Unable to Open/Run AV/AM software; 'Windows cannot find ....exe. Make sure...'


  • This topic is locked
17 replies to this topic

#1 Peanutpanda

Peanutpanda

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 29 December 2013 - 10:39 PM

I am unable to open presumably any anti-virus or anti-malware .exe's.  I get a Windows cannot find 'C:\Program Files\...\....exe'. Make sure you typed the name correctly, and then try again, even when I go to the actual file location and open or run as administrator from there.  

 

All other .exe files run fine.  I have tried uninstalling/re-installing Microsoft Security Essentials but got different errors repeatedly.  With MSE Uninstalled from my computer, I cannot turn on Windows Defender either.  When I try to start it from the action center I get this error: "Action Center cannot turn on Windows Defender at this time.  Please try again later."

 

I have also tried installing Malwarebytes Anti-malware and received the same error when trying to run it.  I also tried using RKill before running them but I got the same error.

 

I have tried doing a system restore to a previous date when I think everything was working correctly, but I was not paying attention to the Action Center, so I don't know exactly how long MSE has been disabled.  

 

My Google-fu has netted me information about the old Swen worm that prevented any .exe from opening, but results for my search string net generic anti-virus product pages.

 

Any help would be greatly appreciated!  Thank you in advance!  Here's my DDS log:

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16526  BrowserJavaVersion: 10.45.2
Run by John at 19:24:34 on 2013-12-29
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.16337.13976 [GMT -8:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
D:\Play Memories\PMBDeviceInfoProvider.exe
C:\Program Files\Cyberlink\Shared files\RichVideo64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
E:\Program Files\iTunesHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\SysWOW64\WScript.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468
uURLSearchHooks: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - <orphaned>
uWindows: Load = C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [AdobeBridge] <no file>
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
StartupFolder: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.ini.url
StartupFolder: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E6620D7F-DF97-41A9-8716-3AC301BB96AB} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
IFEO: avcenter.exe - nsjw.exe
IFEO: avguard.exe - nsjw.exe
IFEO: avp.exe - nsjw.exe
IFEO: bdagent.exe - nsjw.exe
IFEO: ccuac.exe - nsjw.exe
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-IFEO: avcenter.exe - nsjw.exe
x64-IFEO: avguard.exe - nsjw.exe
x64-IFEO: avp.exe - nsjw.exe
x64-IFEO: bdagent.exe - nsjw.exe
x64-IFEO: ccuac.exe - nsjw.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 asahci64;asahci64;C:\Windows\System32\drivers\asahci64.sys [2012-1-6 49760]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-10-10 19224]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2013-11-8 56208]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-3-5 283200]
R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2012-10-10 23816]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-10-10 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-2-2 628448]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2012-6-5 190824]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-10-10 161560]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 134944]
R2 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2013-12-4 1370912]
R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [2013-8-28 15128352]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;D:\Play Memories\PMBDeviceInfoProvider.exe [2013-7-26 483864]
R2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\Cyberlink\Shared files\RichVideo64.exe [2013-10-8 390672]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-10-23 414496]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-10-10 363800]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-11-3 130536]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-11-3 395752]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-10-10 356632]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-10-10 789272]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2013-12-4 39200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 libusb0;Jawbone LibUsb-Win32 - Kernel Driver 09/22/2011,1.2.5.0;C:\Windows\System32\drivers\libusb0.sys [2013-3-14 52320]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-3-5 115272]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-10 1255736]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-10-19 160944]
.
=============== File Associations ===============
.
FileExt: .js: jsfile="E:\Program Files\Adobe Dreamweaver CS6\Dreamweaver.exe","%1"
ShellExec: dreamweaver.exe: Open="E:\Program Files\Adobe Dreamweaver CS6\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2013-12-30 02:49:38 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-12-29 15:44:32 -------- d-----w- C:\ProgramData\Malwarebytes
2013-12-29 15:21:54 -------- d-----w- C:\MATS
2013-12-29 15:03:11 -------- d-----w- C:\Users\John\AppData\Local\ElevatedDiagnostics
2013-12-16 10:38:31 -------- d-----w- C:\Users\John\AppData\Roaming\MPC-HC
2013-12-16 10:11:52 10285968 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{612CA134-141E-456E-BE72-5017E605E21B}\mpengine.dll
2013-12-12 08:34:52 10285968 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-12-12 08:20:32 -------- d-sh--w- C:\ProgramData\{$1284-9213-2940-1289$}
2013-12-09 08:35:21 965000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7C6A04D7-3206-40A5-8AF1-0B284E69E921}\gapaengine.dll
2013-12-05 07:30:07 -------- d-----w- C:\Users\John\AppData\Local\NVIDIA Corporation
2013-12-05 07:29:27 39200 ----a-w- C:\Windows\System32\drivers\nvvad64v.sys
2013-12-05 07:29:27 32544 ----a-w- C:\Windows\SysWow64\nvaudcap32v.dll
2013-12-05 07:23:19 -------- d-----w- C:\Windows\pss
2013-12-02 15:33:32 -------- d-----w- C:\Users\John\AppData\Roaming\Logs
2013-12-02 15:32:33 152 ----a-w- C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs
2013-12-02 15:32:33 -------- d-----w- C:\Users\John\AppData\Roaming\WIN
2013-12-02 15:26:59 -------- d-----w- C:\Users\John\AppData\Roaming\install
2013-12-02 15:23:58 154283 ---h--w- C:\Users\John\AppData\Roaming\John-wchelper.dll
2013-12-02 15:23:58 -------- d-----w- C:\Users\John\AppData\Roaming\WinDir
.
==================== Find3M  ====================
.
2013-11-29 16:56:58 1096480 ----a-w- C:\Windows\System32\nvspcap64.dll
2013-11-29 16:56:57 979744 ----a-w- C:\Windows\SysWow64\nvspcap.dll
2013-11-23 07:41:59 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-23 07:41:59 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-11-15 01:37:29 2334720 ----a-w- C:\Windows\System32\jscript9.dll
2013-11-15 01:29:03 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-11-15 01:28:41 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-11-15 01:22:21 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-11-15 01:20:47 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-11-15 01:18:03 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-11-14 22:50:50 1806848 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-11-14 22:42:41 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-11-14 22:42:32 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-11-14 22:38:54 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-11-14 22:38:16 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-11-14 22:35:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-11-12 02:23:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-11-12 02:07:29 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-10-30 17:59:08 890368 ----a-w- C:\Windows\SysWow64\twitchsdk_32_release.dll
2013-10-30 17:58:18 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2013-10-30 17:57:29 89600 ----a-w- C:\Windows\SysWow64\vorbisfile.dll
2013-10-30 17:57:13 316184 ----a-w- C:\Windows\SysWow64\Client.exe
2013-10-30 17:55:45 16196504 ----a-w- C:\Windows\SysWow64\libmfxsw32.dll
2013-10-30 17:53:46 113171 ----a-w- C:\Windows\SysWow64\swresample-ttv-0.dll
2013-10-30 17:53:14 394810 ----a-w- C:\Windows\SysWow64\libmp3lame-ttv.dll
2013-10-30 17:51:47 298776 ----a-w- C:\Windows\SysWow64\CrashUpload.exe
2013-10-30 17:50:37 1237504 ----a-w- C:\Windows\SysWow64\vorbis.dll
2013-10-30 17:49:54 246332 ----a-w- C:\Windows\SysWow64\avutil-ttv-51.dll
2013-10-30 17:44:28 918617 ----a-w- C:\Windows\SysWow64\libx264-128.dll
2013-10-30 17:42:37 9052440 ----a-w- C:\Windows\SysWow64\PathOfExile.exe
2013-10-30 17:42:24 50688 ----a-w- C:\Windows\SysWow64\ogg.dll
2013-10-30 17:41:02 85784 ----a-w- C:\Windows\SysWow64\PackCheck.exe
2013-10-30 17:40:16 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2013-10-30 17:02:58 35104 ----a-w- C:\Windows\System32\nvaudcap64v.dll
2013-10-30 01:24:31 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-10-23 10:02:36 589600 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2013-10-23 08:20:08 6669600 ----a-w- C:\Windows\System32\nvcpl.dll
2013-10-23 08:20:07 3489568 ----a-w- C:\Windows\System32\nvsvc64.dll
2013-10-23 08:20:05 922912 ----a-w- C:\Windows\System32\nvvsvc.exe
2013-10-23 08:20:05 63776 ----a-w- C:\Windows\System32\nvshext.dll
2013-10-23 08:20:05 219424 ----a-w- C:\Windows\System32\nvmctray.dll
2013-10-23 08:20:03 3426956 ----a-w- C:\Windows\System32\nvcoproc.bin
2013-10-19 01:36:59 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-10-16 00:48:05 1884448 ----a-w- C:\Windows\System32\nvdispco6433158.dll
2013-10-16 00:48:05 1511712 ----a-w- C:\Windows\System32\nvdispgenco6433158.dll
2013-10-12 02:32:04 150016 ----a-w- C:\Windows\System32\wshom.ocx
2013-10-12 02:31:04 202752 ----a-w- C:\Windows\System32\scrrun.dll
2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:04:36 121856 ----a-w- C:\Windows\SysWow64\wshom.ocx
2013-10-12 02:03:31 163840 ----a-w- C:\Windows\SysWow64\scrrun.dll
2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-12 01:33:39 156160 ----a-w- C:\Windows\System32\cscript.exe
2013-10-12 01:33:26 168960 ----a-w- C:\Windows\System32\wscript.exe
2013-10-12 01:15:48 141824 ----a-w- C:\Windows\SysWow64\wscript.exe
2013-10-12 01:15:48 126976 ----a-w- C:\Windows\SysWow64\cscript.exe
2013-10-08 14:50:37 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-05 20:25:35 1474048 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-05 19:57:25 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-10-04 02:16:30 116736 ----a-w- C:\Windows\System32\drivers\drmk.sys
2013-10-04 01:36:04 230400 ----a-w- C:\Windows\System32\drivers\portcls.sys
2013-10-03 02:23:48 404480 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-03 02:00:44 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
.
============= FINISH: 19:24:40.52 ===============
 

Attached Files
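For anyone triaging a log like the one above: the `IFEO` lines are the mechanism behind the "Windows cannot find ....exe" symptom. The Debugger value under an Image File Execution Options key tells Windows to start the named debugger in place of that executable, so when it points at a file that is not there (nsjw.exe in this log) every listed security tool fails to launch while every other .exe runs normally, which is exactly the pattern described in the first post. The Python below is an added example, not part of this thread and not code from the DDS or FRST tools: it parses the IFEO and per-user Load lines in both tools' output formats, separates recognised debuggers from unrecognised redirects, and counts how many targets share a single debugger (one unknown debugger covering a dozen security-tool names is the tell). The sample lines are constructed to mirror the thread's log formats; the notepad.exe/vsjitdebugger.exe line is invented to show a recognised debugger being left alone, and the small KNOWN_DEBUGGERS allowlist is an illustrative assumption, not a complete list. Confirming and removing such entries on the affected machine is a registry task for the helper's tools, not something this log parser does.

```python
"""Triage Image File Execution Options (IFEO) "Debugger" entries from DDS/FRST logs.

Setting the Debugger value under the Image File Execution Options key for
<name>.exe makes Windows start the named debugger instead of <name>.exe (with
<name>.exe's command line appended). Pointing that value at a file that does
not exist is an old trick for blocking security tools: the launch fails and
the user sees a "cannot find" error for the tool they double-clicked, while
every other .exe still runs.
"""
import re
from collections import Counter

# DDS prints "IFEO: target - debugger" (and "x64-IFEO: ..." for the 64-bit hive);
# FRST prints "IFEO\target: [Debugger] debugger".
IFEO_DDS = re.compile(r"^(?:x64-)?IFEO:\s+(\S+)\s+-\s+(.+?)\s*$")
IFEO_FRST = re.compile(r"^IFEO\\(.+?): \[Debugger\] (.+?)\s*$")
# The per-user "Load" value (HKCU\...\CurrentVersion\Windows\Load) is another
# autostart both tools report; DDS calls it "uWindows: Load", FRST flags it.
LOAD_DDS = re.compile(r"^uWindows: Load = (.+?)\s*$")
LOAD_FRST = re.compile(
    r"^HKCU\\\.\.\.\\CurrentVersion\\Windows: \[Load\] (.*?)(?:\s*<=+\s*ATTENTION)?\s*$"
)

# Assumed allowlist: debuggers commonly and legitimately registered under IFEO.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "procdump.exe", "procdump64.exe"}


def debugger_basename(value: str) -> str:
    """Return the lower-cased file name of the debugger command (quoted or not)."""
    value = value.strip()
    exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
    return re.split(r"[\\/]", exe)[-1].lower()


def parse_ifeo(log_text: str) -> dict:
    """Map lower-cased target executable -> raw Debugger value, from either log format."""
    found = {}
    for line in log_text.splitlines():
        m = IFEO_DDS.match(line) or IFEO_FRST.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def parse_load(log_text: str) -> list:
    """Collect distinct values of the per-user Load autostart, in the order seen."""
    seen = []
    for line in log_text.splitlines():
        m = LOAD_DDS.match(line) or LOAD_FRST.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def triage(log_text: str) -> dict:
    """Split IFEO entries into recognised debuggers and unrecognised redirects.

    One unrecognised debugger attached to many security-tool names is the
    signature of the blocking trick, so a count per debugger is returned too.
    """
    recognised, redirected = {}, {}
    for target, raw in parse_ifeo(log_text).items():
        name = debugger_basename(raw)
        (recognised if name in KNOWN_DEBUGGERS else redirected)[target] = name
    return {
        "redirected": redirected,
        "recognised": recognised,
        "per_debugger": dict(Counter(redirected.values())),
        "load_values": parse_load(log_text),
    }


# Constructed sample lines in the shape DDS and FRST print them; the nsjw.exe and
# Load entries mirror the thread's logs, the notepad.exe line is invented to show
# a recognised (Visual Studio JIT) debugger being left alone.
SAMPLE_LOG = r"""
IFEO: avcenter.exe - nsjw.exe
x64-IFEO: avcenter.exe - nsjw.exe
x64-IFEO: avp.exe - nsjw.exe
IFEO\mbam.exe: [Debugger] nsjw.exe
IFEO\MsMpEng.exe: [Debugger] nsjw.exe
IFEO\msseces.exe: [Debugger] nsjw.exe
IFEO\notepad.exe: [Debugger] "C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\vsjitdebugger.exe" -p %ld -e %ld
uWindows: Load = C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe
HKCU\...\CurrentVersion\Windows: [Load] C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe <===== ATTENTION
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for target, dbg in sorted(report["redirected"].items()):
        print(f"IFEO redirect: {target} -> {dbg}")
    print("targets per unrecognised debugger:", report["per_debugger"])
    print("per-user Load autostart:", report["load_values"])
```

Run it against a real DDS or FRST log by passing the file's text to `triage()`; the `redirected` map lists which executables will never start as themselves, and `per_debugger` makes the shared-debugger pattern obvious at a glance.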





#2 Peanutpanda

Peanutpanda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 01 January 2014 - 09:43 AM

New symptom: After copying photos from an SD card via USB SD Card reader, my computer got really slow.  When I checked my task manager I saw two instances of "cvtres.exe *32" running sucking up 50% of my cpu each.  After ending process tree on both, one continues to re-open and eat up 75% of my cpu resources.  However, it only takes up 75% of my cpu resources while connected to the internet.  Please help soon, thanks in advance!



#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:07 AM

Posted 02 January 2014 - 08:52 PM

Please download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.

  • Press Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 Peanutpanda

Peanutpanda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 05 January 2014 - 09:16 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-01-2014
Ran by John (administrator) on PANDADDY on 05-01-2014 06:14:20
Running from D:\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Sony Corporation) D:\Play Memories\PMBDeviceInfoProvider.exe
() C:\Program Files\Cyberlink\Shared files\RichVideo64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) E:\Program Files\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
() C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(MPC-HC Team) D:\Program Files\MPC-HC\mpc-hc64.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6548112 2012-06-12] (Realtek Semiconductor)
HKLM\...\Run: [Nvtmru] - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe [1028384 2013-10-17] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] - C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [NvBackend] - C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2273056 2013-11-29] (NVIDIA Corporation)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-03-27] (Intel Corporation)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [SwitchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [iTunesHelper] - E:\Program Files\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKCU\...\Run: [AdobeBridge] - [x]
HKCU\...\Run: [uTorrent] - C:\Users\John\AppData\Roaming\uTorrent\uTorrent.exe [900440 2013-11-15] (BitTorrent Inc.)
HKCU\...\CurrentVersion\Windows: [Load] C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe <===== ATTENTION
MountPoints2: {e575e8f4-13cf-11e2-ad36-806e6f6e6963} - D:\.\Bin\ASSETUP.exe
IFEO\avcenter.exe: [Debugger] nsjw.exe
IFEO\avguard.exe: [Debugger] nsjw.exe
IFEO\avp.exe: [Debugger] nsjw.exe
IFEO\bdagent.exe: [Debugger] nsjw.exe
IFEO\ccuac.exe: [Debugger] nsjw.exe
IFEO\ComboFix.exe: [Debugger] nsjw.exe
IFEO\egui.exe: [Debugger] nsjw.exe
IFEO\hijackthis.exe: [Debugger] nsjw.exe
IFEO\keyscrambler.exe: [Debugger] nsjw.exe
IFEO\mbam.exe: [Debugger] nsjw.exe
IFEO\MpCmdRun.exe: [Debugger] nsjw.exe
IFEO\MSASCui.exe: [Debugger] nsjw.exe
IFEO\MsMpEng.exe: [Debugger] nsjw.exe
IFEO\msseces.exe: [Debugger] nsjw.exe
IFEO\NisSrv.exe: [Debugger] nsjw.exe
IFEO\spybotsd.exe: [Debugger] nsjw.exe
IFEO\wireshark.exe: [Debugger] nsjw.exe
IFEO\zlclient.exe: [Debugger] nsjw.exe
Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.ini.url ()
Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs ()
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3220468
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x13DC43AB6AA7CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
URLSearchHook: HKCU - (No Name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
Chrome: 
=======
CHR HomePage: hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=48
CHR RestoreOnStartup: "hxxp://google.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\pdf.dll ()
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Activation Technologies) - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
CHR Extension: (Google Drive) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (AdBlock) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.6.16_0
CHR Extension: (Google Wallet) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_0
CHR Extension: (Gmail) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM-x32\...\Chrome\Extension: [ejpbbhjlbipncjklfjjaedaieimbmdda] - C:\Users\John\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx
 
==================== Services (Whitelisted) =================
 
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1370912 2013-11-29] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15128352 2013-11-29] (NVIDIA Corporation)
R2 PMBDeviceInfoProvider; D:\Play Memories\PMBDeviceInfoProvider.exe [483864 2013-04-24] (Sony Corporation)
R2 RichVideo64; C:\Program Files\Cyberlink\Shared files\RichVideo64.exe [390672 2012-12-21] ()
 
==================== Drivers (Whitelisted) ====================
 
R0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [49760 2012-01-06] (Asmedia Technology)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2013-03-05] (DT Soft Ltd)
S3 libusb0; C:\Windows\System32\DRIVERS\libusb0.sys [52320 2013-03-14] (http://libusb-win32.sourceforge.net)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-10-30] (NVIDIA Corporation)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-02-20] (Duplex Secure Ltd.)
U3 aw06wery; C:\Windows\System32\Drivers\aw06wery.sys [0 ] (Asmedia Technology)
S3 GPU-Z; \??\C:\Users\John\AppData\Local\Temp\GPU-Z.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-05 06:14 - 2014-01-05 06:14 - 00000000 ____D C:\FRST
2013-12-29 19:24 - 2013-12-29 19:24 - 00018528 _____ C:\Users\John\Desktop\dds.txt
2013-12-29 19:24 - 2013-12-29 19:24 - 00007795 _____ C:\Users\John\Desktop\attach.txt
2013-12-29 18:50 - 2013-11-14 18:09 - 17847296 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-12-29 18:50 - 2013-11-14 17:42 - 10926080 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-12-29 18:50 - 2013-11-14 17:37 - 02334720 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-12-29 18:50 - 2013-11-14 17:29 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-12-29 18:50 - 2013-11-14 17:29 - 01347072 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-12-29 18:50 - 2013-11-14 17:28 - 01494528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-12-29 18:50 - 2013-11-14 17:28 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-12-29 18:50 - 2013-11-14 17:25 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-12-29 18:50 - 2013-11-14 17:22 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-12-29 18:50 - 2013-11-14 17:20 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-12-29 18:50 - 2013-11-14 17:20 - 00599040 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-12-29 18:50 - 2013-11-14 17:19 - 02147840 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-12-29 18:50 - 2013-11-14 17:19 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-12-29 18:50 - 2013-11-14 17:18 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-12-29 18:50 - 2013-11-14 17:18 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-12-29 18:50 - 2013-11-14 17:12 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-12-29 18:50 - 2013-11-14 15:13 - 12344320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-12-29 18:50 - 2013-11-14 14:50 - 09739264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-12-29 18:50 - 2013-11-14 14:50 - 01806848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-12-29 18:50 - 2013-11-14 14:43 - 01105408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-12-29 18:50 - 2013-11-14 14:42 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-12-29 18:50 - 2013-11-14 14:42 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-12-29 18:50 - 2013-11-14 14:41 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-12-29 18:50 - 2013-11-14 14:40 - 00065024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-12-29 18:50 - 2013-11-14 14:38 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-12-29 18:50 - 2013-11-14 14:38 - 00420864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-12-29 18:50 - 2013-11-14 14:38 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-12-29 18:50 - 2013-11-14 14:37 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-12-29 18:50 - 2013-11-14 14:36 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-12-29 18:50 - 2013-11-14 14:36 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-12-29 18:50 - 2013-11-14 14:35 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-12-29 18:50 - 2013-11-14 14:32 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-12-29 18:49 - 2013-11-11 18:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-12-29 18:49 - 2013-11-11 18:07 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-12-29 18:49 - 2013-10-29 17:24 - 03155968 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-12-29 18:49 - 2013-10-18 18:18 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2013-12-29 18:49 - 2013-10-18 17:36 - 00159232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2013-12-29 18:49 - 2013-10-11 18:32 - 00150016 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2013-12-29 18:49 - 2013-10-11 18:31 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2013-12-29 18:49 - 2013-10-11 18:04 - 00121856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wshom.ocx
2013-12-29 18:49 - 2013-10-11 18:03 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrrun.dll
2013-12-29 18:49 - 2013-10-11 17:33 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2013-12-29 18:49 - 2013-10-11 17:33 - 00156160 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2013-12-29 18:49 - 2013-10-11 17:15 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
2013-12-29 18:49 - 2013-10-11 17:15 - 00126976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cscript.exe
2013-12-29 18:49 - 2013-10-03 18:16 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2013-12-29 18:49 - 2013-10-03 17:36 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
2013-12-29 08:20 - 2013-12-29 08:20 - 00000054 _____ C:\Users\John\AppData\Roaming\mbam.context.scan
2013-12-29 08:01 - 2013-12-29 08:01 - 00029966 _____ C:\Users\John\Desktop\CheckResults.txt
2013-12-29 07:52 - 2013-12-29 18:27 - 00000000 ____D C:\Users\John\Desktop\rkill
2013-12-29 07:52 - 2013-12-29 08:08 - 00002358 _____ C:\Users\John\Desktop\Rkill.txt
2013-12-29 07:44 - 2013-12-29 07:44 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-12-29 07:21 - 2013-12-29 07:21 - 00000000 ____D C:\MATS
2013-12-16 02:41 - 2013-12-16 02:41 - 00000927 _____ C:\Users\Public\Desktop\Diablo III.lnk
2013-12-16 02:38 - 2013-12-16 02:38 - 00000000 ____D C:\Users\John\AppData\Roaming\MPC-HC
2013-12-16 02:11 - 2013-12-16 02:11 - 00000000 _____ C:\Users\John\AppData\Roaming\system.ini
2013-12-12 00:20 - 2014-01-05 06:08 - 00000000 __SHD C:\ProgramData\{$1284-9213-2940-1289$}
 
==================== One Month Modified Files and Folders =======
 
2014-01-05 06:14 - 2014-01-05 06:14 - 00000000 ____D C:\FRST
2014-01-05 06:13 - 2012-10-10 07:24 - 01290147 _____ C:\Windows\WindowsUpdate.log
2014-01-05 06:12 - 2009-07-13 21:13 - 00778834 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-05 06:08 - 2013-12-12 00:20 - 00000000 __SHD C:\ProgramData\{$1284-9213-2940-1289$}
2014-01-05 06:08 - 2012-10-10 07:24 - 00000000 ___RD C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-01-05 06:07 - 2012-10-11 19:20 - 00000000 ____D C:\Users\John\AppData\Roaming\uTorrent
2014-01-05 06:07 - 2012-10-10 20:41 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-05 06:06 - 2012-10-10 20:46 - 00000000 ____D C:\ProgramData\NVIDIA
2014-01-05 06:06 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-05 06:06 - 2009-07-13 20:51 - 00056140 _____ C:\Windows\setupact.log
2014-01-01 17:24 - 2012-10-10 20:41 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-31 20:01 - 2009-07-13 20:45 - 00022576 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-31 20:01 - 2009-07-13 20:45 - 00022576 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-31 19:37 - 2012-10-10 07:24 - 00000000 ____D C:\Users\John
2013-12-31 19:35 - 2013-10-29 20:38 - 00000000 ____D C:\Users\John\AppData\Local\Battle.net
2013-12-31 19:31 - 2012-10-10 20:44 - 00000000 ____D C:\Users\John\AppData\Roaming\.purple
2013-12-29 22:15 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-12-29 19:24 - 2013-12-29 19:24 - 00018528 _____ C:\Users\John\Desktop\dds.txt
2013-12-29 19:24 - 2013-12-29 19:24 - 00007795 _____ C:\Users\John\Desktop\attach.txt
2013-12-29 18:53 - 2009-07-13 20:45 - 04901976 _____ C:\Windows\system32\FNTCACHE.DAT
2013-12-29 18:50 - 2013-07-25 00:01 - 00000000 ____D C:\Windows\system32\MRT
2013-12-29 18:49 - 2012-10-10 20:06 - 90708896 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-12-29 18:28 - 2013-10-29 20:38 - 00000000 ____D C:\Users\John\AppData\Roaming\Battle.net
2013-12-29 18:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\security
2013-12-29 18:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-12-29 18:27 - 2013-12-29 07:52 - 00000000 ____D C:\Users\John\Desktop\rkill
2013-12-29 18:27 - 2012-10-10 21:08 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-12-29 18:27 - 2012-10-10 21:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-12-29 18:27 - 2012-10-10 20:46 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2013-12-29 18:27 - 2012-10-10 20:45 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2013-12-29 18:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-12-29 18:27 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-12-29 08:20 - 2013-12-29 08:20 - 00000054 _____ C:\Users\John\AppData\Roaming\mbam.context.scan
2013-12-29 08:08 - 2013-12-29 07:52 - 00002358 _____ C:\Users\John\Desktop\Rkill.txt
2013-12-29 08:01 - 2013-12-29 08:01 - 00029966 _____ C:\Users\John\Desktop\CheckResults.txt
2013-12-29 07:44 - 2013-12-29 07:44 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-12-29 07:21 - 2013-12-29 07:21 - 00000000 ____D C:\MATS
2013-12-24 05:07 - 2013-01-01 17:03 - 00000000 ____D C:\Users\John\AppData\Roaming\Mumble
2013-12-16 05:14 - 2013-10-29 20:36 - 00000000 ____D C:\ProgramData\Battle.net
2013-12-16 02:41 - 2013-12-16 02:41 - 00000927 _____ C:\Users\Public\Desktop\Diablo III.lnk
2013-12-16 02:38 - 2013-12-16 02:38 - 00000000 ____D C:\Users\John\AppData\Roaming\MPC-HC
2013-12-16 02:38 - 2013-10-24 13:35 - 00000798 _____ C:\Users\John\Desktop\MPC-HC x64.lnk
2013-12-16 02:11 - 2013-12-16 02:11 - 00000000 _____ C:\Users\John\AppData\Roaming\system.ini
2013-12-16 02:11 - 2013-12-02 07:26 - 00000000 ____D C:\Users\John\AppData\Roaming\install
2013-12-12 15:38 - 2005-04-07 18:16 - 00620840 ____H C:\Users\John\AppData\Roaming\Johnlog.dat
2013-12-12 00:00 - 2005-04-07 18:16 - 00000000 ___HD C:\Users\John\AppData\Roaming\08AD05CF
2013-12-09 00:30 - 2013-12-02 07:23 - 00000000 ____D C:\Users\John\AppData\Roaming\WinDir
 
Files to move or delete:
====================
C:\Users\John\AppData\Roaming\system.ini
 
 
Some content of TEMP:
====================
C:\Users\John\AppData\Local\Temp\805865440_rundll32.exe
C:\Users\John\AppData\Local\Temp\806214196_winlogon.exe
C:\Users\John\AppData\Local\Temp\AskSLib.dll
C:\Users\John\AppData\Local\Temp\Foxit Updater.exe
C:\Users\John\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jucheck.exe
C:\Users\John\AppData\Local\Temp\msconfig.exe
C:\Users\John\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\John\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\John\AppData\Local\Temp\nvStInst.exe
C:\Users\John\AppData\Local\Temp\rundll32.exe
C:\Users\John\AppData\Local\Temp\swt-win32-3740.dll
C:\Users\John\AppData\Local\Temp\tbedrs.dll
C:\Users\John\AppData\Local\Temp\tbuTor.dll
C:\Users\John\AppData\Local\Temp\uttC239.tmp.exe
C:\Users\John\AppData\Local\Temp\uttE758.tmp.exe
C:\Users\John\AppData\Local\Temp\winlogon.exe
C:\Users\John\AppData\Local\Temp\_is44AD.exe
C:\Users\John\AppData\Local\Temp\_isD5D5.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
 
 
LastRegBack: 2013-12-30 01:04
 
==================== End Of Log ============================

Attached Files



#5 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 05 January 2014 - 04:12 PM

Please do the following:

Download the attached fixlist.txt file and save it to the D:\Downloads folder, as that is where FRST64.exe is running from.

Attached File  FixList.txt   3.4KB   12 downloads

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 Peanutpanda

  • Topic Starter
  • Members
  • 10 posts

Posted 05 January 2014 - 07:33 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-01-2014
Ran by John at 2014-01-05 16:33:00 Run:1
Running from D:\Downloads
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
() C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe
HKLM-x32\...\Run: [] - [x]
HKCU\...\CurrentVersion\Windows: [Load] C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe <===== ATTENTION
IFEO\avcenter.exe: [Debugger] nsjw.exe
IFEO\avguard.exe: [Debugger] nsjw.exe
IFEO\avp.exe: [Debugger] nsjw.exe
IFEO\bdagent.exe: [Debugger] nsjw.exe
IFEO\ccuac.exe: [Debugger] nsjw.exe
IFEO\ComboFix.exe: [Debugger] nsjw.exe
IFEO\egui.exe: [Debugger] nsjw.exe
IFEO\hijackthis.exe: [Debugger] nsjw.exe
IFEO\keyscrambler.exe: [Debugger] nsjw.exe
IFEO\mbam.exe: [Debugger] nsjw.exe
IFEO\MpCmdRun.exe: [Debugger] nsjw.exe
IFEO\MSASCui.exe: [Debugger] nsjw.exe
IFEO\MsMpEng.exe: [Debugger] nsjw.exe
IFEO\msseces.exe: [Debugger] nsjw.exe
IFEO\NisSrv.exe: [Debugger] nsjw.exe
IFEO\spybotsd.exe: [Debugger] nsjw.exe
IFEO\wireshark.exe: [Debugger] nsjw.exe
IFEO\zlclient.exe: [Debugger] nsjw.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3220468
URLSearchHook: HKCU - (No Name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No File
CHR HomePage: hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=48
CHR HKLM-x32\...\Chrome\Extension: [ejpbbhjlbipncjklfjjaedaieimbmdda] - C:\Users\John\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx
U3 aw06wery; C:\Windows\System32\Drivers\aw06wery.sys [0 ] (Asmedia Technology)
2013-12-12 00:20 - 2014-01-05 06:08 - 00000000 __SHD C:\ProgramData\{$1284-9213-2940-1289$}
C:\Users\John\AppData\Roaming\system.ini
C:\Users\John\AppData\Local\Temp\805865440_rundll32.exe
C:\Users\John\AppData\Local\Temp\806214196_winlogon.exe
C:\Users\John\AppData\Local\Temp\AskSLib.dll
C:\Users\John\AppData\Local\Temp\Foxit Updater.exe
C:\Users\John\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
C:\Users\John\AppData\Local\Temp\jucheck.exe
C:\Users\John\AppData\Local\Temp\msconfig.exe
C:\Users\John\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\John\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\John\AppData\Local\Temp\nvStInst.exe
C:\Users\John\AppData\Local\Temp\rundll32.exe
C:\Users\John\AppData\Local\Temp\swt-win32-3740.dll
C:\Users\John\AppData\Local\Temp\tbedrs.dll
C:\Users\John\AppData\Local\Temp\tbuTor.dll
C:\Users\John\AppData\Local\Temp\uttC239.tmp.exe
C:\Users\John\AppData\Local\Temp\uttE758.tmp.exe
C:\Users\John\AppData\Local\Temp\winlogon.exe
C:\Users\John\AppData\Local\Temp\_is44AD.exe
C:\Users\John\AppData\Local\Temp\_isD5D5.exe
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
StartupFolder: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.ini.url
StartupFolder: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs
2013-12-02 15:32:33 152 ----a-w- C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs
AlternateDataStreams: C:\Users\John\Cookies:vOFV0VFISJ3rcfGKke
AlternateDataStreams: C:\Users\John\Cookies:ZhuvJUjJBNQzPGxN1gi6j9VxWWd8H
AlternateDataStreams: C:\Users\John\AppData\Local\Temporary Internet Files:EaIOJNYw2rFPDDD1P7hiK8ff6I
end
 
*****************
 
[3804] C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe => Process closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Value was restored successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\NisSrv.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Value deleted successfully.
CHR HomePage: hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=48 ==> The Chrome "Settings" can be used to fix the entry.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda => Key deleted successfully.
C:\Users\John\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx => Moved successfully.
aw06wery => Service not found.
C:\ProgramData\{$1284-9213-2940-1289$} => Moved successfully.
C:\Users\John\AppData\Roaming\system.ini => Moved successfully.
C:\Users\John\AppData\Local\Temp\805865440_rundll32.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\806214196_winlogon.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\AskSLib.dll => Moved successfully.
C:\Users\John\AppData\Local\Temp\Foxit Updater.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\jucheck.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\msconfig.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\nvSCPAPI.dll => Moved successfully.
C:\Users\John\AppData\Local\Temp\nvSCPAPI64.dll => Moved successfully.
C:\Users\John\AppData\Local\Temp\nvStInst.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\rundll32.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\swt-win32-3740.dll => Moved successfully.
C:\Users\John\AppData\Local\Temp\tbedrs.dll => Moved successfully.
C:\Users\John\AppData\Local\Temp\tbuTor.dll => Moved successfully.
C:\Users\John\AppData\Local\Temp\uttC239.tmp.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\uttE758.tmp.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\winlogon.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\_is44AD.exe => Moved successfully.
C:\Users\John\AppData\Local\Temp\_isD5D5.exe => Moved successfully.
 
The operation completed successfully.
 
========================= StartupFolder: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.ini.url ========================
 
Directory Not Found
 
====== End of Folder: ======
 
 
========================= StartupFolder: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs ========================
 
Directory Not Found
 
====== End of Folder: ======
 
C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs => Moved successfully.
"C:\Users\John\Cookies" => ":vOFV0VFISJ3rcfGKke" ADS not found.
"C:\Users\John\Cookies" => ":ZhuvJUjJBNQzPGxN1gi6j9VxWWd8H" ADS not found.
"C:\Users\John\AppData\Local\Temporary Internet Files" => ":EaIOJNYw2rFPDDD1P7hiK8ff6I" ADS not found.
 
==== End of Fixlog ====
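The IFEO Debugger entries and the HKCU Load value in the fixlist above are what produced the "Windows cannot find ...exe" error: when a program listed under Image File Execution Options has a Debugger value, Windows starts that debugger in place of the program, and nsjw.exe does not exist, so every security tool on the list failed to launch. The triage below is an added example, not FRST code or anything posted in the thread; it reads FRST-style lines (a constructed sample modelled on the lines above, plus one hypothetical legitimate windbg entry) and flags the four kinds of entry the fix acted on, with severity ratings that are this example's own choice.

```python
"""Triage FRST-style log lines for the launch-hijack pattern seen in this thread."""
import re
from dataclasses import dataclass

# Security tools whose IFEO keys carried a bogus Debugger value in the fixlist above.
SECURITY_TOOLS = {
    "avcenter.exe", "avguard.exe", "avp.exe", "bdagent.exe", "ccuac.exe",
    "combofix.exe", "egui.exe", "hijackthis.exe", "keyscrambler.exe", "mbam.exe",
    "mpcmdrun.exe", "msascui.exe", "msmpeng.exe", "msseces.exe", "nissrv.exe",
    "spybotsd.exe", "wireshark.exe", "zlclient.exe",
}
# Windows binary names that the infection reused outside the Windows directory.
SYSTEM_BINARIES = {
    "winlogon.exe", "svchost.exe", "rundll32.exe", "explorer.exe", "wininit.exe",
    "userinit.exe", "services.exe", "lsass.exe", "csrss.exe", "msconfig.exe",
}

IFEO_RE = re.compile(r"^IFEO\\(?P<target>[^:]+): \[Debugger\] (?P<debugger>.+)$")
LOAD_RE = re.compile(r"\\CurrentVersion\\Windows: \[Load\] (?P<path>.+?)(?: <=====.*)?$")
DRIVER_RE = re.compile(
    r"^[RSU]\d+ (?P<name>[^;]+); (?P<path>.+?\.sys) \[(?P<size>\d+) ?(?P<date>[\d-]*)\]")
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|dll|sys)$", re.IGNORECASE)

# Constructed sample: lines modelled on the FRST output in this thread, plus one
# hypothetical legitimate IFEO entry (a developer's windbg) to show the severity split.
SAMPLE_LOG = r"""
HKCU\...\CurrentVersion\Windows: [Load] C:\ProgramData\{$1284-9213-2940-1289$}\msconfig.exe <===== ATTENTION
IFEO\mbam.exe: [Debugger] nsjw.exe
IFEO\MsMpEng.exe: [Debugger] nsjw.exe
IFEO\iexplore.exe: [Debugger] "C:\Program Files\Debugging Tools\windbg.exe"
U3 aw06wery; C:\Windows\System32\Drivers\aw06wery.sys [0 ] (Asmedia Technology)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
C:\Users\John\AppData\Local\Temp\winlogon.exe
C:\Users\John\AppData\Local\Temp\806214196_winlogon.exe
C:\Users\John\AppData\Roaming\Windir\Svchost.exe
C:\Users\John\AppData\Local\Temp\jucheck.exe
"""


@dataclass
class Finding:
    kind: str      # ifeo_debugger | hkcu_load | zero_size_driver | masquerade
    subject: str   # hijacked program, driver name or file path
    detail: str
    severity: str  # high | medium


def looks_like_masquerade(path: str) -> bool:
    """True when a Windows system binary's name lives outside C:\\Windows."""
    name = path.rsplit("\\", 1)[-1].lower()
    name = re.sub(r"^\d+_", "", name)  # e.g. 806214196_winlogon.exe -> winlogon.exe
    return name in SYSTEM_BINARIES and not path.lower().startswith("c:\\windows\\")


def triage(text: str) -> list:
    """Return one Finding per suspicious line; benign lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IFEO_RE.match(line)
        if m:
            # An IFEO Debugger value makes Windows start the debugger instead of the
            # program; when that debugger does not exist, the launch simply fails.
            # Developers set this legitimately, so only security tools are rated high.
            target = m.group("target")
            sev = "high" if target.lower() in SECURITY_TOOLS else "medium"
            findings.append(Finding("ifeo_debugger", target,
                                    "launch redirected to " + m.group("debugger"), sev))
            continue
        m = LOAD_RE.search(line)
        if m:
            # The per-user ...\CurrentVersion\Windows\Load value runs at logon and
            # is almost never set by legitimate software.
            path = m.group("path")
            note = "masquerading name" if looks_like_masquerade(path) else "logon autostart"
            findings.append(Finding("hkcu_load", path, note, "high"))
            continue
        m = DRIVER_RE.match(line)
        if m and int(m.group("size")) == 0:
            # FRST printed "[0 ]" (no size, no date) for the aw06wery driver above.
            findings.append(Finding("zero_size_driver", m.group("name"),
                                    m.group("path") + " has size 0", "medium"))
            continue
        if BARE_PATH_RE.match(line) and looks_like_masquerade(line):
            findings.append(Finding("masquerade", line,
                                    "system binary name outside C:\\Windows", "high"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:17} {f.subject}  ({f.detail})")
```

Paste a real FRST.txt or fixlist into `triage()` and the IFEO and Load hits come back first in the order they appear; anything rated medium still wants a human look before it goes into a fixlist.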


#7 Peanutpanda

  • Topic Starter
  • Members
  • 10 posts

Posted 05 January 2014 - 07:39 PM

I was able to use end process on cvtres.exe *32 after applying your fix.  It no longer re-opens automatically after closing, so all of my computer resources are now free.

 

When I tried using the action center to "turn on Microsoft Security Essentials (Important)", I got the "Do you want to run this program?  You should only ... trust" pop-up.  When I click "Yes, I trust ..." I get an Action Center error that reads "The program Microsoft Security Essentials provided Windows to fix this issue did not run."



#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 05 January 2014 - 08:48 PM

We still have more work to do.

Please run the following:

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location: Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double-click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



NEXT


Please download Malwarebytes Anti-Rootkit (MBAR) from here http://www.malwarebytes.org/products/mbar/ and save it to your desktop.
Direct link to the file: http://downloads.malwarebytes.org/file/mbar
• Be sure to print out and follow the instructions provided on that same page.
• Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
• Double-click on the MBAR file you downloaded.
• Approve the UAC prompt in Vista and newer operating systems.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
• By default, this will be on your desktop, though you can choose another location if you wish. We advise using the default location for simplicity.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click 'Next' if you agree.
• On the Update Database screen, click on the 'Update' button.
• Once you see 'Success: Database was successfully updated' click on 'Next'.
• Click the 'Scan' button.
  A. With some infections, you may see two message boxes.
     1. 'Could not load protection driver'. Click 'OK'.
     2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
• If malware is found, press the Cleanup button when the scan completes.

~~~~~~~~~~~~~~~~~~~~~~~
Note: <<<< this is an important step >>>>
fixdamage - repair damaged services

If no detections occurred during the MBAR scan, and/or if the issue with Website Blocking remains, please do this next:
Open the Malwarebytes Anti-Rootkit folder.
Locate fixdamage.exe within the \mbar\Plugins folder and double-click on it. In Windows Vista and Windows 7, approve the UAC prompt.
fixdamage.exe will open a command window.
You will be asked if you want to continue. Type y if you do.
A reboot request may be made after the fix. Type y in the command prompt, and allow the computer to be rebooted.
Even if a reboot request was not made after running FixDamage.exe, please restart the computer.

Once back in Windows, please send the following logs as attachments to your reply. These logs are located in the Malwarebytes Anti-Rootkit folder.

mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)
system-log.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Peanutpanda

  • Topic Starter
  • Members
  • 10 posts

Posted 06 January 2014 - 05:07 AM

I am unable to run ComboFix after downloading; I am getting the same error as when I try to run an anti-virus or anti-malware program.



#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 06 January 2014 - 04:15 PM

Please delete the copy of ComboFix that you have on your desktop and download a fresh copy, but before saving it, rename it to peanut.com

Now see if it will run.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Peanutpanda

  • Topic Starter
  • Members
  • 10 posts

Posted 07 January 2014 - 02:31 AM

It worked!  I feel pretty silly for not trying that earlier, lol.  Currently backing up photos and documents before running MBAR.  :)
 
 
ComboFix 14-01-04.03 - John 01/06/2014  19:03:02.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.16337.12159 [GMT -8:00]
Running from: c:\users\John\Desktop\peanut.com
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\John\AppData\Roaming\Johnlog.dat
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.ini.url
c:\users\John\AppData\Roaming\win
c:\users\John\AppData\Roaming\win\winlogon.bat
c:\users\John\AppData\Roaming\win\winlogon.exe
c:\users\John\AppData\Roaming\Windir
c:\users\John\AppData\Roaming\Windir\Svchost.exe
c:\users\John\videos\HelpPanel.exe
c:\users\John\videos\winhelp.exe
c:\windows\SysWow64\logs
c:\windows\SysWow64\logs\Client.txt
J:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-07 to 2014-01-07  )))))))))))))))))))))))))))))))
.
.
2014-01-07 03:04 . 2014-01-07 03:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-05 14:14 . 2014-01-06 00:32 -------- d-----w- C:\FRST
2013-12-30 02:49 . 2013-10-30 01:24 3155968 ----a-w- c:\windows\system32\win32k.sys
2013-12-29 15:44 . 2013-12-29 15:44 -------- d-----w- c:\programdata\Malwarebytes
2013-12-29 15:21 . 2013-12-29 15:21 -------- d-----w- C:\MATS
2013-12-29 15:03 . 2013-12-29 15:29 -------- d-----w- c:\users\John\AppData\Local\ElevatedDiagnostics
2013-12-16 10:38 . 2013-12-16 10:38 -------- d-----w- c:\users\John\AppData\Roaming\MPC-HC
2013-12-16 10:11 . 2013-11-08 03:12 10285968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{612CA134-141E-456E-BE72-5017E605E21B}\mpengine.dll
2013-12-12 08:34 . 2013-11-08 03:12 10285968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-12-09 08:35 . 2013-10-18 02:12 965000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C6A04D7-3206-40A5-8AF1-0B284E69E921}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-30 02:49 . 2012-10-11 04:06 90708896 ----a-w- c:\windows\system32\MRT.exe
2013-12-02 15:23 . 2013-12-02 15:23 154283 ---h--w- c:\users\John\AppData\Roaming\John-wchelper.dll
2013-11-29 16:56 . 2013-10-29 03:13 1096480 ----a-w- c:\windows\system32\nvspcap64.dll
2013-11-29 16:56 . 2013-10-29 03:13 979744 ----a-w- c:\windows\SysWow64\nvspcap.dll
2013-11-23 07:41 . 2013-03-07 10:13 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-23 07:41 . 2013-03-07 10:13 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-11-19 10:21 . 2010-11-21 03:27 267936 ------w- c:\windows\system32\MpSigStub.exe
2013-10-30 17:59 . 2013-10-30 17:59 890368 ----a-w- c:\windows\SysWow64\twitchsdk_32_release.dll
2013-10-30 17:58 . 2013-10-30 17:58 109144 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2013-10-30 17:57 . 2013-10-30 17:57 89600 ----a-w- c:\windows\SysWow64\vorbisfile.dll
2013-10-30 17:57 . 2013-10-30 17:57 316184 ----a-w- c:\windows\SysWow64\Client.exe
2013-10-30 17:55 . 2013-10-30 17:55 16196504 ----a-w- c:\windows\SysWow64\libmfxsw32.dll
2013-10-30 17:53 . 2013-10-30 17:53 113171 ----a-w- c:\windows\SysWow64\swresample-ttv-0.dll
2013-10-30 17:53 . 2013-10-30 17:53 394810 ----a-w- c:\windows\SysWow64\libmp3lame-ttv.dll
2013-10-30 17:51 . 2013-10-30 17:51 298776 ----a-w- c:\windows\SysWow64\CrashUpload.exe
2013-10-30 17:50 . 2013-10-30 17:50 1237504 ----a-w- c:\windows\SysWow64\vorbis.dll
2013-10-30 17:49 . 2013-10-30 17:49 246332 ----a-w- c:\windows\SysWow64\avutil-ttv-51.dll
2013-10-30 17:44 . 2013-10-30 17:44 918617 ----a-w- c:\windows\SysWow64\libx264-128.dll
2013-10-30 17:42 . 2013-10-30 18:00 9052440 ----a-w- c:\windows\SysWow64\PathOfExile.exe
2013-10-30 17:42 . 2013-10-30 17:42 50688 ----a-w- c:\windows\SysWow64\ogg.dll
2013-10-30 17:41 . 2013-10-30 17:41 85784 ----a-w- c:\windows\SysWow64\PackCheck.exe
2013-10-30 17:40 . 2013-10-30 17:40 445016 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2013-10-30 17:03 . 2013-12-05 07:29 39200 ----a-w- c:\windows\system32\drivers\nvvad64v.sys
2013-10-30 17:02 . 2013-08-28 12:01 35104 ----a-w- c:\windows\system32\nvaudcap64v.dll
2013-10-30 17:02 . 2013-12-05 07:29 32544 ----a-w- c:\windows\SysWow64\nvaudcap32v.dll
2013-10-23 10:30 . 2013-10-30 16:06 9524088 ----a-w- c:\windows\SysWow64\nvcuda.dll
2013-10-23 10:30 . 2013-10-30 16:06 9480328 ----a-w- c:\windows\SysWow64\nvopencl.dll
2013-10-23 10:30 . 2013-10-30 16:06 696096 ----a-w- c:\windows\system32\NvFBC64.dll
2013-10-23 10:30 . 2013-10-30 16:06 655136 ----a-w- c:\windows\system32\NvIFR64.dll
2013-10-23 10:30 . 2013-10-30 16:06 599840 ----a-w- c:\windows\SysWow64\NvFBC.dll
2013-10-23 10:30 . 2013-10-30 16:06 560416 ----a-w- c:\windows\SysWow64\NvIFR.dll
2013-10-23 10:30 . 2013-10-30 16:06 479520 ----a-w- c:\windows\system32\nvEncodeAPI64.dll
2013-10-23 10:30 . 2013-10-30 16:06 405280 ----a-w- c:\windows\SysWow64\nvEncodeAPI.dll
2013-10-23 10:30 . 2013-10-30 16:06 317472 ----a-w- c:\windows\system32\nvoglshim64.dll
2013-10-23 10:30 . 2013-10-30 16:06 3131680 ----a-w- c:\windows\system32\nvcuvid.dll
2013-10-23 10:30 . 2013-10-30 16:06 3124512 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-10-23 10:30 . 2013-10-30 16:06 30344480 ----a-w- c:\windows\system32\nvoglv64.dll
2013-10-23 10:30 . 2013-10-30 16:06 2946848 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2013-10-23 10:30 . 2013-10-30 16:06 2747168 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2013-10-23 10:30 . 2013-10-30 16:06 266984 ----a-w- c:\windows\SysWow64\nvoglshim32.dll
2013-10-23 10:30 . 2013-10-30 16:06 25257248 ----a-w- c:\windows\system32\nvcompiler.dll
2013-10-23 10:30 . 2013-10-30 16:06 22933792 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2013-10-23 10:30 . 2013-10-30 16:06 1884448 ----a-w- c:\windows\system32\nvdispco6433165.dll
2013-10-23 10:30 . 2013-10-30 16:06 18286416 ----a-w- c:\windows\system32\nvwgf2umx.dll
2013-10-23 10:30 . 2013-10-30 16:06 18199872 ----a-w- c:\windows\system32\nvd3dumx.dll
2013-10-23 10:30 . 2013-10-30 16:06 17560352 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2013-10-23 10:30 . 2013-10-30 16:06 168616 ----a-w- c:\windows\system32\nvinitx.dll
2013-10-23 10:30 . 2013-10-30 16:06 15855568 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2013-10-23 10:30 . 2013-10-30 16:06 1511712 ----a-w- c:\windows\system32\nvdispgenco6433165.dll
2013-10-23 10:30 . 2013-10-30 16:06 141336 ----a-w- c:\windows\SysWow64\nvinit.dll
2013-10-23 10:30 . 2013-10-30 16:06 12572960 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-10-23 10:30 . 2013-10-30 16:06 1241376 ----a-w- c:\windows\SysWow64\nvumdshim.dll
2013-10-23 10:30 . 2013-10-30 16:06 11426568 ----a-w- c:\windows\system32\nvcuda.dll
2013-10-23 10:30 . 2013-10-30 16:06 11374520 ----a-w- c:\windows\system32\nvopencl.dll
2013-10-23 10:30 . 2013-08-28 12:04 2695200 ----a-w- c:\windows\SysWow64\nvapi.dll
2013-10-23 10:30 . 2012-10-11 04:46 61216 ----a-w- c:\windows\system32\OpenCL.dll
2013-10-23 10:30 . 2012-10-11 04:46 53024 ----a-w- c:\windows\SysWow64\OpenCL.dll
2013-10-23 10:30 . 2012-10-11 04:46 3067560 ----a-w- c:\windows\system32\nvapi64.dll
2013-10-23 10:30 . 2012-10-11 04:46 15212336 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2013-10-23 10:30 . 2012-10-11 04:46 1435504 ----a-w- c:\windows\system32\nvumdshimx.dll
2013-10-23 10:02 . 2013-10-23 10:02 589600 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2013-10-23 08:20 . 2012-10-11 04:46 6669600 ----a-w- c:\windows\system32\nvcpl.dll
2013-10-23 08:20 . 2012-10-11 04:46 3489568 ----a-w- c:\windows\system32\nvsvc64.dll
2013-10-23 08:20 . 2012-10-11 04:46 922912 ----a-w- c:\windows\system32\nvvsvc.exe
2013-10-23 08:20 . 2012-10-11 04:46 63776 ----a-w- c:\windows\system32\nvshext.dll
2013-10-23 08:20 . 2012-10-11 04:46 219424 ----a-w- c:\windows\system32\nvmctray.dll
2013-10-23 08:20 . 2012-10-11 04:46 3426956 ----a-w- c:\windows\system32\nvcoproc.bin
2013-10-18 02:12 . 2012-10-20 03:20 965000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-10-16 00:48 . 2013-10-22 08:27 1884448 ----a-w- c:\windows\system32\nvdispco6433158.dll
2013-10-16 00:48 . 2013-10-22 08:27 1511712 ----a-w- c:\windows\system32\nvdispgenco6433158.dll
2013-10-12 02:30 . 2013-11-22 00:17 830464 ----a-w- c:\windows\system32\nshwfp.dll
2013-10-12 02:29 . 2013-11-22 00:17 859648 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-10-12 02:29 . 2013-11-22 00:17 324096 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-10-12 02:03 . 2013-11-22 00:17 656896 ----a-w- c:\windows\SysWow64\nshwfp.dll
2013-10-12 02:01 . 2013-11-22 00:17 216576 ----a-w- c:\windows\SysWow64\FWPUCLNT.DLL
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\users\John\AppData\Roaming\uTorrent\uTorrent.exe" [2013-11-15 900440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-03-27 291608]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" [2012-02-29 56088]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-10 1073312]
"iTunesHelper"="e:\program files\iTunesHelper.exe" [2013-11-02 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 GPU-Z;GPU-Z;c:\users\John\AppData\Local\Temp\GPU-Z.sys;c:\users\John\AppData\Local\Temp\GPU-Z.sys [x]
R3 libusb0;Jawbone LibUsb-Win32 - Kernel Driver 09/22/2011,1.2.5.0;c:\windows\system32\DRIVERS\libusb0.sys;c:\windows\SYSNATIVE\DRIVERS\libusb0.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys;c:\windows\SYSNATIVE\DRIVERS\MijXfilt.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys;c:\windows\SYSNATIVE\DRIVERS\asahci64.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;d:\play memories\PMBDeviceInfoProvider.exe;d:\play memories\PMBDeviceInfoProvider.exe [x]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\Cyberlink\Shared files\RichVideo64.exe;c:\program files\Cyberlink\Shared files\RichVideo64.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-05 06:27 1210320 ----a-w- c:\program files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-11 04:41]
.
2014-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-11 04:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-24 1266912]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-06-12 6548112]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-10-18 1028384]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2013-11-29 1096480]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2013-11-29 2273056]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
ShellIconOverlayIdentifiers-{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} - c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
ShellIconOverlayIdentifiers-{62CCD8E3-9C21-41E1-B55E-1E26DFC68511} - c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
ShellIconOverlayIdentifiers-{A759AFF6-5851-457D-A540-F4ECED148351} - c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
ShellIconOverlayIdentifiers-{1574C9EF-7D58-488F-B358-8B78C1538F51} - c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
.
"ImagePath"="\"c:\program files\Cyberlink\Shared files\RichVideo64.exe\"\00Z
[\]^_…\00\00…\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~…\00\00…\00\00\00\00\00\00\00\00\00\00\00\00‘’“"
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-01-06  19:05:43
ComboFix-quarantined-files.txt  2014-01-07 03:05
.
Pre-Run: 152,331,722,752 bytes free
Post-Run: 154,751,516,672 bytes free
.
- - End Of File - - 398BEA7367A27F26B2EE24922A2B2BDE


#12 Peanutpanda

Peanutpanda
  • Topic Starter

  • Members
  • 10 posts

Posted 07 January 2014 - 07:14 AM

I ran mbar, cleaned up the 2 items it found and restarted.  After restarting I ran it again and nothing was found so I ran the fixdamage and restarted after it completed.  Everything seems back to normal.

 

Is there a name for whatever hit me?  I wanted to look it up and see what the consequences are of it being on my system (were any of my files/passwords/information taken, etc?).

 

Thanks so much for your help!

 

Sending a donation your (?) way via the button in your sig.  :)

Attached Files



#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 07 January 2014 - 02:53 PM

Hard to know exactly what type of infection it was other than a trojan, but it shut down the security programs via an IFEO redirect, so pretty sneaky.

I usually recommend changing all passwords as a precaution at the end, but we still have a little more work to do to make sure there are no leftovers, and ESET does a pretty good job of identifying the individual infections.

Please do the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • If items are found, please select the Clean button
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply
NEXT
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT

Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, if it shows a screen that says "Threats found!", then click "List of found threats" button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


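The "IFEO redirect" CatByte describes above works through a Debugger value under an Image File Execution Options subkey named after the target program: Windows launches the Debugger program in place of the named executable, and when that program does not exist the user sees the "Windows cannot find ...exe" message from the first post. The following read-only audit script is an added example written for this thread, not code from the original posts or from any tool mentioned in them; the two registry paths are the standard IFEO locations, while the list of security tool names is an assumption and can be extended.

```powershell
# Added example (not from the thread): list every IFEO subkey that carries a
# Debugger value, flag the ones matching security tools, and check whether the
# Debugger target actually exists on disk. The script only reports; it does not
# modify the registry. Run it from an elevated PowerShell prompt.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumption: image names of security tools mentioned in this thread.
# Extend as needed; comparison is case-insensitive in PowerShell.
$watch = @('msseces.exe', 'MSASCui.exe', 'mbam.exe', 'mbar.exe', 'rkill.exe', 'ComboFix.exe')

$findings = foreach ($root in $ifeoPaths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        if ($null -eq $props.Debugger) { continue }      # only redirected images matter
        $image    = $key.PSChildName                        # subkey name = hijacked program
        $debugger = [string]$props.Debugger
        # Separate the program path from any arguments so Test-Path sees only the path.
        $exe = if ($debugger -match '^"([^"]+)"') { $Matches[1] }
               else { ($debugger -split '\s+')[0] }
        [pscustomobject]@{
            Image        = $image
            Debugger     = $debugger
            TargetExists = Test-Path -LiteralPath $exe
            SecurityTool = $watch -contains $image
            Key          = $key.PSPath
        }
    }
}

if (-not $findings) {
    'No IFEO Debugger values present.'
} else {
    # Entries that name a security tool, or whose target is missing, are the
    # ones to look at first; both patterns match what this thread describes.
    $findings | Sort-Object SecurityTool, TargetExists -Descending | Format-Table -AutoSize
}
```

Some legitimate software registers IFEO Debugger values (debuggers and crash handlers), so treat a hit as something to verify against the program's vendor rather than as proof of infection.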

#14 Peanutpanda

Peanutpanda
  • Topic Starter

  • Members
  • 10 posts

Posted 08 January 2014 - 09:45 AM

I had to use the ESET smart install version because I'm using Chrome (it just said not-IE).

Attached Files



#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 08 January 2014 - 06:47 PM

Most of the detections found by ESET are already in quarantine, but I would navigate to the following files and delete them:

 

C:\Users\John\Pictures\HelpPanel.exe   
D:\Downloads\Delete\a\maribellehot\maribellehot\maribelle\Movieon9-23-12at852PM_zps75754754.mp4.scr 

 

NEXT

 

Please advise how the computer is running now and if there are any outstanding issues
 






