.0.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.125\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Davvy\AppData\Roaming\Mozilla\Firefox\Profiles\imq1jxmk.default\
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.28.5\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.40620.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2015-3-4 280376]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2015-3-4 124568]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]
R2 WebUpdate4;Web Update Wizard Service V4;C:\Windows\SysWOW64\WebUpdateSvc4.exe [2008-9-15 262360]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2010-11-15 121832]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2010-11-15 364520]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2015-8-1 25816]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2015-4-30 366544]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2015-8-1 986368]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2015-8-1 1133880]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-8-2 114688]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2015-8-1 63704]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2015-8-1 1255736]
.
=============== Created Last 30 ================
.
2015-08-02 21:37:06 1647104 ----a-w- C:\Windows\System32\DWrite.dll
2015-08-02 21:37:06 1250816 ----a-w- C:\Windows\SysWow64\DWrite.dll
2015-08-02 21:37:06 1179136 ----a-w- C:\Windows\System32\FntCache.dll
2015-08-02 21:37:05 1424896 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2015-08-02 21:37:05 1230848 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2015-08-02 21:36:58 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
2015-08-02 21:36:58 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2015-08-02 21:23:57 878080 ----a-w- C:\Windows\System32\advapi32.dll
2015-08-02 21:22:21 1887232 ----a-w- C:\Windows\System32\d3d11.dll
2015-08-02 21:22:21 1505280 ----a-w- C:\Windows\SysWow64\d3d11.dll
2015-08-02 21:20:08 99480 ----a-w- C:\Windows\SysWow64\infocardapi.dll
2015-08-02 21:20:08 619672 ----a-w- C:\Windows\SysWow64\icardagt.exe
2015-08-02 21:20:08 171160 ----a-w- C:\Windows\System32\infocardapi.dll
2015-08-02 21:20:08 1389208 ----a-w- C:\Windows\System32\icardagt.exe
2015-08-02 21:20:07 8856 ----a-w- C:\Windows\SysWow64\icardres.dll
2015-08-02 21:20:07 8856 ----a-w- C:\Windows\System32\icardres.dll
2015-08-02 21:19:57 35480 ----a-w- C:\Windows\SysWow64\TsWpfWrp.exe
2015-08-02 21:19:57 35480 ----a-w- C:\Windows\System32\TsWpfWrp.exe
2015-08-02 20:19:18 47633 ----a-w- C:\Windows\SysWow64\wuwuninst.exe
2015-08-02 20:19:16 -------- d-----w- C:\Program Files (x86)\SplashData
2015-08-02 18:28:32 3722240 ----a-w- C:\Windows\System32\mstscax.dll
2015-08-02 18:28:32 3221504 ----a-w- C:\Windows\SysWow64\mstscax.dll
2015-08-02 18:28:32 235520 ----a-w- C:\Windows\System32\winsta.dll
2015-08-02 18:28:32 1118720 ----a-w- C:\Windows\System32\mstsc.exe
2015-08-02 18:28:32 1051136 ----a-w- C:\Windows\SysWow64\mstsc.exe
2015-08-02 18:28:31 455168 ----a-w- C:\Windows\System32\winlogon.exe
2015-08-02 18:28:31 39936 ----a-w- C:\Windows\System32\drivers\tssecsrv.sys
2015-08-02 18:28:31 212480 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2015-08-02 18:28:31 157696 ----a-w- C:\Windows\SysWow64\winsta.dll
2015-08-02 18:28:31 150528 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2015-08-02 18:28:31 131584 ----a-w- C:\Windows\SysWow64\aaclient.dll
2015-08-02 07:25:11 -------- d-----w- C:\Users\Davvy\AppData\Roaming\Curse Advertising
2015-08-02 04:55:16 -------- d-----w- C:\Users\Davvy\AppData\Local\Apple Computer
2015-08-02 04:55:09 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2015-08-02 04:54:20 -------- d-----w- C:\Program Files\iPod
2015-08-02 04:54:19 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2015-08-02 04:54:19 -------- d-----w- C:\Program Files\iTunes
2015-08-02 04:54:19 -------- d-----w- C:\Program Files (x86)\iTunes
2015-08-02 04:50:16 -------- d-----w- C:\Program Files\Bonjour
2015-08-02 04:50:16 -------- d-----w- C:\Program Files (x86)\Bonjour
2015-08-02 03:20:44 -------- d-----w- C:\Users\Davvy\AppData\Roaming\NVIDIA
2015-08-02 03:20:42 -------- d-----w- C:\Users\Davvy\AppData\Local\Blizzard Entertainment
2015-08-02 03:20:36 -------- d-----w- C:\Users\Davvy\AppData\Roaming\Battle.net
2015-08-02 03:20:36 -------- d-----w- C:\Users\Davvy\AppData\Local\Battle.net
2015-08-02 03:20:24 -------- d-----w- C:\ProgramData\Blizzard Entertainment
2015-08-02 03:17:53 -------- d-----w- C:\ProgramData\Battle.net
2015-08-02 03:15:41 -------- d-----w- C:\GAMES
2015-08-02 03:12:29 -------- d-----w- C:\$WINDOWS.~BT
2015-08-02 03:11:30 -------- d--h--w- C:\$Windows.~WS
2015-08-02 02:22:41 113880 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2015-08-02 02:22:25 109272 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2015-08-02 02:22:24 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2015-08-02 02:22:24 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-08-02 02:22:09 -------- d-----w- C:\Users\Davvy\AppData\Local\Programs
2015-08-02 02:21:46 -------- d-----w- C:\Users\Davvy\AppData\Roaming\Malwarebytes
2015-08-02 02:18:22 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2015-08-02 02:18:22 -------- d-----w- C:\ProgramData\Malwarebytes
2015-08-02 02:18:21 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2015-08-02 02:11:05 -------- d-----w- C:\Users\Davvy\AppData\Local\Mozilla
2015-08-02 02:00:58 -------- d-----w- C:\Users\Davvy\AppData\Roaming\uTorrent
2015-08-02 01:33:55 -------- d-----w- C:\Program Files\VideoLAN
2015-08-02 00:42:47 -------- d-----w- C:\Windows\SysWow64\Wat
2015-08-02 00:42:47 -------- d-----w- C:\Windows\System32\Wat
2015-08-01 23:59:36 124112 ----a-w- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2015-08-01 23:59:36 102608 ----a-w- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2015-08-01 23:58:28 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2015-08-01 23:58:27 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2015-08-01 23:58:27 5120 ----a-w- C:\Windows\System32\wmi.dll
2015-08-01 22:19:38 -------- d-----w- C:\Program Files (x86)\ASM104xUSB3
2015-08-01 22:16:40 801280 ----a-w- C:\Windows\System32\usp10.dll
2015-08-01 22:15:58 376768 ----a-w- C:\Windows\System32\drivers\netio.sys
2015-08-01 22:14:59 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2015-08-01 22:13:56 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2015-08-01 22:12:56 956928 ----a-w- C:\Windows\System32\localspl.dll
2015-08-01 22:12:54 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2015-08-01 22:12:53 723456 ----a-w- C:\Windows\System32\EncDec.dll
2015-08-01 22:12:53 331776 ----a-w- C:\Windows\System32\oleacc.dll
2015-08-01 22:12:53 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2015-08-01 22:12:52 79360 ----a-w- C:\Windows\System32\clfsw32.dll
2015-08-01 22:12:52 58880 ----a-w- C:\Windows\SysWow64\clfsw32.dll
2015-08-01 22:12:52 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2015-08-01 22:12:52 367552 ----a-w- C:\Windows\System32\clfs.sys
2015-08-01 22:12:51 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2015-08-01 22:12:51 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2015-08-01 21:35:50 1190000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8871D16B-61C3-4B63-9A50-AD3A34AB0F49}\gapaengine.dll
2015-08-01 21:35:46 12222168 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D8FDDDD6-691F-4660-AFC7-9C7600A8E55A}\mpengine.dll
2015-08-01 21:34:59 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2015-08-01 21:34:59 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2015-08-01 21:34:59 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2015-08-01 21:33:42 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2015-08-01 21:33:39 -------- d-----w- C:\Program Files\Microsoft Security Client
2015-08-01 21:02:11 2620928 ----a-w- C:\Windows\System32\wucltux.dll
2015-08-01 21:02:08 97792 ----a-w- C:\Windows\System32\wudriver.dll
2015-08-01 21:02:08 92672 ----a-w- C:\Windows\SysWow64\wudriver.dll
2015-08-01 21:01:46 36864 ----a-w- C:\Windows\System32\wuapp.exe
2015-08-01 21:01:46 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2015-08-01 21:01:46 198600 ----a-w- C:\Windows\System32\wuwebv.dll
2015-08-01 21:01:46 179656 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2015-08-01 21:00:08 -------- d-----w- C:\Windows\Panther
2015-08-01 21:00:05 986368 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2015-08-01 21:00:05 82544 ----a-w- C:\Windows\System32\RtNicProp64.dll
2015-08-01 21:00:05 116304 ----a-w- C:\Windows\System32\RTNUninst64.dll
2015-08-01 21:00:01 -------- d-----w- C:\Program Files (x86)\Realtek
2015-08-01 20:58:09 -------- d-sh--w- C:\Windows\Installer
2015-08-01 20:54:21 -------- d-----w- C:\UTILITIES
2015-08-01 20:16:19 -------- d-----w- C:\Users\Davvy\AppData\Local\Diagnostics
.
==================== Find3M ====================
.
2015-08-02 21:23:57 859648 ----a-w- C:\Windows\System32\tdh.dll
2015-07-15 03:19:54 41984 ----a-w- C:\Windows\System32\lpk.dll
2015-07-15 03:19:50 100864 ----a-w- C:\Windows\System32\fontsub.dll
2015-07-15 03:19:46 14336 ----a-w- C:\Windows\System32\dciman32.dll
2015-07-15 03:19:45 46080 ----a-w- C:\Windows\System32\atmlib.dll
2015-07-15 02:55:37 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2015-07-15 02:55:35 10240 ----a-w- C:\Windows\SysWow64\dciman32.dll
2015-07-15 02:55:32 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2015-07-15 02:54:33 25600 ----a-w- C:\Windows\SysWow64\lpk.dll
2015-07-15 01:59:42 372224 ----a-w- C:\Windows\System32\atmfd.dll
2015-07-15 01:52:35 299008 ----a-w- C:\Windows\SysWow64\atmfd.dll
2015-07-05 10:08:23 300704 ------w- C:\Windows\System32\MpSigStub.exe
2015-07-04 18:07:11 2087424 ----a-w- C:\Windows\System32\ole32.dll
2015-07-04 17:48:36 1414656 ----a-w- C:\Windows\SysWow64\ole32.dll
2015-07-01 20:56:03 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2015-07-01 20:56:03 155584 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2015-07-01 20:49:53 210944 ----a-w- C:\Windows\System32\wdigest.dll
2015-07-01 20:49:47 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2015-07-01 20:49:45 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2015-07-01 20:49:45 136192 ----a-w- C:\Windows\System32\sspicli.dll
2015-07-01 20:49:42 342016 ----a-w- C:\Windows\System32\schannel.dll
2015-07-01 20:49:42 28160 ----a-w- C:\Windows\System32\secur32.dll
2015-07-01 20:49:41 1216512 ----a-w- C:\Windows\System32\rpcrt4.dll
2015-07-01 20:49:23 309760 ----a-w- C:\Windows\System32\ncrypt.dll
2015-07-01 20:49:22 315392 ----a-w- C:\Windows\System32\msv1_0.dll
2015-07-01 20:49:11 729088 ----a-w- C:\Windows\System32\kerberos.dll
2015-07-01 20:49:11 1461760 ----a-w- C:\Windows\System32\lsasrv.dll
2015-07-01 20:48:34 44032 ----a-w- C:\Windows\System32\cryptbase.dll
2015-07-01 20:48:34 22016 ----a-w- C:\Windows\System32\credssp.dll
2015-07-01 20:47:38 31232 ----a-w- C:\Windows\System32\lsass.exe
2015-07-01 20:47:18 64000 ----a-w- C:\Windows\System32\auditpol.exe
2015-07-01 20:43:51 60416 ----a-w- C:\Windows\System32\msobjs.dll
2015-07-01 20:43:37 146432 ----a-w- C:\Windows\System32\msaudite.dll
2015-07-01 20:39:24 686080 ----a-w- C:\Windows\System32\adtschema.dll
2015-07-01 20:30:43 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
2015-07-01 20:30:40 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2015-07-01 20:30:37 248832 ----a-w- C:\Windows\SysWow64\schannel.dll
2015-07-01 20:30:37 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2015-07-01 20:30:33 221184 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2015-07-01 20:30:32 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2015-07-01 20:30:27 552960 ----a-w- C:\Windows\SysWow64\kerberos.dll
2015-07-01 20:30:21 36864 ----a-w- C:\Windows\SysWow64\cryptbase.dll
2015-07-01 20:30:21 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2015-07-01 20:29:46 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2015-07-01 20:29:34 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2015-07-01 20:29:34 665088 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2015-07-01 20:27:04 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2015-07-01 20:26:52 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2015-07-01 20:24:59 686080 ----a-w- C:\Windows\SysWow64\adtschema.dll
2015-07-01 19:27:34 159232 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2015-07-01 19:26:43 290816 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2015-07-01 19:26:37 129024 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2015-06-25 08:57:44 3207168 ----a-w- C:\Windows\System32\win32k.sys
2015-06-17 17:47:05 404992 ----a-w- C:\Windows\System32\gdi32.dll
2015-06-17 17:37:03 312320 ----a-w- C:\Windows\SysWow64\gdi32.dll
2015-06-15 21:50:42 112064 ----a-w- C:\Windows\System32\consent.exe
2015-06-15 21:45:42 504320 ----a-w- C:\Windows\System32\msihnd.dll
2015-06-15 21:45:42 3242496 ----a-w- C:\Windows\System32\msi.dll
2015-06-15 21:45:34 70656 ----a-w- C:\Windows\System32\appinfo.dll
2015-06-15 21:45:34 1941504 ----a-w- C:\Windows\System32\authui.dll
2015-06-15 21:44:47 128000 ----a-w- C:\Windows\System32\msiexec.exe
2015-06-15 21:43:35 337408 ----a-w- C:\Windows\SysWow64\msihnd.dll
2015-06-15 21:43:35 2364416 ----a-w- C:\Windows\SysWow64\msi.dll
2015-06-15 21:43:24 1805824 ----a-w- C:\Windows\SysWow64\authui.dll
2015-06-15 21:42:49 73216 ----a-w- C:\Windows\SysWow64\msiexec.exe
2015-06-15 21:42:46 25088 ----a-w- C:\Windows\System32\msimsg.dll
2015-06-15 21:37:15 25088 ----a-w- C:\Windows\SysWow64\msimsg.dll
2015-06-03 20:17:13 459336 ----a-w- C:\Windows\System32\drivers\cng.sys
2015-06-02 00:07:15 254976 ----a-w- C:\Windows\System32\cewmdm.dll
2015-06-01 23:47:09 210432 ----a-w- C:\Windows\SysWow64\cewmdm.dll
2015-05-09 03:27:34 362496 ----a-w- C:\Windows\System32\wow64win.dll
2015-05-09 03:27:34 243712 ----a-w- C:\Windows\System32\wow64.dll
2015-05-09 03:27:34 215040 ----a-w- C:\Windows\System32\winsrv.dll
2015-05-09 03:27:34 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2015-05-09 03:26:40 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2015-05-09 03:25:47 338432 ----a-w- C:\Windows\System32\conhost.exe
2015-05-09 03:13:47 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2015-05-09 03:13:33 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2015-05-09 03:13:18 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2015-05-09 03:12:45 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2015-05-09 03:12:44 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2015-05-09 02:01:54 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2015-05-09 02:01:53 2048 ----a-w- C:\Windows\SysWow64\user.exe
2015-05-09 01:59:25 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2015-05-09 01:59:25 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2015-05-09 01:59:25 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2015-05-09 01:59:25 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 23:01:06.62 ===============

Attach.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/1/2015 1:14:09 PM
System Uptime: 8/2/2015 10:53:44 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P8P67 REV 3.1
Processor: Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz | LGA1155 | 2482/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 931 GiB total, 864.948 GiB free.
D: is CDROM ()
E: is CDROM (UDF)
Y: is FIXED (NTFS) - 932 GiB total, 50.887 GiB free.
Z: is FIXED (NTFS) - 932 GiB total, 445.563 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: USB\VID_0CF3&PID_3000\6&DF2EE03&0&7
Manufacturer:
Name:
PNP Device ID: USB\VID_0CF3&PID_3000\6&DF2EE03&0&7
Service:
.
Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_1C3A&SUBSYS_844D1043&REV_04\3&11583659&0&B0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_1C3A&SUBSYS_844D1043&REV_04\3&11583659&0&B0
Service:
.
Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_1C22&SUBSYS_844D1043&REV_05\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_1C22&SUBSYS_844D1043&REV_05\3&11583659&0&FB
Service:
.
==== System Restore Points ===================
.
RP3: 8/1/2015 1:59:56 PM - Installed Realtek Ethernet Controller Driver
RP4: 8/1/2015 2:00:58 PM - Windows Update
RP5: 8/1/2015 2:35:30 PM - Windows Update
RP6: 8/1/2015 3:19:29 PM - Installed Asmedia ASM104x USB 3.0 Host Controller Driver.
RP7: 8/1/2015 3:25:10 PM - Installed Suite
RP8: 8/1/2015 3:25:56 PM - Installed Suite
RP9: 8/1/2015 4:36:32 PM - Installed Suite
RP10: 8/1/2015 4:54:33 PM - Windows Update
RP11: 8/1/2015 9:49:47 PM - Installed Bonjour
RP12: 8/1/2015 9:50:51 PM - Installed Apple Application Support
RP13: 8/1/2015 9:52:11 PM - Installed Apple Mobile Device Support
RP14: 8/1/2015 9:53:58 PM - Installed iTunes
RP15: 8/2/2015 2:19:03 PM - Windows Update
RP16: 8/2/2015 2:38:52 PM - Windows Update
.
==== Installed Programs ======================
.
Apple Application Support
Apple Mobile Device Support
Asmedia ASM104x USB 3.0 Host Controller Driver
Battle.net
Bonjour
Curse Client
Google Chrome
Google Update Helper
iTunes
Malwarebytes Anti-Malware version 2.1.8.1057
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Mozilla Firefox 39.0 (x86 en-US)
Mozilla Maintenance Service
NVIDIA 3D Vision Controller Driver 301.42
NVIDIA 3D Vision Driver 301.42
NVIDIA Control Panel 301.42
NVIDIA Graphics Driver 301.42
NVIDIA HD Audio Driver 1.3.16.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0213
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.8.15
NVIDIA Update Components
Realtek Ethernet Controller Driver
Software Update Wizard (Redistributable) 4.5
SplashID Safe 6.2
SplashShopper Desktop 3.1.0
VLC media player
World of Warcraft
.
==== Event Viewer Messages From Past Week ========
.
8/2/2015 2:55:04 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
8/2/2015 2:55:04 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Network Inspection System Error Code: 0x80070005 Error description: Access is denied. Reason: The system is missing updates that are required for running Network Inspection System. Install the required updates and restart the computer.
8/2/2015 2:47:35 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Network Inspection System Error Code: 0x80070005 Error description: Access is denied. Reason: The system is missing updates that are required for running Network Inspection System. Install the required updates and restart the computer.
8/2/2015 2:29:22 PM, Error: Service Control Manager [7024] - The Superfetch service terminated with service-specific error The operation completed successfully..
8/2/2015 10:41:46 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR5.
8/2/2015 10:35:01 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
8/2/2015 1:19:18 PM, Error: Service Control Manager [7030] - The Web Update Wizard Service V4 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
8/1/2015 5:51:03 PM, Error: Service Control Manager [7023] -
8/1/2015 5:43:31 PM, Error: Service Control Manager [7034] - The NVIDIA Update Service Daemon service terminated unexpectedly. It has done this 1 time(s).
8/1/2015 5:43:30 PM, Error: Service Control Manager [7034] - The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).
8/1/2015 5:43:11 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect.
8/1/2015 5:43:11 PM, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/1/2015 5:43:10 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/1/2015 5:43:10 PM, Error: Service Control Manager [7023] - The Windows Font Cache Service service terminated with the following error: The process cannot access the file because it is being used by another process.
.
==== End Of File ===========================
Davvy
Regular Member
 
Posts: 22
Joined: June 6th, 2012, 11:59 pm

Re: Potential Bot infection - Windows 7 can't boot

Unread postby Gary R » August 3rd, 2015, 3:55 am

Nothing of any concern showing in your DDS logs from a Malware standpoint, but the following lines indicate you may have potential hard drive problems (or the start of potential hard drive problems) ...

8/2/2015 10:41:46 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR5.
8/2/2015 10:35:01 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.


... DDS doesn't really show how your drive is partitioned, so it's not clear whether DR5 and DR2 are separate drives, or different partitions on the same drive. If the latter, then it looks like your hard drive needs checking out properly.

That's outside the scope of this forum, we specialise in Malware problems, however the following forums all have hardware support sections, where they can help you with any drive problems you might have ...

http://www.bleepingcomputer.com/forums/ ... -hardware/
http://www.geekstogo.com/forum/forum/9- ... ripherals/
http://forums.whatthetech.com/index.php ... wforum=126
http://www.techsupportforum.com/forums/f16/

... they're in no order of preference, and the quality of help given at each is usually very good.

Please feel free to refer them to this topic if necessary.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
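Added example, not code from the thread or from the DDS tool itself: a small Python parser for the "Event Viewer Messages" section of a DDS Attach.txt that pulls out Disk event ID 11 controller errors and groups them by the \Device\HarddiskN\DRn path, so repeated errors on one device stand out from a one-off. The sample lines are copied from the log posted above; the regex shapes are assumptions based on that log's layout.

```python
import re
from collections import Counter

# Sample lines in the DDS "Event Viewer Messages" layout, copied from the log
# posted above (constructed test input for this example, nothing new invented).
SAMPLE_EVENTS = "\n".join([
    r"8/2/2015 2:55:04 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.",
    r"8/2/2015 10:41:46 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR5.",
    r"8/2/2015 10:35:01 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.",
    r"8/1/2015 5:51:03 PM, Error: Service Control Manager [7023] -",
    r"8/1/2015 5:43:10 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).",
])

# One DDS event line: "<date> <time> AM/PM, <Level>: <Source> [<EventID>] - <message>"
# (assumed from the posted log; the message may be empty, as in the 7023 line).
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] -\s*(?P<message>.*)$"
)
# Device path as it appears in Disk [11] messages: \Device\HarddiskN\DRn
DEVICE_RE = re.compile(r"\\Device\\(?P<disk>Harddisk\d+)\\(?P<dr>DR\d+)")


def parse_events(text):
    """Parse DDS event lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events


def disk_controller_errors(events):
    """Count Disk event ID 11 (controller error) entries per (HarddiskN, DRn) device path."""
    counts = Counter()
    for ev in events:
        if ev["source"] == "Disk" and ev["event_id"] == 11:
            dm = DEVICE_RE.search(ev["message"])
            if dm:
                counts[(dm["disk"], dm["dr"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (disk, dr), n in sorted(disk_controller_errors(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{disk}\\{dr}: {n} controller error(s)")
```

Two different HarddiskN indices in the output point at two separately enumerated devices; a single device accumulating several entries over the week is the pattern that most warrants a SMART check.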

Re: Potential Bot infection - Windows 7 can't boot

Unread postby Davvy » August 3rd, 2015, 2:45 pm

After browsing some of the posts on bleepingcomputer, I downloaded CrystalDiskInfo and did a scan of my drives. Indeed there is a problem. The software tells me that my main drive, the WDC 1TB on which Win 7 is installed, has a lot of unrecoverable sectors, and is rated "Caution". The 2nd, 2TB Hitachi drive is OK. I will therefore be cautious and store all new data onto the second drive, and try to replace the main drive as soon as I can.

I still have a problem, I think, in that Comcast keeps on sending me notices that they detect a bot on my network. I have 2 more desktop PCs that are on the network. Does running a DDS scan on a PC truly allow you to eliminate the possibility of an infection? I've been told before that Comcast sometimes sends out these notices, and all they are are false alarms. Have you come across such incidents? I would like to do scans of my other 2 PCs and submit them as well, for you or someone else here to help me determine if they're infected. Should I create another topic for each of them, or post the logs for both machines on this thread?

I realize that I've taken up a lot of your time already, again I'm very grateful for your patient and kind assistance!

Davvy
Davvy
Regular Member
 
Posts: 22
Joined: June 6th, 2012, 11:59 pm

Re: Potential Bot infection - Windows 7 can't boot

Unread postby Gary R » August 3rd, 2015, 5:20 pm

DDS is by no means exhaustive, it just gives me a look at a number of locations that are commonly used to launch malware. There are a number of other things we can do to check your machine, but as you've just formatted your drive, my gut feeling is that we're not going to find any signs of infection on your machine.

I'm happy to look through scans of any other machines that you have on your network, so that we can eliminate them as a source of problem, and if we're going to do that, I'd prefer to deal with them one machine at a time.

So, rather than use DDS, I'd prefer it if you run a scan on the first of the other machines using a tool called FRST.

  • Download FRST to your Desktop (for 32 bit systems).
  • Download FRST64 to your Desktop (for 64 bit systems).
  • Double click Frst.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • When finished scanning 2 logs will open on your Desktop, FRST.txt and Addition.txt
    • Please post them in your next reply.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire