
After (Failed?) repair attempt, No more Win 8?


7 replies to this topic

#1 everseeker

Posted 26 June 2013 - 11:58 PM

Here's what happened, and where we are:
OK, in a different thread (http://www.bleepingcomputer.com/forums/t/498735/i-know-i-have-a-ransomware-but-the-tutorial-is-not-helping/ ) I was guided through the process of removing ransomware from my Win 8 system.
The guidance was a little vague (Well, ok... That may be a kind term)
In the end, it involved me loading Linux Mint (never heard of that flavor before) and rummaging around my file system, looking for something "hinky". I found, and zipped (gz), what I thought might be the culprit.
At the same time, I noted that there was a folder in App Data called... Application Data... this seemed to be some odd self-nesting thing. (Every time I clicked it, I got a copy of the current file tree, but 1 level "deeper".)
Since THAT seemed to qualify as "Hinky", I renamed it to something like Application Data XYZ
Rebooted...
Black screen....
Flickering...
Nope. Black screen.
Tried Alt-Ctrl-Del... It worked!
Ran msconfig, set it to safe boot, EVERYTHING turned off, no services, nothing
Rebooted...
Black screen....
Flickering...
Nope. Black screen.
Alt-Ctrl-Del, launched MBAM
It found the virus (Well, oddly enough, it found something with the same NAME as the thing I zipped/tarred, but in an odd .Trash-999 folder...) Killed it.
Ran it 3x, rebooting and "Alt/Ctrl/Del"ing each time
When done.... Msconfig - normal boot, load regular services, etc... etc... etc...
Boot
Blank screen (!!! ARGH!!!)
Thought... perhaps I need to change that nesting folder back... and it might be nice to get the title of the virus for you all
Booted to Mint
Clicked on the C drive folder
Read the following message:
The NTFS partition is in an unsafe state. Please resume and shutdown windows fully (no hibernation or fast restarting) or mount the volume "read only" with the /ro mount option
PANIC!
But, OK... back to the reboot thing:
Booted to Win 8, Alt-Ctrl-Del. Ran explorer (works)... found the .Trash-999 folder (Thought MBAM killed that?) and the "probably-the-virus" is called hfof2. A collection of .reg entries, batch files, and rundll32.exe
Ran shut down (Alt-Ctrl-Del, shutdown, wait for computer to go silent)
Booted to Mint
Clicked on the C drive folder
Read the following message:
The NTFS partition is in an unsafe state. Please resume and shutdown windows fully (no hibernation or fast restarting) or mount the volume "read only" with the /ro mount option
Slowly banged head on keyboard... q349fjm 205f98j015 5467 asrtv srmio5v7
And stepped away for a couple days.
 
 
 Came back to find that my story seems to have gotten some higher level attention...
 
All I want is my Win 8 filesystem back :)
 
(I know, and demons want ice, Eskimos want fire, etc... etc... etc...)


Well, Boopme asked me to post here... As I have ...
So, what is supposed to happen now?
 
(REALLY hoping the reply is not .... Sorry, It's Dead)

Edited by Queen-Evie, 28 June 2013 - 07:13 AM.
merged 2 posts into this one



#2 HelpBot (Bleepin' Binary Bot)

Posted 02 July 2013 - 12:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/499347 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 everseeker (Topic Starter)

Posted 02 July 2013 - 01:46 AM

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
    • Think I have done so. Followed instructions provided (Linux -> Delete anything Hinky ->MBAM)
    • Have system that boots to black screen. Need to Alt-Ctrl-Del to get to Task Manager, then can launch explorer, firefox, etc...   NO more desktop :(
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Done
  • Please tell us if you have your original Windows CD/DVD available.
    • I did an online upgrade to Win 8. Also got the Media Center upgrade. I had to re-use the installer (On my thumb drive) to make the #^&@!* Linux Distro. However, I am pretty sure it's on my "desktop" ..
    • (checks)
    • Yup, 2.98GB .iso labeled "Windows"

-----------

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 10.17.2
Run by Everseeker at 2:31:46 on 2013-07-02
#Option Extended Search is enabled.
Microsoft Windows 8 Pro with Media Center  6.2.9200.0.1252.1.1033.18.8159.6252 [GMT -4:00]
.
AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\WINDOWS\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe
C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
C:\WINDOWS\system32\AdminService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\WINDOWS\system32\svchost.exe -k iissvcs
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
C:\WINDOWS\system32\dashost.exe
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\WINDOWS\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.exe
C:\WINDOWS\System32\LogonUI.exe
C:\WINDOWS\System32\dwm.exe
C:\WINDOWS\system32\dwm.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\WINDOWS\system32\nvvsvc.exe
C:\WINDOWS\system32\taskhostex.exe
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
C:\WINDOWS\system32\taskeng.exe
C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
C:\Program Files (x86)\ASUS\AI Suite II\USB 3.0 Boost\U3BoostSvr64.exe
C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\iPhone Simulator\pnSvc.exe
C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
C:\WINDOWS\System32\Taskmgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\taskeng.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\System32\svchost.exe -k swprv
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
mWinlogon: Userinit = userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [EVEMon] "C:\Program Files (x86)\EVEMon\EVEMon.exe" -startMinimized
uRun: [Google Update] "C:\Users\Everseeker\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [ViStart] C:\Program Files (x86)\ViStart\ViStart.exe
uRun: [ViUpdater] C:\Program Files (x86)\ViUpdater\ViUpdater.exe
uRun: [ctfmon32.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\2fofh.dat,XFG00
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [ASUS ShellProcess Execute] C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\AsShellProcess.exe
mRun: [CitrixReceiver] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
StartupFolder: C:\Users\EVERSE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Everseeker\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\SNAGIT~1.LNK - C:\Program Files (x86)\TechSmith\Snagit 11\Snagit32.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {A4E4C162-7EE3-47E1-A9B4-8BED1233616F} - hxxps://mypc.humana.com/prx/000/http/localhost/tcs/global/DesktopDirect/DesktopDirectTCS.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{3DD23C9E-BF8F-4E12-AA04-94A5CE941718} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{693D5A3E-DB42-4226-9492-48858619F601} : DHCPNameServer = 192.168.2.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL
AppInit_DLLs= C:\PROGRA~2\NVIDIA~1\3DVISI~1\nvStInit.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mWinlogon: Shell = C:\PROGRA~3\hfof2.bat
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\GROOVEEX.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
x64-Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
x64-mPolicies-System: PromptOnSecureDesktop = dword:0
x64-mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Everseeker\AppData\Roaming\Mozilla\Firefox\Profiles\y8lz716a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=937811&ilc=12&p=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\2.1.2\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\2.1.3\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL
FF - plugin: C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: C:\Users\Everseeker\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Users\Everseeker\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Everseeker\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Everseeker\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
FF - plugin: C:\WINDOWS\SysWOW64\npdeployJava1.dll
FF - plugin: C:\WINDOWS\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\WINDOWS\System32\Drivers\PxHlpa64.sys [2012-7-21 55856]
R1 ctxusbm;Citrix USB Monitor Driver;C:\WINDOWS\System32\Drivers\ctxusbm.sys [2012-4-25 93272]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
R2 asComSvc;ASUS Com Service;C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [2012-3-31 922240]
R2 asHmComSvc;ASUS HM Com Service;C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [2012-3-31 915584]
R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2012-3-31 586880]
R2 AtherosSvc;AtherosSvc;C:\WINDOWS\System32\AdminService.exe [2012-8-29 208384]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-19 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-2-19 701512]
R2 OfficeSvc;Microsoft Office Service;C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-5-9 1900728]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-3-14 383264]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-7-16 2673064]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-3-31 2656280]
R3 AVMNgBasM780;AVerMedia M780 Base Driver;C:\WINDOWS\System32\Drivers\AVerBas.sys [2009-6-11 72448]
R3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;C:\WINDOWS\System32\Drivers\AVerCap.sys [2009-6-11 442368]
R3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;C:\WINDOWS\System32\Drivers\AVerTun.sys [2009-6-11 240768]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.EXE [2012-1-25 240408]
R3 BtFilter;BtFilter;C:\WINDOWS\System32\Drivers\btfilter.sys [2012-8-29 565760]
R3 BTHprint;Microsoft Bluetooth Printer Class;C:\WINDOWS\System32\Drivers\BTHPRINT.SYS [2012-7-25 61952]
R3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);C:\WINDOWS\System32\Drivers\ICCWDT.sys [2010-8-18 26136]
R3 MBAMProtector;MBAMProtector;C:\WINDOWS\System32\Drivers\mbam.sys [2013-2-19 25928]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BBSvc.EXE [2012-1-25 192792]
S3 ATHDFU;Atheros Valkyrie USB BootROM;C:\WINDOWS\System32\Drivers\AthDfu.sys [2012-8-22 55336]
S3 CompFilter64;UVCCompositeFilter;C:\WINDOWS\System32\Drivers\lvbflt64.sys [2012-10-26 26784]
S3 LVRS64;Logitech RightSound Filter Driver;C:\WINDOWS\System32\Drivers\lvrs64.sys [2012-10-26 351520]
S3 LVUVC64;@oem45.inf,%PID_0826_DD%(UVC);Logitech HD Webcam C525(UVC);C:\WINDOWS\System32\Drivers\lvuvc64.sys [2012-10-26 4758176]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE [2013-3-27 178760]
S3 vmbusr;Virtual Machine Bus Provider;C:\WINDOWS\System32\Drivers\vmbusr.sys [2012-7-25 117248]
S3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Program Files\Crucial\Ballistix MOD Utility\WinRing0x64.sys [2012-2-3 14544]
S3 WUDFWpdMtp;WUDFWpdMtp;C:\WINDOWS\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
.
=============== File Associations ===============
.
FileExt: .txt: UltraEdit.txt="C:\Program Files (x86)\IDM Computer Solutions\UltraEdit\Uedit32.exe" "%1" [UserChoice]
FileExt: .ini: UltraEdit.ini="C:\Program Files (x86)\IDM Computer Solutions\UltraEdit\Uedit32.exe" "%1" [UserChoice]
FileExt: .js: UltraEdit.js="C:\Program Files (x86)\IDM Computer Solutions\UltraEdit\Uedit32.exe" "%1" [UserChoice]
.
=============== Created Last 60 ================
.
2013-07-02 06:28:45    --------    d-----w-    C:\DDS
2013-07-02 06:17:21    9552976    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{36D819DC-0673-4FB7-8EAA-37B91B18777E}\mpengine.dll
2013-06-27 04:38:19    9552976    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-06-27 04:35:44    243888    ----a-w-    C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Microsoft\Windows\Sqm\Manifest\Sqm10208.bin
2013-06-24 07:05:32    --------    d-----w-    C:\WINDOWS\pss
2013-06-24 06:57:03    --------    d-----w-    C:\Users\Everseeker\AppData\Local\Temp
2013-06-24 06:43:23    --------    d---a-w-    C:\.Trash-999
2013-06-20 18:25:35    253104    ----a-w-    C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10207.bin
2013-06-15 08:00:14    1300992    ----a-w-    C:\WINDOWS\System32\gdi32.dll
2013-06-15 08:00:14    1022464    ----a-w-    C:\WINDOWS\SysWow64\gdi32.dll
2013-06-15 06:08:44    888320    ----a-w-    C:\WINDOWS\System32\autochk.exe
2013-06-15 06:08:43    793088    ----a-w-    C:\WINDOWS\SysWow64\autochk.exe
2013-06-15 06:08:43    542208    ----a-w-    C:\WINDOWS\System32\untfs.dll
2013-06-15 06:08:43    482816    ----a-w-    C:\WINDOWS\SysWow64\untfs.dll
2013-06-12 16:56:08    17271808    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2013-06-12 16:56:08    16642560    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2013-06-12 16:32:15    2233600    ----a-w-    C:\WINDOWS\System32\drivers\tcpip.sys
2013-06-12 14:35:00    1889280    ----a-w-    C:\WINDOWS\System32\crypt32.dll
2013-06-12 14:34:59    68096    ----a-w-    C:\WINDOWS\System32\cryptsvc.dll
2013-06-12 14:34:59    1569792    ----a-w-    C:\WINDOWS\SysWow64\crypt32.dll
2013-06-12 14:34:59    141312    ----a-w-    C:\WINDOWS\System32\cryptnet.dll
2013-06-12 14:34:59    1255936    ----a-w-    C:\WINDOWS\System32\certutil.exe
2013-06-12 14:34:59    109056    ----a-w-    C:\WINDOWS\SysWow64\cryptnet.dll
2013-06-12 14:34:59    1013248    ----a-w-    C:\WINDOWS\SysWow64\certutil.exe
2013-06-12 14:14:31    733184    ----a-w-    C:\WINDOWS\System32\win32spl.dll
2013-06-12 12:54:56    30720    ----a-w-    C:\WINDOWS\System32\cryptdlg.dll
2013-06-12 12:54:56    25088    ----a-w-    C:\WINDOWS\SysWow64\cryptdlg.dll
2013-06-02 00:51:56    84736    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll
2013-05-23 09:52:49    262552    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-05-19 08:17:47    --------    d-----w-    C:\Program Files\iPod
2013-05-19 08:17:46    --------    d-----w-    C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-05-19 08:17:46    --------    d-----w-    C:\Program Files\iTunes
2013-05-19 08:17:46    --------    d-----w-    C:\Program Files (x86)\iTunes
2013-05-19 07:20:36    78200    ----a-w-    C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
2013-05-19 07:20:36    693112    ----a-w-    C:\WINDOWS\SysWow64\FlashPlayerApp.exe
2013-05-16 21:59:21    861184    ----a-w-    C:\WINDOWS\System32\drivers\http.sys
2013-05-16 12:55:13    1455368    ----a-w-    C:\WINDOWS\System32\drivers\dxgkrnl.sys
2013-05-16 07:03:39    70144    ----a-w-    C:\WINDOWS\System32\appinfo.dll
2013-05-16 07:03:39    112872    ----a-w-    C:\WINDOWS\System32\consent.exe
2013-05-16 06:35:15    2851840    ----a-w-    C:\WINDOWS\System32\esent.dll
2013-05-16 06:35:15    2382336    ----a-w-    C:\WINDOWS\SysWow64\esent.dll
2013-05-16 05:17:48    6987528    ----a-w-    C:\WINDOWS\System32\ntoskrnl.exe
2013-05-10 04:24:46    --------    d-----w-    C:\Program Files (x86)\Microsoft
2013-05-10 04:24:42    --------    d-----w-    C:\Users\Everseeker\AppData\Roaming\HpUpdate
2013-05-10 04:24:23    --------    d-----w-    C:\ProgramData\HP Photo Creations
2013-05-10 04:24:23    --------    d-----w-    C:\Program Files (x86)\HP Photo Creations
2013-05-10 04:24:00    --------    d-----w-    C:\WINDOWS\SysWow64\spool
2013-05-10 04:23:27    --------    d-----w-    C:\Program Files (x86)\Common Files\HP
2013-05-10 04:20:41    861184    ----a-w-    C:\WINDOWS\System32\hpowiav1.dll
2013-05-10 04:20:41    498176    ----a-w-    C:\WINDOWS\System32\hpovst01.dll
2013-05-10 04:20:40    1421312    ----a-w-    C:\WINDOWS\System32\hpotiop1.dll
2013-05-09 07:04:58    812240    ----a-w-    C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2013-05-09 06:56:58    --------    d-----w-    C:\Program Files\Microsoft Office 15
.
==================== Find6M  ====================
.
2013-05-15 22:37:03    44032    ----a-w-    C:\WINDOWS\SysWow64\UXInit.dll
2013-05-15 22:35:49    53760    ----a-w-    C:\WINDOWS\System32\UXInit.dll
2013-05-14 13:14:01    2706432    ----a-w-    C:\WINDOWS\System32\mshtml.tlb
2013-05-14 09:23:31    2706432    ----a-w-    C:\WINDOWS\SysWow64\mshtml.tlb
2013-05-04 07:58:17    120736    ----a-w-    C:\WINDOWS\System32\AuthHost.exe
2013-05-04 07:34:17    446720    ----a-w-    C:\WINDOWS\System32\drivers\USBHUB3.SYS
2013-05-04 07:34:17    213248    ----a-w-    C:\WINDOWS\System32\drivers\UCX01000.SYS
2013-05-04 07:34:15    284416    ----a-w-    C:\WINDOWS\System32\drivers\spaceport.sys
2013-05-04 06:59:56    39424    ----a-w-    C:\WINDOWS\System32\wuapp.exe
2013-05-04 06:59:51    1483776    ----a-w-    C:\WINDOWS\System32\VSSVC.exe
2013-05-04 06:59:36    812544    ----a-w-    C:\WINDOWS\System32\Magnify.exe
2013-05-04 06:59:25    98304    ----a-w-    C:\WINDOWS\System32\wudriver.dll
2013-05-04 06:59:25    251904    ----a-w-    C:\WINDOWS\System32\WUSettingsProvider.dll
2013-05-04 06:59:25    141824    ----a-w-    C:\WINDOWS\System32\wuwebv.dll
2013-05-04 06:59:24    1619968    ----a-w-    C:\WINDOWS\System32\wucltux.dll
2013-05-04 06:59:08    13644288    ----a-w-    C:\WINDOWS\System32\Windows.UI.Xaml.dll
2013-05-04 06:58:54    328192    ----a-w-    C:\WINDOWS\System32\ubpm.dll
2013-05-04 06:58:54    10116096    ----a-w-    C:\WINDOWS\System32\twinui.dll
2013-05-04 06:58:49    173568    ----a-w-    C:\WINDOWS\System32\storewuauth.dll
2013-05-04 06:58:49    1332736    ----a-w-    C:\WINDOWS\System32\sysmain.dll
2013-05-04 06:58:48    330240    ----a-w-    C:\WINDOWS\System32\stobject.dll
2013-05-04 06:58:28    93696    ----a-w-    C:\WINDOWS\System32\psmsrv.dll
2013-05-04 06:58:02    470528    ----a-w-    C:\WINDOWS\System32\netprofmsvc.dll
2013-05-04 06:58:02    151552    ----a-w-    C:\WINDOWS\System32\netprofm.dll
2013-05-04 06:58:01    169984    ----a-w-    C:\WINDOWS\System32\netplwiz.dll
2013-05-04 06:57:59    17408    ----a-w-    C:\WINDOWS\System32\muifontsetup.dll
2013-05-04 06:57:46    560640    ----a-w-    C:\WINDOWS\System32\mfmp4srcsnk.dll
2013-05-04 06:57:31    820736    ----a-w-    C:\WINDOWS\System32\gpprefcl.dll
2013-05-04 06:57:15    501760    ----a-w-    C:\WINDOWS\System32\DevicePairing.dll
2013-05-04 06:57:05    179712    ----a-w-    C:\WINDOWS\System32\bisrv.dll
2013-05-04 06:57:05    122368    ----a-w-    C:\WINDOWS\System32\biwinrt.dll
2013-05-04 06:57:04    389120    ----a-w-    C:\WINDOWS\System32\BCP47Langs.dll
2013-05-04 06:57:04    2305024    ----a-w-    C:\WINDOWS\System32\authui.dll
2013-05-04 06:57:00    708096    ----a-w-    C:\WINDOWS\System32\AppXDeploymentExtensions.dll
2013-05-04 06:57:00    1131520    ----a-w-    C:\WINDOWS\System32\AppXDeploymentServer.dll
2013-05-04 06:56:53    419840    ----a-w-    C:\WINDOWS\System32\intl.cpl
2013-05-04 04:58:34    34304    ----a-w-    C:\WINDOWS\SysWow64\wuapp.exe
2013-05-04 04:58:14    758784    ----a-w-    C:\WINDOWS\SysWow64\Magnify.exe
2013-05-04 04:58:02    83968    ----a-w-    C:\WINDOWS\SysWow64\wudriver.dll
2013-05-04 04:58:02    125952    ----a-w-    C:\WINDOWS\SysWow64\wuwebv.dll
2013-05-04 04:57:49    10788864    ----a-w-    C:\WINDOWS\SysWow64\Windows.UI.Xaml.dll
2013-05-04 04:57:39    8857088    ----a-w-    C:\WINDOWS\SysWow64\twinui.dll
2013-05-04 04:57:39    247296    ----a-w-    C:\WINDOWS\SysWow64\ubpm.dll
2013-05-04 04:57:35    303616    ----a-w-    C:\WINDOWS\SysWow64\stobject.dll
2013-05-04 04:57:16    18432    ----a-w-    C:\WINDOWS\SysWow64\npmproxy.dll
2013-05-04 04:57:04    151040    ----a-w-    C:\WINDOWS\SysWow64\netplwiz.dll
2013-05-04 04:57:04    115712    ----a-w-    C:\WINDOWS\SysWow64\netprofm.dll
2013-05-04 04:57:02    14336    ----a-w-    C:\WINDOWS\SysWow64\muifontsetup.dll
2013-05-04 04:56:48    411136    ----a-w-    C:\WINDOWS\SysWow64\mfmp4srcsnk.dll
2013-05-04 04:56:35    582144    ----a-w-    C:\WINDOWS\SysWow64\gpprefcl.dll
2013-05-04 04:56:14    449536    ----a-w-    C:\WINDOWS\SysWow64\DevicePairing.dll
2013-05-04 04:56:06    92160    ----a-w-    C:\WINDOWS\SysWow64\biwinrt.dll
2013-05-04 04:56:05    309760    ----a-w-    C:\WINDOWS\SysWow64\BCP47Langs.dll
2013-05-04 04:56:05    2035712    ----a-w-    C:\WINDOWS\SysWow64\authui.dll
2013-05-04 04:55:58    389632    ----a-w-    C:\WINDOWS\SysWow64\intl.cpl
2013-05-04 04:51:38    14848    ----a-w-    C:\WINDOWS\System32\rars.rs
2013-05-04 04:48:33    83968    ----a-w-    C:\WINDOWS\System32\drivers\hidclass.sys
2013-05-04 04:48:26    27648    ----a-w-    C:\WINDOWS\System32\drivers\hidusb.sys
2013-05-04 04:47:02    427520    ----a-w-    C:\WINDOWS\System32\drivers\rdbss.sys
2013-05-04 04:10:47    14848    ----a-w-    C:\WINDOWS\SysWow64\rars.rs
2013-05-02 15:29:56    278800    ------w-    C:\WINDOWS\System32\MpSigStub.exe
2013-04-28 22:30:55    1767936    ----a-w-    C:\WINDOWS\SysWow64\wininet.dll
2013-04-28 22:30:12    2877440    ----a-w-    C:\WINDOWS\SysWow64\jscript9.dll
2013-04-28 22:28:33    2241024    ----a-w-    C:\WINDOWS\System32\wininet.dll
2013-04-28 22:28:29    915968    ----a-w-    C:\WINDOWS\System32\uxtheme.dll
2013-04-28 22:28:00    3958784    ----a-w-    C:\WINDOWS\System32\jscript9.dll
2013-04-16 04:57:04    291088    ----a-w-    C:\WINDOWS\SysWow64\PnkBstrB.xtr
2013-04-16 04:57:04    291088    ----a-w-    C:\WINDOWS\SysWow64\PnkBstrB.exe
2013-04-16 04:56:52    281520    ----a-w-    C:\WINDOWS\SysWow64\PnkBstrB.ex0
2013-04-13 05:56:35    444416    ----a-w-    C:\WINDOWS\apppatch\AcSpecfc.dll
2013-04-09 05:33:02    489576    ----a-w-    C:\WINDOWS\System32\AudioEng.dll
2013-04-09 05:33:02    446792    ----a-w-    C:\WINDOWS\System32\AudioSes.dll
2013-04-09 05:33:02    253544    ----a-w-    C:\WINDOWS\System32\audiodg.exe
2013-04-09 05:20:02    86280    ----a-w-    C:\WINDOWS\System32\kdnet.dll
2013-04-09 05:20:02    306952    ----a-w-    C:\WINDOWS\System32\kd_02_10ec.dll
2013-04-09 05:18:05    77960    ----a-w-    C:\WINDOWS\System32\kdvm.dll
2013-04-09 05:17:57    1829408    ----a-w-    C:\WINDOWS\System32\ntdll.dll
2013-04-09 04:52:07    816128    ----a-w-    C:\WINDOWS\System32\SearchIndexer.exe
2013-04-09 04:52:07    373760    ----a-w-    C:\WINDOWS\System32\SearchProtocolHost.exe
2013-04-09 04:52:07    197120    ----a-w-    C:\WINDOWS\System32\SearchFilterHost.exe
2013-04-09 04:52:07    126464    ----a-w-    C:\WINDOWS\System32\Robocopy.exe
2013-04-09 04:52:06    804352    ----a-w-    C:\WINDOWS\System32\RecoveryDrive.exe
2013-04-09 04:51:51    367616    ----a-w-    C:\WINDOWS\System32\conhost.exe
2013-04-09 04:51:45    523264    ----a-w-    C:\WINDOWS\System32\XpsGdiConverter.dll
2013-04-09 04:51:41    99840    ----a-w-    C:\WINDOWS\System32\wscsvc.dll
2013-04-09 04:51:41    456704    ----a-w-    C:\WINDOWS\System32\wpncore.dll
2013-04-09 04:51:17    595456    ----a-w-    C:\WINDOWS\System32\Windows.Networking.dll
2013-04-09 04:51:17    391168    ----a-w-    C:\WINDOWS\System32\Windows.Networking.BackgroundTransfer.dll
2013-04-09 04:51:03    3552768    ----a-w-    C:\WINDOWS\System32\tquery.dll
2013-04-09 04:50:53    414720    ----a-w-    C:\WINDOWS\System32\GenuineCenter.dll
2013-04-09 04:50:39    422400    ----a-w-    C:\WINDOWS\System32\schannel.dll
2013-04-09 04:50:39    1285632    ----a-w-    C:\WINDOWS\System32\schedsvc.dll
2013-04-09 04:50:03    96256    ----a-w-    C:\WINDOWS\System32\mssprxy.dll
2013-04-09 04:50:03    745984    ----a-w-    C:\WINDOWS\System32\mssvp.dll
2013-04-09 04:50:03    2107904    ----a-w-    C:\WINDOWS\System32\mssrch.dll
2013-04-09 04:50:02    65024    ----a-w-    C:\WINDOWS\System32\msscntrs.dll
2013-04-09 04:50:02    435200    ----a-w-    C:\WINDOWS\System32\mssph.dll
2013-04-09 04:50:02    13824    ----a-w-    C:\WINDOWS\System32\msshooks.dll
2013-04-09 04:49:54    1444864    ----a-w-    C:\WINDOWS\System32\MSAudDecMFT.dll
2013-04-09 04:49:45    468992    ----a-w-    C:\WINDOWS\System32\MFMediaEngine.dll
.
============= FINISH:  2:31:55.19 ===============
 

 


#4 nasdaq

  • Malware Response Team
  • 40,490 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 July 2013 - 07:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
These are the culprits.

uRun: [ctfmon32.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\2fofh.dat,XFG00
x64-mWinlogon: Shell = C:\PROGRA~3\hfof2.bat


--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller


  • I also need to know the exact location of this file in bold.
    C:\PROGRA~3\rundll32.exe

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    If your operating system is 64 bit download this tool:
    SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    rundll32.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt

    Please post the logs and let me know what problem persists.
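The two lines nasdaq singled out share a pattern worth recognising in any DDS or RogueKiller log: a Run entry that launches rundll32.exe from a non-system directory and hands it a module that is not a DLL, and a Winlogon Shell value that is not explorer.exe. The script below is an added example written for this thread, not code from DDS, RogueKiller or nasdaq; it reads lines in the DDS "uRun:" / "x64-mWinlogon:" style, and the directory whitelist, the RunOnce line modelled on the Malwarebytes cleanup entry, and the two benign entries are my own constructions.

```python
"""Flag the two persistence entries nasdaq called out, reading lines in the
DDS "uRun:" / "x64-mWinlogon:" style shown in the thread.  Added example,
not code from the thread or from DDS/RogueKiller; the directory whitelist
and the benign sample lines are my own assumptions."""
import ntpath
import re
from typing import List, Tuple

# Where a genuine rundll32.exe lives on a stock install (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
EXPECTED_SHELL = "explorer.exe"

# "uRun: [name] command", "mRunOnce: [name] command", optional x64- prefix.
RUN_RE = re.compile(
    r"^(?:x64-)?[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
# "x64-mWinlogon: Shell = value"
SHELL_RE = re.compile(r"^(?:x64-)?[um]Winlogon:\s*Shell\s*=\s*(?P<shell>.+)$", re.I)

# Constructed sample: the two lines nasdaq quoted, a RunOnce entry modelled on
# the Malwarebytes cleanup line in the RogueKiller log, and two benign entries
# made up for contrast.
SAMPLE_LINES = [
    r"uRun: [ctfmon32.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\2fofh.dat,XFG00",
    r"x64-mWinlogon: Shell = C:\PROGRA~3\hfof2.bat",
    r"""mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript""",
    r'mRun: [LWS] "C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe" /hide',
    r"mWinlogon: Shell = explorer.exe",
]


def _first_token(cmd: str) -> Tuple[str, str]:
    """Split off the first command-line token, honouring double quotes."""
    cmd = cmd.strip()
    if not cmd:
        return "", ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _is_system_dir(directory: str) -> bool:
    return directory.lower().rstrip("\\") in SYSTEM_DIRS


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for every autorun line that trips a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            exe, args = _first_token(run.group("cmd"))
            if ntpath.basename(exe).lower() == "rundll32.exe":
                exe_dir = ntpath.dirname(exe)
                # A bare "rundll32.exe" resolves through PATH to System32 and is
                # left alone; an explicit non-system directory is the tell.
                if exe_dir and not _is_system_dir(exe_dir):
                    findings.append(("rundll32-outside-system", line))
                # rundll32 takes "<module>,<export>"; a .dat module is not normal.
                module = _first_token(args)[0].split(",", 1)[0]
                if module and ntpath.splitext(module)[1].lower() != ".dll":
                    findings.append(("rundll32-non-dll-module", line))
            continue
        shell = SHELL_RE.match(line)
        if shell and ntpath.basename(shell.group("shell").strip()).lower() != EXPECTED_SHELL:
            findings.append(("winlogon-shell-replaced", line))
    return findings


if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LINES):
        print(f"{rule:28} {line}")
```

Run as-is it reports three findings, all pointing at C:\PROGRA~3: the Run entry trips both rundll32 rules and the Winlogon line trips the shell rule, while the Malwarebytes RunOnce entry (bare rundll32.exe, real .dll module) and the two benign lines pass. A replaced Winlogon Shell is also the direct explanation for the black screen the topic starter described: Windows starts the .bat instead of explorer.exe, which is why RogueKiller restores the value to explorer.exe.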


#5 everseeker
  • Topic Starter
  • Members
  • 16 posts

Posted 04 July 2013 - 06:26 PM

Thanks for the assist...

OK: Step 1 complete... posting:

(found 2 reports...)

RogueKiller V8.6.2 _x64_ [Jul  2 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : hxxp://www.adlice.com/forum/
Website : hxxp://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Everseeker [Admin rights]
Mode : Scan -- Date : 07/04/2013 19:17:39
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][Rans.Gendarm] HKCU\[...]\Run : ctfmon32.exe (C:\PROGRA~3\rundll32.exe C:\PROGRA~3\2fofh.dat,XFG00) -> FOUND
[RUN][Rans.Gendarm] HKUS\S-1-5-21-3505057325-4185842258-3277213766-1000\[...]\Run : ctfmon32.exe (C:\PROGRA~3\rundll32.exe C:\PROGRA~3\2fofh.dat,XFG00) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> FOUND
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : shell (C:\PROGRA~3\hfof2.bat [x]) -> FOUND
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] SymSrv.yes : C:\Program Files\Windows Defender\SymSrv.yes >> \systemroot\system32\config [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Rans.Gendarm|ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST2000DL003-9VT166 +++++
--- User ---
[MBR] 09e49fde83cd075b876a9ea5e31b297e
[BSP] 503f98e61465e9aef87c25e36da5757b : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_07042013_191739.txt >>

and

 

RogueKiller V8.6.2 _x64_ [Jul  2 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : hxxp://www.adlice.com/forum/
Website : hxxp://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Everseeker [Admin rights]
Mode : Remove -- Date : 07/04/2013 19:18:37
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][Rans.Gendarm] HKCU\[...]\Run : ctfmon32.exe (C:\PROGRA~3\rundll32.exe C:\PROGRA~3\2fofh.dat,XFG00) -> DELETED
[RUN][Rans.Gendarm] HKUS\S-1-5-21-3505057325-4185842258-3277213766-1000\[...]\Run : ctfmon32.exe (C:\PROGRA~3\rundll32.exe C:\PROGRA~3\2fofh.dat,XFG00) -> [0x2] The system cannot find the file specified.
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> DELETED
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : shell (C:\PROGRA~3\hfof2.bat [x]) -> REPLACED (explorer.exe)
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> Junction DELETED
[ZeroAccess][Junction] SymSrv.yes : C:\Program Files\Windows Defender\SymSrv.yes >> \systemroot\system32\config [-] --> Junction DELETED

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Rans.Gendarm|ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST2000DL003-9VT166 +++++
--- User ---
[MBR] 09e49fde83cd075b876a9ea5e31b297e
[BSP] 503f98e61465e9aef87c25e36da5757b : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_07042013_191837.txt >>
RKreport[0]_S_07042013_191739.txt


 



#6 everseeker
  • Topic Starter
  • Members
  • 16 posts

Posted 04 July 2013 - 06:31 PM

Part 2:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 19:28 on 04/07/2013 by Everseeker
Administrator - Elevation successful

========== filefind ==========

Searching for "rundll32.exe"
C:\.Trash-999\files\rundll32.exe    --a---- 48640 bytes    [10:27 20/06/2013]    [10:27 20/06/2013] 224F6B374852153C8C24BED141AE3A20
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\rundll32.exe    --a---- 218184 bytes    [09:42 19/02/2013]    [18:50 04/04/2013] B4C6E3889BB310CA7E974A04EC6E46AC
C:\Windows\System32\rundll32.exe    --a---- 51712 bytes    [01:26 26/07/2012]    [03:08 26/07/2012] 3A6209AC494296C24C2065CB4392B5F4
C:\Windows\SysWOW64\rundll32.exe    --a---- 48640 bytes    [01:33 26/07/2012]    [03:20 26/07/2012] 224F6B374852153C8C24BED141AE3A20
C:\Windows\WinSxS\amd64_microsoft-windows-rundll32_31bf3856ad364e35_6.2.9200.16384_none_30cef8f434aec8db\rundll32.exe    --a---- 51712 bytes    [01:26 26/07/2012]    [03:08 26/07/2012] 3A6209AC494296C24C2065CB4392B5F4
C:\Windows\WinSxS\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.2.9200.16384_none_d4b05d707c5157a5\rundll32.exe    --a---- 48640 bytes    [01:33 26/07/2012]    [03:20 26/07/2012] 224F6B374852153C8C24BED141AE3A20

-= EOF =-
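The useful column in a SystemLook filefind result is the MD5 at the end of each line: it tells you whether a stray copy of rundll32.exe is the genuine system binary placed somewhere it does not belong (the pattern behind the C:\PROGRA~3\rundll32.exe loader in the Run key above) or a different file altogether. The script below is an added example, not code from the thread or from SystemLook; it parses the filefind block posted above, groups the copies by hash, and reports every copy outside the Windows system directories. The list of "expected" directories is my assumption for a stock install.

```python
"""Group a SystemLook ':filefind' result by MD5 and say which copies of the
binary sit outside the Windows system directories.  Added example, not code
from the thread or from SystemLook; the sample text is the filefind output
posted above, and the list of expected directories is my assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Directories where copies of a Windows system binary are expected (assumption).
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                   "c:\\windows\\winsxs\\")

# <path>    --a---- <size> bytes    [created]    [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# The filefind block from the post above, used here as sample input.
SAMPLE_LOG = r"""
Searching for "rundll32.exe"
C:\.Trash-999\files\rundll32.exe    --a---- 48640 bytes    [10:27 20/06/2013]    [10:27 20/06/2013] 224F6B374852153C8C24BED141AE3A20
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\rundll32.exe    --a---- 218184 bytes    [09:42 19/02/2013]    [18:50 04/04/2013] B4C6E3889BB310CA7E974A04EC6E46AC
C:\Windows\System32\rundll32.exe    --a---- 51712 bytes    [01:26 26/07/2012]    [03:08 26/07/2012] 3A6209AC494296C24C2065CB4392B5F4
C:\Windows\SysWOW64\rundll32.exe    --a---- 48640 bytes    [01:33 26/07/2012]    [03:20 26/07/2012] 224F6B374852153C8C24BED141AE3A20
C:\Windows\WinSxS\amd64_microsoft-windows-rundll32_31bf3856ad364e35_6.2.9200.16384_none_30cef8f434aec8db\rundll32.exe    --a---- 51712 bytes    [01:26 26/07/2012]    [03:08 26/07/2012] 3A6209AC494296C24C2065CB4392B5F4
C:\Windows\WinSxS\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.2.9200.16384_none_d4b05d707c5157a5\rundll32.exe    --a---- 48640 bytes    [01:33 26/07/2012]    [03:20 26/07/2012] 224F6B374852153C8C24BED141AE3A20
"""


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(text: str) -> List[Entry]:
    """Keep only the result lines; headers such as 'Searching for' are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"]), m["created"],
                                 m["modified"], m["md5"].upper()))
    return entries


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def classify(entries: List[Entry]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each path to (verdict, matching system copy or None)."""
    system_by_md5: Dict[str, str] = {}
    for e in entries:
        if is_system_path(e.path):
            system_by_md5.setdefault(e.md5, e.path)
    verdicts: Dict[str, Tuple[str, Optional[str]]] = {}
    for e in entries:
        if is_system_path(e.path):
            verdicts[e.path] = ("system-copy", None)
        elif e.md5 in system_by_md5:
            # Byte-identical to a system copy: a genuine binary in the wrong place.
            verdicts[e.path] = ("system-binary-copied-elsewhere", system_by_md5[e.md5])
        else:
            # Different content: needs a look, whatever the folder name suggests.
            verdicts[e.path] = ("unknown-copy-outside-system", None)
    return verdicts


if __name__ == "__main__":
    for path, (verdict, match) in classify(parse_filefind(SAMPLE_LOG)).items():
        print(f"{verdict:32} {path}" + (f"  (same MD5 as {match})" if match else ""))
```

On this log the copy under C:\.Trash-999 has the same MD5 (and size) as C:\Windows\SysWOW64\rundll32.exe, so it is the unmodified 32-bit system binary rather than a patched one; the Chameleon copy under the Malwarebytes program folder has a different hash and is reported for review rather than cleared, which is the right default for anything outside the system directories.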



#7 everseeker
  • Topic Starter
  • Members
  • 16 posts

Posted 04 July 2013 - 07:47 PM

Part 3 - What do I now see:

1. YEA! I see my desktop

2. Ummm... about that....

3. Is there any way to get MY desktop back? The current one is a kind of "default"

I mean, all my files are still here, and the Standard desktop is fine, but the Win 8 pane is only populated with "stock" icons. I can re-create, if I must...

4. So, now what?

(Itching to run Malware Bytes/set up anti virus/etc... but will not touch ANY thing until the word is given...)

 



#8 nasdaq

  • Malware Response Team
  • 40,490 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 July 2013 - 07:39 AM

Can this file be required by a Linux program?
C:\.Trash-999\files\rundll32.exe
Your call if you want to keep it.
Source: http://answers.microsoft.com/fr-fr/windows/forum/windows_8-performance/a-quoi-sert-le-dossier-trash-999/a1ad4550-b0a8-4c2c-9f46-e1a254bb94b5?msgId=b975d1e3-2973-4f6f-8e82-da76b5a11adc
<<<>>>

Malwarebytes is ready for Windows 8. You should run it just in case some malware is still lurking around.

===

As for the Desktop issue with Windows 8 I suggest you start a new topic in the Windows 8 Forum
http://www.bleepingcomputer.com/forums/f/209/windows-8/

I'm not familiar with this Operating system and do not want to make a call on something I have never seen.

Any other remaining issues with this computer?



