vvsvc, csrsss & WinLogon Virus attack?


  • This topic is locked
18 replies to this topic

#1 WSK


Posted 26 May 2013 - 04:30 PM

Please help ... again!

 

I am running Win 7 Pro on a home network with a Netgear DGN1000 Router with all Incoming blocked. Six weeks ago I was infected with Zero Access Trojan from a drive-by.  I was assisted by Gringo and went through the process of ridding the infection till I received the all clear. Since then, I admit I have become very paranoid about my machine but have avoided a total re-build in favour of implementing new security measures following the all clear. I am now running the following:

 

MSE / Windows Firewall
WinPatrol Free
MBAM Pro
Secunia PSI
KeePass 2
Zemana Anti-Logger
TinyWall

 

These last two I installed recently so as to access internet banking, as I’ve been too afraid to do it until I have more security in place! I logged into my banking accounts for the first time since the infection today and all seemed to go well, no alerts from Zemana. However, afterwards I viewed the logs via TinyWall and was confused and alarmed to see that even though I’d only opened one tab in Chrome to my bank site, there were loads and loads of TCP (and some UDP, IGMP and ICMPv6) connections showing Established (some blocked, some SynSent and some LastAck) to destination ports 80, 443 and 161. To cut a long story short, I experimented with both Chrome and IE10 and every time I had just one page or two open I was getting huge amounts of traffic. I looked up some of the IP addresses and felt that there was something very amiss. I then opened Task Manager and noticed that NVVSVC (I do have an NVIDIA card), WinLogon and CSRSS were showing as not signed. They would not allow me to see the destination file or properties when right-clicked. This rang alarm bells. Googling revealed an exploit in the NVIDIA driver and I immediately downloaded the latest version. As soon as that was done, all three processes changed and now show with the user name of SYSTEM and a full description. They also now open with properties on right-click.

 

From the moment my PC caught the Zero Access, it has shown no signs of redirects, slow functioning, update blocking, or remote control, but on the initial infection my Sound Card was knocked out and came back after the removal of the infection. If it was not for me trying to understand more about networking and security I would never have noticed this huge increase in traffic or the unsigned processes. I have also turned on reports from my Router and was horrified when I got 270 DoS attack alerts in a 15 minute period on Monday. (Example of one report: [DoS attack]from source:95.73.89.131, destination source:92.20.248.89 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=20653 DF PROTO=TCP SPT:45375 DPT:6881 WINDOW=14600 RES=0x00 SYN URGP=0). I researched this to the best of my ability and felt that this was perhaps just typical pot-luck probing that was blocked by my router, but this, combined with all the traffic I’m seeing via TinyWall, has gotten me very concerned. Needless to say, I’m not very savvy when it comes to the whole networking side of computers and have spent days researching what I could, but I am still not at all sure what is normal and what isn't.

 

I’ve run all manner of scans including Rootkit checks and all comes up clear. So… my question is, have I had a secondary infection via this NVIDIA exploit all this time following the Zero Access attack? If so, how do I clean this out please? What damage could this have done to my system and could my files and folders have been compromised? Should I just bite the bullet and do a complete re-build of my computer? Thanks so much for any advice offered.
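The router alert WSK quoted has a fixed field layout, so it can be parsed and sorted rather than counted by hand. The following is an added example, not code from the thread or from any router vendor: it parses entries in that format, treats a lone bare-SYN to a commonly scanned port as background probing the router already dropped, and sets aside sources that repeat or packets that are not plain SYNs for a closer look. The extra log entries (documentation address ranges), the port table and the repeat threshold are constructed for illustration.

```python
"""Triage Netgear-style "[DoS attack]" router log entries.

Added example, not part of the original thread or of any router firmware. The
line format is taken from the single entry quoted in the post; the extra
entries, the port table and the thresholds are constructed assumptions."""
import re
from collections import Counter

# "[DoS attack]from source:A, destination source:B LEN=60 ... SPT:45375 DPT:6881 ... SYN URGP=0"
LINE_RE = re.compile(
    r"\[(?P<kind>[^\]]+)\]\s*from source:(?P<src>[\d.]+),\s*"
    r"destination source:(?P<dst>[\d.]+)\s+(?P<rest>.*)$"
)
TOKEN_RE = re.compile(r"(?P<key>[A-Z]+)[=:](?P<val>\S+)")
INT_KEYS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP")

# Constructed table: destination ports that untargeted internet scanning hits
# constantly. 6881 is the default BitTorrent port, which the quoted entry targeted.
NOISY_PORTS = {6881: "bittorrent", 22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}


def parse_line(line):
    """Return a dict of fields for one alert line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"kind": m.group("kind"), "src": m.group("src"),
             "dst": m.group("dst"), "flags": []}
    for token in m.group("rest").split():
        kv = TOKEN_RE.fullmatch(token)
        if kv is None:                       # bare tokens such as DF or SYN are flags
            entry["flags"].append(token)
        elif kv.group("key") in INT_KEYS:    # numeric fields become ints
            entry[kv.group("key")] = int(kv.group("val"))
        else:                                # TOS=0x00, PROTO=TCP, RES=0x00 stay as text
            entry[kv.group("key")] = kv.group("val")
    return entry


def is_probe(entry):
    """A bare SYN (no ACK) to a commonly scanned port: the shape of background probing."""
    return (entry.get("PROTO") == "TCP" and "SYN" in entry["flags"]
            and "ACK" not in entry["flags"] and entry.get("DPT") in NOISY_PORTS)


def triage(lines, repeat_threshold=3):
    """Split entries into background probes versus entries worth a second look.

    Anything that is not a plain SYN probe, or any source seen at least
    repeat_threshold times, goes to 'review'. The threshold is a constructed choice."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    hits_by_src = Counter(e["src"] for e in entries)
    report = {"total": len(entries), "probe": [], "review": [],
              "ports": Counter(), "by_src": hits_by_src}
    for e in entries:
        report["ports"][e.get("DPT")] += 1
        if is_probe(e) and hits_by_src[e["src"]] < repeat_threshold:
            report["probe"].append(e)
        else:
            report["review"].append(e)
    return report


# Constructed sample: the entry from the post plus invented neighbours that use
# documentation address ranges (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = [
    "[DoS attack]from source:95.73.89.131, destination source:92.20.248.89 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=20653 DF PROTO=TCP SPT:45375 DPT:6881 WINDOW=14600 RES=0x00 SYN URGP=0",
    "[DoS attack]from source:192.0.2.10, destination source:92.20.248.89 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT:6000 DPT:23 WINDOW=8192 RES=0x00 SYN URGP=0",
    "[DoS attack]from source:198.51.100.7, destination source:92.20.248.89 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=2 PROTO=TCP SPT:50001 DPT:3389 WINDOW=1024 RES=0x00 SYN URGP=0",
    "[DoS attack]from source:198.51.100.7, destination source:92.20.248.89 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=3 PROTO=TCP SPT:50002 DPT:3389 WINDOW=1024 RES=0x00 SYN URGP=0",
    "[DoS attack]from source:198.51.100.7, destination source:92.20.248.89 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=4 PROTO=TCP SPT:50003 DPT:3389 WINDOW=1024 RES=0x00 SYN URGP=0",
    "[DoS attack]from source:192.0.2.44, destination source:92.20.248.89 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=777 DF PROTO=TCP SPT:40000 DPT:6881 WINDOW=14600 RES=0x00 ACK URGP=0",
    "not a dos line at all",
]

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['total']} entries: {len(r['probe'])} background probes, {len(r['review'])} to review")
    for e in r["review"]:
        print(" review:", e["src"], "->", e.get("DPT"), e["flags"],
              f"({r['by_src'][e['src']]} hits from this source)")
```

On the sample, the post's own entry is filed as a single probe to the BitTorrent port, while the source that hit RDP three times and the stray ACK land in the review list.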

 

 




 


#2 HelpBot


Posted 31 May 2013 - 04:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/495990 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 WSK


Posted 04 June 2013 - 05:34 AM

DDS Log as requested above:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.21.2
Run by WSK at 11:30:05 on 2013-06-04
Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.8174.5712 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe
C:\Windows\system32\dlbxcoms.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TinyWall\TinyWall.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\TinyWall\TinyWall.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
C:\Program Files (x86)\Browny02\BrYNSvc.exe
C:\Program Files (x86)\AntiLogger\AntiLogger.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\bin\PlusIEContextMenu.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
mRun: [AntiLogger] "C:\Program Files (x86)\AntiLogger\AntiLogger.exe" /minimized
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Open with PDF Viewer Plus - C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files (x86)\PlotSoft\PDFill\DownloadPDF.exe
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{68B353AF-9673-46DF-9C4B-34538800A4D3} : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
x64-Run: [DLBXCATS] rundll32 C:\Windows\System32\spool\DRIVERS\x64\3\DLBXtime.dll,RunDLLEntry
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot
x64-Run: [TinyWall Controller] C:\Program Files (x86)\TinyWall\TinyWall.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-IE: {ED93D107-B43A-490e-AA5C-C5578BAAF479} - C:\Program Files (x86)\PlotSoft\PDFill\DownloadPDF.exe
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Wendy Keen\AppData\Roaming\Mozilla\Firefox\Profiles\8bsvy5np.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Wendy Keen\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-05-31 17:43; {73a6fe31-595d-460b-a920-fcc0f8843232}; C:\Users\Wendy Keen\AppData\Roaming\Mozilla\Firefox\Profiles\8bsvy5np.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-6-21 55856]
R1 AntiLog32;AntiLog32;C:\Windows\System32\drivers\AntiLog64.sys [2013-5-25 49240]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2011-7-19 140672]
R2 DevoloNetworkService;devolo Network Service;C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe [2012-2-28 3128856]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-6-21 13336]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-10 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-7-5 701512]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-1-20 130008]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [2010-3-9 144672]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2013-2-7 1223704]
R2 TinyWall;TinyWall Service;C:\Program Files (x86)\TinyWall\TinyWall.exe [2012-6-22 623272]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-4-1 428640]
R3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2013-2-20 245760]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-6-22 406056]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-7-5 25928]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-6-22 75264]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-6-22 176640]
R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf_amd64.sys [2013-2-7 18456]
R3 t3;Sound Blaster X-Fi Xtreme Audio;C:\Windows\System32\drivers\t3.sys [2011-6-21 639512]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2013-2-7 660504]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 BthAvrcp;Bluetooth AVRCP Profile;C:\Windows\System32\drivers\BthAvrcp.sys [2009-8-13 29184]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2012-9-4 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-6-21 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2012-9-4 79360]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-1-30 102368]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-6-22 158976]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2011-4-1 341856]
S3 LVUVC64;Logitech Webcam 250(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2011-4-1 4184672]
S3 netvsc;netvsc;C:\Windows\System32\drivers\netvsc60.sys [2010-11-21 168448]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-15 19456]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-1-30 203104]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 SynthVid;SynthVid;C:\Windows\System32\drivers\VMBusVideoM.sys [2010-11-21 22528]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-15 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-11-15 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-6-27 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-06-03 11:26:41 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{87B515A0-8CF4-4158-BDA3-30ED45965998}\mpengine.dll
2013-06-02 11:11:31 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-02 08:18:13 -------- dc-h--w- C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}
2013-05-26 13:32:26 -------- d-----w- C:\Users\Wendy Keen\AppData\Roaming\TinyWall
2013-05-26 13:32:12 -------- d-----w- C:\ProgramData\TinyWall
2013-05-26 13:32:12 -------- d-----w- C:\Program Files (x86)\TinyWall
2013-05-25 11:25:44 49240 ----a-w- C:\Windows\System32\drivers\AntiLog64.sys
2013-05-25 11:25:44 -------- d-----w- C:\Users\Wendy Keen\AppData\Local\Zemana
2013-05-25 11:25:41 -------- d-----w- C:\Program Files (x86)\AntiLogger
2013-05-22 14:06:44 -------- d-----w- C:\ProgramData\PC-Doctor for Windows
2013-05-22 14:06:34 -------- d-----w- C:\Program Files\My Dell
2013-05-21 11:57:12 964552 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F64AE986-C1A0-43D8-8B25-B735FB1D2DF8}\gapaengine.dll
2013-05-16 19:19:00 6656 ----a-w- C:\Windows\System32\drivers\beep.sys_old
2013-05-15 11:43:28 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-05-15 11:43:28 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-05-15 11:43:28 144384 ----a-w- C:\Windows\System32\cdd.dll
2013-05-15 11:43:10 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-05-15 11:43:04 70144 ----a-w- C:\Windows\System32\appinfo.dll
2013-05-15 11:43:04 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-05-15 11:43:04 111448 ----a-w- C:\Windows\System32\consent.exe
2013-05-15 11:43:02 230400 ----a-w- C:\Windows\System32\wwansvc.dll
2013-05-15 11:43:01 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll
2013-05-15 11:42:59 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-05-10 19:51:20 -------- d-----w- C:\Program Files (x86)\Sweet Home 3D
2013-05-10 19:30:56 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
==================== Find3M  ====================
.
2013-05-14 21:13:26 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-14 21:13:26 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-10 19:30:45 866720 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-05-02 15:29:56 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-05 06:52:14 2242048 ----a-w- C:\Windows\System32\wininet.dll
2013-04-05 06:50:36 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-04-05 06:50:31 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-04-05 06:50:31 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-04-05 05:28:24 1767424 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-04-05 05:26:26 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-04-05 05:26:21 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-04-05 05:26:21 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-04-05 04:43:00 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-04-05 04:29:45 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-04-05 03:51:11 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-04-05 03:38:25 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-04-04 13:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
.
============= FINISH: 11:30:28.10 ===============
 



#4 whoabuddy


Posted 05 June 2013 - 12:54 PM

Hello WSK,

Welcome to Bleeping Computer!

My name is whoabuddy and I will be assisting you today. Before we get started, please keep the following in mind while I am helping you to make things go easier and faster for both of us.


Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.

Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Also watch for items italicized or in green, these entries are notes to help explain the process or common occurrences.

Please provide feedback about your experience as we go.

A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of headaches as we go along. For more information about backing up your system, please review the links in the first item of the Malware Removal Preparation Guide.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Please respond and acknowledge that you have read my introduction and I will begin reviewing your logs so we can get started!

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#5 WSK

WSK
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Female
  • Location:Cambridgeshire
  • Local time:02:25 PM

Posted 05 June 2013 - 01:20 PM

Hi Whoabuddy,

 

I've read your reply and confirm I understand what is required. I back up every night so data loss is not an issue. I await your next instruction. Thanks, ;o)



#6 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:06:25 AM

Posted 06 June 2013 - 12:22 PM

Hello WSK,

First off, I have good news: looking over that DDS log, I do not see any malware on your computer :) I understand that after having a trojan infection like this one it can be hard to trust your system again, but reviewing your old post, it looks like the work was very thorough and nothing was left on your PC from what I can see from the old logs and the new DDS scan. The programs you have installed are a great way to protect yourself; let me try to answer your questions as best as I can.

These last two I installed recently so as to access internet banking as I've been too afraid to do it until I have more security in place! I logged into my banking accounts for the first time since the infection today and all seemed to go well, no alerts from Zemana. However, afterwards I viewed the logs via TinyWall and was confused and alarmed to see that even though I'd only opened one tab in Chrome to my bank site, there were loads and loads of TCP (and some UDP, IGMP and ICMPv6) connections showing Established (some blocked, some SynSent and some LastAck) to destination Ports 80, 443 and 161.

I believe what you are seeing here is normal. The Transmission Control Protocol / Internet Protocol (TCP/IP) sends a lot more data back and forth than the average user is aware of, which explains some of the terminology in your log. For example, when you open your banking website, a few different things load: the login form (typically secured with SSL), the page itself (sometimes delivered unsecured), and advertisements (unsecured). Depending on how the website is set up in the code, you will see different requests through your firewall, and nothing you've reported sounds like an issue.

The Established bit makes sense too, TCP uses a 3-way handshake:
  • Host A sends SYNchronize packet to Host B
  • Host B receives SYNchronize packet from Host A
  • Host B sends SYNchronize-ACKnowledge packet to Host A
  • Host A receives SYNchronize-ACKnowledge packet from Host B
  • Host A sends ACKnowledge packet to Host B
  • Host B receives ACKnowledge packet from Host A
  • TCP socket connection is ESTABLISHED between Host A and Host B
source / more info: http://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml

To cut a long story short, I experimented with both Chrome and IE10 and every time I had just one page or two open I was getting huge amounts of traffic. I looked up some of the IP addresses and felt that there was something very amiss. I then opened Task Manager and noticed that NVVSVC (I do have NVIDIA card), WinLogon and CSRSS were showing as not signed. They would not allow me to see the destination file nor properties when right clicked. This rang alarm bells. Googling revealed an exploit in the NVIDIA driver and I immediately downloaded the latest version. As soon as that was done, all three processes changed and now show with the user name of SYSTEM and a full description. They also now open with properties on right click.

We had a mantra during our training and it's something that definitely resounds here - unsigned files are not always malware! I would suspect that since you could update / replace the driver that easily, the original files were not malware; anything that is more sophisticated and trying to run as a service or driver would typically try to protect itself. The fact that the files are reporting correctly now is a good sign, but we can do an extra file search at the end for that extra peace of mind :)

From the moment my PC caught the Zero Access, it has shown no signs of redirects, slow functioning, update blocking, or remote control but on the initial infection my Sound Card was knocked out and came back after the removal of the infection.

This is normal with ZeroAccess infections, variants of the virus can hijack a service or driver, and in doing so cause other dependencies on that service or driver to fail. The fact that the sound card is operational shows that it is functioning normally and scanning clean.

If it was not for me trying to understand more about networking and security I would never have noticed this huge increase in traffic or the unsigned processes. I have also turned on reports from my Router and was horrified when I got 270 DOS attack alerts in a 15 minute period on Monday. (Example of one report: [DoS attack]from source:95.73.89.131, destination source:92.20.248.89 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=20653 DF PROTO=TCP SPT:45375 DPT:6881 WINDOW=14600 RES=0x00 SYN URGP=0). I researched this to the best of my ability and felt that this was perhaps just typical pot-luck probing that was blocked by my router but this, combined with all the traffic I'm seeing via Tiny Wall, has gotten me very concerned. Needless to say, I'm not very savvy when it comes to the whole networking side of computers and have spent days researching what I could, but I am still not at all sure what is normal and what isn't.

You've definitely done some reading! I understand the concern with the DoS entry in the log, but the good news is it doesn't line up with the ports you were talking about earlier, so I believe these are unrelated issues.

From TinyWall: destination Ports 80, 443 and 161
- port 80 is for web traffic, port 443 for SSL, and port 161 UDP/SNMP (normal network traffic, nothing suspicious)

From Router: PROTO=TCP SPT:45375 DPT:6881
- contact over TCP, server port 45375, destination port 6881 (trying to contact port 6881 on your machine from 45375)

Since you have your router acting as a firewall (and blocking this), and the Windows Firewall w/ Tiny Firewall configured on your PC (which would block it again), you are safe from what you are seeing in these logs. Some additional research shows that source IP of 92.20.248.89 as a malware-related mail server and dictionary attacker. That makes me suspect it is random probing, but if it was related to your previous infection you have the counter-measures in place that prevent them from getting a response, let alone seeing your system on the Internet.

Source: http://www.projecthoneypot.org/ip_92.20.248.89

I've run all manner of scans including Rootkit checks and all comes up clear. So my question is, have I had a secondary infection via this NVIDIA exploit all this time following the Zero Access attack? If so, how do I clean this out please? What damage could this have done to my system and could my files and folders have been compromised? Should I just bite the bullet and do a complete re-build of my computer? Thanks so much for any advice offered.

The good news is if all of the scans are coming back clean, then your machine is most likely clean, but let's take a closer look to be sure :busy:

We need to run a scan with FRST:

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system, which in this case will be FRST 64-bit
  • Double-click FRST64.exe to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
We need to search for some files with FRST:
  • Double-click on FRST64.exe to run it. When the tool opens click Yes to disclaimer.
  • Copy and paste the following text into the box after "Search:"
    winlogon.exe;nvvsvc.exe;csrss.exe
    Note: The file names should be separated by semicolon (;)
  • Click the Search button and post the log (Search.txt) it makes to your reply.
We need to run a scan with aswMBR:

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.
In your next post I need the following:
  • FRST.txt, Addition.txt, and Search.txt from FRST
  • aswMbr.txt log from aswMbr
  • status update - how is your computer running now? Do you have any performance issues? Any pop-ups? Any unexpected behaviour?
Best Regards,
whoabuddy
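The router alert and the handshake steps whoabuddy walks through above, worked as an added Python example (not code from the thread or from TinyWall/Netgear): it parses the quoted [DoS attack] line, names which handshake step that packet is, and summarises repeated alerts per source over the 15 minute window. The template layout, the repeats beyond the quoted line and the 203.0.113.7 source are constructed assumptions.

```python
import re
from collections import defaultdict

# Regex for the Netgear-style "[DoS attack]" line quoted in the post above.
# Field names are the ones the log line itself uses.
DOS_LINE = re.compile(
    r"\[DoS attack\]\s*from source:(?P<src>[\d.]+),\s*"
    r"destination source:(?P<dst>[\d.]+)\s+(?P<rest>.*)$"
)
INT_FIELDS = ("len", "ttl", "id", "spt", "dpt", "window")

# The exact line from the post, and a template (assumption: same layout)
# used below to construct further sample lines.
QUOTED_ALERT = (
    "[DoS attack]from source:95.73.89.131, destination source:92.20.248.89 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=20653 DF PROTO=TCP SPT:45375 "
    "DPT:6881 WINDOW=14600 RES=0x00 SYN URGP=0"
)
ALERT_TEMPLATE = (
    "[DoS attack]from source:{src}, destination source:92.20.248.89 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL={ttl} ID={ident} DF PROTO=TCP SPT:{spt} "
    "DPT:{dpt} WINDOW=14600 RES=0x00 SYN URGP=0"
)


def parse_router_alert(line):
    """Parse one router DoS alert into a dict; return None for other lines.

    KEY=VALUE tokens (LEN=60) and KEY:VALUE tokens (SPT:45375) become
    lower-cased entries; bare tokens such as DF (don't fragment) or SYN
    (TCP flag) are collected under "flags".
    """
    m = DOS_LINE.search(line)
    if not m:
        return None
    rec = {"src": m.group("src"), "dst": m.group("dst"), "flags": []}
    for tok in m.group("rest").split():
        sep = "=" if "=" in tok else ":" if ":" in tok else None
        if sep is None:
            rec["flags"].append(tok)
            continue
        key, val = tok.split(sep, 1)
        key = key.lower()
        rec[key] = int(val) if key in INT_FIELDS else val
    return rec


def handshake_stage(flags):
    """Map a packet's TCP flags onto the handshake steps listed in the post."""
    f = set(flags)
    if "SYN" in f and "ACK" in f:
        return "SYN-ACK (reply from the contacted host)"
    if "SYN" in f:
        return "SYN (first packet: a connection request, nothing established yet)"
    if "ACK" in f:
        return "ACK (completes the handshake, or carries data/teardown)"
    return "other"


def triage(records, window_minutes, exposed_ports=frozenset()):
    """Summarise blocked inbound SYNs per source address.

    exposed_ports are inbound ports the router forwards to the PC; the post
    says all incoming traffic is blocked, so the default is empty.
    """
    by_src = defaultdict(list)
    for r in records:
        if r and r.get("proto") == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"]:
            by_src[r["src"]].append(r)
    summary = {}
    for src, recs in by_src.items():
        ports = sorted({r["dpt"] for r in recs})
        per_minute = round(len(recs) / window_minutes, 2)
        if any(p in exposed_ports for p in ports):
            verdict = "reaches a forwarded port: review the service listening there"
        elif per_minute >= 1.0:
            verdict = "sustained SYNs to a closed port: dropped at the router, no reply sent"
        else:
            verdict = "isolated SYN probe to a closed port: dropped at the router"
        summary[src] = {"count": len(recs), "per_minute": per_minute,
                        "ports": ports, "verdict": verdict}
    return summary


def build_sample_alerts():
    """Constructed sample log: the quoted line, 269 made-up repeats from the
    same source (the post reports 270 alerts in 15 minutes), one made-up probe
    from a documentation-range address, and one non-alert line."""
    lines = [QUOTED_ALERT]
    for i in range(1, 270):
        lines.append(ALERT_TEMPLATE.format(src="95.73.89.131", ttl=54,
                                           ident=20653 + i, spt=45375 + i, dpt=6881))
    lines.append(ALERT_TEMPLATE.format(src="203.0.113.7", ttl=48,
                                       ident=101, spt=50000, dpt=22))
    lines.append("router: constructed non-alert line, ignored by the parser")
    return lines
```

Feed `triage` the parsed records with the 15 minute window from the post to get one summary per source address; a SYN with no ACK that the router drops never gets past step 1 of the handshake, which is why it can never show as Established on the PC.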

#7 WSK

WSK
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Female
  • Location:Cambridgeshire
  • Local time:02:25 PM

Posted 06 June 2013 - 02:49 PM

Hi Whoabuddy,

 

Thanks for your insight into the networking logs and for taking the time to answer my questions. I am doing my very best to learn everything I can since the original Trojan infection to ensure I avoid a reoccurrence and to make my overall computing practice tighter and safer. It's very hard not to be uncontrollably paranoid and the learning curve is steep and often alarming along the way, so your support in this is greatly appreciated.

 

I have run the required scans and have pasted them below. I can advise that my PC is not showing any signs of odd, slow or unexpected behaviour. I have noticed something kooky regarding the Task Manager and that is when first opened, the three processes in question (NVVSVC, CSRSS & WinLogon) don't show as signed, but once the show all users is selected and unselected, they do! I'm guessing this is just a quirk, but at least I know now what to do to see the details of the processes if they are missing! Anyhow... here are the logs:

 

FRST Log

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-06-2013 01
Ran by WSK   (administrator) on 06-06-2013 20:30:58
Running from D:\WSK  \Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(devolo AG) C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe
( ) C:\Windows\system32\dlbxcoms.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
(Secunia) C:\Program Files (x86)\Secunia\PSI\PSIA.exe
(Károly Pados) C:\Program Files (x86)\TinyWall\TinyWall.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(BillP Studios) C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
(Károly Pados) C:\Program Files (x86)\TinyWall\TinyWall.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Zemana Ltd.) C:\Program Files (x86)\AntiLogger\AntiLogger.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Dominik Reichl) C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [DLBXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\x64\3\DLBXtime.dll,RunDLLEntry [28672 2007-02-12] ()
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot [422632 2013-04-17] (BillP Studios)
HKLM\...\Run: [TinyWall Controller] C:\Program Files (x86)\TinyWall\TinyWall.exe [623272 2012-06-22] (Károly Pados)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN [2629632 2011-10-07] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload [1960448 2013-04-05] (Dominik Reichl)
HKLM-x32\...\Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot [422632 2013-04-17] (BillP Studios)
HKLM-x32\...\Run: [AntiLogger] "C:\Program Files (x86)\AntiLogger\AntiLogger.exe" /minimized [16866728 2013-05-29] (Zemana Ltd.)
HKU\Guest\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Guest\...\Run: [Google Update] "C:\Users\WSK  \AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-06-30] (Google Inc.)
HKU\Guest\...\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [844144 2013-01-10] (Samsung)
HKU\Guest\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
HKU\Guest\...\RunOnce: [CTAutoUpdate] "C:\Program Files (x86)\Creative\Shared Files\Software Update\AutoUpdate.exe" /RunFromInstaller [623416 2009-06-19] (Creative Technology Ltd)
HKU\Guest\...\RunOnce: [StartMSu] "C:\Program Files (x86)\Creative\MediaSource5\Startmsu.exe" /s [81920 2009-04-29] (Creative Technology Ltd)
HKU\Guest\...\RunOnce: [InetReg] "C:\Program Files (x86)\Creative\Product Registration\English\InetReg.exe" /PreProcess=RegFlash.exe /Delay=6 [x]

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU SearchScopes: DefaultScope {7F3C59F1-E456-44C7-8E34-5567A08A72E6} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=
SearchScopes: HKCU - {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {7F3C59F1-E456-44C7-8E34-5567A08A72E6} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=&rlz=
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
BHO-x32: PlusIEEventHelper Class - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll (Zeon Corporation)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
PDF: HKLM-x32 {1C11B948-582A-433F-A98D-A8C4D5CC64F2} http://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab
PDF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
PDF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
PDF: HKLM-x32 {E705A591-DA3C-4228-B0D5-A356DBA42FBF} http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
PDF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\WSK  \AppData\Roaming\Mozilla\Firefox\Profiles\8bsvy5np.default
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.21.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.21.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Users\WSK  \AppData\Roaming\Mozilla\Firefox\Profiles\8bsvy5np.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\WSK  \AppData\Local\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\WSK  \AppData\Local\Google\Chrome\Application\27.0.1453.94\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\WSK  \AppData\Local\Google\Chrome\Application\27.0.1453.94\gcswf32.dll No File
CHR Plugin: (Skype Toolbars) - C:\Users\WSK  \AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\npSkypeChromePlugin.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (RIM Handheld Application Loader) - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll No File
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrl.dll No File
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Extension: (YouTube) - C:\Users\WSK  \AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\WSK  \AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Skype Click to Call) - C:\Users\WSK  \AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.7.0.12055_0
CHR Extension: (Gmail) - C:\Users\WSK  \AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1

==================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [140672 2012-11-10] (SUPERAntiSpyware.com)
R2 DevoloNetworkService; C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe [3128856 2012-02-28] (devolo AG)
R2 dlbx_device; C:\Windows\system32\dlbxcoms.exe [567280 2007-02-28] ( )
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-09] (Nuance Communications, Inc.)
R2 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [1223704 2013-02-07] (Secunia)
S2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [660504 2013-02-07] (Secunia)
R2 TinyWall; C:\Program Files (x86)\TinyWall\TinyWall.exe [623272 2012-06-22] (Károly Pados)

==================== Drivers (Whitelisted) ====================

R1 AntiLog32; C:\Windows\system32\drivers\AntiLog64.sys [49240 2013-06-02] (Zemana Ltd.)
S3 BthAvrcp; C:\Windows\System32\DRIVERS\BthAvrcp.sys [29184 2009-08-13] (CSR, plc)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
R3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2013-02-07] (Secunia)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R2 NPF_devolo; \SystemRoot\sysWOW64\drivers\npf_devolo.sys [x]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-06 20:30 - 2013-06-06 20:30 - 00000000 ____D C:\FRST
2013-06-02 09:18 - 2013-06-02 09:18 - 00000000 __HDC C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}
2013-05-31 17:21 - 2013-05-31 17:21 - 00000000 ____D C:\Users\WSK  \AppData\Local\Mozilla
2013-05-31 17:21 - 2013-05-31 17:21 - 00000000 ____D C:\ProgramData\Mozilla
2013-05-31 17:21 - 2013-05-31 17:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-05-31 17:21 - 2013-05-31 17:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-27 21:31 - 2013-05-27 21:31 - 00462208 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-26 22:41 - 2013-05-26 22:41 - 00126624 ____A C:\Users\WSK  \AppData\Local\GDIPFONTCACHEV1.DAT
2013-05-26 21:29 - 2013-06-06 09:18 - 00000972 ____A C:\Windows\setupact.log
2013-05-26 21:29 - 2013-05-26 21:29 - 00000000 ____A C:\Windows\setuperr.log
2013-05-26 14:32 - 2013-05-26 14:37 - 00000000 ____D C:\Users\WSK  \AppData\Roaming\TinyWall
2013-05-26 14:32 - 2013-05-26 14:33 - 00000000 ____D C:\ProgramData\TinyWall
2013-05-26 14:32 - 2013-05-26 14:32 - 00000628 ____A C:\Windows\System32\InstallUtil.InstallLog
2013-05-26 14:32 - 2013-05-26 14:32 - 00000000 ____D C:\Program Files (x86)\TinyWall
2013-05-25 12:25 - 2013-06-02 09:18 - 00049240 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\AntiLog64.sys
2013-05-25 12:25 - 2013-06-02 09:18 - 00000000 ____D C:\Program Files (x86)\AntiLogger
2013-05-25 12:25 - 2013-05-25 12:25 - 00000000 ____D C:\Users\WSK  \AppData\Local\Zemana
2013-05-25 12:12 - 2013-05-25 12:12 - 00000000 ____D C:\Users\Vostro\Documents\Fax
2013-05-25 12:10 - 2013-05-25 12:10 - 00000000 ____D C:\Users\Vostro\AppData\Roaming\KeePass
2013-05-25 11:52 - 2013-05-25 11:52 - 00000000 ____D C:\Users\Vostro\AppData\Local\Secunia PSI
2013-05-25 11:32 - 2013-05-25 11:32 - 00000000 ____D C:\Users\Vostro\AppData\Roaming\WinPatrol
2013-05-25 11:31 - 2013-05-25 11:31 - 00126624 ____A C:\Users\Vostro\AppData\Local\GDIPFONTCACHEV1.DAT
2013-05-25 11:31 - 2013-05-25 11:31 - 00000000 ____D C:\Users\Vostro\AppData\Roaming\Intel Corporation
2013-05-25 11:31 - 2013-05-25 11:31 - 00000000 ____D C:\Users\Vostro\AppData\Roaming\Adobe
2013-05-25 11:31 - 2013-05-25 11:31 - 00000000 ____D C:\Users\Vostro\AppData\Local\VirtualStore
2013-05-25 11:30 - 2013-05-25 11:31 - 00000000 ____D C:\users\Vostro
2013-05-25 11:30 - 2013-05-25 11:30 - 00000020 __ASH C:\Users\Vostro\ntuser.ini
2013-05-25 11:30 - 2012-06-12 15:27 - 00000000 ____D C:\Users\Vostro\AppData\Roaming\Macromedia
2013-05-25 11:30 - 2011-06-30 12:28 - 00000000 ____D C:\Users\Vostro\AppData\Local\Microsoft Help
2013-05-22 15:06 - 2013-05-22 15:06 - 00000000 ____D C:\Program Files\My Dell
2013-05-16 20:19 - 2009-07-14 01:00 - 00006656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\beep.sys_old
2013-05-15 22:59 - 2013-04-05 07:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-15 22:59 - 2013-04-05 07:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-15 22:59 - 2013-04-05 07:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-15 22:59 - 2013-04-05 07:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-15 22:59 - 2013-04-05 07:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-05-15 22:59 - 2013-04-05 06:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-15 22:59 - 2013-04-05 06:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-15 22:59 - 2013-04-05 06:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-05-15 22:59 - 2013-04-05 05:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-15 22:59 - 2013-04-05 05:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-15 22:59 - 2013-04-05 04:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-15 22:59 - 2013-04-05 04:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-05-15 12:43 - 2013-04-10 07:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-15 12:43 - 2013-04-10 07:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-15 12:43 - 2013-03-19 06:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-15 12:43 - 2013-03-19 06:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-15 12:43 - 2013-02-27 07:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-15 12:43 - 2013-02-27 06:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-15 12:43 - 2013-02-27 06:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-15 12:43 - 2013-02-27 06:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-15 12:43 - 2013-02-27 06:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-15 12:43 - 2013-02-27 05:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-15 12:43 - 2013-02-27 05:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-15 12:43 - 2013-02-27 05:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-15 12:43 - 2011-02-03 12:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-15 12:42 - 2013-04-10 04:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-10 20:51 - 2013-05-10 20:51 - 00000000 ____D C:\Program Files (x86)\Sweet Home 3D
2013-05-10 20:30 - 2013-05-10 20:30 - 00263584 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-05-10 20:30 - 2013-05-10 20:30 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-05-10 20:30 - 2013-05-10 20:30 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-05-10 20:30 - 2013-05-10 20:30 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-05-10 20:30 - 2013-05-10 20:30 - 00000000 ____D C:\Program Files (x86)\Java

==================== One Month Modified Files and Folders =======

2013-06-06 20:30 - 2013-06-06 20:30 - 00000000 ____D C:\FRST
2013-06-06 20:27 - 2011-07-04 12:15 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-06 20:17 - 2011-06-30 12:02 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-318033163-591066331-638044572-1000UA.job
2013-06-06 20:12 - 2013-01-26 11:40 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-06 16:17 - 2011-06-30 12:02 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-318033163-591066331-638044572-1000Core.job
2013-06-06 11:44 - 2012-04-27 08:40 - 01748608 ____A C:\Windows\WindowsUpdate.log
2013-06-06 09:26 - 2009-07-14 05:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-06 09:26 - 2009-07-14 05:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-06 09:19 - 2011-07-04 12:15 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-06 09:18 - 2013-05-26 21:29 - 00000972 ____A C:\Windows\setupact.log
2013-06-06 09:18 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-05 23:40 - 2013-04-21 11:47 - 00000000 ____D C:\Users\WSK  \AppData\Roaming\KeePass
2013-06-02 09:18 - 2013-06-02 09:18 - 00000000 __HDC C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}
2013-06-02 09:18 - 2013-05-25 12:25 - 00049240 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\AntiLog64.sys
2013-06-02 09:18 - 2013-05-25 12:25 - 00000000 ____D C:\Program Files (x86)\AntiLogger
2013-05-31 17:22 - 2011-06-27 11:28 - 00000000 ____D C:\Users\WSK  \AppData\Roaming\Mozilla
2013-05-31 17:21 - 2013-05-31 17:21 - 00000000 ____D C:\Users\WSK  \AppData\Local\Mozilla
2013-05-31 17:21 - 2013-05-31 17:21 - 00000000 ____D C:\ProgramData\Mozilla
2013-05-31 17:21 - 2013-05-31 17:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-05-31 17:21 - 2013-05-31 17:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-27 21:31 - 2013-05-27 21:31 - 00462208 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-26 22:41 - 2013-05-26 22:41 - 00126624 ____A C:\Users\WSK  \AppData\Local\GDIPFONTCACHEV1.DAT
2013-05-26 21:29 - 2013-05-26 21:29 - 00000000 ____A C:\Windows\setuperr.log
2013-05-26 21:29 - 2011-06-22 03:37 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2013-05-26 17:33 - 2011-07-05 08:59 - 00000000 ____D C:\Program Files\CCleaner
2013-05-26 17:32 - 2011-02-10 15:25 - 00000000 ____D C:\Windows\panther
2013-05-26 15:30 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system
2013-05-26 15:18 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\System32\NDF
2013-05-26 14:37 - 2013-05-26 14:32 - 00000000 ____D C:\Users\WSK  \AppData\Roaming\TinyWall
2013-05-26 14:33 - 2013-05-26 14:32 - 00000000 ____D C:\ProgramData\TinyWall
2013-05-26 14:32 - 2013-05-26 14:32 - 00000628 ____A C:\Windows\System32\InstallUtil.InstallLog
2013-05-26 14:32 - 2013-05-26 14:32 - 00000000 ____D C:\Program Files (x86)\TinyWall
2013-05-25 12:25 - 2013-05-25 12:25 - 00000000 ____D C:\Users\WSK  \AppData\Local\Zemana
2013-05-25 12:12 - 2013-05-25 12:12 - 00000000 ____D C:\Users\Vostro\Documents\Fax
2013-05-25 12:10 - 2013-05-25 12:10 - 00000000 ____D C:\Users\Vostro\AppData\Roaming\KeePass
2013-05-25 12:01 - 2011-06-21 18:58 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-05-25 11:52 - 2013-05-25 11:52 - 00000000 ____D C:\Users\Vostro\AppData\Local\Secunia PSI
2013-05-25 11:32 - 2013-05-25 11:32 - 00000000 ____D C:\Users\Vostro\AppData\Roaming\WinPatrol
2013-05-25 11:31 - 2013-05-25 11:31 - 00126624 ____A C:\Users\Vostro\AppData\Local\GDIPFONTCACHEV1.DAT
2013-05-25 11:31 - 2013-05-25 11:31 - 00000000 ____D C:\Users\Vostro\AppData\Roaming\Intel Corporation
2013-05-25 11:31 - 2013-05-25 11:31 - 00000000 ____D C:\Users\Vostro\AppData\Roaming\Adobe
2013-05-25 11:31 - 2013-05-25 11:31 - 00000000 ____D C:\Users\Vostro\AppData\Local\VirtualStore
2013-05-25 11:31 - 2013-05-25 11:30 - 00000000 ____D C:\users\Vostro
2013-05-25 11:30 - 2013-05-25 11:30 - 00000020 __ASH C:\Users\Vostro\ntuser.ini
2013-05-22 15:06 - 2013-05-22 15:06 - 00000000 ____D C:\Program Files\My Dell
2013-05-22 15:06 - 2011-06-28 10:00 - 00000000 ____D C:\ProgramData\PCDr
2013-05-22 15:06 - 2011-06-21 18:51 - 00000000 ____D C:\Program Files\Dell Support Center
2013-05-19 19:31 - 2009-07-14 06:13 - 01174694 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-17 14:46 - 2011-06-21 18:46 - 00000000 ____D C:\ProgramData\Creative
2013-05-16 19:08 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache
2013-05-15 23:04 - 2011-06-27 20:47 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-15 23:02 - 2011-06-27 18:35 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-14 22:13 - 2012-05-10 10:01 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-14 22:13 - 2011-07-04 14:43 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-14 10:21 - 2011-10-21 18:55 - 00000000 ____D C:\Program Files\Dl_cats
2013-05-10 20:51 - 2013-05-10 20:51 - 00000000 ____D C:\Program Files (x86)\Sweet Home 3D
2013-05-10 20:30 - 2013-05-10 20:30 - 00263584 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-05-10 20:30 - 2013-05-10 20:30 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-05-10 20:30 - 2013-05-10 20:30 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-05-10 20:30 - 2013-05-10 20:30 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-05-10 20:30 - 2013-05-10 20:30 - 00000000 ____D C:\Program Files (x86)\Java
2013-05-10 20:30 - 2012-07-14 18:56 - 00866720 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll
2013-05-10 12:24 - 2009-07-14 06:32 - 00000000 ____D C:\Windows\System32\FxsTmp

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

Last Boot: 2013-06-03 09:24

==================== End Of Log ============================



#8 WSK

Posted 06 June 2013 - 02:50 PM

Addition Log

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-06-2013 01
Ran by WSK   at 2013-06-06 20:31:26 Run:
Running from D:\WSK  \Desktop
Boot Mode: Normal
==========================================================

==================== Installed Programs =======================

Adobe AIR (Version: 3.7.0.1860)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.202)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
Amazon MP3 Downloader 1.0.9
AntiLogger
AntiLogger (Version: 1.9.3.454)
Brother MFL-Pro Suite MFC-J6910DW (Version: 1.0.27.0)
CameraHelperMsi (Version: 13.25.1010.0)
CCleaner (Version: 4.01)
Creative ALchemy (Version: 1.41)
Creative Audio Control Panel (Version: 3.00)
Creative Diagnostics (Version: 5.11)
Creative Media Toolbox 6 (Shared Components) (Version: 2.80.12)
Creative Media Toolbox 6 (Version: 6.02)
Creative MediaSource 5 (Version: 5.26)
Creative Software AutoUpdate (Version: 1.40)
Creative Sound Blaster Properties x64 Edition
D3DX10 (Version: 15.4.2368.0902)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Defraggler (Version: 2.13)
Dell Backup and Recovery Manager (Version: 1.3.1)
Dell Edoc Viewer (Version: 1.0.0)
Dell Photo AIO Printer 962
DesignPro 5 (Version: 5.5.708)
Desktop Restore (Version: 1.6.3)
devolo dLAN Cockpit (Version: 3.2.0.0)
devolo dLAN Configuration Wizard (Version: 20.0.0.0)
devolo Informer (Version: 28.0.0.0)
DirectX 9 Runtime (Version: 1.00.0000)
dLAN Cockpit (Version: 3.2.28)
erLT (Version: 1.20.138.34)
FreeFileSync 5.15 (Version: 5.15)
GIMP 2.6.11 (Version: 2.6.11)
Google Chrome (Version: 27.0.1453.94)
Google Earth Plug-in (Version: 7.0.3.8542)
Google Update Helper (Version: 1.3.21.145)
HiJackThis (Version: 1.0.0)
Host OpenAL (Version: 1.00)
Intel® Rapid Storage Technology (Version: 10.0.0.1046)
Java 7 Update 21 (Version: 7.0.210)
Java Auto Updater (Version: 2.1.9.5)
Junk Mail filter update (Version: 15.4.3502.0922)
KeePass Password Safe 2.22
Logitech Vid HD (Version: 7.2 (7248))
Logitech Webcam Software (Version: 2.0)
LWS Facebook (Version: 13.20.1166.0)
LWS Gallery (Version: 13.20.1166.0)
LWS Help_main (Version: 13.25.1016.0)
LWS Launcher (Version: 13.20.1166.0)
LWS Motion Detection (Version: 13.20.1176.0)
LWS Pictures And Video (Version: 13.25.1010.0)
LWS Twitter (Version: 13.20.1166.0)
LWS Video Mask Maker (Version: 13.10.1216.0)
LWS VideoEffects (Version: 13.25.1005.0)
LWS Webcam Software (Version: 13.20.1168.0)
LWS WLM Plugin (Version: 1.20.1166.0)
LWS YouTube Plugin (Version: 13.20.1166.0)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Mesh Runtime (Version: 15.4.5722.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30320)
Microsoft .NET Framework 4 Extended (Version: 4.0.30320)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Security Client (Version: 4.2.0223.1)
Microsoft Security Essentials (Version: 4.2.223.1)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Mozilla Firefox 21.0 (x86 en-US) (Version: 21.0)
Mozilla Maintenance Service (Version: 21.0)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP3 Parser (KB2758694) (Version: 4.30.2117.0)
MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
My Dell (Version: 3.3.6261.27)
MyFreeCodec
Nuance PaperPort 12 (Version: 12.1.0000)
Nuance PDF Viewer Plus (Version: 5.30.3290)
NVIDIA Display Control Panel (Version: 6.14.12.5915)
NVIDIA Drivers (Version: 1.10.62.40)
NVIDIA HD Audio Driver 1.3.18.0 (Version: 1.3.18.0)
NVIDIA Install Application (Version: 2.1002.109.718)
PaperPort Image Printer 64-bit (Version: 1.00.0001)
PDFill PDF Editor with FREE Writer and FREE Tools (Version: 10.0)
PhotoShowExpress (Version: 2.0.063)
RBVirtualFolder64Inst (Version: 1.00.0000)
Revo Uninstaller 1.94 (Version: 1.94)
Roxio Activation Module (Version: 1.0)
Roxio BackOnTrack (Version: 1.3.3)
Roxio Burn (Version: 1.8)
Roxio Creator Starter (Version: 1.0.439)
Roxio Creator Starter (Version: 12.1.77.0)
Roxio Creator Starter (Version: 5.0.0)
Roxio Express Labeler 3 (Version: 3.2.2)
Roxio File Backup (Version: 1.3.2)
Samsung Kies (Version: 2.1.0.11112_41)
Samsung Mobile phone USB driver Drive Software
Samsung PC Studio 3 USB Driver Installer (Version: 3.2.0.70701)
SAMSUNG USB Driver for Mobile Phones (Version: 1.5.16.0)
Scansoft PDF Professional
Secunia PSI (3.0.0.6005) (Version: 3.0.0.6005)
SketchUp 8 (Version: 3.0.16846)
Skype Click to Call (Version: 6.7.12055)
Skype™ 6.3 (Version: 6.3.105)
Sonic CinePlayer Decoder Pack (Version: 4.3.0)
Sound Blaster X-Fi (Version: 1.0)
Speccy (Version: 1.21)
Steam (Version: 1.0.0.0)
SUPERAntiSpyware (Version: 5.0.1108)
Sweet Home 3D version 4.0
Team Fortress 2
TinyWall (Version: 2.0.1.0)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3508.1109)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Windows Mobile Device Center (Version: 6.1.6965.0)
WinPatrol (Version: 28.0.2013.0)
Yahoo! Detect

==================== Restore Points  =========================

19-05-2013 11:30:31 Windows Update
19-05-2013 15:53:06 Prior to MBAR install
23-05-2013 10:45:40 Windows Update
25-05-2013 11:17:58 Prior to Zemana
26-05-2013 12:41:05 Windows Backup
26-05-2013 13:29:21 Prior to TinyWall install
26-05-2013 13:32:00 Installed TinyWall
26-05-2013 14:23:06 Windows Update
26-05-2013 20:28:42 Windows Update
30-05-2013 11:00:55 Windows Update
31-05-2013 16:18:54 Prior to Firefox install
02-06-2013 11:11:11 Windows Update
06-06-2013 10:43:56 Windows Update

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (06/06/2013 09:20:15 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/05/2013 10:31:01 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/04/2013 09:26:18 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/03/2013 06:54:00 PM) (Source: Application Error) (User: )
Description: Faulting application name: EXCEL.EXE, version: 14.0.6126.5003, time stamp: 0x505b0834
Faulting module name: mso.dll, version: 14.0.6129.5000, time stamp: 0x5082efbe
Exception code: 0xc0000005
Fault offset: 0x0004a150
Faulting process id: 0x200
Faulting application start time: 0xEXCEL.EXE0
Faulting application path: EXCEL.EXE1
Faulting module path: EXCEL.EXE2
Report Id: EXCEL.EXE3

Error: (06/03/2013 08:47:42 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/02/2013 08:23:36 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/31/2013 07:45:13 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/30/2013 09:37:33 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/29/2013 00:03:16 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/28/2013 07:47:28 PM) (Source: Application Error) (User: )
Description: Faulting application name: spoolsv.exe, version: 6.1.7601.17777, time stamp: 0x4f35fc1d
Faulting module name: msvcrt.dll, version: 7.0.7601.17744, time stamp: 0x4eeb033f
Exception code: 0x40000015
Fault offset: 0x000000000002a84e
Faulting process id: 0x714
Faulting application start time: 0xspoolsv.exe0
Faulting application path: spoolsv.exe1
Faulting module path: spoolsv.exe2
Report Id: spoolsv.exe3

System errors:
=============
Error: (06/06/2013 09:19:55 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (06/05/2013 10:30:30 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (06/04/2013 09:25:53 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (06/03/2013 06:42:25 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (06/03/2013 06:42:25 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (06/03/2013 06:42:24 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (06/03/2013 06:42:23 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (06/03/2013 08:47:15 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (06/02/2013 08:58:15 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (06/02/2013 08:58:15 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Microsoft Office Sessions:
=========================
Error: (06/06/2013 09:20:15 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/05/2013 10:31:01 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/04/2013 09:26:18 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/03/2013 06:54:00 PM) (Source: Application Error)(User: )
Description: EXCEL.EXE14.0.6126.5003505b0834mso.dll14.0.6129.50005082efbec00000050004a15020001ce604a4c6b50b8C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXEC:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso.dll917e5455-cc76-11e2-8fd0-782bcb9cbe76

Error: (06/03/2013 08:47:42 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/02/2013 08:23:36 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/31/2013 07:45:13 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/30/2013 09:37:33 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/29/2013 00:03:16 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/28/2013 07:47:28 PM) (Source: Application Error)(User: )
Description: spoolsv.exe6.1.7601.177774f35fc1dmsvcrt.dll7.0.7601.177444eeb033f40000015000000000002a84e71401ce5bb5acfe3dffC:\Windows\System32\spoolsv.exeC:\Windows\system32\msvcrt.dll0b55d4fe-c7c7-11e2-b8d5-782bcb9cbe76

CodeIntegrity Errors:
===================================
  Date: 2013-06-05 19:47:20.381
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-05 19:13:59.702
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-05 18:44:02.926
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-05 17:43:39.268
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-05 17:13:32.944
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-05 16:43:21.395
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-05 16:12:59.866
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-05 15:12:41.897
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-05 14:17:34.210
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-05 13:05:45.117
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 29%
Total physical RAM: 8174.45 MB
Available physical RAM: 5747.79 MB
Total Pagefile: 16347.07 MB
Available Pagefile: 13455.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:919.2 GB) (Free:847.87 GB) NTFS (Disk=0 Partition=3)
Drive d: (Data) (Fixed) (Total:931.51 GB) (Free:850.68 GB) NTFS (Disk=1 Partition=1)
Drive f: (FreeCom) (Fixed) (Total:372.61 GB) (Free:95.05 GB) NTFS (Disk=2 Partition=1)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 20000000)
Partition 1: (Not Active) - (Size=165 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=919 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 1DB303F4)
Partition 1: (Not Active) - (Size=932 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 373 GB) (Disk ID: 55151156)
Partition 1: (Not Active) - (Size=373 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#9 WSK

Posted 06 June 2013 - 02:53 PM

Search Log

Farbar Recovery Scan Tool (x64) Version: 05-06-2013 01
Ran by WSK   at 2013-06-06 20:32:31
Running from D:\WSK  \Desktop
Boot Mode: Normal

================== Search: "winlogon.exe;nvvsvc.exe;csrss.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
[2010-11-21 04:24] - [2010-11-21 04:24] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0007680 ____A (Microsoft Corporation) 60C2862B4BF0FD9F582EF344C2B1EC72

C:\Windows\System32\csrss.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0007680 ____A (Microsoft Corporation) 60C2862B4BF0FD9F582EF344C2B1EC72

C:\Windows\System32\nvvsvc.exe
[2010-07-28 09:41] - [2010-07-28 09:41] - 0159336 ____A (NVIDIA Corporation) 361DA0BAA15E48349AEEF0A3BA2EBEEC

C:\Windows\System32\winlogon.exe
[2010-11-21 04:24] - [2010-11-21 04:24] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Windows\erdnt\cache64\winlogon.exe
[2013-04-16 06:34] - [2010-11-21 04:24] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2012-04-18 22:01] - [2013-04-04 14:50] - 0218184 ____A () B4C6E3889BB310CA7E974A04EC6E46AC

====== End Of Search ======



#10 WSK

WSK
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Cambridgeshire
  • Local time:02:25 PM

Posted 06 June 2013 - 03:04 PM

aswMBR Log

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-06 20:52:42
-----------------------------
20:52:42.214    OS Version: Windows x64 6.1.7601 Service Pack 1
20:52:42.214    Number of processors: 8 586 0x2A07
20:52:42.214    ComputerName: VOSTRO  UserName:
20:52:45.054    Initialize success
20:52:52.284    AVAST engine defs: 13060600
20:52:56.874    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:52:56.884    Disk 0 Vendor: ST310005 CC49 Size: 953869MB BusType: 3
20:52:56.884    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
20:52:56.884    Disk 1 Vendor: ST310005 CC49 Size: 953869MB BusType: 3
20:52:56.984    Disk 0 MBR read successfully
20:52:56.984    Disk 0 MBR scan
20:52:57.044    Disk 0 Windows 7 default MBR code
20:52:57.044    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0      164 MB offset 63
20:52:57.054    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        12442 MB offset 337920
20:52:57.064    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       941261 MB offset 25819136
20:52:57.104    Disk 0 scanning C:\Windows\system32\drivers
20:53:09.532    Service scanning
20:53:34.942    Modules scanning
20:53:34.952    Disk 0 trace - called modules:
20:53:34.982    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
20:53:34.992    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009062790]
20:53:34.992    3 CLASSPNP.SYS[fffff880011d143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80071e2050]
20:53:40.379    AVAST engine scan C:\Windows
20:53:43.459    AVAST engine scan C:\Windows\system32
20:57:05.784    AVAST engine scan C:\Windows\system32\drivers
20:57:20.914    AVAST engine scan C:\Users\WSK 
20:58:56.735    AVAST engine scan C:\ProgramData
21:02:11.920    Scan finished successfully
21:02:41.402    Disk 0 MBR has been saved successfully to "D:\WSK  \Desktop\MBR.dat"
21:02:41.432    The log file has been saved successfully to "D:\WSK  \Desktop\aswMBR.txt"




#11 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:06:25 AM

Posted 07 June 2013 - 09:04 AM

Hi WSK,

Thank you for those logs, I will reply with our next instructions as soon as I review everything and put them together :)

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#12 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:06:25 AM

Posted 08 June 2013 - 02:17 PM

Hello WSK,

Thanks for your insight into the networking logs and for taking the time to answer my questions. I am doing my very best to learn everything I can since the original Trojan infection to ensure I avoid a reoccurrence and to make my overall computing practice tighter and safer. It's very hard not to be uncontrollably paranoid and the learning curve is steep and often alarming along the way, so your support in this is greatly appreciated.


No problem! I am happy to help people learn more about their computers, and as I said earlier you are definitely taking some good steps to protect yourself with the extra software.

I have run the required scans and have pasted them below. I can advise that my PC is not showing any signs of odd, slow or unexpected behaviour.


The logs show the PC is squeaky clean as well, and there are just a few "orphaned" entries to clean up.

We need to run a fix with Farbar's Recovery Scan Tool:

Please erase any copy of FRST.exe that you have now and download the latest version here and save it to your Desktop

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Click on the Start Orb, in the search box type: notepad
  • Click on Notepad, a blank text document will appear, copy and paste the entire text below into the document:
    HKU\Guest\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
    HKU\Guest\...\RunOnce: [InetReg] "C:\Program Files (x86)\Creative\Product Registration\English\InetReg.exe" /PreProcess=RegFlash.exe /Delay=6 [x]
    SearchScopes: HKCU - {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
    SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
    BHO: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
    Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
    Folder: C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}
  • Click on File then Save As..., navigate to your Desktop
  • For the file name, enter: fixlist.txt and save the file
    Note: It is important that the file is named fixlist.txt so the tool will run, and it's also important that both files, FRST.exe and fixlist.txt are in the same location or the fix will not work
  • Run FRST/FRST64 and press the Fix button just once and wait
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply
Note: If the tool warned you about the outdated version please download and run the updated version.

I have noticed something kooky regarding the Task Manager and that is when first opened, the three processes in question (NVVSVC, CSRSS & WinLogon) don't show as signed, but once the show all users is selected and unselected, they do! I'm guessing this is just a quirk, but at least I know now what to do to see the details of the processes if they are missing!


Actually you are correct, I am not sure if it is a "quirk" or just an intended design in newer versions of Windows, but when you initially open the Task Manager it is opened as a Standard User with limited rights. Clicking the Show processes from all users button re-opens the Task Manager as an Administrator, which allows you to interact with and change more of the system-related settings. Basically what I am trying to say is you may not be able to view the signatures of system files (such as NVVSVC, CSRSS & WinLogon) unless you are an administrator :)

You can also see from the log entries below that the files are definitely signed, and I researched each one to make sure it was clean:

FRST Search Log

Farbar Recovery Scan Tool (x64) Version: 05-06-2013 01
Ran by WSK at 2013-06-06 20:32:31
Running from D:\WSK \Desktop
Boot Mode: Normal

================== Search: "winlogon.exe;nvvsvc.exe;csrss.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
[2010-11-21 04:24] - [2010-11-21 04:24] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457
- md5 clean: https://www.virustotal.com/en/file/b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49/analysis/

C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0007680 ____A (Microsoft Corporation) 60C2862B4BF0FD9F582EF344C2B1EC72
- md5 clean: https://www.virustotal.com/en/file/cb1c6018fc5c15483ac5bb96e5c2e2e115bb0c0e1314837d77201bab37e8c03a/analysis/

C:\Windows\System32\csrss.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0007680 ____A (Microsoft Corporation) 60C2862B4BF0FD9F582EF344C2B1EC72
- clean, same md5 as above

C:\Windows\System32\nvvsvc.exe
[2010-07-28 09:41] - [2010-07-28 09:41] - 0159336 ____A (NVIDIA Corporation) 361DA0BAA15E48349AEEF0A3BA2EBEEC
- not verifiable on VirusTotal (nobody uploaded it yet), but it is shown as a "known" or "clean" MD5 according to TDSSKiller

C:\Windows\System32\winlogon.exe
[2010-11-21 04:24] - [2010-11-21 04:24] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457
- md5 clean: https://www.virustotal.com/en/file/b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49/analysis/1321753968/

C:\Windows\erdnt\cache64\winlogon.exe
[2013-04-16 06:34] - [2010-11-21 04:24] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457
- clean, same md5 as above

C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2012-04-18 22:01] - [2013-04-04 14:50] - 0218184 ____A () B4C6E3889BB310CA7E974A04EC6E46AC
- clean, but not an actual windows file: https://www.virustotal.com/en/analisis//file/522f2d5aec8707d071a1f95c90efc5ee87755dbf41461fb0e8b14f4b989c046f/analysis/

====== End Of Search ======

The blue entries represent the file's signature, and we can see that all of the files here are signed except for the last one, which is expected since it is a special executable to launch MBAM.

The red entries represent the MD5 hash of the file, which is a method we use to uniquely identify a file for research. (It's used for much much much more than that, reference here)

In your next post I need the following:
  • fixlog.txt from FRST Fix
  • status update - do you have any other questions at this time?
Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE
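
A way to repeat the check whoabuddy describes above (signature status plus file hash) on your own machine, as an added PowerShell example that is not part of the thread. It reuses the MD5 values listed in the post and the SHA-256 values embedded in the VirusTotal links, and assumes PowerShell 4.0 or later run from an elevated prompt:

```powershell
# Added example (not from the thread): re-check the files FRST searched for
# against the hashes listed in the post. Requires Get-FileHash (PowerShell 4.0+)
# and an elevated prompt so the System32 files can be read.

# Expected values are copied from the thread. nvvsvc.exe has no VirusTotal
# entry on the page, so only its MD5 is compared.
$expected = @(
    @{ Path   = 'C:\Windows\System32\winlogon.exe'
       MD5    = '1151B1BAA6F350B1DB6598E0FEA7C457'
       SHA256 = 'b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49' },
    @{ Path   = 'C:\Windows\System32\csrss.exe'
       MD5    = '60C2862B4BF0FD9F582EF344C2B1EC72'
       SHA256 = 'cb1c6018fc5c15483ac5bb96e5c2e2e115bb0c0e1314837d77201bab37e8c03a' },
    @{ Path   = 'C:\Windows\System32\nvvsvc.exe'
       MD5    = '361DA0BAA15E48349AEEF0A3BA2EBEEC'
       SHA256 = $null }
)

function Test-KnownSystemFile {
    param([hashtable]$Entry)

    if (-not (Test-Path -LiteralPath $Entry.Path)) {
        return [pscustomobject]@{ Path = $Entry.Path; Status = 'MISSING' }
    }

    # Get-FileHash returns upper-case hex; -ieq makes the comparison case-insensitive.
    $md5    = (Get-FileHash -LiteralPath $Entry.Path -Algorithm MD5).Hash
    $sha256 = (Get-FileHash -LiteralPath $Entry.Path -Algorithm SHA256).Hash
    $md5Ok  = $md5 -ieq $Entry.MD5

    $sha256Ok   = $true
    $sha256Note = 'not checked (no value on page)'
    if ($Entry.SHA256) {
        $sha256Ok   = $sha256 -ieq $Entry.SHA256
        $sha256Note = $sha256Ok
    }

    # Caveat: winlogon.exe and csrss.exe are catalog-signed rather than carrying
    # an embedded Authenticode signature. On older Windows builds this cmdlet does
    # not consult the security catalogs, so a genuine file can still report
    # NotSigned here; in that case the hash match is the stronger evidence.
    $sig = Get-AuthenticodeSignature -LiteralPath $Entry.Path

    [pscustomobject]@{
        Path        = $Entry.Path
        MD5Match    = $md5Ok
        SHA256Match = $sha256Note
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Status      = if ($md5Ok -and $sha256Ok) { 'OK' } else { 'MISMATCH' }
    }
}

$expected | ForEach-Object { Test-KnownSystemFile -Entry $_ } | Format-Table -AutoSize
```

A MISMATCH on a file that FRST reported with a different size or date than the post shows is expected after a Windows Update; compare against the current known-good hash before treating it as suspicious.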

#13 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:06:25 AM

Posted 10 June 2013 - 07:35 AM

Hi WSK,

Just checking in, were you able to review my post and follow the instructions?

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#14 WSK

WSK
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Cambridgeshire
  • Local time:02:25 PM

Posted 10 June 2013 - 07:41 PM

Hi Whoabuddy,

 

Sorry for the delay in response. Not been very well! Here is the Fixlog as requested:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-06-2013
Ran by WSK at 2013-06-11 01:18:14 Run:1
Running from D:\WSK \Desktop
Boot Mode: Normal
==============================================

HKU\Guest\Software\Microsoft\Windows\CurrentVersion\Run\\swg => Value deleted successfully.
HKU\Guest\Software\Microsoft\Windows\CurrentVersion\RunOnce\\InetReg => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ => Key deleted successfully.
HKCR\CLSID\ => Unable to delete key
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ => Key not found.
HKCR\CLSID\ => Unable to delete key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.

========================= Folder: C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B} ========================

2013-06-02 09:18 - 2013-06-02 09:18 - 0000092 ___AC () C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}\instance.dat
2013-06-02 09:18 - 2013-05-29 14:00 - 0579156 ___AC () C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}\mia.lib
2013-06-02 09:18 - 2013-06-02 09:18 - 0000258 ___AC () C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}\Setup.dat
2013-06-02 09:18 - 2013-05-29 14:00 - 2690280 ___AC (Zemana Ltd.) C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}\Setup.exe
2013-06-02 09:18 - 2013-06-02 09:18 - 0000009 ___AC () C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}\Setup.lan
2013-06-02 09:18 - 2013-05-29 14:00 - 0434176 ___AC () C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}\Setup.msi
2013-06-02 09:18 - 2013-06-02 09:18 - 0003882 ___AC () C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}\Setup.par
2013-06-02 09:18 - 2013-05-29 14:00 - 23581345 ___AC () C:\ProgramData\{3D3D405B-A26F-46DE-8E42-8BCC08AC2C4B}\Setup.res

====== End of Folder: ======

==== End of Fixlog ====

My computer seems to be working absolutely fine. There are only two slightly quirky things I have noticed since the initial Zero Access Trojan infection. The first is that the refresh of folders seems to have altered. For example, if I move some documents from one folder to another, they still show as present in the original folder until I come out and go back into that folder and then you can see that they have moved. It is almost as if there is a lag in refreshing the view of a modified folder. The other is that when I first go into the format menu in excel via right click, it takes a good 5 seconds to load. Subsequent launches of this menu are instant, but it is just that first instance in a new spreadsheet. Both these things are odd as ordinarily my system is lightning quick. Are either of these things significant at all or could they be hardware related? I do periodic health checks on my system and nothing is showing as problematic, but you never know!

 

Thank you so much for all the investigation you have carried out and the time you have taken to do this. :hug: It is much appreciated and very reassuring to know that my PC is not a liability!

 

I am determined to avoid a repeat of the utter nightmare an infection such as the Zero Day Trojan causes. My plan therefore is to get my computer into a totally clean and running perfectly state so that I can do a system image, with the intention of keeping that up to date anytime I alter settings or software so that if I do happen to get such an infection again despite all the protection I am putting in place, I can simply re-build my system using the last system image. I would welcome your thoughts on this as a method of avoiding downtime as a result of a Virus / Trojan infection and I am very open to any other suggestions you may have.

 

Kindest regards, WSK



#15 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:06:25 AM

Posted 11 June 2013 - 02:30 PM

Hello WSK,

Sorry for the delay in response. Not been very well!

No problem, I was just checking in and I am sorry to hear you are not doing well. Hopefully it turns around quick! Good news (again) is everything looks clean. The orphaned values were removed successfully, and the folder I wanted to review actually belongs to the Anti-Logger software from Zemana, so it is safe as well.

The first is that the refresh of folders seems to have altered. For example, if I move some documents from one folder to another, they still show as present in the original folder until I come out and go back into that folder and then you can see that they have moved. It is almost as if there is a lag in refreshing the view of a modified folder.

Those symptoms typically indicate an issue with the process explorer.exe, however based on the scans we have run I did not see anything suspicious about this process. Let's take a closer look just to be sure:

We need to search for some files with FRST:
  • Double-click on FRST64.exe to run it. When the tool opens click Yes to disclaimer.
  • Copy and paste the following text into the box after "Search:"
    explorer.exe
  • Click the Search button and post the log (Search.txt) it makes to your reply.

The other is that when I first go into the format menu in excel via right click, it takes a good 5 seconds to load. Subsequent launches of this menu are instant, but it is just that first instance in a new spreadsheet. Both these things are odd as ordinarily my system is lightning quick.

This one is a little more difficult to answer, and based on your description it reminds me of how a lot of things operate on a computer - the first time it loads generally takes the longest. After going through an experience like that Trojan you begin to pay closer attention to your computer and its actions, however this can also make you worry about things that were normal or happening before. Granted 5 literal seconds sounds like too long. I would address this after the explorer refresh issue just to make sure they are not related, then maybe try a repair install of Microsoft Office.

Are either of these things significant at all or could they be hardware related? I do periodic health checks on my system and nothing is showing as problematic, but you never know!

Based on your descriptions it doesn't sound like a hardware issue, and testing your system from time to time is a great idea :) What kind of health checks do you do? Do you check the health of your hard drive or read anything called SMART data?

Thank you so much for all the investigation you have carried out and the time you have taken to do this. :hug: It is much appreciated and very reassuring to know that my PC is not a liability!

I am happy to help! :thumbup2: I have worked in this field for some time and my goal is to have people truly understand their computers, their capabilities, and how to avoid these catastrophes :wink:

I am determined to avoid a repeat of the utter nightmare an infection such as the Zero Day Trojan causes. My plan therefore is to get my computer into a totally clean and running perfectly state so that I can do a system image, with the intention of keeping that up to date anytime I alter settings or software so that if I do happen to get such an infection again despite all the protection I am putting in place, I can simply re-build my system using the last system image. I would welcome your thoughts on this as a method of avoiding downtime as a result of a Virus / Trojan infection and I am very open to any other suggestions you may have.

Depending on your comfort level, clonezilla or ddrescue (as opposed to DD just in case there are bad blocks) are excellent tools for making system images. I believe CloneZilla is available in a bootable CD called Parted Magic, and there may be some free Windows options as well. I have found that using a bootable CD with Linux makes the cloning process much easier though, and there is plenty of documentation and screenshots available online.

In your next post I need the following:
  • search.txt from FRST Search
  • status update - do you have any other questions at this time?
Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE
