Windows 7 Forums

Windows 7: think I have bad Malware

20 Apr 2011   #11

Windows 7 Ultimate 64 bit

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please post both reports in your next reply (no attachments please).

20 Apr 2011   #12
darren loyden

windows 7 Home Premium 32 bit.

DDS (Ver_11-03-05.01) - NTFSx86
Run by Darren at 13:04:22.40 on 20/04/2011
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3003.1818 [GMT 1:00]
AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ 3\program\soffice.exe
C:\Program Files\ 3\program\soffice.bin
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GR469A~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Google Update] "c:\users\darren\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"
StartupFolder: c:\users\darren\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\ 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone:
Trusted Zone:
Trusted Zone:
Trusted Zone:
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GRA32A~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GR469A~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\users\darren\appdata\local\temp\sas_selfextract\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\users\darren\appdata\local\temp\sas_selfextract\saskutil.sys [2010-5-10 67656]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-2-20 142592]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_9691412ff1876250\AEstSrv.exe [2009-3-2 81920]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-20 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-20 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-20 61960]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2010-10-14 92216]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-2-20 227896]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-3-15 127488]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-2-20 328808]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-1-12 125672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2011-2-20 13336]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-3-9 366000]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-2-20 174592]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-20 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-8 1343400]
=============== Created Last 30 ================
2011-04-19 18:52:40 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2011-04-19 18:52:40 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-04-19 18:47:21 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-04-19 18:45:30 -------- d-----w- c:\users\darren\appdata\local\Microsoft Help
2011-04-19 18:39:45 -------- d-----w- c:\users\darren\appdata\local\{B1A4F74C-4668-44F7-BE28-0012032EB9C9}
2011-04-19 16:53:23 -------- d-----w- c:\users\darren\appdata\local\{46F7BE74-6F9E-470D-A47D-1960370430B9}
2011-04-11 10:42:18 -------- d-----w- c:\users\darren\appdata\local\{27F0E6CB-1CE7-4B75-8CE6-C750AA089576}
2011-04-11 09:13:57 -------- d-----w- c:\users\darren\appdata\local\{EE7E03C5-55C0-4828-AFA1-E0023CEAE468}
2011-04-09 17:32:15 -------- d-----w- c:\users\darren\appdata\local\{D5E9809B-8280-45BB-A9DD-DCA842450C65}
2011-04-09 12:37:13 -------- d-----w- c:\users\darren\appdata\local\{8E59E928-9355-4A41-BFD9-186CEE737FAB}
2011-04-05 07:15:03 -------- d-----w- c:\users\darren\appdata\local\{21786894-F745-42FE-B611-ACC627C38E09}
2011-04-04 16:08:17 -------- d-----w- c:\program files\CCleaner
2011-04-04 11:20:06 -------- d-----w- c:\users\darren\appdata\local\{AA2B77FE-3CC7-4008-826B-AD12F808952A}
2011-03-30 21:33:43 -------- d-----w- c:\program files\AutoHotkey
2011-03-29 19:03:36 -------- d-----w- c:\users\darren\appdata\local\{B28E043C-FF49-4EC0-80DF-581F6013358E}
2011-03-27 14:01:31 -------- d-----w- C:\BraCa Soft
2011-03-23 17:10:36 196608 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll
2011-03-23 10:37:50 -------- d-sh--w- c:\windows\system32\%APPDATA%
==================== Find3M ====================
2011-03-16 10:31:18 138056 ----a-w- c:\users\darren\appdata\roaming\PnkBstrK.sys
2011-03-16 10:31:04 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-03-16 10:31:00 189248 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-03-16 10:30:56 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-03-03 07:49:02 131072 ----a-w- c:\windows\system32\EKIJCOINST12.dll
2011-03-03 07:45:02 425984 ----a-w- c:\windows\system32\EKIJ5000MON.dll
2011-02-20 20:39:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-20 12:29:31 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-19 06:30:54 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:30:51 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-07 17:45:52 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-02-07 17:39:02 4166551 ----a-w- c:\windows\system32\ffmpeg.dll
2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
============= FINISH: 13:05:20.79 ===============

DDS (Ver_11-03-05.01)
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 20/02/2011 11:57:01
System Uptime: 20/04/2011 12:59:27 (1 hours ago)
Motherboard: Hewlett-Packard | | 3069
Processor: Celeron(R) Dual-Core CPU T3100 @ 1.90GHz | CPU | 1895/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 298 GiB total, 274.779 GiB free.
D: is CDROM ()
E: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP56: 20/04/2011 00:45:21 - test
==== Installed Programs ======================
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.5
Atheros Driver Installation Program
Avira AntiVir Personal - Free Antivirus
Battlefield Heroes
CyberLink YouCam
ERUNT 1.1j
Football Manager 2011
Google Chrome
HP DVD Play 3.7
HP Quick Launch Buttons
HPAsset component for HP Active Support Library
Intel(R) Graphics Media Accelerator Driver
Intel(R) Rapid Storage Technology
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 24
Junk Mail filter update
Kodak AIO Printer
KODAK AiO Software
LightScribe System Software
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.0
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.13)
Nero Burning ROM 10
Nero BurningROM 10 Help (CHM)
Nero BurnRights 10 Help (CHM)
Nero Control Center 10
Nero ControlCenter 10 Help (CHM)
Nero Core Components 10
NVIDIA PhysX v8.09.04
ocr 3.3
PunkBuster Services
Realtek Ethernet Controller Driver
Realtek USB 2.0 Card Reader
Sandboxie 3.52
Spyware Terminator
Synaptics Pointing Device Driver
Veetle TV 0.9.18
Windows 7 Codec Pack 2.9.0
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR archiver
==== End Of File ===========================
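Added example (editor's code, not part of the thread and not DDS's own tooling): an offline triage of the DDS log above, of the kind a responder does by eye before replying. The embedded excerpt is constructed from lines of the posted log. Beyond the outdated definitions the next reply notes, three things in that log are worth calling out: the mPolicies-system lines report EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0, which together mean UAC is switched off and admin elevation happens silently; two R1 drivers (SASDIFSV, SASKUTIL) load from a folder under the user's temp directory; and a hidden, system-flagged directory literally named %APPDATA% was created under system32 on 2011-03-23. None of these is proof of infection (the SAS drivers are a self-extracting anti-spyware tool's, and a later reply asks for SuperAntiSpyware to be uninstalled), but they are the items a practitioner would want inspected or explained. The rule set, the finding names and the "user profile" path test are this example's own assumptions.

```python
"""Offline triage of a DDS log pasted into a forum thread.

Constructed example: the rules below encode checks a responder applies by
eye (outdated protection, UAC policy, load paths, hidden directories created
under the Windows folder). They produce a review list, not a verdict.
"""
import re
from typing import Dict, List

# Constructed excerpt, modelled on the DDS output posted in the thread.
SAMPLE_DDS = r"""
AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Pseudo HJT Report ===============
uRun: [Google Update] "c:\users\darren\appdata\local\google\update\GoogleUpdate.exe" /c
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\users\darren\appdata\local\temp\sas_selfextract\sasdifsv.sys [2010-2-17 12872]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-20 61960]
=============== Created Last 30 ================
2011-03-23 10:37:50 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-04-04 16:08:17 -------- d-----w- c:\program files\CCleaner
"""

PROTECTION_RE = re.compile(r"^(AV|SP|FW): (.+?) \*([^*]+)\*")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
# "R1 name;display name;path [date size]" for drivers and services
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;(.+?) \[")
# "date time size attrs path"; attrs is an 8-char flag string such as d-sh--w-
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +\S+ (\S{8}) (.+)$")

# Values under HKLM\...\Policies\System that weaken or disable UAC:
# EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without
# prompting; PromptOnSecureDesktop=0 shows prompts on the normal desktop.
WEAK_UAC = {
    "EnableLUA": "0",
    "ConsentPromptBehaviorAdmin": "0",
    "PromptOnSecureDesktop": "0",
}

# Assumption of this example: anything under the profile tree is user-writable.
USER_PROFILE_PREFIX = "c:\\users\\"


def triage_dds(text: str) -> Dict[str, List[str]]:
    """Return named lists of log items that deserve a second look."""
    findings: Dict[str, List[str]] = {
        "outdated_protection": [],
        "uac_weakened": [],
        "loaded_from_user_profile": [],
        "hidden_system_dirs": [],
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = PROTECTION_RE.match(line)
        if m and "outdated" in m.group(3).lower():
            findings["outdated_protection"].append(m.group(2))
            continue
        m = POLICY_RE.match(line)
        if m and WEAK_UAC.get(m.group(1)) == m.group(2):
            findings["uac_weakened"].append(m.group(1))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(2).lower().startswith(USER_PROFILE_PREFIX):
            findings["loaded_from_user_profile"].append(m.group(1))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.group(1), m.group(2)
            # DDS attribute flags: leading 'd' = directory, 's' = system, 'h' = hidden
            if (attrs.startswith("d") and "s" in attrs and "h" in attrs
                    and path.lower().startswith("c:\\windows\\")):
                findings["hidden_system_dirs"].append(path)
    return findings


if __name__ == "__main__":
    for name, items in triage_dds(SAMPLE_DDS).items():
        print(f"{name}: {items}")
```

Run against the full posted log rather than the excerpt, the same rules also list SASKUTIL alongside SASDIFSV; everything else in the log passes quietly, which is itself useful to know before asking the poster for more scans.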
20 Apr 2011   #13

Windows 7 Ultimate 64 bit

Avira (and Windows Defender) malware definition files are outdated. No surprise, as the computer was offline for more than a week.

Let's try scanning your computer using an Avira AntiVir Rescue Disk.

Instructions are available at this link:
Avira AntiVir Rescue Disk Download to clean Virus and Malware

If you have any problems running the Avira Rescue Disk, please give F-Secure a try.
Free F-Secure Rescue Bootable CD to Clean Virus and Malware

20 Apr 2011   #14
darren loyden

windows 7 Home Premium 32 bit.

OK, I will follow these steps and report back. I am downloading the file on another computer now and will burn it to disk. Thanks so much for your help thus far.
20 Apr 2011   #15

Windows 7 Ultimate 64 bit

You're welcome. :)

Keep us posted
20 Apr 2011   #16
darren loyden

windows 7 Home Premium 32 bit.

A quick question: I've downloaded the ISO. Do I need to download both files, i.e. ISO and SFX? Also, once downloaded and extracted to the desktop, do I simply burn the folder to disk? Thanks, and apologies for my lack of ability.
20 Apr 2011   #17

Windows 7 Ultimate 64 bit

You only need to download the ISO.

Detailed instructions for burning an ISO in Windows 7 can be found here
Burn Disc Image - ISO or IMG file
20 Apr 2011   #18
darren loyden

windows 7 Home Premium 32 bit.

I've just finished running the Avira rescue disk and it has come back with no viruses. The only thing it found were registry files and missing files. I'm at a loss as to what to do; is a Windows reinstall the only option I now have? Thanks!
20 Apr 2011   #19

Windows 7 Professional 64 Bit SP1

Since you seem to have done many advanced virus/malware checks, have you tried this out: SFC /SCANNOW Command - System File Checker? (Option #2 is the most convenient.) I used this a couple of months ago to fix my guest computer's loss of connectivity.

Quote: Originally Posted by darren loyden
I've just finished running the Avira rescue disk and it has come back with no viruses. The only thing it found were registry files and missing files. I'm at a loss as to what to do; is a Windows reinstall the only option I now have? Thanks!
20 Apr 2011   #20

Windows 7 Ultimate 64 bit

Before doing anything else, backup any important files/folders. Don't skip the backup.

As Fayla suggested, you can try sfc /scannow

If that doesn't resolve the issues...

This is what I would try, if it were my computer:

1. I would download SP1 using another computer and save it to a Flash Drive.

2. Uninstall Spyware Terminator, SuperAntispyware and Avira. Disable Windows Defender. This step is to keep those drivers and services from running.

3. Next, I would uninstall all the Windows updates going back to and including SP1.

4. Clean out any temp files (you have ccleaner installed).

5. Disable Windows Firewall.

6. Defrag the hard drive.

7. And as a last step, install SP1 using the Flash Drive (in the hopes that the missing files will be replaced and registry errors repaired).

If this does not work, then you will have to do either a repair install or clean install - so backup anything you care about first!
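Added example (editor's code, not from the thread and not Microsoft's tooling): the two replies above suggest sfc /scannow. SFC writes its per-file findings to %windir%\Logs\CBS\CBS.log tagged [SR], and the documented way to pull them out is, from an elevated command prompt, findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log > "%userprofile%\Desktop\sfcdetails.txt". The script below summarises such an extract offline, separating files SFC repaired from the component store from files it reports it cannot repair, which is the case where the fallback of reinstalling SP1 or doing a repair install becomes relevant. The embedded log lines are constructed, modelled on the CBS.log [SR] line format; the file names in them are placeholders, not findings from the machine in this thread, and the wording of the recommendations is this example's own.

```python
"""Summarise the [SR] lines that sfc /scannow writes to CBS.log.

Constructed example. Input is the text of sfcdetails.txt (or CBS.log itself);
only lines carrying the [SR] tag are considered.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, modelled on the CBS.log [SR] line format. The file
# names are placeholders, not findings from the machine in the thread.
SAMPLE_SFC = r"""
2011-04-20 14:02:11, Info                  CSI    000001f2 [SR] Verifying 100 (0x0000000000000064) components
2011-04-20 14:02:15, Info                  CSI    000001f4 [SR] Cannot repair member file [l:22{11}]"wininet.dll" of Microsoft-Windows-WinINet, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-04-20 14:02:15, Info                  CSI    000001f5 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:20{10}]"msvcrt.dll" from store
2011-04-20 14:02:16, Info                  CSI    000001f6 [SR] Repair complete
2011-04-20 14:02:20, Info                  CSI    000001f9 [SR] Verify complete
"""

SR_RE = re.compile(r"\[SR\] (.*)$")
# Quoted names in CSI lines carry a length prefix, e.g. [l:22{11}]"wininet.dll"
NAME_RE = re.compile(r'\[l:\d+\{\d+\}\]"([^"]+)"')
UNREPAIRABLE_PREFIXES = (
    "Cannot repair member file",
    "Could not reproject corrupted file",
)


@dataclass
class SfcSummary:
    repaired: List[str] = field(default_factory=list)
    unrepairable: List[str] = field(default_factory=list)
    verify_complete: bool = False


def summarize_sfc(text: str) -> SfcSummary:
    """Classify every [SR] line; other CBS.log lines are ignored."""
    summary = SfcSummary()
    for line in text.splitlines():
        m = SR_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        names = NAME_RE.findall(msg)
        if msg.startswith(UNREPAIRABLE_PREFIXES):
            summary.unrepairable.append(names[0] if names else msg)
        elif msg.startswith("Repairing corrupted file"):
            # the last quoted name is the file; the first is its directory
            summary.repaired.append(names[-1] if names else msg)
        elif msg.startswith("Verify complete"):
            summary.verify_complete = True
    # SFC logs the same member several times in one run; keep order, drop repeats
    summary.repaired = list(dict.fromkeys(summary.repaired))
    summary.unrepairable = list(dict.fromkeys(summary.unrepairable))
    return summary


def next_step(summary: SfcSummary) -> str:
    """Turn the summary into the action a helper would suggest next."""
    if not summary.verify_complete:
        return "scan did not finish: rerun sfc /scannow and check the log again"
    if summary.unrepairable:
        return ("SFC could not repair: " + ", ".join(summary.unrepairable)
                + "; back up and fall back to a repair install")
    if summary.repaired:
        return "SFC repaired: " + ", ".join(summary.repaired) + "; reboot and retest"
    return "no integrity violations found; the problem is not a corrupt system file"


if __name__ == "__main__":
    s = summarize_sfc(SAMPLE_SFC)
    print(next_step(s))
```

On a Windows 7 machine there is no DISM /RestoreHealth, so an unrepairable list really does leave only the options the replies above give: a repair install or a clean install, after a backup.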
