got hit by newest infection which patches one of system files - rpcss.dll


  • This topic is locked
9 replies to this topic

#1 computerhelp2014

computerhelp2014

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:18 AM

Posted 07 January 2014 - 11:58 AM

You got hit by the newest infection, which patches one of the system files - rpcss.dll

It'll require elevated help.

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Posting this here as instructed by Broni.

I got hit by the newest infection, which patches one of the system files - rpcss.dll

Per Broni I require elevated help.

 

My computer is playing audio ads in the background and is infected with "Pum.userWload"

 

Link to my original post - http://www.bleepingcomputer.com/forums/t/519533/computer-playing-audio-ads-in-background-and-detection-of-pumuserwload/

 

I have followed all instructions by Broni, and the logs, details etc. are in my initial post linked above.

 

Following is the DDS Log -

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 1.6.0_22
Run by Admin at 10:08:20 on 2014-01-07
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3894.1148 [GMT -6:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2014\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\system32\svchost.exe -k bthaudiosvc
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe
C:\Windows\SysWOW64\NLSSRV32.EXE
C:\Program Files (x86)\PasswordBox\pbbtnService.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.1.3\ToolbarUpdater.exe
C:\Users\FRANKH~1\DOCUME~1\Bitnami\apache2\bin\httpd.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.1.3\loggingserver.exe
C:\Users\Frank HP\Documents\Bitnami\mysql\bin\mysqld.exe
C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
C:\Users\FRANKH~1\DOCUME~1\Bitnami\apache2\bin\httpd.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
C:\Users\Frank HP\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\Frank HP\AppData\Roaming\Spotify\spotify.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\AVG\AVG2014\avgui.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit = userinit.exe,
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: PasswordBox Helper: {5DB69B97-934B-451D-94DB-32EF802A01CD} - C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\17.1.3.3\AVG SafeGuard toolbar_toolbar.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Sticky Password Toolbar: {AC02E217-6E13-4F14-9BAC-D7BA27C1E912} - C:\Program Files (x86)\Sticky Password\spIEBho.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.6.0_22\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB: Sticky Password Toolbar: {AC02E217-6E13-4F14-9BAC-D7BA27C1E912} - C:\Program Files (x86)\Sticky Password\spIEBho.dll
TB: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\17.1.3.3\AVG SafeGuard toolbar_toolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe"
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
mRun: [PrivitizeVPN] C:\Program Files (x86)\PrivitizeVPN\PrivitizeVPN.exe /autorun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [vProt] "C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe"
mRunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-K1AA4.exe" /REG /REGSVRMODE
mRunOnce: [InnoSetupRegFile.0000000002] "C:\Windows\is-LIDEO.exe" /REG /REGSVRMODE
mRunOnce: [InnoSetupRegFile.0000000003] "C:\Windows\is-4VOVD.exe" /REG /REGSVRMODE
mRunOnce: [InnoSetupRegFile.0000000004] "C:\Windows\is-5MOSV.exe" /REG /REGSVRMODE
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mRunOnce: [{A37E0C42-EF3A-4A0C-82AD-1CC983B899D7}] cmd.exe /C start /D "C:\Users\Admin\AppData\Local\Temp" /B {A37E0C42-EF3A-4A0C-82AD-1CC983B899D7}.exe -accepteula -accepteulaksn -activeimages -postboot
mRunOnce: [{C9EDC08D-F45F-4B80-B49A-8E29B6934408}] cmd.exe /C start /D "C:\Users\Admin\AppData\Local\Temp" /B {C9EDC08D-F45F-4B80-B49A-8E29B6934408}.exe -accepteula -accepteulaksn -activeimages -postboot
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: Download with ImTOO iPhone Transfer Platinum - C:\Program Files (x86)\ImTOO\iPhone Transfer Platinum\upod_link.HTM
IE: Sticky Password - C:\Program Files (x86)\Sticky Password\spIEBho.dll/616
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{B7245E3E-8929-4898-85EF-2EB3A76A341C} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{B7245E3E-8929-4898-85EF-2EB3A76A341C}\D497759602642716E6B637D2940786F6E656D243 : DHCPNameServer = 8.8.8.8
TCP: Interfaces\{CD3564E0-1FBE-450D-A238-0D80DADA7B07} : DHCPNameServer = 8.8.8.8
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.1.3\ViProtocol.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll
x64-BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [RtkOSD] C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe
x64-Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-RunOnce: [MSPCLOCK] rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
x64-RunOnce: [MSPQM] rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
x64-RunOnce: [MSKSSRV] rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196}
x64-RunOnce: [MSTEE.CxTransform] rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install
x64-RunOnce: [MSTEE.Splitter] rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install
x64-RunOnce: [WDM_DRMKAUD] rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e2-A632-4438B90C6641},{FFBB6E3F-CCFE-4D84-90D9-421418B03A8E},C:\Windows\inf\WDMAUDIO.inf,WDM_DRMKAUD.Interface.Install
x64-DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-STS: FencesShlExt Class - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences Pro\FencesMenu64.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\88vcurvy.default\
FF - prefs.js: browser.startup.homepage - hxxp://austin.craigslist.org/zip/|http://www.djjoerendon.com/|http://www.atboyz.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.1.3\npsitesafety.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.6.0_22\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.6.0_22\bin\new_plugin\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Sticky Password\npSPAutofill.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1167637.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_152.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-10-24 194872]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-10-31 294712]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-10-1 123704]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-9-10 31544]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-7-8 55280]
R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2013-11-5 150808]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-11-4 240920]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-10-31 212280]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-8-1 251192]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2013-9-9 46368]
R2 IDMWFP;IDMWFP;C:\Windows\System32\drivers\idmwfp.sys [2013-1-29 165112]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2009-10-26 151936]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2009-10-30 244736]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-30 291328]
S3 BthAudioHF;BthAudioHF Service;C:\Windows\System32\drivers\BthAudioHF.sys [2009-12-21 52224]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2012-9-10 22528]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2012-10-3 31800]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2011-6-30 225280]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-7 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
.
=============== File Associations ===============
.
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS5\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2014-01-06 21:42:57    --------    d-----w-    C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-06 21:42:56    117464    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-01-06 21:41:49    89304    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-01-02 21:47:06    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-01-02 21:47:04    --------    d-----w-    C:\Users\Admin\AppData\Local\ElevatedDiagnostics
2014-01-02 18:52:31    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-01-02 18:52:31    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-23 19:32:50    4558848    ----a-w-    C:\Windows\SysWow64\GPhotos.scr
2013-12-23 19:31:57    --------    d-----w-    C:\Users\Admin\AppData\Roaming\gilisoft
2013-12-23 19:31:55    --------    d-----w-    C:\Program Files (x86)\Gilisoft
2013-12-18 16:29:11    1160504    ----a-w-    C:\Windows\is-5MOSV.exe
2013-12-13 20:53:41    3155968    ----a-w-    C:\Windows\System32\win32k.sys
.
==================== Find3M  ====================
.
2013-12-13 22:26:14    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-13 22:26:14    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-26 10:19:07    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-11-26 10:18:23    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2013-11-26 09:48:07    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2013-11-26 09:46:25    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2013-11-26 09:23:02    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-11-26 09:18:39    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2013-11-26 09:18:09    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2013-11-26 09:16:57    708608    ----a-w-    C:\Windows\System32\jscript9diag.dll
2013-11-26 08:35:02    5769216    ----a-w-    C:\Windows\System32\jscript9.dll
2013-11-26 08:28:16    553472    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2013-11-26 08:16:12    4243968    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-11-26 08:02:16    1995264    ----a-w-    C:\Windows\System32\inetcpl.cpl
2013-11-26 07:32:06    1928192    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2013-11-26 07:07:57    2334208    ----a-w-    C:\Windows\System32\wininet.dll
2013-11-26 06:33:33    1820160    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-11-20 19:12:48    46368    ----a-w-    C:\Windows\System32\drivers\avgtpx64.sys
2013-11-19 19:31:22    878080    ----a-w-    C:\Windows\System32\advapi32.dll
2013-11-19 19:30:51    1887232    ----a-w-    C:\Windows\System32\d3d11.dll
2013-11-19 19:30:51    1505280    ----a-w-    C:\Windows\SysWow64\d3d11.dll
2013-11-12 02:23:09    2048    ----a-w-    C:\Windows\System32\tzres.dll
2013-11-12 02:07:29    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2013-11-06 03:55:48    150808    ----a-w-    C:\Windows\System32\drivers\avgdiska.sys
2013-11-05 03:52:42    240920    ----a-w-    C:\Windows\System32\drivers\avgidsdrivera.sys
2013-11-01 05:00:18    212280    ----a-w-    C:\Windows\System32\drivers\avgldx64.sys
2013-11-01 04:49:46    294712    ----a-w-    C:\Windows\System32\drivers\avgloga.sys
2013-10-31 05:45:41    1160504    ----a-w-    C:\Windows\is-4VOVD.exe
2013-10-25 04:25:58    194872    ----a-w-    C:\Windows\System32\drivers\avgidsha.sys
2013-10-19 02:18:57    81408    ----a-w-    C:\Windows\System32\imagehlp.dll
2013-10-19 01:36:59    159232    ----a-w-    C:\Windows\SysWow64\imagehlp.dll
2013-10-12 02:32:04    150016    ----a-w-    C:\Windows\System32\wshom.ocx
2013-10-12 02:31:04    202752    ----a-w-    C:\Windows\System32\scrrun.dll
2013-10-12 02:30:42    830464    ----a-w-    C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21    859648    ----a-w-    C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08    324096    ----a-w-    C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:04:36    121856    ----a-w-    C:\Windows\SysWow64\wshom.ocx
2013-10-12 02:03:31    163840    ----a-w-    C:\Windows\SysWow64\scrrun.dll
2013-10-12 02:03:08    656896    ----a-w-    C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25    216576    ----a-w-    C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-12 01:33:39    156160    ----a-w-    C:\Windows\System32\cscript.exe
2013-10-12 01:33:26    168960    ----a-w-    C:\Windows\System32\wscript.exe
2013-10-12 01:15:48    141824    ----a-w-    C:\Windows\SysWow64\wscript.exe
2013-10-12 01:15:48    126976    ----a-w-    C:\Windows\SysWow64\cscript.exe
.
============= FINISH: 10:20:32.08 ===============

[attachment=145702:Attach.txt]
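A check a defender can run against the "patched rpcss.dll" claim in the post above, added here as an example and not part of the thread or of any tool it mentions. It assumes Windows PowerShell 4 or later (for Get-FileHash; on Windows 7 that means Windows Management Framework 4) and an elevated prompt; it verifies the Authenticode signature of the System32 copy of the DLL and compares its hash with the copies Windows keeps in the component store.

```powershell
# Added example (not from the thread): does a system DLL such as rpcss.dll still
# carry a valid Microsoft signature, and does it match a copy in WinSxS?
# Assumes Windows PowerShell 4+ (Get-FileHash) and an elevated prompt.
param(
    [string]$FileName = 'rpcss.dll'   # any System32 binary can be checked the same way
)

$live = Join-Path $env:SystemRoot "System32\$FileName"
if (-not (Test-Path $live)) { throw "Not found: $live" }

# 1. Authenticode check. A binary patched on disk no longer matches the hash
#    embedded in its signature and reports HashMismatch (or NotSigned if the
#    signature was stripped). This is the authoritative test.
$sig = Get-AuthenticodeSignature -FilePath $live
"{0}" -f $live
"  Signature status : {0}" -f $sig.Status
if ($sig.SignerCertificate) {
    "  Signer           : {0}" -f $sig.SignerCertificate.Subject
}

# 2. Cross-check against the component store. The installed System32 file is
#    normally a hard link to one of the WinSxS copies, so an intact file should
#    be byte-identical to at least one of them. Caveat: an in-place patch that
#    writes through the hard link changes both, which is why step 1 decides.
$liveHash  = (Get-FileHash -Path $live -Algorithm SHA256).Hash
$sxsCopies = @(Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') `
                -Recurse -Filter $FileName -ErrorAction SilentlyContinue)

$identical = @()
foreach ($copy in $sxsCopies) {
    $h = (Get-FileHash -Path $copy.FullName -Algorithm SHA256).Hash
    if ($h -eq $liveHash) { $identical += $copy.FullName }
}

"  SHA256           : {0}" -f $liveHash
"  WinSxS copies    : {0} found, {1} identical to the live file" -f $sxsCopies.Count, $identical.Count

# 3. Verdict. Valid signature plus an identical WinSxS copy is the expected
#    state; anything else warrants a closer look (sfc /verifyonly, or the
#    FRST-based workflow the forum helpers use).
if ($sig.Status -eq 'Valid' -and $identical.Count -gt 0) {
    'Result: file looks intact.'
} else {
    'Result: signature or component-store mismatch; treat the file as suspect.'
}
```

Run it from a clean recovery environment if the machine is believed to be compromised, since a kernel-level infection can hide modifications from tools running on the live system.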




#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 AM

Posted 11 January 2014 - 06:52 AM

Hello, computerhelp2014.
My name is etavares and I will be helping you with this log.
 
Here are some guidelines to ensure we are able to get your machine back under your control.
 
  • Please do not run any unsupervised scans, fixes, etc.  We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so.  Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned.  Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first.  There's no harm in asking questions!
  • Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Plug the flash drive into the infected PC.
    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    Select Command Prompt

    Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators



#3 computerhelp2014

computerhelp2014
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:18 AM

Posted 13 January 2014 - 07:15 PM

etavares,

Thank you for your help.

Following is the log per your instructions.

----------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-01-2014 02
Ran by SYSTEM on MININT-GBJ05UJ on 13-01-2014 17:05:13
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1883432 2009-11-03] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [5977600 2009-12-22] (Realtek Semiconductor)
HKLM\...\Run: [RtkOSD] - C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe [995840 2009-10-13] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [172032 2010-01-20] (Sun Microsystems, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QlbCtrl.exe] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [322104 2009-10-08] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [WirelessAssistant] - C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4956176 2013-11-07] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [PrivitizeVPN] - C:\Program Files (x86)\PrivitizeVPN\PrivitizeVPN.exe [196784 2012-09-10] (OOO Industry)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2530840 2014-01-11] ()
HKLM\...\Runonce: [MSPCLOCK] - rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
HKLM\...\Runonce: [MSPQM] - rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
HKLM\...\Runonce: [MSKSSRV] - rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196}
    HKLM\...\Runonce: [MSTEE.CxTransform] - rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install
    HKLM\...\Runonce: [MSTEE.Splitter] - rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install
    HKLM\...\Runonce: [WDM_DRMKAUD] - rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e2-A632-4438B90C6641},{FFBB6E3F-CCFE-4D84-90D9-421418B03A8E},C:\Windows\inf\WDMAUDIO.inf,WDM_DRMKAUD.Interface.Install
    HKLM-x32\...\Runonce: [InnoSetupRegFile.0000000001] - "C:\Windows\is-K1AA4.exe" /REG /REGSVRMODE [x]
    HKLM-x32\...\Runonce: [InnoSetupRegFile.0000000002] - "C:\Windows\is-LIDEO.exe" /REG /REGSVRMODE [x]
    HKLM-x32\...\Runonce: [InnoSetupRegFile.0000000003] - "C:\Windows\is-4VOVD.exe" /REG /REGSVRMODE [x]
    HKLM-x32\...\Runonce: [InnoSetupRegFile.0000000004] - "C:\Windows\is-5MOSV.exe" /REG /REGSVRMODE [x]
    HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
    HKLM-x32\...\Runonce: [{A37E0C42-EF3A-4A0C-82AD-1CC983B899D7}] - cmd.exe /C start /D "C:\Users\Admin\AppData\Local\Temp" /B {A37E0C42-EF3A-4A0C-82AD-1CC983B899D7}.exe -accepteula -accepteulaksn -activeimages -postboot [x]
    HKLM-x32\...\Runonce: [{C9EDC08D-F45F-4B80-B49A-8E29B6934408}] - cmd.exe /C start /D "C:\Users\Admin\AppData\Local\Temp" /B {C9EDC08D-F45F-4B80-B49A-8E29B6934408}.exe -accepteula -accepteulaksn -activeimages -postboot [x]
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKU\Admin\...\Run: [TomTomHOME.exe] - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [247728 2011-04-22] (TomTom)
    HKU\Admin\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-10-16] (Hewlett-Packard Company)
    HKU\Admin\...\Run: [IDMan] - C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3565432 2013-02-13] (Tonec Inc.)
    HKU\Frank HP\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-10-16] (Hewlett-Packard Company)
    HKU\Frank HP\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
    HKU\Frank HP\...\Run: [TomTomHOME.exe] - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [247728 2011-04-22] (TomTom)
    HKU\Frank HP\...\Run: [AdobeBridge] - [x]
    HKU\Frank HP\...\Run: [EPSON Stylus CX3800 Series] - C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIACA.EXE [214528 2007-01-25] (SEIKO EPSON CORPORATION)
    HKU\Frank HP\...\Run: [Spotify Web Helper] - C:\Users\Frank HP\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1103768 2013-02-20] (Spotify Ltd)
    HKU\Frank HP\...\Run: [Spotify] - C:\Users\Frank HP\AppData\Roaming\Spotify\spotify.exe [4484504 2013-02-20] (Spotify Ltd)
    HKU\Frank HP\...\Run: [Google Update] - C:\Users\Frank HP\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-07-13] (Google Inc.)
    HKU\Frank HP\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-07-02] (Google Inc.)
    HKU\Frank HP\...\CurrentVersion\Windows: [Load] C:\Users\FRANKH~1\LOCALS~1\Temp\msowtiifb.exe <===== ATTENTION
    Startup: C:\Users\Frank HP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

    ==================== Services (Whitelisted) =================

    S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3478544 2013-11-11] (AVG Technologies CZ, s.r.o.)
    S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-23] (AVG Technologies CZ, s.r.o.)
    S2 NitroDriverReadSpool; C:\Program Files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [341312 2010-10-01] (Nitro PDF Software)
    S2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2013-11-01] (PasswordBox, Inc.)
    S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
    S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
    S2 vToolbarUpdater17.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [1772056 2014-01-11] (AVG Secure Search)
    S2 wordpressApache; C:\Users\Frank HP\Documents\Bitnami\apache2\bin\httpd.exe [20549 2010-10-17] (Apache Software Foundation)
    S2 wordpressMySQL; C:\Users\Frank HP\Documents\Bitnami\mysql\bin\mysqld.exe [6107136 2011-02-11] ()

    ==================== Drivers (Whitelisted) ====================

    S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [150808 2013-11-05] (AVG Technologies CZ, s.r.o.)
    S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [240920 2013-11-04] (AVG Technologies CZ, s.r.o.)
    S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [194872 2013-10-24] (AVG Technologies CZ, s.r.o.)
    S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [212280 2013-10-31] (AVG Technologies CZ, s.r.o.)
    S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-10-31] (AVG Technologies CZ, s.r.o.)
    S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123704 2013-09-30] (AVG Technologies CZ, s.r.o.)
    S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31544 2013-09-09] (AVG Technologies CZ, s.r.o.)
    S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [251192 2013-08-01] (AVG Technologies CZ, s.r.o.)
    S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [46368 2013-11-20] (AVG Technologies)
    S2 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
    S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-22] (Realtek Semiconductor Corp.)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2014-01-13 17:05 - 2014-01-13 17:05 - 00000000 ____D C:\FRST
    2014-01-07 08:20 - 2014-01-07 08:20 - 00023918 _____ C:\Users\Admin\Desktop\dds.txt
    2014-01-07 08:20 - 2014-01-07 08:20 - 00013195 _____ C:\Users\Admin\Desktop\attach.txt
    2014-01-06 14:48 - 2014-01-06 18:47 - 00001690 _____ C:\Users\Admin\Desktop\Rkill.txt
    2014-01-06 14:48 - 2014-01-06 14:48 - 00000000 ____D C:\Users\Admin\Desktop\rkill
    2014-01-06 13:42 - 2014-01-06 15:03 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2014-01-06 13:42 - 2014-01-06 13:42 - 00117464 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
    2014-01-06 13:41 - 2014-01-06 15:03 - 00000000 ____D C:\Users\Admin\Desktop\mbar
    2014-01-06 13:41 - 2014-01-06 13:41 - 00089304 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
    2014-01-06 08:59 - 2014-01-07 08:02 - 00000000 ____D C:\Users\Frank HP\Desktop\BleepingComputer
    2014-01-02 13:47 - 2014-01-02 13:47 - 00000000 ____D C:\TDSSKiller_Quarantine
    2014-01-02 10:52 - 2014-01-02 10:52 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2014-01-02 10:52 - 2014-01-02 10:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2014-01-02 10:52 - 2013-04-04 12:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2013-12-27 09:13 - 2013-12-27 09:13 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\TuneUp Software
    2013-12-27 09:07 - 2013-12-27 09:07 - 00125608 _____ C:\Users\Frank HP\AppData\Local\GDIPFONTCACHEV1.DAT
    2013-12-23 11:49 - 2014-01-13 11:25 - 00003594 _____ C:\Windows\setupact.log
    2013-12-23 11:49 - 2013-12-23 11:51 - 05036720 _____ C:\Windows\System32\FNTCACHE.DAT
    2013-12-23 11:49 - 2013-12-23 11:49 - 00000000 _____ C:\Windows\setuperr.log
    2013-12-23 11:32 - 2013-12-23 11:32 - 04558848 _____ (Google Inc.) C:\Windows\SysWOW64\GPhotos.scr
    2013-12-23 11:32 - 2013-12-23 11:32 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\GiliSoft
    2013-12-23 11:31 - 2013-12-23 11:31 - 00001212 _____ C:\Users\Admin\Desktop\GiliSoft Screen Recorder 4.2.0.lnk
    2013-12-23 11:31 - 2013-12-23 11:31 - 00000000 ____D C:\Users\Admin\AppData\Roaming\gilisoft
    2013-12-23 11:31 - 2013-12-23 11:31 - 00000000 ____D C:\Program Files (x86)\Gilisoft
    2013-12-23 09:03 - 2013-12-23 09:03 - 00000000 ____D C:\Windows\Sun
    2013-12-23 08:29 - 2013-12-23 08:29 - 00037376 _____ C:\Windows\System32\okfea.mug
    2013-12-23 08:07 - 2014-01-13 10:23 - 00000085 _____ C:\Windows\System32\vytltpg.snb
    2013-12-23 07:57 - 2013-12-23 08:29 - 00000098 _____ C:\Windows\System32\lkolsfd.ldg
    2013-12-23 07:57 - 2013-12-23 07:57 - 00000064 _____ C:\Windows\System32\kwhotj.dop
    2013-12-21 09:56 - 2013-12-21 09:56 - 00219314 ____S C:\Windows\System32\odcjsrc.fql
    2013-12-18 08:29 - 2013-12-18 08:29 - 01160504 _____ C:\Windows\is-5MOSV.exe
    2013-12-18 08:29 - 2013-12-18 08:29 - 00020903 _____ C:\Windows\is-5MOSV.msg
    2013-12-18 08:29 - 2013-12-18 08:29 - 00000275 _____ C:\Windows\is-5MOSV.lst
    2013-12-17 14:43 - 2013-12-17 14:46 - 00000000 ____D C:\Users\Frank HP\Desktop\StickyPasswordNEW
    2013-12-15 10:35 - 2013-11-26 02:19 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-12-15 10:35 - 2013-11-26 02:18 - 00004096 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollectorres.dll
    2013-12-15 10:35 - 2013-11-26 01:48 - 00066048 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
    2013-12-15 10:35 - 2013-11-26 01:46 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\ieetwproxystub.dll
    2013-12-15 10:35 - 2013-11-26 01:29 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-12-15 10:35 - 2013-11-26 01:27 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
    2013-12-15 10:35 - 2013-11-26 01:23 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2013-12-15 10:35 - 2013-11-26 01:21 - 00574976 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-12-15 10:35 - 2013-11-26 01:18 - 00139264 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-12-15 10:35 - 2013-11-26 01:18 - 00111616 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
    2013-12-15 10:35 - 2013-11-26 00:57 - 00218624 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2013-12-15 10:35 - 2013-11-26 00:38 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2013-12-15 10:35 - 2013-11-26 00:32 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2013-12-15 10:34 - 2013-11-26 03:54 - 23183360 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-12-15 10:34 - 2013-11-26 02:11 - 17112576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2013-12-15 10:34 - 2013-11-26 01:41 - 02764288 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-12-15 10:34 - 2013-11-26 01:16 - 00708608 _____ (Microsoft Corporation) C:\Windows\System32\jscript9diag.dll
    2013-12-15 10:34 - 2013-11-26 00:38 - 02166784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2013-12-15 10:34 - 2013-11-26 00:35 - 05769216 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-12-15 10:34 - 2013-11-26 00:28 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
    2013-12-15 10:34 - 2013-11-26 00:16 - 04243968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2013-12-15 10:34 - 2013-11-26 00:02 - 01995264 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-12-15 10:34 - 2013-11-25 23:48 - 12996608 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-12-15 10:34 - 2013-11-25 23:32 - 01928192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2013-12-15 10:34 - 2013-11-25 23:26 - 11221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2013-12-15 10:34 - 2013-11-25 23:07 - 02334208 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-12-15 10:34 - 2013-11-25 22:40 - 01395200 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-12-15 10:34 - 2013-11-25 22:34 - 00817664 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
    2013-12-15 10:34 - 2013-11-25 22:34 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
    2013-12-15 10:34 - 2013-11-25 22:33 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2013-12-15 10:34 - 2013-11-25 22:27 - 01157632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

    ==================== One Month Modified Files and Folders =======

    2014-01-13 17:05 - 2014-01-13 17:05 - 00000000 ____D C:\FRST
    2014-01-13 14:56 - 2011-06-30 14:31 - 01338073 _____ C:\Windows\WindowsUpdate.log
    2014-01-13 14:55 - 2012-01-17 17:37 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\DMCache
    2014-01-13 14:48 - 2011-07-02 13:29 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2014-01-13 14:45 - 2013-10-02 08:16 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2041422357-884848210-2116232879-1000UA.job
    2014-01-13 14:40 - 2009-07-13 21:13 - 00779266 _____ C:\Windows\System32\PerfStringBackup.INI
    2014-01-13 14:39 - 2013-02-20 14:00 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\Spotify
    2014-01-13 14:39 - 2012-04-10 13:32 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2014-01-13 14:39 - 2011-07-02 13:29 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2014-01-13 11:32 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-01-13 11:32 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-01-13 11:25 - 2013-12-23 11:49 - 00003594 _____ C:\Windows\setupact.log
    2014-01-13 11:25 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2014-01-13 10:23 - 2013-12-23 08:07 - 00000085 _____ C:\Windows\System32\vytltpg.snb
    2014-01-13 09:20 - 2011-06-30 19:09 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\HpUpdate
    2014-01-13 09:19 - 2011-07-02 10:31 - 00000000 ____D C:\ProgramData\MFAData
    2014-01-12 08:45 - 2013-10-02 08:16 - 00000868 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2041422357-884848210-2116232879-1000Core.job
    2014-01-11 08:24 - 2013-09-09 07:36 - 00003745 _____ C:\Program Files (x86)\Mozilla Firefoxsafeguard-secure-search.xml
    2014-01-11 08:24 - 2013-09-09 07:36 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
    2014-01-11 08:24 - 2013-09-09 07:36 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar
    2014-01-07 08:20 - 2014-01-07 08:20 - 00023918 _____ C:\Users\Admin\Desktop\dds.txt
    2014-01-07 08:20 - 2014-01-07 08:20 - 00013195 _____ C:\Users\Admin\Desktop\attach.txt
    2014-01-07 08:02 - 2014-01-06 08:59 - 00000000 ____D C:\Users\Frank HP\Desktop\BleepingComputer
    2014-01-06 18:47 - 2014-01-06 14:48 - 00001690 _____ C:\Users\Admin\Desktop\Rkill.txt
    2014-01-06 15:03 - 2014-01-06 13:42 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2014-01-06 15:03 - 2014-01-06 13:41 - 00000000 ____D C:\Users\Admin\Desktop\mbar
    2014-01-06 14:48 - 2014-01-06 14:48 - 00000000 ____D C:\Users\Admin\Desktop\rkill
    2014-01-06 14:42 - 2013-01-11 13:25 - 00000000 ____D C:\Users\Frank HP\Desktop\Anti-Rootkit
    2014-01-06 13:42 - 2014-01-06 13:42 - 00117464 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
    2014-01-06 13:41 - 2014-01-06 13:41 - 00089304 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
    2014-01-06 11:25 - 2013-11-26 16:06 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\vlc
    2014-01-03 12:22 - 2013-07-19 12:20 - 00000000 ____D C:\Users\Frank HP\Desktop\delete
    2014-01-02 13:47 - 2014-01-02 13:47 - 00000000 ____D C:\TDSSKiller_Quarantine
    2014-01-02 10:52 - 2014-01-02 10:52 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2014-01-02 10:52 - 2014-01-02 10:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2014-01-01 11:07 - 2013-02-25 08:18 - 00000000 ___SD C:\Users\Frank HP\Documents\Sticky Passwords
    2013-12-31 11:07 - 2013-11-20 22:09 - 00000000 ____D C:\Program Files (x86)\PasswordBox
    2013-12-27 09:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2013-12-27 09:13 - 2013-12-27 09:13 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\TuneUp Software
    2013-12-27 09:07 - 2013-12-27 09:07 - 00125608 _____ C:\Users\Frank HP\AppData\Local\GDIPFONTCACHEV1.DAT
    2013-12-25 09:49 - 2013-05-29 08:57 - 00000000 ____D C:\Users\Frank HP\Desktop\Los A-T Boyz
    2013-12-23 11:51 - 2013-12-23 11:49 - 05036720 _____ C:\Windows\System32\FNTCACHE.DAT
    2013-12-23 11:49 - 2013-12-23 11:49 - 00000000 _____ C:\Windows\setuperr.log
    2013-12-23 11:37 - 2013-02-27 12:03 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
    2013-12-23 11:37 - 2013-01-25 08:23 - 00000000 ____D C:\Program Files\CCleaner
    2013-12-23 11:32 - 2013-12-23 11:32 - 04558848 _____ (Google Inc.) C:\Windows\SysWOW64\GPhotos.scr
    2013-12-23 11:32 - 2013-12-23 11:32 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\GiliSoft
    2013-12-23 11:31 - 2013-12-23 11:31 - 00001212 _____ C:\Users\Admin\Desktop\GiliSoft Screen Recorder 4.2.0.lnk
    2013-12-23 11:31 - 2013-12-23 11:31 - 00000000 ____D C:\Users\Admin\AppData\Roaming\gilisoft
    2013-12-23 11:31 - 2013-12-23 11:31 - 00000000 ____D C:\Program Files (x86)\Gilisoft
    2013-12-23 09:03 - 2013-12-23 09:03 - 00000000 ____D C:\Windows\Sun
    2013-12-23 08:29 - 2013-12-23 08:29 - 00037376 _____ C:\Windows\System32\okfea.mug
    2013-12-23 08:29 - 2013-12-23 07:57 - 00000098 _____ C:\Windows\System32\lkolsfd.ldg
    2013-12-23 07:57 - 2013-12-23 07:57 - 00000064 _____ C:\Windows\System32\kwhotj.dop
    2013-12-23 07:57 - 2012-08-28 13:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-12-22 20:09 - 2013-08-19 12:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-12-21 13:20 - 2012-01-17 17:37 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\IDM
    2013-12-21 12:35 - 2013-07-22 09:15 - 00000000 ____D C:\Users\Frank HP\Desktop\NEW DOWNLOAD
    2013-12-21 09:56 - 2013-12-21 09:56 - 00219314 ____S C:\Windows\System32\odcjsrc.fql
    2013-12-21 09:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
    2013-12-19 11:03 - 2011-07-08 11:08 - 00000000 ____D C:\Users\Frank HP\AppData\Roaming\uTorrent
    2013-12-18 09:06 - 2013-02-25 08:40 - 00000000 ____D C:\Program Files (x86)\Sticky Password
    2013-12-18 09:03 - 2011-07-08 16:50 - 00001456 _____ C:\Users\Frank HP\AppData\Local\Adobe Save for Web 12.0 Prefs
    2013-12-18 08:29 - 2013-12-18 08:29 - 01160504 _____ C:\Windows\is-5MOSV.exe
    2013-12-18 08:29 - 2013-12-18 08:29 - 00020903 _____ C:\Windows\is-5MOSV.msg
    2013-12-18 08:29 - 2013-12-18 08:29 - 00000275 _____ C:\Windows\is-5MOSV.lst
    2013-12-17 23:41 - 2013-08-14 07:03 - 00000000 ____D C:\Windows\System32\MRT
    2013-12-17 23:38 - 2012-01-28 09:58 - 90708896 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-12-17 14:46 - 2013-12-17 14:43 - 00000000 ____D C:\Users\Frank HP\Desktop\StickyPasswordNEW
    2013-12-17 10:45 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
    2013-12-15 10:44 - 2011-07-02 13:28 - 00000000 ____D C:\users\Admin
    ZeroAccess:
    C:\Users\Frank HP\AppData\Local\Google\Desktop\Install

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-2041422357-884848210-2116232879-1000\$7cb2d2a7b6efde3aa0500bea76e9ef09

    Files to move or delete:
    ====================
    C:\Users\Frank HP\AppData\Roaming\skype.ini
    C:\Users\Frank HP\lametritonus_en.dll
    C:\Users\Frank HP\lame_enc_en.dll


    Some content of TEMP:
    ====================
    C:\Users\Admin\AppData\Local\Temp\{A37E0C42-EF3A-4A0C-82AD-1CC983B899D7}.exe
    C:\Users\Admin\AppData\Local\Temp\{C9EDC08D-F45F-4B80-B49A-8E29B6934408}.exe
    C:\Users\Frank HP\AppData\Local\Temp\cl75rdsq.dll


    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll
    [2011-07-07 08:52] - [2010-11-20 05:27] - 0512512 ____A (Microsoft Corporation) BF9B8B9F08430C19DAFD87457DACA6E0

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points  =========================


    ==================== Memory info ===========================

    Percentage of memory in use: 18%
    Total physical RAM: 3893.86 MB
    Available physical RAM: 3175.11 MB
    Total Pagefile: 3892.01 MB
    Available Pagefile: 3175.91 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.88 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:452.47 GB) (Free:45.32 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive e: (RECOVERY) (Fixed) (Total:13 GB) (Free:2.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
    Drive h: () (Removable) (Total:14.9 GB) (Free:14.75 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 466 GB) (Disk ID: FAB1DD81)
    Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=452 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)
    Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

    ========================================================
    Disk: 1 (Size: 15 GB) (Disk ID: 00000000)
    Partition 1: (Not Active) - (Size=15 GB) - (Type=0C)


    LastRegBack: 2013-12-20 18:36

    ==================== End Of Log ============================



    #4 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts

    Posted 13 January 2014 - 08:37 PM

    Hi,

     

    We need to find a file replacement.  Please boot into FRST, type rpcss.dll into the search box and click Search File(s).  Wait a few minutes until it's done (it can take time depending on the size of your hard drive, the speed of your computer, etc.).  It will save search.txt to the flash drive.  Please copy/paste the contents of that file in your reply.

     

    -etavares



    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Unified Network of Instructors and Trusted Eliminators
     


    #5 computerhelp2014

    computerhelp2014
    • Topic Starter

    • Members
    • 15 posts

    Posted 14 January 2014 - 12:04 AM

    Search.txt -

     

    C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
    [2011-07-07 08:52] - [2010-11-20 05:27] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

    C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
    [2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

    C:\Windows\System32\rpcss.dll
    [2011-07-07 08:52] - [2010-11-20 05:27] - 0512512 ____A (Microsoft Corporation) BF9B8B9F08430C19DAFD87457DACA6E0

    X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
    [2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

    X:\Windows\System32\rpcss.dll
    [2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

    ====== End Of Search ======



    #6 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts

    Posted 14 January 2014 - 09:18 AM

    Hello, computerhelp2014.
     
    Backdoor Warning
    One or more of the identified infections is a backdoor trojan.
     
    This allows hackers to remotely control your computer, steal critical system information and download and execute files.
     
    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
     
    Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
     
     
    We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.  If you do decide to proceed, please continue with the fix below.
     
     
    Step 1
     
    Please open notepad on a working computer and copy/paste the text in the codebox below into notepad.  Save it as fixlist.txt to the FRST flash drive.
     
    Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
    2013-12-23 08:29 - 2013-12-23 08:29 - 00037376 _____ C:\Windows\System32\okfea.mug
    2013-12-23 08:07 - 2014-01-13 10:23 - 00000085 _____ C:\Windows\System32\vytltpg.snb
    2013-12-23 07:57 - 2013-12-23 08:29 - 00000098 _____ C:\Windows\System32\lkolsfd.ldg
    2013-12-23 07:57 - 2013-12-23 07:57 - 00000064 _____ C:\Windows\System32\kwhotj.dop
    2013-12-21 09:56 - 2013-12-21 09:56 - 00219314 ____S C:\Windows\System32\odcjsrc.fql
    C:\Users\Frank HP\AppData\Local\Google\Desktop\Install
    C:\$Recycle.Bin\S-1-5-21-2041422357-884848210-2116232879-1000\$7cb2d2a7b6efde3aa0500bea76e9ef09
     
    Boot the infected computer from the FRST flash drive and click Fix once.  It will run.  When done, please copy/paste fixlog.txt here. Also, boot into Windows from that computer and run a fresh DDS scan.  Please post both DDS.txt and Attach.txt here.
     
    etavares


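The check etavares applied across the search results in post #5 and the Replace: directive in post #6 (the live System32\rpcss.dll carries the same timestamps as its WinSxS twin but a different size and MD5, so the twin is the replacement) can be automated against FRST's search.txt. This is an added example, not FRST's or the thread's code; the sample search.txt is transcribed from post #5, and the "same timestamps, different hash" selection rule is an assumption modelled on the fix above.

```python
"""Parse FRST 'Search File(s)' output and pick a clean WinSxS replacement.

Added example (not FRST's code). The selection rule below is an assumption
modelled on the thread's fix: a System32 copy whose created/modified stamps
match a WinSxS copy but whose size/MD5 differ is treated as patched, and
the WinSxS twin is proposed as the Replace: source.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the search.txt posted in this thread, verbatim.
SEARCH_TXT = r"""
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2011-07-07 08:52] - [2010-11-20 05:27] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2011-07-07 08:52] - [2010-11-20 05:27] - 0512512 ____A (Microsoft Corporation) BF9B8B9F08430C19DAFD87457DACA6E0

X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

====== End Of Search ======
"""

# FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def drive(self) -> str:
        return self.path[0].upper()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def in_system32(self) -> bool:
        return not self.in_winsxs and "\\system32\\" in self.path.lower()


def parse_search(text: str) -> list[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: list[FileEntry] = []
    i = 0
    while i < len(lines) - 1:
        path, m = lines[i], DETAIL_RE.match(lines[i + 1])
        if PATH_RE.match(path) and m:
            entries.append(FileEntry(path, m["created"], m["modified"],
                                     int(m["size"]), m["company"], m["md5"].upper()))
            i += 2
        else:
            i += 1
    return entries


def find_patched(entries: list[FileEntry], system_drive: str = "C"):
    """Return (live_copy, clean_twin) if the System32 copy on system_drive
    differs from a WinSxS copy with identical timestamps, else None.
    Matching timestamps mean the same servicing version was installed; a
    size/MD5 mismatch on top of that is the evidence of in-place patching."""
    live = next((e for e in entries if e.drive == system_drive and e.in_system32), None)
    if live is None:
        return None
    for twin in entries:
        if (twin.drive == system_drive and twin.in_winsxs
                and (twin.created, twin.modified) == (live.created, live.modified)
                and twin.md5 != live.md5):
            return live, twin
    return None


def fixlist_replace_line(live: FileEntry, twin: FileEntry) -> str:
    """Emit the FRST fixlist directive: Replace: <source> <destination>."""
    return f"Replace: {twin.path} {live.path}"


if __name__ == "__main__":
    found = find_patched(parse_search(SEARCH_TXT))
    if found:
        live, twin = found
        print(f"{live.path}: size {live.size} vs twin {twin.size}, MD5 differs")
        print(fixlist_replace_line(live, twin))
```

The WinSxS twin is a convenient reference because FRST's own whitelist hash failed, but it is not proof of cleanliness: confirm its MD5 against a trusted copy of the same build before acting on the Replace: line.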
     


    #7 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts

    Posted 21 January 2014 - 08:55 PM

    still there?



     


    #8 computerhelp2014

    computerhelp2014
    • Topic Starter

    • Members
    • 15 posts

    Posted 21 January 2014 - 11:28 PM

    Yes,

    Sorry for the delay.

    I decided to go ahead and reinstall the operating system.

    Thank you for your assistance.



    #9 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts

    Posted 22 January 2014 - 09:09 PM

    Ok, thanks for letting me know.  That's a good choice, provided you did a complete reinstall not just a repair install.  If you did a repair install, I can help you remove the leftovers.  Just let me know.

     

    -etavares



     


    #10 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts

    Posted 01 February 2014 - 03:58 PM

    It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.


     




