GeekPolice
Unknown virus/malware
Hi guys,

Unfortunately we recently had an incident where a scammer was able to get remote access to my computer for a while. As soon as I realised, I disabled remote access. He seems to have done something nasty though, because I've been having a lot of troubles since - computer slowdowns, running out of RAM, losing my preferences, etc. I use ZoneAlarm Extreme Security, and occasionally scan with several other antivirus/anti-malware programs, but they don't seem to have helped. As requested, I've put in my latest adwCleaner, Malwarebytes and Security check files. I've also included my Process Explorer output, which shows a whole lot of little AkSVC.exe processes continually starting and being suspended, which I assume is what's eating my memory. If you could help me I'd be very grateful - I'm worried this low-life has put some sort of keylogger on my system and is watching everything I do, or some other such badness. Thanks in advance!

Last edited by Dr Jay on 17th November 2016, 6:28 pm; edited 2 times in total

Re: Unknown virus/malware
Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
You have three AV's running on your computer which can certainly cause a lot of the problems. Windows Defender which is the default AV in Windows 10, Adware AV and ZoneAlarm AV. Two of these should be disabled or uninstalled. However, this is the least of your problems. Please read below.
Since you allowed remote access to your computer, it's quite possible that they have installed some programs that severely compromise your computer, and it can no longer be trusted.


This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Read this article: Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

I would counsel you to disconnect this PC from the Internet immediately.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Re: Unknown virus/malware
Hi Dave,
Thanks for the reply, sounds like I'm pretty stuffed! I've already changed my banking and e-mail passwords on a clean computer, but have since used those new passwords on the compromised computer; could the bad guys have found out my new passwords from this? I've been checking my bank details and there's been no suspicious activity yet.

I'd really like you to try to fix the problem if you can - I've got a lot of stuff on my system that would be painful to replace if I did a hard drive wipe. Having said that, I'll be guided by your advice - do you think this particular trojan would present an unacceptable risk even after your best efforts to remove it? If so, is there any safe way I can transfer some of my existing files to a clean drive without risking taking the infection over with them?

Another question - is it only the compromised computer I need to worry about, or are other devices attached to my WiFi home network also in danger? If it's only one computer I need to worry about, I can disconnect it from the internet and access the net through my wife's laptop instead.

Thanks for your help on this Dave - feeling pretty depressed right now but it helps to know I've got an expert to lend me a hand!

Cheers,
Gav

Re: Unknown virus/malware
but have since used those new passwords on the compromised computer; could the bad guys have found out my new passwords from this? I've been checking my bank details and there's been no suspicious activity yet.

If you have used these new passwords on the infected computer, your passwords may have been compromised. If you don't want to change them again, keep monitoring your bank accounts.

is it only the compromised computer I need to worry about, or are other devices attached to my WiFi home network also in danger?

I'm quite sure it's only that computer that is affected.

Please download AdwCleaner by Xplode onto your Desktop.

Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.


If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program opens, click on the Scan button as shown below.


AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.


AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner to reboot your computer. A log will be produced. Please copy and paste this log in your next reply.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • It should update automatically if the computer is connected to the internet.
  • Click on Threat Scan and click on Scan Now.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
  • Click on "Apply actions". You may be asked to Restart your computer to completely remove the infections.
  • When disinfection is completed you can click on "Copy to Clipboard".
  • Paste the log in your next reply (CTRL+V)

*************************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

• Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

• Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.

• The tool will open and start scanning your system.

• Please be patient as this can take a while to complete depending on your system's specifications.

• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

• Copy and Paste the JRT.txt log into your next message.
*****************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Re: Unknown virus/malware
Hi Dave, here are the things you asked for:

AdwCleaner:
# AdwCleaner v5.033 - Logfile created 11/02/2016 at 18:25:16
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.1 [Local]
# Operating system : Windows 10 Pro  (x64)
# Username : Gavin - GAVIN-PC
# Running from : C:\Users\Gavin\Downloads\adwcleaner_5.033 (1).exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\CheckPoint\ISW
[-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
[-] Key Deleted : [x64] HKLM\SOFTWARE\CheckPoint\ISW

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [824 bytes] ##########

Malwarebytes:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11-Feb-16
Scan Time: 6:39 PM
Logfile: MWB 11-Feb-16.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.08.04
Rootkit Database: v2016.01.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Gavin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 417806
Time Elapsed: 1 hr, 0 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

JRT:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 10 Pro x64
Ran by Gavin (Administrator) on 11-Feb-16 at 19:56:44.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 12

Successfully deleted: C:\ProgramData\ad-aware browsing protection (Folder)
Successfully deleted: C:\Users\Gavin\AppData\Local\adawarebp (Folder)
Successfully deleted: C:\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage-journal (File)
Successfully deleted: C:\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage (File)
Successfully deleted: C:\Users\Gavin\AppData\Roaming\3909 (Folder)
Successfully deleted: C:\Users\Gavin\AppData\Roaming\system (Folder)
Successfully deleted: C:\Users\Gavin\AppData\Roaming\wyupdate au (Folder)
Successfully deleted: C:\users\Public\Documents\downloaded installers (Folder)
Successfully deleted: C:\WINDOWS\system32\Tasks\0 (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PC Optimizer Pro64 startups (Task)
Successfully deleted: C:\WINDOWS\Tasks\PC Optimizer Pro64 startups.job (Task)
Successfully deleted: C:\WINDOWS\prefetch\DRIVERUPDATEUTILITY.EXE-7D7763EC.pf (File)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11-Feb-16 at 20:00:24.76
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

and Security check:
Results of screen317's Security Check version 1.009  
  x64 (UAC is enabled)  
Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!  
Windows Defender                      
Ad-Aware Antivirus                    
ZoneAlarm Extreme Security Antivirus  
Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Spybot - Search & Destroy
Java 8 Update 45  
Java version 32-bit out of Date!
Adobe Flash Player 20.0.0.286  
Google Chrome (48.0.2564.103)
Google Chrome (48.0.2564.97)
````````Process Check: objlist.exe by Laurent````````  
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Spybot Teatimer.exe is disabled!
Malwarebytes Anti-Exploit mbae-svc.exe  
Malwarebytes Anti-Exploit mbae64.exe  
Malwarebytes Anti-Exploit mbae.exe  
CheckPoint ZoneAlarm ZaPrivacyService.exe  
iolo Common Lib ioloServiceManager.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````

Thanks a lot!
Gav

Re: Unknown virus/malware
I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

• Click the [image: EsetOnline] button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on [image: EsetSmartInstall] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image: EsetSmartInstallDesktopIcon-1] icon on your desktop.

• Check [image: EsetAcceptTerms]
• Click the [image: EsetStart] button.
• Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

• Check [image: EsetScanArchives]
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push [image: EsetListThreats]
• Push [image: EsetExport], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the [image: EsetBack] button.
• Push [image: EsetFinish]
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Unknown virus/malware
Hi Dave,

Here is the ESET result; sorry, took longer than I thought!

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Freecorder\freecorder.exe.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx.vir Win32/Toolbar.Montiera.AA potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe.vir Win32/Toolbar.Montiera.B potentially unwanted application deleted
C:\AdwCleaner\Quarantine\C\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Extensions\giacfgjdclhnmkacnfbaljbmpnelflol\1.3_0\chividiplg.dll.vir Win32/Toolbar.Montiera.AA potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_1\CrmAdpt.dll.vir Win32/Toolbar.Montiera.AA potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_1\CTB.dll.vir Win32/Toolbar.Montiera.AA potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Users\Gavin\AppData\Local\TNT2\Profiles\10473\passport.dll.vir a variant of Win32/Toolbar.TNT2.D potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\C\Users\Gavin\AppData\Local\TNT2\Profiles\10473\passport64.dll.vir a variant of Win32/Toolbar.TNT2.D potentially unwanted application cleaned by deleting
C:\Users\Gavin\Desktop\Program installers\ZASPSetupWeb_102_081_000.exe Win32/Toolbar.Conduit potentially unwanted application deleted
C:\Users\Gavin\Desktop\Program installers\ZASPSetupWeb_120_104_000.exe Win32/Toolbar.Conduit potentially unwanted application deleted
C:\Users\Gavin\Downloads\YTDSetup.exe Win32/Toolbar.Widgi potentially unwanted application deleted
C:\Users\Gavin\Downloads\ZASPSetup_100_250_000_en.exe Win32/Toolbar.Conduit.Y potentially unwanted application deleted
D:\Documents and Settings\All Users\Start Menu\Programs\eBay.url Win32/Adware.ADON potentially unwanted application cleaned by deleting
D:\Documents and Settings\Gavin\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.url Win32/Adware.ADON potentially unwanted application cleaned by deleting
D:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch potentially unwanted application cleaned by deleting
D:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch potentially unwanted application cleaned by deleting

Thanks mate,
Gav

Re: Unknown virus/malware
How are things with that computer?

Re: Unknown virus/malware
Hi Dave,

Still having problems. When ZoneAlarm is running, it's constantly opening new processes that in Task Manager are called 'ZoneAlarm AntiKeylogger'. Process Explorer calls them AkSVC.exe. These small processes build up until I have thousands of them running and my RAM is clogged. When I shut down ZoneAlarm (after disconnecting that computer from the internet), these excess processes all disappear and my resources are freed up again. When I start up ZoneAlarm, the processes begin building up again.

Windows Defender also appears damaged - it's permanently in 'snooze' mode and I can't wake it up again.

Here is the output for Process Explorer - can you see anything that looks evil? I've only included a few dozen of the AkSVC.exe processes - they go on for pages.

Process CPU Private Bytes Working Set PID Description Company Name
System Idle Process 74.88 0 K 4 K 0
System 0.89 1,776 K 664,820 K 4
Interrupts 1.25 0 K 0 K n/a Hardware Interrupts and DPCs
smss.exe 396 K 960 K 408
csrss.exe 0.06 1,460 K 3,716 K 552
wininit.exe 960 K 4,284 K 660
services.exe 0.06 3,408 K 7,332 K 736
svchost.exe 0.15 7,116 K 10,400 K 844 Host Process for Windows Services Microsoft Corporation
SkypeHost.exe Suspended 4,092 K 240 K 2540 Microsoft Skype Microsoft Corporation
RuntimeBroker.exe 12,200 K 12,808 K 2680 Runtime Broker Microsoft Corporation
ShellExperienceHost.exe 22,472 K 11,968 K 3232 Windows Shell Experience Host Microsoft Corporation
SearchUI.exe Suspended 42,976 K 404 K 508 Search and Cortana application Microsoft Corporation
ApplicationFrameHost.exe 10,324 K 2,820 K 7856 Application Frame Host Microsoft Corporation
SystemSettings.exe Suspended 14,216 K 300 K 8060 Settings Microsoft Corporation
Video.UI.exe Suspended 8,932 K 272 K 488 Video Application Microsoft Corporation
dllhost.exe 0.38 1,776 K 9,644 K 22916 COM Surrogate Microsoft Corporation
svchost.exe 0.14 4,368 K 6,224 K 968 Host Process for Windows Services Microsoft Corporation
svchost.exe 0.20 19,620 K 40,348 K 8 Host Process for Windows Services Microsoft Corporation
taskeng.exe 1,708 K 8,112 K 2256 Task Scheduler Engine Microsoft Corporation
ioloGovernor64.exe 0.99 8,676 K 11,864 K 2364 iolo Process Governor iolo technologies, LLC
sihost.exe 5,040 K 9,912 K 2340 Shell Infrastructure Host Microsoft Corporation
taskhostw.exe < 0.01 5,516 K 5,412 K 4928 Host Process for Windows Tasks Microsoft Corporation
taskeng.exe < 0.01 1,248 K 6,016 K 19516
wermgr.exe 1.30 2,696 K 10,448 K 18856
svchost.exe 0.19 80,836 K 67,136 K 472 Host Process for Windows Services Microsoft Corporation
dasHost.exe 3,756 K 1,528 K 1776
svchost.exe 0.01 3,860 K 4,160 K 1116 Host Process for Windows Services Microsoft Corporation
svchost.exe 0.08 14,828 K 13,492 K 1124 Host Process for Windows Services Microsoft Corporation
audiodg.exe 5,932 K 10,440 K 23548 Windows Audio Device Graph Isolation Microsoft Corporation
svchost.exe 0.01 172,860 K 30,424 K 1132 Host Process for Windows Services Microsoft Corporation
svchost.exe 0.05 9,296 K 9,116 K 1140 Host Process for Windows Services Microsoft Corporation
atiesrxx.exe 1,136 K 940 K 1332 AMD External Events Service Module AMD
atieclxx.exe 1,976 K 1,108 K 1416
svchost.exe 0.01 7,232 K 10,700 K 1368 Host Process for Windows Services Microsoft Corporation
vsmon.exe 2.62 310,328 K 273,328 K 1808 ZoneAlarm Check Point Software Technologies Ltd.
svchost.exe 4,432 K 8,428 K 2548 Host Process for Windows Services Microsoft Corporation
spoolsv.exe 6,020 K 2,332 K 2732 Spooler SubSystem App Microsoft Corporation
svchost.exe 1,336 K 384 K 2944 Host Process for Windows Services Microsoft Corporation
svchost.exe 0.02 8,076 K 17,260 K 2992 Host Process for Windows Services Microsoft Corporation
ASGT.exe 744 K 680 K 3048
armsvc.exe 1,232 K 1,220 K 3068 Adobe Acrobat Update Service Adobe Systems Incorporated
ioloServiceManager.exe 36,632 K 20,888 K 2308 iolo System component iolo technologies, LLC
LiveBoost.exe 0.01 18,088 K 18,868 K 2832 iolo LiveBoost iolo technologies, LLC
mDNSResponder.exe 1,544 K 2,424 K 2316 Bonjour Service Apple Inc.
AppleMobileDeviceService.exe < 0.01 3,228 K 2,080 K 2336 MobileDeviceService Apple Inc.
mbae-svc.exe 0.05 4,172 K 11,748 K 3096 Malwarebytes Anti-Exploit Service Malwarebytes Corporation
mbae64.exe < 0.01 1,360 K 5,092 K 3908
conhost.exe 0.14 1,280 K 1,112 K 3916
AdAwareService.exe 0.01 210,552 K 9,356 K 3108 Ad-Aware service Lavasoft
AdAwareTray.exe 0.02 11,652 K 5,072 K 4376 Ad-Aware tray Lavasoft
PnkBstrA.exe < 0.01 1,260 K 1,120 K 3160
svchost.exe 1,948 K 440 K 3196 Host Process for Windows Services Microsoft Corporation
SDUpdSvc.exe 0.08 8,216 K 2,148 K 3220 Spybot-S&D 2 Background update service Safer-Networking Ltd.
RzKLService.exe 1,196 K 888 K 3308 RzKLService.exe Razer Inc.
SDWSCSvc.exe 0.06 6,160 K 4,136 K 3432 Windows Security Center integration. Safer-Networking Ltd.
Antitheft.exe < 0.01 4,224 K 2,780 K 3440 ZoneAlarm Anti-theft Service Check Point Software Technologies Ltd.
SearchIndexer.exe 0.04 29,424 K 8,284 K 4120 Microsoft Windows Search Indexer Microsoft Corporation
alg.exe 1,108 K 956 K 4428 Application Layer Gateway Service Microsoft Corporation
svchost.exe < 0.01 1,684 K 3,248 K 5216 Host Process for Windows Services Microsoft Corporation
iPodService.exe 0.01 2,128 K 2,252 K 2960 iPodService Module (64-bit) Apple Inc.
GameScannerService.exe 0.29 19,016 K 4,648 K 6708 GameScannerService
svchost.exe 2,188 K 748 K 8008 Host Process for Windows Services Microsoft Corporation
AkSVC.exe 3.68 2,956 K 5,324 K 22692 ZoneAlarm AntiKeylogger Check Point Software Technologies LTD
WerFault.exe 24.72 4,208 K 9,948 K 22116
AkSVC.exe Suspended 168 K 32 K 12984
lsass.exe 0.21 5,064 K 12,228 K 744 Local Security Authority Process Microsoft Corporation
csrss.exe 0.41 5,956 K 7,280 K 676
winlogon.exe 1,884 K 7,740 K 896
dwm.exe 0.30 48,044 K 35,716 K 448
fontdrvhost.exe 788 K 532 K 5080
explorer.exe 0.04 43,236 K 93,316 K 2532 Windows Explorer Microsoft Corporation
LWEMon.exe 0.05 4,040 K 3,000 K 5840 Logitech WingMan Event Monitor Logitech Inc.
iTunesHelper.exe < 0.01 4,152 K 2,672 K 5868 iTunesHelper Apple Inc.
cnext.exe < 0.01 110,780 K 4,648 K 5896 Radeon Settings: Host Application Advanced Micro Devices, Inc.
OneDrive.exe 6,024 K 5,976 K 2392 Microsoft OneDrive Microsoft Corporation
procexp.exe 2,816 K 9,624 K 6620 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
procexp64.exe 14.50 33,940 K 70,848 K 5188 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
AkSA.exe 0.01 3,180 K 3,112 K 2804 ZoneAlarm AntiKeylogger Check Point Software Technologies LTD
AkSVC.exe Suspended 192 K 28 K 5344
AkSVC.exe Suspended 172 K 12 K 5816
AkSVC.exe Suspended 176 K 12 K 6052
AkSVC.exe Suspended 176 K 12 K 3720
mbae.exe 5,288 K 11,820 K 2380 Malwarebytes Anti-Exploit Malwarebytes Corporation
zatray.exe 0.01 52,432 K 6,404 K 5788 ZoneAlarm Check Point Software Technologies Ltd.
SDTray.exe 0.24 11,236 K 6,744 K 5880 Spybot - Search & Destroy tray access Safer-Networking Ltd.
AkSVC.exe Suspended 172 K 12 K 6108
raptr.exe 0.22 94,932 K 16,888 K 316 Raptr Desktop App Raptr, Inc
raptr_im.exe 0.02 13,000 K 7,092 K 6484 Raptr Desktop App Raptr, Inc
raptr_ep64.exe 2,848 K 1,312 K 7772 Elevation Proxy Raptr Inc.
AkSVC.exe Suspended 176 K 12 K 4844
AkSVC.exe Suspended 168 K 12 K 5964
AkSVC.exe Suspended 176 K 12 K 5620
AkSVC.exe Suspended 172 K 12 K 732
AkSVC.exe Suspended 172 K 12 K 1040
AkSVC.exe Suspended 172 K 12 K 6156
AkSVC.exe Suspended 172 K 12 K 7020
AkSVC.exe Suspended 184 K 12 K 7876
AkSVC.exe Suspended 176 K 12 K 8124
AkSVC.exe Suspended 168 K 12 K 7228
AkSVC.exe Suspended 172 K 12 K 6636
AkSVC.exe Suspended 168 K 12 K 7104
AkSVC.exe Suspended 172 K 12 K 7100
AkSVC.exe Suspended 172 K 12 K 7416
AkSVC.exe Suspended 168 K 12 K 7724
AkSVC.exe Suspended 168 K 12 K 8100
AkSVC.exe Suspended 200 K 12 K 7056
AkSVC.exe Suspended 180 K 12 K 5592
AkSVC.exe Suspended 172 K 12 K 7672
AkSVC.exe Suspended 172 K 12 K 3740
AkSVC.exe Suspended 168 K 12 K 5928
AkSVC.exe Suspended 168 K 12 K 7844
AkSVC.exe Suspended 184 K 12 K 8016
AkSVC.exe Suspended 176 K 12 K 2644
AkSVC.exe Suspended 172 K 12 K 6688
AkSVC.exe Suspended 168 K 12 K 7608
AkSVC.exe Suspended 176 K 12 K 7112
AkSVC.exe Suspended 172 K 12 K 7188
AkSVC.exe Suspended 168 K 12 K 7480
AkSVC.exe Suspended 168 K 12 K 6980
AkSVC.exe Suspended 168 K 12 K 7660
AkSVC.exe Suspended 172 K 24 K 5528
AkSVC.exe Suspended 176 K 12 K 3496
AkSVC.exe Suspended 168 K 12 K 4828
AkSVC.exe Suspended 172 K 12 K 2848
AkSVC.exe Suspended 172 K 12 K 7884
AkSVC.exe Suspended 176 K 12 K 7468
AkSVC.exe Suspended 172 K 12 K 7268
AkSVC.exe Suspended 176 K 12 K 7460
AkSVC.exe Suspended 168 K 12 K 3212
AkSVC.exe Suspended 176 K 12 K 8188
AkSVC.exe Suspended 176 K 12 K 256
AkSVC.exe Suspended 168 K 12 K 7380
AkSVC.exe Suspended 200 K 12 K 3076
AkSVC.exe Suspended 168 K 12 K 1032
AkSVC.exe Suspended 172 K 12 K 5472

Thanks,
Gav
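As an added example (not part of the thread or of any tool mentioned in it), here is a small parser that turns a pasted Process Explorer listing like the one above into per-image counts, so a runaway spawn such as the pile of suspended AkSVC.exe instances stands out at a glance. The line shape is assumed from the paste: image name, an optional CPU figure or the word "Suspended", private bytes, working set, PID, and an optional description; the sample lines are copied from the post.

```python
"""Summarise a pasted Process Explorer text listing by image name.

Assumed row shape (inferred from the forum paste, not a documented format):
    <image name> [<cpu %> | "< 0.01" | Suspended] <private> K <working set> K <pid> [description]
The header row and anything that does not fit this shape is skipped.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of rows copied from the listing in the post.
SAMPLE = """\
Process CPU Private Bytes Working Set PID Description Company Name
System Idle Process 74.88 0 K 4 K 0
Interrupts 1.25 0 K 0 K n/a Hardware Interrupts and DPCs
svchost.exe 0.15 7,116 K 10,400 K 844 Host Process for Windows Services Microsoft Corporation
taskeng.exe 1,708 K 8,112 K 2256 Task Scheduler Engine Microsoft Corporation
taskhostw.exe < 0.01 5,516 K 5,412 K 4928 Host Process for Windows Tasks Microsoft Corporation
AkSVC.exe 3.68 2,956 K 5,324 K 22692 ZoneAlarm AntiKeylogger Check Point Software Technologies LTD
AkSVC.exe Suspended 168 K 32 K 12984
AkSVC.exe Suspended 192 K 28 K 5344
AkSVC.exe Suspended 172 K 12 K 5816
AkSVC.exe Suspended 176 K 12 K 6052
svchost.exe 0.01 3,860 K 4,160 K 1116 Host Process for Windows Services Microsoft Corporation
"""

# Non-greedy image name so that multi-word names ("System Idle Process") work;
# the numeric "<n> K <n> K <pid>" triple anchors the rest of the row.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?:(?P<state>Suspended)\s+|(?P<cpu><\s*[\d.]+|[\d.]+)\s+)?"
    r"(?P<private>[\d,]+) K\s+(?P<ws>[\d,]+) K\s+(?P<pid>\d+|n/a)"
    r"(?:\s+(?P<desc>.*))?$"
)


def _kb(field: str) -> int:
    """'2,956' -> 2956 (Process Explorer prints sizes in KB with thousands separators)."""
    return int(field.replace(",", ""))


def parse_listing(text: str) -> list[dict]:
    """Parse every recognisable row into a dict; header/garbage rows are dropped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        cpu = m["cpu"]
        rows.append({
            "name": m["name"],
            "suspended": m["state"] == "Suspended",
            # "< 0.01" is recorded as 0.01; a missing CPU column means idle (None).
            "cpu": float(cpu.lstrip("< ")) if cpu else None,
            "private_kb": _kb(m["private"]),
            "ws_kb": _kb(m["ws"]),
            "pid": None if m["pid"] == "n/a" else int(m["pid"]),
            "desc": m["desc"] or "",
        })
    return rows


def summarize(rows: list[dict], min_instances: int = 3) -> dict:
    """Group rows by image name and return only names with at least
    min_instances copies: instance count, how many are suspended, and the
    total private bytes they hold. A service that keeps spawning children
    which are then suspended shows up as many instances, mostly suspended."""
    by_name = defaultdict(lambda: {"instances": 0, "suspended": 0, "private_kb": 0})
    for r in rows:
        entry = by_name[r["name"]]
        entry["instances"] += 1
        entry["suspended"] += int(r["suspended"])
        entry["private_kb"] += r["private_kb"]
    return {n: e for n, e in by_name.items() if e["instances"] >= min_instances}


if __name__ == "__main__":
    for name, e in summarize(parse_listing(SAMPLE)).items():
        print(f"{name}: {e['instances']} instances, {e['suspended']} suspended, "
              f"{e['private_kb']} KB private")
```

Paste a full listing into SAMPLE (or read it from a file) and raise min_instances to taste; on the full paste above, AkSVC.exe is the only image name that clears the bar by a wide margin.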

Re: Unknown virus/malware
Uninstall those other two AV's you have (Ad-Aware Antivirus and ZoneAlarm Extreme Security Antivirus), then run the Security Check and post the log.

Re: Unknown virus/malware
Hi Dave, here is the Security Check log:

Results of screen317's Security Check version 1.009
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Defender
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Spybot - Search & Destroy
Java 8 Update 45
Java version 32-bit out of Date!
Adobe Flash Player 20.0.0.286
Google Chrome (48.0.2564.103)
Google Chrome (48.0.2564.109)
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Spybot Teatimer.exe is disabled!
Malwarebytes Anti-Exploit mbae-svc.exe
Malwarebytes Anti-Exploit mbae64.exe
Malwarebytes Anti-Exploit mbae.exe
iolo Common Lib ioloServiceManager.exe
iolo System Mechanic iologovernor64.exe
iolo System Mechanic LiveBoost.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````

Uninstalling ZoneAlarm seems to have done the trick - the AntiKeylogger processes have stopped appearing, and I've been able to turn on and update Windows Defender (in your opinion, is WD adequate for protection? I've been using ZoneAlarm Extreme Security for years, because I was under the impression that WD was a bit crap).

Cheers,
Gav

Re: Unknown virus/malware
in your opinion, is WD adequate for protection? I've been using ZoneAlarm Extreme Security for years, because I was under the impression that WD was a bit crap

WD and Windows Security Essentials are as good as any other AV IMO. Most of the crap going around these days zips right by whatever AV you have installed. That's why I always urge users to use a layered approach to security with MBAM.
Let's clean up.


Click Start > Computer > right-click the C drive and choose Properties > enter.
Click Disk Cleanup from there.


Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.


This runs the Disk Cleanup utility along with any other selections you have chosen. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
***************************************
This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

  • Activate UAC (optional; some users prefer to keep it off)
  • Remove disinfection tools
  • Create Registry backup
  • Purge System Restore Points
  • Re-set system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.
********************************************
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Re: Unknown virus/malware
That's all done, and I've installed WOT too; thanks so much for your help Dave. Were you able to identify what I was infected by in the end?

Given the dire warnings in your initial post, here's the $64,000 question: in your expert opinion, do you think my computer is now 'safe'? Can I use this machine as I always did, or should I be a bit more careful and no longer use it for, say, banking or online purchases? Or should I go even further and permanently disconnect it from the 'net? What would you do in my position?

I'm planning to build a new computer later this year, and would like to copy across a number of files from this one. If there's a possibility that the trojan had some backdoor functionality and this computer is permanently untrustworthy, can this be done safely? Obviously the last thing I'll want is for something nasty to hitch a ride over to my beautiful new machine! Would appreciate any advice.

Cheers mate, you're a legend!
Gav

Re: Unknown virus/malware
Given the dire warnings in your initial post, here's the $64,000 question: in your expert opinion, do you think my computer is now 'safe'? Can I use this machine as I always did, or should I be a bit more careful and no longer use it for, say, banking or online purchases? Or should I go even further and permanently disconnect it from the 'net? What would you do in my position?

I'm planning to build a new computer later this year, and would like to copy across a number of files from this one. If there's a possibility that the trojan had some backdoor functionality and this computer is permanently untrustworthy, can this be done safely? Obviously the last thing I'll want is for something nasty to hitch a ride over to my beautiful new machine! Would appreciate any advice.


There was nothing unusual that showed up in the scans but, given the fact that the hacker has access to the computer, the only way the computer can be trusted again is to do a reformat and re-install the OS. I have no idea what he may have done to it. I'm quite sure that the files you wish to save and transfer to the new computer are safe but do a scan with your AV before putting them on the new computer.

Re: Unknown virus/malware
@ghendo Do you want this marked as solved? Need anymore help?

Re: Unknown virus/malware
Yes, sorry, it can be marked as solved now - since Dave's awesome help I've had no more problems. Thanks very much once again!

Re: Unknown virus/malware
Excellent, I'm glad the Captain was able to help.

=>SOLVED&LOCKED

If you feel you want to contribute or give feedback at any time, see this page.
