hearing weird mashup of ads/music/news - "Zekos"?


This topic is locked
28 replies to this topic

#1 jchico

  • Members
  • 108 posts

Posted 11 January 2014 - 09:25 AM

Hello, need some help as we seem to have been "attacked" - when opening IE and connecting, we hear a weird mashup of ads, music, news, etc. in the background of whatever we are doing. No other programs appear to be running, and even when we shut all other programs we still hear the sounds.

Seems to start as soon as Windows has fully booted. In addition, we get a pop-up after 10-15 minutes - "Windows must shut down because DCOM Process Launcher terminated unexpectedly". That forces the system to close and reboot.

I've restored the computer to a previous date with no luck and also run basic scans ("quick" ones, as the system will not stay booted for an extended period) - nothing unusual.

 

Dell Inspiron N7010

Windows 7 Home Premium

IE8

 

Link to original topic:

http://www.bleepingcomputer.com/forums/t/520401/hearing-weird-mashup-of-adsmusicnews/

 

DDS file below and attachment:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.17267
Run by Daphne at 9:13:14 on 2014-01-11
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2933.559 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\BBSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlcccoms.exe
C:\Program Files (x86)\Dell Printers\Printer SSW\Status Monitor\dlm1db.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe
C:\Program Files (x86)\Nuance\Nuance Cloud Connector\WOSVSSSvr.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Dell Printers\PaperPort\PDFProFiltSrvPP.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GladinetClient.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Dell Printers\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Dell Printers\PDFViewer\PdfPro7Hook.exe
C:\Program Files (x86)\Dell Printers\Printer SSW\Launcher\dlm1launcher.exe
C:\Program Files (x86)\Dell Printers\Printer SSW\Status Monitor\dlm1pl.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_170_ActiveX.exe
C:\Program Files (x86)\Roxio\Roxio Burn\Roxio Burn.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\system32\sppsvc.exe
c:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Dell Printers\Dell C1765 Color Multifunction Printer\Status Monitor\dlm1sp.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = g.msn.com/USCON/1
mWinlogon: Userinit = userinit.exe
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\BingExt.dll
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Dell Printers\PDFViewer\bin\PlusIEContextMenu.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\GROOVEEX.DLL
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\BingExt.dll
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [DellSupportCenter] "c:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
mRun: [PaperPort PTD] "C:\Program Files (x86)\Dell Printers\PaperPort\pptd40nt.exe"
mRun: [IndexSearch] "C:\Program Files (x86)\Dell Printers\PaperPort\IndexSearch.exe"
mRun: [PDFProHook] C:\Program Files (x86)\Dell Printers\PDFViewer\pdfpro7hook.exe
mRun: [LauncherC1765nf] "C:\Program Files (x86)\Dell Printers\Printer SSW\Launcher\dlm1launcher.exe" /S Dell C1765nf Color MFP
mRun: [StatusAutoRunC1765nf] "C:\Program Files (x86)\Dell Printers\Printer SSW\Status Monitor\dlm1pl.exe" RUNSTART
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\Daphne\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files\Dell\DellDock\DellDock.exe
StartupFolder: C:\Users\Daphne\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SENDTO~1.LNK - C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NUANCE~1.LNK - C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GladLauncher.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Open with PDF Viewer 7 - C:\Program Files (x86)\Dell Printers\PDFViewer\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{86CC7D7F-2BD0-4B67-B426-574E09BACA62} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{F61ED247-A5CD-4402-AC6A-210F7BDC9F30} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{F61ED247-A5CD-4402-AC6A-210F7BDC9F30}\16D656 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{F61ED247-A5CD-4402-AC6A-210F7BDC9F30}\E45647765616275313 : DHCPNameServer = 192.168.1.1
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\amd64\BingExt.dll
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} -
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [DLCCCATS] rundll32 C:\Windows\System32\spool\DRIVERS\x64\3\DLCCtime.dll,RunDLLEntry
x64-Run: [dlccmon.exe] "C:\Program Files (x86)\Dell Photo AIO Printer 924\dlccmon.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - <orphaned>
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-8-25 55280]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-8-25 98208]
R2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\BBSvc.EXE [2013-12-16 193696]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 DLNBDB;Dell Status Monitor Database;C:\Program Files (x86)\Dell Printers\Printer SSW\Status Monitor\dlm1db.exe [2013-2-6 244712]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 GladFileMonSvc;GladFileMonSvc;C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe [2011-9-29 29552]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2012-8-23 13672]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-6-18 134944]
R2 OfficeSvc;Microsoft Office Service;C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-1-31 1907896]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;C:\Program Files (x86)\Dell Printers\PaperPort\PDFProFiltSrvPP.exe [2012-6-21 219536]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-8-25 1692480]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-8-25 2320920]
R3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\System32\drivers\bcmvwl64.sys [2010-8-25 20984]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2010-8-25 172704]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-8-25 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-8-25 158976]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-8-25 271872]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-8-25 74280]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.EXE [2013-12-16 247968]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;C:\Windows\System32\drivers\BVRPMPR5a64.SYS [2011-7-26 35840]
S3 FlyUsb;FLY Fusion;C:\Windows\System32\drivers\FlyUsb.sys [2007-6-19 24576]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2010-7-27 339040]
S3 LVUVC64;QuickCam Pro for Notebooks(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2010-7-27 6465632]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-8-25 245792]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-9-6 1255736]
.
=============== Created Last 30 ================
.
2014-01-11 14:06:24 -------- d-----w- C:\Users\Daphne\AppData\Local\{C3633021-0D4E-4C30-8A2C-0F57686860B3}
2014-01-11 02:55:44 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AFA718B5-CDEC-4A2D-92B1-37CBB499C18A}\offreg.dll
2014-01-10 20:46:35 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AFA718B5-CDEC-4A2D-92B1-37CBB499C18A}\mpengine.dll
2014-01-10 20:35:34 -------- d-----w- C:\Users\Daphne\AppData\Local\{8A391C90-A05B-4378-86AE-1B2A0311EA85}
2014-01-09 23:13:09 -------- d-----w- C:\Users\Daphne\AppData\Local\{A8ABC305-A468-47A5-95FF-310742333BB0}
2014-01-09 02:37:16 10315576 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-09 02:28:08 -------- d-----w- C:\Users\Daphne\AppData\Local\{B5851D83-F777-4516-8115-462025B1F518}
2014-01-07 04:40:31 -------- d-----w- C:\Users\Daphne\AppData\Local\{49CADE3A-EFB7-4C4D-AD09-5BCD83EE9091}
2014-01-05 02:27:40 -------- d-----w- C:\Users\Daphne\AppData\Local\{8D397F5E-6DD0-4757-840C-4A167AA0EB0E}
2014-01-04 02:31:47 -------- d-----w- C:\Users\Daphne\AppData\Local\{CB88B72A-AF62-49B2-AE05-986A30E7BD5C}
2014-01-03 00:31:11 -------- d-----w- C:\Users\Daphne\AppData\Local\{0B634392-097F-41C6-8295-9EF4FCDCC76A}
2014-01-02 05:39:50 -------- d-----w- C:\Users\Daphne\AppData\Local\{9E531112-A376-4261-B2DA-A39089F39C9C}
2013-12-31 18:26:19 -------- d-----w- C:\Users\Daphne\AppData\Local\{D59B6B98-7830-4419-8EDE-047C78561755}
2013-12-30 14:47:25 -------- d-----w- C:\Users\Daphne\AppData\Local\{AF9CAFC2-9E6B-476E-8B5B-55AA9B6B6E24}
2013-12-30 00:26:55 -------- d-----w- C:\Users\Daphne\AppData\Local\{3DF14CAB-A065-4326-BE68-9A08FD15C73F}
2013-12-29 04:51:19 -------- d-----w- C:\Users\Daphne\AppData\Local\{0E987C0F-72F8-4FF4-933C-BDA1AE760C45}
2013-12-27 04:10:32 -------- d-----w- C:\Program Files\iPod
2013-12-27 04:10:16 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-12-27 04:10:16 -------- d-----w- C:\Program Files\iTunes
2013-12-27 04:10:16 -------- d-----w- C:\Program Files (x86)\iTunes
2013-12-27 01:40:51 -------- d-----w- C:\Users\Daphne\AppData\Local\{0329234A-1C70-4F7E-8D8C-2EFDE9C3DFB4}
2013-12-26 04:05:22 -------- d-----w- C:\Users\Daphne\AppData\Local\{09E82228-C1C2-44E3-99E9-8C595AB3002E}
2013-12-24 22:58:52 -------- d-----w- C:\Users\Daphne\AppData\Local\{6D00C3A8-6254-4923-9B7B-C552AEAE1EDA}
2013-12-23 20:58:29 -------- d-----w- C:\Users\Daphne\AppData\Local\{9D3068C0-5F77-49AF-BA09-4BB76EB18DBE}
2013-12-22 20:58:58 -------- d-----w- C:\Users\Daphne\AppData\Local\{55C7C4F1-11B1-4EEC-86C7-3C62429CE821}
2013-12-21 21:52:27 -------- d-----w- C:\Users\Daphne\AppData\Local\{57D5CB76-B77A-4A20-9550-41FBC5B10944}
2013-12-21 21:13:29 -------- d-----w- C:\Users\Daphne\AppData\Local\{8E0BE4E4-A86B-47EA-AFEF-39BC36C0B0C1}
2013-12-19 18:25:24 -------- d-----w- C:\Users\Daphne\AppData\Local\{CB375F30-12B4-488E-970C-8C16F1EC1AEA}
2013-12-18 22:14:45 -------- d-----w- C:\Users\Daphne\AppData\Local\{69E8312C-3D62-47C3-B806-5FF3B952C1F2}
2013-12-17 19:58:31 -------- d-----w- C:\Users\Daphne\AppData\Local\{22F5D203-F052-4B17-9046-DF4444FBD252}
2013-12-17 04:44:01 -------- d-----w- C:\Users\Daphne\AppData\Local\{10D31E75-1A0F-49AD-AC33-9E79FCF061C2}
2013-12-16 00:36:53 -------- d-----w- C:\Users\Daphne\AppData\Local\{BEF2A93F-2AD9-4A46-A33F-ADEB034D9B05}
2013-12-15 02:51:58 -------- d-----w- C:\Users\Daphne\AppData\Local\{739D4AEC-280E-4288-8BA0-5A692399109C}
2013-12-14 05:16:11 -------- d-----w- C:\Users\Daphne\AppData\Local\{DEB1B79D-CE9B-4367-A783-C05F588BB48F}
2013-12-13 02:26:28 -------- d-----w- C:\Users\Daphne\AppData\Local\{5F5A035B-021B-4F15-A753-1F45E615BBCB}
.
==================== Find3M  ====================
.
2013-12-11 01:27:54 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-11 01:27:54 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH:  9:17:17.12 ===============
 

 

Thanks in advance
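A quick way to sift a DDS process list like the one above, as an added example (this is not code from the poster, from the DDS tool, or from the thread): parse the "Running Processes" section and flag the things a responder checks first, namely a system-binary name such as svchost.exe running from anywhere but %SystemRoot%, an image that lives in a user-writable directory, and an svchost.exe started without a `-k` service group. The sample text is constructed: its legitimate lines are copied from the log above, while the final `C:\Users\Daphne\AppData\Local\Temp\svchost.exe` line is an invented illustration of what a masquerading process looks like and does not appear in the log. `SYSTEM_ROOT` assumes C:\Windows, as the log shows; the function and constant names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Binaries that only run from under %SystemRoot% on a clean Windows 7 install.
SYSTEM_BINARIES = {
    "svchost.exe", "lsm.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "explorer.exe", "rundll32.exe", "cscript.exe", "wscript.exe",
    "taskhost.exe", "dwm.exe", "spoolsv.exe", "wmiprvse.exe",
}

# Path fragments that mark directories a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Assumption: %SystemRoot% is C:\Windows, as the DDS log shows.
SYSTEM_ROOT = "c:\\windows\\"

SECTION_RE = re.compile(
    r"=+\s*Running Processes\s*=+(?P<body>.*?)(?=^=+|\Z)", re.S | re.M)
PROC_RE = re.compile(r"^(?P<path>[a-z]:\\.*?\.exe)(?P<args>\s.*)?$", re.I)

# Constructed sample in DDS format. All lines but the last are copied from the
# log in this thread; the Temp\svchost.exe line is invented for illustration.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\Explorer.EXE
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Windows\System32\cscript.exe
C:\Users\Daphne\AppData\Local\Temp\svchost.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = g.msn.com/USCON/1
"""


def parse_running_processes(text: str) -> List[Tuple[str, str]]:
    """Return (image_path, arguments) for each line of the Running Processes section."""
    section = SECTION_RE.search(text)
    if not section:
        return []
    procs = []
    for line in section.group("body").splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs.append((m.group("path"), (m.group("args") or "").strip()))
    return procs


def classify(path: str, args: str) -> List[str]:
    """Reasons a process line deserves a second look; an empty list means nothing odd."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_ROOT):
        reasons.append("system binary name running outside %SystemRoot%")
    if any(fragment in low for fragment in USER_WRITABLE):
        reasons.append("image lives in a user-writable location")
    if name == "svchost.exe" and not re.search(r"-k\s+\S", args, re.I):
        reasons.append("svchost.exe started without a -k service group")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged image path to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for path, args in parse_running_processes(text):
        reasons = classify(path, args)
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DDS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the full log above, these rules produce a single hit, ISUSPM.exe under C:\ProgramData, which the FRST output in post #4 attributes to Flexera Software; a flag is a prompt to check the publisher and signature, not a verdict.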

 


#2 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 14 January 2014 - 03:08 PM

Hi jchico and welcome to BleepingComputer.

I am currently looking through your logs and will advise you on what to do in my next reply.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#3 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 14 January 2014 - 03:22 PM

Hello jchico

I'm Seedy21 and I will be helping you with your issues.

Please note the following information about the malware forum:

  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by me.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes which may not show up in the logs you post.
  • Please reply within 48 hours; if you are going to be away for longer, please let us know, or the topic will be closed for being inactive.
  • If you are using cracked or illegal software, your thread will be closed.
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed.

Step 1


Please download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc.
    If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version, type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Step 2

While still in FRST, type rpcss.dll in the search box and click Search File(s). Post the resulting log (search.txt) that will be in the same location as FRST.
 


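Step 2 above lists every copy of rpcss.dll on the disk, the service DLL loaded by the `svchost.exe -k RPCSS` and `-k DcomLaunch` hosts that appear in the DDS process list. The question a responder asks next is whether the live copy in System32 (and the 32-bit one in SysWOW64) is byte-identical to one of the servicing copies Windows keeps under WinSxS. The following is an added example, not code from the thread or from FRST: it hashes the live file and every WinSxS copy of the same name and reports whether any match. It assumes the component store keeps each copy one directory below WinSxS (the `amd64_microsoft-windows-rpcss_...\rpcss.dll` layout) and that `%SystemRoot%` is set; `check_system_dll` and `demo` are the example's own names, and `demo` builds a constructed throwaway directory tree rather than touching a real Windows installation.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream-hash a file so multi-megabyte DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def component_store_copies(winsxs: Path, name: str) -> List[Path]:
    """Files called `name` one level below WinSxS (assumed layout: <component dir>\\<name>)."""
    return sorted(p for p in winsxs.glob(f"*/{name}") if p.is_file())


def check_system_dll(live: Path, winsxs: Path, name: str = "rpcss.dll") -> Dict[str, object]:
    """Compare the live DLL against every component-store copy with the same file name."""
    live_hash = sha256_of(live)
    copies = {p: sha256_of(p) for p in component_store_copies(winsxs, name)}
    matches = [str(p) for p, h in copies.items() if h == live_hash]
    return {
        "live": str(live),
        "size": live.stat().st_size,
        "sha256": live_hash,
        "store_copies": len(copies),
        "matches": matches,
        "verdict": ("identical to a component-store copy" if matches
                    else "matches no component-store copy: verify signature, replace from clean media"),
    }


def demo() -> Dict[str, bool]:
    """Constructed fixture, not a real Windows tree: a live DLL that matches its WinSxS
    copy, then the same file after an in-place patch, which matches nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        store_dir = root / "WinSxS" / "amd64_microsoft-windows-rpcss_example"
        store_dir.mkdir(parents=True)
        clean = b"MZ" + b"\x00" * 62 + b"constructed stand-in for rpcss.dll"
        (store_dir / "rpcss.dll").write_bytes(clean)
        (root / "System32").mkdir()
        live = root / "System32" / "rpcss.dll"
        live.write_bytes(clean)
        intact = check_system_dll(live, root / "WinSxS")
        # Simulate a few bytes being overwritten inside the mapped image.
        live.write_bytes(clean[:40] + b"\xe9patched" + clean[48:])
        tampered = check_system_dll(live, root / "WinSxS")
        return {"clean_matches": bool(intact["matches"]),
                "tampered_matches": bool(tampered["matches"])}


if __name__ == "__main__":
    print("demo:", demo())
    root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    for live in (root / "System32" / "rpcss.dll", root / "SysWOW64" / "rpcss.dll"):
        if live.is_file():  # only meaningful on a Windows host
            for key, value in check_system_dll(live, root / "WinSxS").items():
                print(f"{key}: {value}")
```

A match is necessary, not sufficient: System32 binaries are normally hard links into WinSxS, so a write that goes through the link alters both copies at once, and a mismatch can also be a pending update rather than tampering. Confirm with catalog/Authenticode verification (sigcheck or Get-AuthenticodeSignature) from a clean boot environment before replacing anything.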


#4 jchico
  • Topic Starter
  • Members
  • 108 posts

Posted 14 January 2014 - 06:59 PM

Thank you for your help!  Here are the logs:

 

 

FRST -

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-01-2014
Ran by SYSTEM on MININT-1N6ONON on 14-01-2014 17:37:18
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official downoad link fo FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10144288 2010-04-13] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\QuickSet.exe [3203440 2010-04-06] (Dell Inc.)
HKLM\...\Run: [DLCCCATS] - C:\Windows\system32\spool\DRIVERS\x64\3\DLCCtime.dll [28672 2006-02-24] ()
HKLM\...\Run: [dlccmon.exe] - C:\Program Files (x86)\Dell Photo AIO Printer 924\dlccmon.exe [431600 2007-01-30] (Dell)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell DataSafe Online] - C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe [1807680 2010-02-09] ()
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-10-15] ()
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [DellSupportCenter] - c:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Monitor] - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe [268640 2011-11-12] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [ISUSPM] - C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] - C:\Program Files (x86)\Dell Printers\PaperPort\pptd40nt.exe [38848 2011-11-17] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [IndexSearch] - C:\Program Files (x86)\Dell Printers\PaperPort\IndexSearch.exe [51136 2011-11-17] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFProHook] - C:\Program Files (x86)\Dell Printers\PDFViewer\pdfpro7hook.exe [607632 2012-05-30] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [LauncherC1765nf] - C:\Program Files (x86)\Dell Printers\Printer SSW\Launcher\dlm1launcher.exe [2471928 2013-02-06] (Dell Inc.)
HKLM-x32\...\Run: [StatusAutoRunC1765nf] - C:\Program Files (x86)\Dell Printers\Printer SSW\Status Monitor\dlm1pl.exe [3850216 2013-02-06] (Dell Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-01] (Apple Inc.)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-08] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\Daphne\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4240760 2010-11-10] (Microsoft Corporation)
HKU\Daphne\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Daphne\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-04-13] (Google Inc.)
HKU\Daphne\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Daphne\...\Run: [ISUSPM] - C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [324976 2010-05-21] (Flexera Software, Inc.)
Startup: C:\Users\Daphne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Daphne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) =================

S2 dlcc_device; C:\Windows\system32\dlcccoms.exe [566768 2007-01-30] ( )
S2 dlcc_device; C:\Windows\SysWOW64\dlcccoms.exe [538096 2007-01-30] ( )
S2 DLNBDB; C:\Program Files (x86)\Dell Printers\Printer SSW\Status Monitor\dlm1db.exe [244712 2013-02-06] ()
S2 GladFileMonSvc; C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe [29552 2011-09-29] (Gladinet, INC)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1907896 2013-11-01] (Microsoft Corporation)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Dell Printers\PaperPort\PDFProFiltSrvPP.exe [219536 2012-06-21] (Nuance Communications, Inc.)
S4 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\   \...\???\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 FlyUsb; C:\Windows\System32\DRIVERS\FlyUsb.sys [24576 2007-06-19] (LeapFrog)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S1 tstjmpom; \??\C:\Windows\system32\drivers\tstjmpom.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-01-14 17:30 - 2014-01-14 17:30 - 00001895 _____ C:\Users\Daphne\Desktop\1.txt
2014-01-14 17:21 - 2014-01-14 17:21 - 00000000 ____D C:\Users\Daphne\AppData\Local\{EA731C6E-3C4D-4788-B8F9-E488ACF7AF87}
2014-01-11 08:18 - 2014-01-11 08:18 - 00024449 _____ C:\Users\Daphne\Desktop\DDS1.txt
2014-01-11 08:17 - 2014-01-11 08:18 - 00013257 _____ C:\Users\Daphne\Desktop\attach.txt
2014-01-11 08:17 - 2014-01-11 08:17 - 00024449 _____ C:\Users\Daphne\Desktop\dds.txt
2014-01-11 08:12 - 2014-01-11 08:12 - 00688992 ____R (Swearware) C:\Users\Daphne\Desktop\dds.com
2014-01-11 08:06 - 2014-01-11 08:06 - 00000000 ____D C:\Users\Daphne\AppData\Local\{C3633021-0D4E-4C30-8A2C-0F57686860B3}
2014-01-10 20:22 - 2014-01-10 20:22 - 00037376 _____ C:\Windows\System32\vccd.jfs
2014-01-10 20:12 - 2014-01-14 17:20 - 00000080 _____ C:\Windows\System32\fawtgg.uxx
2014-01-10 20:12 - 2014-01-10 20:22 - 00000097 _____ C:\Windows\System32\rouj.wvc
2014-01-10 20:12 - 2014-01-10 20:12 - 00000064 _____ C:\Windows\System32\hvydzpb.oxu
2014-01-10 15:36 - 2014-01-10 15:36 - 00219314 ____S C:\Windows\System32\xxrgpgn.kef
2014-01-10 14:35 - 2014-01-10 14:35 - 00000000 ____D C:\Users\Daphne\AppData\Local\{8A391C90-A05B-4378-86AE-1B2A0311EA85}
2014-01-09 17:13 - 2014-01-09 17:13 - 00000000 ____D C:\Users\Daphne\AppData\Local\{A8ABC305-A468-47A5-95FF-310742333BB0}
2014-01-08 20:28 - 2014-01-08 20:28 - 00000000 ____D C:\Users\Daphne\AppData\Local\{B5851D83-F777-4516-8115-462025B1F518}
2014-01-06 22:40 - 2014-01-06 22:40 - 00000000 ____D C:\Users\Daphne\AppData\Local\{49CADE3A-EFB7-4C4D-AD09-5BCD83EE9091}
2014-01-04 20:27 - 2014-01-04 20:27 - 00000000 ____D C:\Users\Daphne\AppData\Local\{8D397F5E-6DD0-4757-840C-4A167AA0EB0E}
2014-01-03 20:31 - 2014-01-03 20:32 - 00000000 ____D C:\Users\Daphne\AppData\Local\{CB88B72A-AF62-49B2-AE05-986A30E7BD5C}
2014-01-02 18:31 - 2014-01-02 18:31 - 00000000 ____D C:\Users\Daphne\AppData\Local\{0B634392-097F-41C6-8295-9EF4FCDCC76A}
2014-01-01 23:39 - 2014-01-01 23:40 - 00000000 ____D C:\Users\Daphne\AppData\Local\{9E531112-A376-4261-B2DA-A39089F39C9C}
2013-12-31 12:26 - 2013-12-31 12:26 - 00000000 ____D C:\Users\Daphne\AppData\Local\{D59B6B98-7830-4419-8EDE-047C78561755}
2013-12-30 08:47 - 2013-12-30 08:47 - 00000000 ____D C:\Users\Daphne\AppData\Local\{AF9CAFC2-9E6B-476E-8B5B-55AA9B6B6E24}
2013-12-29 18:26 - 2013-12-29 18:27 - 00000000 ____D C:\Users\Daphne\AppData\Local\{3DF14CAB-A065-4326-BE68-9A08FD15C73F}
2013-12-28 22:51 - 2013-12-28 22:51 - 00000000 ____D C:\Users\Daphne\AppData\Local\{0E987C0F-72F8-4FF4-933C-BDA1AE760C45}
2013-12-26 22:11 - 2013-12-26 22:11 - 00001785 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-12-26 22:11 - 2013-12-26 22:11 - 00001785 _____ C:\ProgramData\Desktop\iTunes.lnk
2013-12-26 22:10 - 2013-12-26 22:11 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-12-26 22:10 - 2013-12-26 22:11 - 00000000 ____D C:\Program Files\iTunes
2013-12-26 22:10 - 2013-12-26 22:11 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-12-26 22:10 - 2013-12-26 22:10 - 00000000 ____D C:\Program Files\iPod
2013-12-26 19:40 - 2013-12-26 19:41 - 00000000 ____D C:\Users\Daphne\AppData\Local\{0329234A-1C70-4F7E-8D8C-2EFDE9C3DFB4}
2013-12-25 22:05 - 2013-12-25 22:05 - 00000000 ____D C:\Users\Daphne\AppData\Local\{09E82228-C1C2-44E3-99E9-8C595AB3002E}
2013-12-24 16:58 - 2013-12-24 16:59 - 00000000 ____D C:\Users\Daphne\AppData\Local\{6D00C3A8-6254-4923-9B7B-C552AEAE1EDA}
2013-12-23 14:58 - 2013-12-23 14:58 - 00000000 ____D C:\Users\Daphne\AppData\Local\{9D3068C0-5F77-49AF-BA09-4BB76EB18DBE}
2013-12-22 14:58 - 2013-12-22 14:59 - 00000000 ____D C:\Users\Daphne\AppData\Local\{55C7C4F1-11B1-4EEC-86C7-3C62429CE821}
2013-12-21 20:02 - 2013-12-21 20:02 - 00000000 ____D C:\Users\Daphne\Documents\OneNote Notebooks
2013-12-21 15:52 - 2013-12-21 15:52 - 00000000 ____D C:\Users\Daphne\AppData\Local\{57D5CB76-B77A-4A20-9550-41FBC5B10944}
2013-12-21 15:13 - 2013-12-21 15:13 - 00000000 ____D C:\Users\Daphne\AppData\Local\{8E0BE4E4-A86B-47EA-AFEF-39BC36C0B0C1}
2013-12-19 12:25 - 2013-12-19 12:25 - 00000000 ____D C:\Users\Daphne\AppData\Local\{CB375F30-12B4-488E-970C-8C16F1EC1AEA}
2013-12-18 16:14 - 2013-12-18 16:14 - 00000000 ____D C:\Users\Daphne\AppData\Local\{69E8312C-3D62-47C3-B806-5FF3B952C1F2}
2013-12-17 13:58 - 2013-12-17 13:58 - 00000000 ____D C:\Users\Daphne\AppData\Local\{22F5D203-F052-4B17-9046-DF4444FBD252}
2013-12-16 22:44 - 2013-12-16 22:44 - 00000000 ____D C:\Users\Daphne\AppData\Local\{10D31E75-1A0F-49AD-AC33-9E79FCF061C2}
2013-12-15 18:36 - 2013-12-15 18:37 - 00000000 ____D C:\Users\Daphne\AppData\Local\{BEF2A93F-2AD9-4A46-A33F-ADEB034D9B05}

==================== One Month Modified Files and Folders =======

2014-01-14 17:31 - 2010-09-06 08:37 - 63373574 _____ C:\dlcc.log
2014-01-14 17:31 - 2009-07-13 23:10 - 01154399 _____ C:\Windows\WindowsUpdate.log
2014-01-14 17:31 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-14 17:31 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-14 17:30 - 2014-01-14 17:30 - 00001895 _____ C:\Users\Daphne\Desktop\1.txt
2014-01-14 17:29 - 2009-07-13 23:13 - 00780006 _____ C:\Windows\System32\PerfStringBackup.INI
2014-01-14 17:27 - 2013-10-30 13:25 - 00004982 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for Daphne-PC-Daphne Daphne-PC
2014-01-14 17:27 - 2012-12-25 07:16 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-14 17:26 - 2011-06-07 19:49 - 00003934 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{D316BD78-B617-46B0-909C-3AD3ECFAB365}
2014-01-14 17:23 - 2013-10-24 19:36 - 00000000 ____D C:\Users\Daphne\AppData\Local\gladinet
2014-01-14 17:21 - 2014-01-14 17:21 - 00000000 ____D C:\Users\Daphne\AppData\Local\{EA731C6E-3C4D-4788-B8F9-E488ACF7AF87}
2014-01-14 17:21 - 2011-07-05 16:09 - 00000000 ____D C:\Users\Daphne\AppData\Local\Windows Live
2014-01-14 17:21 - 2010-10-14 17:56 - 00000000 ____D C:\Users\Daphne\Tracing
2014-01-14 17:20 - 2014-01-10 20:12 - 00000080 _____ C:\Windows\System32\fawtgg.uxx
2014-01-14 17:20 - 2011-04-13 14:00 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-14 17:20 - 2010-09-04 07:56 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2014-01-14 17:20 - 2010-09-04 07:56 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2014-01-14 17:20 - 2010-08-25 20:23 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2014-01-14 17:20 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-14 17:20 - 2009-07-13 22:51 - 00187415 _____ C:\Windows\setupact.log
2014-01-11 08:18 - 2014-01-11 08:18 - 00024449 _____ C:\Users\Daphne\Desktop\DDS1.txt
2014-01-11 08:18 - 2014-01-11 08:17 - 00013257 _____ C:\Users\Daphne\Desktop\attach.txt
2014-01-11 08:17 - 2014-01-11 08:17 - 00024449 _____ C:\Users\Daphne\Desktop\dds.txt
2014-01-11 08:12 - 2014-01-11 08:12 - 00688992 ____R (Swearware) C:\Users\Daphne\Desktop\dds.com
2014-01-11 08:06 - 2014-01-11 08:06 - 00000000 ____D C:\Users\Daphne\AppData\Local\{C3633021-0D4E-4C30-8A2C-0F57686860B3}
2014-01-10 21:41 - 2011-04-13 14:00 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-10 21:33 - 2011-01-14 21:22 - 00000000 ____D C:\Users\Daphne\AppData\Roaming\SoftGrid Client
2014-01-10 20:34 - 2010-11-20 16:50 - 00000000 ____D C:\Users\Daphne\AppData\Roaming\Skype
2014-01-10 20:22 - 2014-01-10 20:22 - 00037376 _____ C:\Windows\System32\vccd.jfs
2014-01-10 20:22 - 2014-01-10 20:12 - 00000097 _____ C:\Windows\System32\rouj.wvc
2014-01-10 20:12 - 2014-01-10 20:12 - 00000064 _____ C:\Windows\System32\hvydzpb.oxu
2014-01-10 15:36 - 2014-01-10 15:36 - 00219314 ____S C:\Windows\System32\xxrgpgn.kef
2014-01-10 14:35 - 2014-01-10 14:35 - 00000000 ____D C:\Users\Daphne\AppData\Local\{8A391C90-A05B-4378-86AE-1B2A0311EA85}
2014-01-09 17:13 - 2014-01-09 17:13 - 00000000 ____D C:\Users\Daphne\AppData\Local\{A8ABC305-A468-47A5-95FF-310742333BB0}
2014-01-08 20:28 - 2014-01-08 20:28 - 00000000 ____D C:\Users\Daphne\AppData\Local\{B5851D83-F777-4516-8115-462025B1F518}
2014-01-06 22:40 - 2014-01-06 22:40 - 00000000 ____D C:\Users\Daphne\AppData\Local\{49CADE3A-EFB7-4C4D-AD09-5BCD83EE9091}
2014-01-04 20:27 - 2014-01-04 20:27 - 00000000 ____D C:\Users\Daphne\AppData\Local\{8D397F5E-6DD0-4757-840C-4A167AA0EB0E}
2014-01-03 20:32 - 2014-01-03 20:31 - 00000000 ____D C:\Users\Daphne\AppData\Local\{CB88B72A-AF62-49B2-AE05-986A30E7BD5C}
2014-01-03 20:30 - 2010-09-06 09:03 - 00000000 ____D C:\Program Files\Dl_cats
2014-01-02 18:31 - 2014-01-02 18:31 - 00000000 ____D C:\Users\Daphne\AppData\Local\{0B634392-097F-41C6-8295-9EF4FCDCC76A}
2014-01-01 23:40 - 2014-01-01 23:39 - 00000000 ____D C:\Users\Daphne\AppData\Local\{9E531112-A376-4261-B2DA-A39089F39C9C}
2013-12-31 12:26 - 2013-12-31 12:26 - 00000000 ____D C:\Users\Daphne\AppData\Local\{D59B6B98-7830-4419-8EDE-047C78561755}
2013-12-30 08:47 - 2013-12-30 08:47 - 00000000 ____D C:\Users\Daphne\AppData\Local\{AF9CAFC2-9E6B-476E-8B5B-55AA9B6B6E24}
2013-12-29 18:27 - 2013-12-29 18:26 - 00000000 ____D C:\Users\Daphne\AppData\Local\{3DF14CAB-A065-4326-BE68-9A08FD15C73F}
2013-12-28 22:51 - 2013-12-28 22:51 - 00000000 ____D C:\Users\Daphne\AppData\Local\{0E987C0F-72F8-4FF4-933C-BDA1AE760C45}
2013-12-26 22:50 - 2011-01-28 21:13 - 00000000 ____D C:\Users\Daphne\AppData\Roaming\Apple Computer
2013-12-26 22:46 - 2011-01-28 21:13 - 00000000 ____D C:\Users\Daphne\AppData\Local\Apple Computer
2013-12-26 22:11 - 2013-12-26 22:11 - 00001785 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-12-26 22:11 - 2013-12-26 22:11 - 00001785 _____ C:\ProgramData\Desktop\iTunes.lnk
2013-12-26 22:11 - 2013-12-26 22:10 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-12-26 22:11 - 2013-12-26 22:10 - 00000000 ____D C:\Program Files\iTunes
2013-12-26 22:11 - 2013-12-26 22:10 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-12-26 22:10 - 2013-12-26 22:10 - 00000000 ____D C:\Program Files\iPod
2013-12-26 19:41 - 2013-12-26 19:40 - 00000000 ____D C:\Users\Daphne\AppData\Local\{0329234A-1C70-4F7E-8D8C-2EFDE9C3DFB4}
2013-12-25 22:05 - 2013-12-25 22:05 - 00000000 ____D C:\Users\Daphne\AppData\Local\{09E82228-C1C2-44E3-99E9-8C595AB3002E}
2013-12-24 16:59 - 2013-12-24 16:58 - 00000000 ____D C:\Users\Daphne\AppData\Local\{6D00C3A8-6254-4923-9B7B-C552AEAE1EDA}
2013-12-23 14:58 - 2013-12-23 14:58 - 00000000 ____D C:\Users\Daphne\AppData\Local\{9D3068C0-5F77-49AF-BA09-4BB76EB18DBE}
2013-12-22 14:59 - 2013-12-22 14:58 - 00000000 ____D C:\Users\Daphne\AppData\Local\{55C7C4F1-11B1-4EEC-86C7-3C62429CE821}
2013-12-21 20:02 - 2013-12-21 20:02 - 00000000 ____D C:\Users\Daphne\Documents\OneNote Notebooks
2013-12-21 15:52 - 2013-12-21 15:52 - 00000000 ____D C:\Users\Daphne\AppData\Local\{57D5CB76-B77A-4A20-9550-41FBC5B10944}
2013-12-21 15:13 - 2013-12-21 15:13 - 00000000 ____D C:\Users\Daphne\AppData\Local\{8E0BE4E4-A86B-47EA-AFEF-39BC36C0B0C1}
2013-12-19 12:25 - 2013-12-19 12:25 - 00000000 ____D C:\Users\Daphne\AppData\Local\{CB375F30-12B4-488E-970C-8C16F1EC1AEA}
2013-12-18 16:14 - 2013-12-18 16:14 - 00000000 ____D C:\Users\Daphne\AppData\Local\{69E8312C-3D62-47C3-B806-5FF3B952C1F2}
2013-12-17 13:58 - 2013-12-17 13:58 - 00000000 ____D C:\Users\Daphne\AppData\Local\{22F5D203-F052-4B17-9046-DF4444FBD252}
2013-12-16 22:44 - 2013-12-16 22:44 - 00000000 ____D C:\Users\Daphne\AppData\Local\{10D31E75-1A0F-49AD-AC33-9E79FCF061C2}
2013-12-15 18:37 - 2013-12-15 18:36 - 00000000 ____D C:\Users\Daphne\AppData\Local\{BEF2A93F-2AD9-4A46-A33F-ADEB034D9B05}
ZeroAccess:
C:\Users\Daphne\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install

Some content of TEMP:
====================
C:\Users\Daphne\AppData\Local\Temp\dlm1AnotherRegister.exe
C:\Users\Daphne\AppData\Local\Temp\ezGameXN.dll
C:\Users\Daphne\AppData\Local\Temp\GameXNGO.exe
C:\Users\Daphne\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Daphne\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Daphne\AppData\Local\Temp\Refresh.exe
C:\Users\Daphne\AppData\Local\Temp\tempmessage.bfg

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0510464 ____A (Microsoft Corporation) 4A6FBA0B8E139C1E9DD05A37939EBCC3

ATTENTION ======> If the system is having audio adware, rpcss.dll is patched. Google the MD5; if the MD5 is unique, the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-11-22 16:05:00
Restore point made on: 2013-11-25 19:24:40
Restore point made on: 2013-11-29 19:31:09
Restore point made on: 2013-12-04 11:34:30
Restore point made on: 2013-12-08 08:11:04
Restore point made on: 2013-12-11 20:38:25
Restore point made on: 2013-12-11 21:46:41
Restore point made on: 2013-12-14 21:32:58
Restore point made on: 2013-12-18 16:24:47
Restore point made on: 2013-12-21 21:00:02
Restore point made on: 2013-12-25 22:15:30
Restore point made on: 2013-12-26 22:05:32
Restore point made on: 2013-12-26 22:36:03
Restore point made on: 2013-12-28 23:01:18
Restore point made on: 2014-01-01 23:50:12
Restore point made on: 2014-01-06 22:50:58
Restore point made on: 2014-01-10 14:45:59
Restore point made on: 2014-01-10 20:46:15

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 2932.52 MB
Available physical RAM: 2329 MB
Total Pagefile: 2930.67 MB
Available Pagefile: 2363.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:283.34 GB) (Free:209.45 GB) NTFS
Drive e: () (Removable) (Total:1.97 GB) (Free:1.41 GB) FAT
Drive f: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:4.24 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: F6996217)
Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=283 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 00238591)
Partition 1: (Active) - (Size=2 GB) - (Type=06)

LastRegBack: 2014-01-09 19:55

==================== End Of Log ============================

Search.txt

Farbar Recovery Scan Tool (x64) Version: 15-01-2014
Ran by SYSTEM at 2014-01-14 17:42:57
Running from E:\
Boot Mode: Recovery

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0510464 ____A (Microsoft Corporation) 4A6FBA0B8E139C1E9DD05A37939EBCC3

X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\System32\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

====== End Of Search ======
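The log above shows the three persistence tricks that make this ZeroAccess variant awkward to remove by hand: a service whose name is a legitimate one spelled backwards (etadpug is gupdate reversed), a service path containing components made of whitespace, dots and `?` that normal Win32 path parsing rejects (so Explorer and many tools cannot open or delete the directory, which is why FRST is run from the Recovery Environment), and Run/driver entries whose target file FRST marks `[x]` as missing. As an added example, not part of this thread or of FRST itself, here is a small Python audit that looks for exactly those indicators in FRST Run, Services and Drivers lines. The sample lines are copied from the log above; the list of legitimate names used for the reversed-name check (gupdate and gupdatem, the Google Update service names) is the example's own assumption.

```python
import re

# Constructed sample input: five lines copied from the FRST log posted above.
# SynTPEnh and MsMpSvc are benign; the other three are entries the fixlist removes.
SAMPLE_LINES = [
    r"HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)",
    r"HKU\Daphne\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)",
    r'S4 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\   \...\???\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)',
    r"S1 tstjmpom; \??\C:\Windows\system32\drivers\tstjmpom.sys [x]",
    r"S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)",
]

# FRST line shapes: "HKxx\...\Run: [name] - rest" and "S2 name; rest" (services and drivers).
RUN_RE = re.compile(r"^HK\S*\\Run(?:Once)?: \[(?P<name>[^\]]*)\] - (?P<rest>.*)$")
SERVICE_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<rest>.*)$")

# Assumption for this example: legitimate service names that malware has been seen to reverse.
LEGIT_NAMES = {"gupdate", "gupdatem"}


def strip_annotation(rest):
    """Drop FRST's trailing '<==== ATTENTION ...' marker so it does not hide the real suffix."""
    return rest.split("<=", 1)[0].rstrip(" <")


def extract_path(rest):
    """Pull the file path out of the remainder of an FRST line."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    # Cut off FRST's trailing "[size date] (vendor)" annotation.
    return rest.split(" [", 1)[0].strip()


def path_anomalies(path):
    """Return reasons why a path looks deliberately unopenable through the Win32 namespace."""
    reasons = []
    if path.startswith("\\??\\"):  # legitimate NT object-manager prefix on driver paths
        path = path[4:]
    for comp in path.split("\\"):
        if comp and not comp.strip():
            reasons.append("whitespace-only path component")
        elif len(comp) > 2 and set(comp) == {"."}:
            reasons.append("dots-only path component %r" % comp)
        elif "?" in comp:
            reasons.append("wildcard character in path component %r" % comp)
    return reasons


def audit_line(line):
    """Classify one FRST Run/Service/Driver line; return (name, reasons) or None if not parseable."""
    m = RUN_RE.match(line) or SERVICE_RE.match(line)
    if not m:
        return None
    name, rest = m.group("name"), strip_annotation(m.group("rest"))
    reasons = []
    if rest.rstrip().lower().endswith("[x]"):
        reasons.append("registered but target file missing")
    reversed_name = name.lstrip("*")[::-1].lower()
    if reversed_name in LEGIT_NAMES:
        reasons.append("service name is a reversed legitimate name (%s)" % reversed_name)
    reasons += path_anomalies(extract_path(rest))
    return name, reasons


def audit(lines):
    """Return {entry name: [reasons]} for every line carrying at least one indicator."""
    findings = {}
    for line in lines:
        result = audit_line(line)
        if result and result[1]:
            findings[result[0]] = result[1]
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_LINES).items():
        print(name, "->", "; ".join(reasons))
```

Run against the sample, the two legitimate entries come back clean, the orphaned driver is reported only as missing, and the `*etadpug` service collects four reasons at once, which is a much stronger signal than any single one. The missing-file check is deliberately weak on its own: the `[X]` GoToAssist Winlogon entry in the same log is just a leftover from an uninstalled product.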



#5 seedy21

  • Malware Response Team
  • 742 posts
  • Location:West Yorkshire, UK

Posted 15 January 2014 - 02:32 PM

Hello jchico

Step 1

Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it on the flashdrive as fixlist.txt

HKU\Daphne\...\Run: [Google Update*] - 
S4 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\   \...\???\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Program Files (x86)\Google\Desktop\Install\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\   \...\???\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\GoogleUpdate.exe
S1 tstjmpom; \??\C:\Windows\system32\drivers\tstjmpom.sys 
C:\Windows\system32\drivers\tstjmpom.sys
C:\Windows\System32\vccd.jfs
C:\Windows\System32\fawtgg.uxx
C:\Windows\System32\rouj.wvc
C:\Windows\System32\hvydzpb.oxu
C:\Windows\System32\xxrgpgn.kef
C:\Users\Daphne\AppData\Local\{EA731C6E-3C4D-4788-B8F9-E488ACF7AF87}
C:\Users\Daphne\AppData\Local\{C3633021-0D4E-4C30-8A2C-0F57686860B3}
C:\Users\Daphne\AppData\Local\{8A391C90-A05B-4378-86AE-1B2A0311EA85}
C:\Users\Daphne\AppData\Local\{A8ABC305-A468-47A5-95FF-310742333BB0}
C:\Users\Daphne\AppData\Local\{B5851D83-F777-4516-8115-462025B1F518}
C:\Users\Daphne\AppData\Local\{49CADE3A-EFB7-4C4D-AD09-5BCD83EE9091}
C:\Users\Daphne\AppData\Local\{8D397F5E-6DD0-4757-840C-4A167AA0EB0E}
C:\Users\Daphne\AppData\Local\{CB88B72A-AF62-49B2-AE05-986A30E7BD5C}
C:\Users\Daphne\AppData\Local\{0B634392-097F-41C6-8295-9EF4FCDCC76A}
C:\Users\Daphne\AppData\Local\{9E531112-A376-4261-B2DA-A39089F39C9C}
C:\Users\Daphne\AppData\Local\{D59B6B98-7830-4419-8EDE-047C78561755}
C:\Users\Daphne\AppData\Local\{AF9CAFC2-9E6B-476E-8B5B-55AA9B6B6E24}
C:\Users\Daphne\AppData\Local\{3DF14CAB-A065-4326-BE68-9A08FD15C73F}
C:\Users\Daphne\AppData\Local\{0E987C0F-72F8-4FF4-933C-BDA1AE760C45}
C:\Users\Daphne\AppData\Local\{0329234A-1C70-4F7E-8D8C-2EFDE9C3DFB4}
C:\Users\Daphne\AppData\Local\{09E82228-C1C2-44E3-99E9-8C595AB3002E}
C:\Users\Daphne\AppData\Local\{6D00C3A8-6254-4923-9B7B-C552AEAE1EDA}
C:\Users\Daphne\AppData\Local\{9D3068C0-5F77-49AF-BA09-4BB76EB18DBE}
C:\Users\Daphne\AppData\Local\{55C7C4F1-11B1-4EEC-86C7-3C62429CE821}
C:\Users\Daphne\AppData\Local\{57D5CB76-B77A-4A20-9550-41FBC5B10944}
C:\Users\Daphne\AppData\Local\{8E0BE4E4-A86B-47EA-AFEF-39BC36C0B0C1}
C:\Users\Daphne\AppData\Local\{CB375F30-12B4-488E-970C-8C16F1EC1AEA}
C:\Users\Daphne\AppData\Local\{69E8312C-3D62-47C3-B806-5FF3B952C1F2}
C:\Users\Daphne\AppData\Local\{22F5D203-F052-4B17-9046-DF4444FBD252}
C:\Users\Daphne\AppData\Local\{10D31E75-1A0F-49AD-AC33-9E79FCF061C2} 
C:\Users\Daphne\AppData\Local\{BEF2A93F-2AD9-4A46-A33F-ADEB034D9B05}
C:\Users\Daphne\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\Daphne\AppData\Local\Temp\dlm1AnotherRegister.exe
C:\Users\Daphne\AppData\Local\Temp\ezGameXN.dll
C:\Users\Daphne\AppData\Local\Temp\GameXNGO.exe
C:\Users\Daphne\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Daphne\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Daphne\AppData\Local\Temp\Refresh.exe
C:\Users\Daphne\AppData\Local\Temp\tempmessage.bfg
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll


NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Step 2

1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/
2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the Update completes, select Next

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If any infections are found, the "Cleanup" button to remove threats will be available. A list of infected files will be shown, like the following example:

MBAntiRKclean.png

11. Do not select the "Clean up" button; select the "Exit" button. There will be a warning as follows:

MBAntiRKclean1.png

12. Select "Yes" to close down the program. If NO infections were found you will see the following image:

Image6.png

13. Select "Exit" to close down.
14. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log   Date and time of scan will also be shown

Image10.png


Post those two logs in your reply.

Edited by seedy21, 15 January 2014 - 02:33 PM.

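The Bamital check in the FRST log prints the MD5 of C:\Windows\System32\rpcss.dll and suggests Googling it; the Search.txt output gives a better reference point, the pristine copy in the WinSxS component store. The component directory name carries version 6.1.7600.16385, the same RTM build this 7600 system is running, so the two copies should be byte-identical. They are not: System32 holds 510464 bytes with a different MD5, while the WinPE X: drive's System32 and WinSxS copies agree, and seedy21's `Replace:` directive simply copies the WinSxS file back over the patched one. As an added example, not part of the thread or of FRST, here is a Python parser for the FRST Search block that performs that comparison for every drive in the output. The sample text is the Search.txt block from the post above. One caveat a practitioner should keep: a mismatch only means "patched" when the WinSxS copy is the version the OS is supposed to run; after a later hotfix the System32 file can legitimately be newer than an older component-store copy, so compare the version in the WinSxS directory name against the installed build before acting.

```python
import re

# Constructed sample input: the "Search: rpcss.dll" block copied from the Search.txt above.
SEARCH_TXT = r"""
================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0510464 ____A (Microsoft Corporation) 4A6FBA0B8E139C1E9DD05A37939EBCC3

X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\System32\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

====== End Of Search ======
"""

# FRST detail line: "[created] - [modified] - size attrs (vendor) MD5"
DETAIL_RE = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - (?P<size>\d+) (?P<attrs>\S+) \((?P<vendor>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search(text):
    """Parse an FRST Search block into a list of (path, size, md5) tuples."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):
            pending = line           # a path line; its detail line follows
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            records.append((pending, int(m.group("size")), m.group("md5").upper()))
            pending = None
    return records


def compare_to_component_store(records):
    """For each drive, compare the System32 copy against the WinSxS copies of the same file.

    Returns {drive letter: verdict string}. A System32 copy whose MD5 matches no
    WinSxS copy on the same drive is reported as DIFFERS with both sizes.
    """
    by_drive = {}
    for path, size, md5 in records:
        drive = path[0].upper()
        low = path.lower()
        bucket = by_drive.setdefault(drive, {"system32": None, "winsxs": []})
        if "\\winsxs\\" in low:
            bucket["winsxs"].append((size, md5))
        elif "\\windows\\system32\\" in low:
            bucket["system32"] = (size, md5)

    verdicts = {}
    for drive, b in by_drive.items():
        if b["system32"] is None:
            continue
        size, md5 = b["system32"]
        if not b["winsxs"]:
            verdicts[drive] = "no winsxs copy"
        elif any(md5 == w_md5 for _, w_md5 in b["winsxs"]):
            verdicts[drive] = "matches winsxs"
        else:
            verdicts[drive] = "DIFFERS from winsxs (size %d vs %d)" % (size, b["winsxs"][0][0])
    return verdicts


if __name__ == "__main__":
    for drive, verdict in sorted(compare_to_component_store(parse_search(SEARCH_TXT)).items()):
        print(drive + ":", verdict)
```

On the data above this prints `C: DIFFERS from winsxs (size 510464 vs 509440)` and `X: matches winsxs`. The same parser works on any FRST `Search:` output, so the check can be repeated for other frequently patched service DLLs without depending on a third-party hash lookup.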


#6 jchico

  • Topic Starter
  • Members
  • 108 posts

Posted 15 January 2014 - 10:25 PM

Hi Seedy....here are the logs! Thanks for your detailed instructions -

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-01-2014
Ran by SYSTEM at 2014-01-15 18:37:14 Run:3
Running from E:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKU\Daphne\...\Run: [Google Update*] -
S4 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\   \...\???\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Program Files (x86)\Google\Desktop\Install\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\   \...\???\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\GoogleUpdate.exe
S1 tstjmpom; \??\C:\Windows\system32\drivers\tstjmpom.sys
C:\Windows\system32\drivers\tstjmpom.sys
C:\Windows\System32\vccd.jfs
C:\Windows\System32\fawtgg.uxx
C:\Windows\System32\rouj.wvc
C:\Windows\System32\hvydzpb.oxu
C:\Windows\System32\xxrgpgn.kef
C:\Users\Daphne\AppData\Local\{EA731C6E-3C4D-4788-B8F9-E488ACF7AF87}
C:\Users\Daphne\AppData\Local\{C3633021-0D4E-4C30-8A2C-0F57686860B3}
C:\Users\Daphne\AppData\Local\{8A391C90-A05B-4378-86AE-1B2A0311EA85}
C:\Users\Daphne\AppData\Local\{A8ABC305-A468-47A5-95FF-310742333BB0}
C:\Users\Daphne\AppData\Local\{B5851D83-F777-4516-8115-462025B1F518}
C:\Users\Daphne\AppData\Local\{49CADE3A-EFB7-4C4D-AD09-5BCD83EE9091}
C:\Users\Daphne\AppData\Local\{8D397F5E-6DD0-4757-840C-4A167AA0EB0E}
C:\Users\Daphne\AppData\Local\{CB88B72A-AF62-49B2-AE05-986A30E7BD5C}
C:\Users\Daphne\AppData\Local\{0B634392-097F-41C6-8295-9EF4FCDCC76A}
C:\Users\Daphne\AppData\Local\{9E531112-A376-4261-B2DA-A39089F39C9C}
C:\Users\Daphne\AppData\Local\{D59B6B98-7830-4419-8EDE-047C78561755}
C:\Users\Daphne\AppData\Local\{AF9CAFC2-9E6B-476E-8B5B-55AA9B6B6E24}
C:\Users\Daphne\AppData\Local\{3DF14CAB-A065-4326-BE68-9A08FD15C73F}
C:\Users\Daphne\AppData\Local\{0E987C0F-72F8-4FF4-933C-BDA1AE760C45}
C:\Users\Daphne\AppData\Local\{0329234A-1C70-4F7E-8D8C-2EFDE9C3DFB4}
C:\Users\Daphne\AppData\Local\{09E82228-C1C2-44E3-99E9-8C595AB3002E}
C:\Users\Daphne\AppData\Local\{6D00C3A8-6254-4923-9B7B-C552AEAE1EDA}
C:\Users\Daphne\AppData\Local\{9D3068C0-5F77-49AF-BA09-4BB76EB18DBE}
C:\Users\Daphne\AppData\Local\{55C7C4F1-11B1-4EEC-86C7-3C62429CE821}
C:\Users\Daphne\AppData\Local\{57D5CB76-B77A-4A20-9550-41FBC5B10944}
C:\Users\Daphne\AppData\Local\{8E0BE4E4-A86B-47EA-AFEF-39BC36C0B0C1}
C:\Users\Daphne\AppData\Local\{CB375F30-12B4-488E-970C-8C16F1EC1AEA}
C:\Users\Daphne\AppData\Local\{69E8312C-3D62-47C3-B806-5FF3B952C1F2}
C:\Users\Daphne\AppData\Local\{22F5D203-F052-4B17-9046-DF4444FBD252}
C:\Users\Daphne\AppData\Local\{10D31E75-1A0F-49AD-AC33-9E79FCF061C2}
C:\Users\Daphne\AppData\Local\{BEF2A93F-2AD9-4A46-A33F-ADEB034D9B05}
C:\Users\Daphne\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\Daphne\AppData\Local\Temp\dlm1AnotherRegister.exe
C:\Users\Daphne\AppData\Local\Temp\ezGameXN.dll
C:\Users\Daphne\AppData\Local\Temp\GameXNGO.exe
C:\Users\Daphne\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\Daphne\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Daphne\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Daphne\AppData\Local\Temp\Refresh.exe
C:\Users\Daphne\AppData\Local\Temp\tempmessage.bfg
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll

*****************

HKU\Daphne\Software\Microsoft\Windows\CurrentVersion\Run\\HKU\Daphne\...\Run: [Google Update*] - => Value deleted successfully.
*etadpug => Service deleted successfully.
"C:\Program Files (x86)\Google\Desktop\Install\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\   \...\???\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\GoogleUpdate.exe" => File/Directory not found.
tstjmpom => Service deleted successfully.
"C:\Windows\system32\drivers\tstjmpom.sys" => File/Directory not found.
C:\Windows\System32\vccd.jfs => Moved successfully.
C:\Windows\System32\fawtgg.uxx => Moved successfully.
C:\Windows\System32\rouj.wvc => Moved successfully.
C:\Windows\System32\hvydzpb.oxu => Moved successfully.
C:\Windows\System32\xxrgpgn.kef => Moved successfully.
C:\Users\Daphne\AppData\Local\{EA731C6E-3C4D-4788-B8F9-E488ACF7AF87} => Moved successfully.
C:\Users\Daphne\AppData\Local\{C3633021-0D4E-4C30-8A2C-0F57686860B3} => Moved successfully.
C:\Users\Daphne\AppData\Local\{8A391C90-A05B-4378-86AE-1B2A0311EA85} => Moved successfully.
C:\Users\Daphne\AppData\Local\{A8ABC305-A468-47A5-95FF-310742333BB0} => Moved successfully.
C:\Users\Daphne\AppData\Local\{B5851D83-F777-4516-8115-462025B1F518} => Moved successfully.
C:\Users\Daphne\AppData\Local\{49CADE3A-EFB7-4C4D-AD09-5BCD83EE9091} => Moved successfully.
C:\Users\Daphne\AppData\Local\{8D397F5E-6DD0-4757-840C-4A167AA0EB0E} => Moved successfully.
C:\Users\Daphne\AppData\Local\{CB88B72A-AF62-49B2-AE05-986A30E7BD5C} => Moved successfully.
C:\Users\Daphne\AppData\Local\{0B634392-097F-41C6-8295-9EF4FCDCC76A} => Moved successfully.
C:\Users\Daphne\AppData\Local\{9E531112-A376-4261-B2DA-A39089F39C9C} => Moved successfully.
C:\Users\Daphne\AppData\Local\{D59B6B98-7830-4419-8EDE-047C78561755} => Moved successfully.
C:\Users\Daphne\AppData\Local\{AF9CAFC2-9E6B-476E-8B5B-55AA9B6B6E24} => Moved successfully.
C:\Users\Daphne\AppData\Local\{3DF14CAB-A065-4326-BE68-9A08FD15C73F} => Moved successfully.
C:\Users\Daphne\AppData\Local\{0E987C0F-72F8-4FF4-933C-BDA1AE760C45} => Moved successfully.
C:\Users\Daphne\AppData\Local\{0329234A-1C70-4F7E-8D8C-2EFDE9C3DFB4} => Moved successfully.
C:\Users\Daphne\AppData\Local\{09E82228-C1C2-44E3-99E9-8C595AB3002E} => Moved successfully.
C:\Users\Daphne\AppData\Local\{6D00C3A8-6254-4923-9B7B-C552AEAE1EDA} => Moved successfully.
C:\Users\Daphne\AppData\Local\{9D3068C0-5F77-49AF-BA09-4BB76EB18DBE} => Moved successfully.
C:\Users\Daphne\AppData\Local\{55C7C4F1-11B1-4EEC-86C7-3C62429CE821} => Moved successfully.
C:\Users\Daphne\AppData\Local\{57D5CB76-B77A-4A20-9550-41FBC5B10944} => Moved successfully.
C:\Users\Daphne\AppData\Local\{8E0BE4E4-A86B-47EA-AFEF-39BC36C0B0C1} => Moved successfully.
C:\Users\Daphne\AppData\Local\{CB375F30-12B4-488E-970C-8C16F1EC1AEA} => Moved successfully.
C:\Users\Daphne\AppData\Local\{69E8312C-3D62-47C3-B806-5FF3B952C1F2} => Moved successfully.
C:\Users\Daphne\AppData\Local\{22F5D203-F052-4B17-9046-DF4444FBD252} => Moved successfully.
C:\Users\Daphne\AppData\Local\{10D31E75-1A0F-49AD-AC33-9E79FCF061C2} => Moved successfully.
C:\Users\Daphne\AppData\Local\{BEF2A93F-2AD9-4A46-A33F-ADEB034D9B05} => Moved successfully.
C:\Users\Daphne\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Program Files (x86)\Google\Desktop\Install => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\dlm1AnotherRegister.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\ezGameXN.dll => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\GameXNGO.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\OfficeSetup.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\Refresh.exe => Moved successfully.
C:\Users\Daphne\AppData\Local\Temp\tempmessage.bfg => Moved successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

==== End of Fixlog ====

MBAR Log

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2014.01.15.11

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Daphne :: DAPHNE-PC [administrator]

1/15/2014 6:46:04 PM
mbar-log-2014-01-15 (18-46-04).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 252162
Time elapsed: 1 hour(s), 32 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> No action taken.
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1} (Trojan.Zaccess) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| (Trojan.Zaccess) -> Data: C:\Users\Daphne\AppData\Local\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\n. -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Daphne\AppData\Local\Temp\Low\rad55B2E.tmp.exe (Spyware.Zbot.ED) -> No action taken.
C:\Users\Daphne\AppData\Local\Temp\Low\rad71F91.tmp.exe (Spyware.Zbot.ED) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

System log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.261000 GHz
Memory total: 3074973696, free: 1021640704

Downloaded database version: v2014.01.15.11
Downloaded database version: v2013.12.18.01
Initializing...
======================
------------ Kernel report ------------
     01/15/2014 18:45:58
------------ Loaded modules -----------
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa80057373e0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000077\
Lower Device Object: 0xfffffa8005fb3b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80033c7060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa80030e8050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80033c7060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80033c7b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80033c7060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80030e8050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F6996217

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 206848  Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30926848  Numsec = 594213552

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa80057373e0, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8005fb4b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80057373e0, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005fb3b60, DeviceName: \Device\00000077\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 238591

Partition information:

    Partition 0 type is Other (0x6)
    Partition is ACTIVE.
    Partition starts at LBA: 32  Numsec = 4135904
    Partition file system is FAT
    Partition is not bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 2117599232 bytes
Sector size: 512 bytes

Done!
Infected: C:\Users\Daphne\AppData\Local\Temp\Low\rad55B2E.tmp.exe --> [Spyware.Zbot.ED]
Infected: C:\Users\Daphne\AppData\Local\Temp\Low\rad71F91.tmp.exe --> [Spyware.Zbot.ED]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| --> [Trojan.Zaccess]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 --> [Trojan.Zaccess]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1} --> [Trojan.Zaccess]
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_206848_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_1_0_32_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
Removal finished
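The Fixlog above records FRST replacing the live rpcss.dll with the WinSxS copy, and the MBAR log flagged a per-user CLSID whose InprocServer32 pointed into %LOCALAPPDATA%\{GUID}\. As an added example that is not part of this thread or of either tool, the PowerShell below checks a Windows 7 x64 system for both conditions; it assumes an elevated PowerShell 4.0 or later session (for Get-FileHash) and uses the WinSxS path named in the Fixlog, which differs on other builds.

```powershell
# Added example, not from the thread or from FRST/MBAR. Checks for the two
# findings the logs above record:
#  1. rpcss.dll in System32 differs from the component-store (WinSxS) copy that
#     FRST restored (the infection patched the live file);
#  2. a per-user CLSID whose InprocServer32 points into %LOCALAPPDATA%\{GUID}\,
#     the pattern MBAR flagged as Trojan.Zaccess.
# Assumptions: run elevated in PowerShell 4.0 or later (Get-FileHash); the
# WinSxS path is the one named in the Fixlog and differs on other builds.

$live  = Join-Path $env:SystemRoot 'System32\rpcss.dll'
$store = Join-Path $env:SystemRoot ('winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_' +
         '31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll')

function Test-RpcssIntegrity {
    param([string]$LivePath, [string]$StorePath)
    $liveInfo = Get-Item $LivePath
    $report = [ordered]@{
        LiveHash     = (Get-FileHash -Algorithm SHA256 -Path $LivePath).Hash
        LiveVersion  = $liveInfo.VersionInfo.FileVersion
        LiveCompany  = $liveInfo.VersionInfo.CompanyName
        StoreHash    = $null
        MatchesStore = $null
    }
    if (Test-Path $StorePath) {
        $report.StoreHash = (Get-FileHash -Algorithm SHA256 -Path $StorePath).Hash
        # A mismatch alone is not proof: a later hotfix legitimately produces a
        # different file. Pair it with the SFC catalog check below.
        $report.MatchesStore = ($report.LiveHash -eq $report.StoreHash)
    }
    # System DLLs are catalog-signed, so Get-AuthenticodeSignature reports them as
    # NotSigned on Windows 7; sfc /verifyfile checks the catalog instead. Its output
    # is captured with interleaved null characters, which are stripped here.
    $sfc = (& "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$LivePath") -join ' '
    $report.SfcOutput = $sfc -replace "`0", ''
    [pscustomobject]$report
}

function Find-SuspiciousInprocServer32 {
    # Per-user COM registrations that load a DLL from %LOCALAPPDATA%\{GUID}\ match
    # the InprocServer32 value MBAR detected (...\{c614d3bf-...}\n.).
    $pattern = [regex]::Escape($env:LOCALAPPDATA) + '\\\{[0-9A-Fa-f-]{36}\}\\'
    Get-ChildItem 'HKCU:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $key = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $key) {
            $target = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if ($target -and $target -match $pattern) {
                [pscustomobject]@{ CLSID = $_.PSChildName; InprocServer32 = $target }
            }
        }
      }
}

Test-RpcssIntegrity -LivePath $live -StorePath $store | Format-List
Find-SuspiciousInprocServer32 | Format-Table -AutoSize
```

A hit from Find-SuspiciousInprocServer32, or an SfcOutput line saying the file is not verified, is a reason to re-run the anti-rootkit tool rather than to delete anything by hand.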



#7 jchico (Topic Starter)

Posted 15 January 2014 - 10:52 PM

Seedy - when I was shutting down after the above post, Windows started an automatic update. I pulled the battery and think I halted it... but not sure. Does that cause any problems? Thank you



#8 seedy21 (Malware Response Team, West Yorkshire, UK)

Posted 16 January 2014 - 02:57 PM

Hi Jchico

Please start up your computer normally and let me know if you are having any problems. I don't think it will cause any problems, and we will make sure Windows Updates install properly before closing this topic.

Step 1

We need to re-run the Malwarebytes Anti-Rootkit tool.

1. Open the folder where the contents were unzipped and run mbar.exe.

2. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

3. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen.

4. The following image opens, select Next.

5. In the following window ensure "Targets" are ticked. Then select "Scan"

6. If an infection is found, select the "Cleanup" button to remove threats and reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, click the "Cleanup" button once more and repeat the process.

8. If no threats were found you will see the following image. Select Exit:

9. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

10. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included in the Malwarebytes Anti-Rootkit folder.

11. The following window will open. Press "Y" on your keyboard, then tap Enter.

12. The fix will be applied; press any key to exit.

13. Let me know how your system now responds. Copy and paste the following two logs from the mbar folder:

  • System log
  • Mbar log (the date and time of the scan will also be shown in the file name)

Step 2

Perform an online antivirus scan with ESET:

Note: ESET recommends disabling your resident antivirus's active protection component BEFORE scanning; how to do so can be read here. Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan. If you are using Vista, Windows 7 or Windows 8, launch Internet Explorer by right-clicking the Start Menu icon and selecting "Run as Administrator".

  • Please go here, then click on Run ESET ONLINE SCANNER
  • Select the option YES, I accept the Terms of Use, then click on START
  • When prompted, allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is checked.
  • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  • Now click on START
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the online scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When the scan is complete:
      If no threats were found:
      • Check "Uninstall application on close"
      • Close the program
      If threats were found:
      • Select "list of threats found"
      • Select "Export to Text File" and save the report to your Desktop as ESETScanLog
      • Select Back
      • Place a checkmark in "Uninstall application on close"
      • Select Finish and exit the program
      • Copy and paste ESETScanLog.txt in your next reply

Edited by seedy21, 16 January 2014 - 02:59 PM.



#9 jchico (Topic Starter)

Posted 16 January 2014 - 11:06 PM

Continued thanks, Seedy. I just finished the second scan and all looks OK so far. I'll finish your steps and post logs tomorrow evening... Thank you for your help!



#10 jchico (Topic Starter)

Posted 17 January 2014 - 08:22 PM

OK Seedy - here are the multiple logs per your request: 

MBAR Log

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2014.01.15.11

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Daphne :: DAPHNE-PC [administrator]

1/16/2014 7:35:57 PM
mbar-log-2014-01-16 (19-35-57).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 251593
Time elapsed: 1 hour(s), 24 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

System Log

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.261000 GHz
Memory total: 3074973696, free: 1021640704

Downloaded database version: v2014.01.15.11
Downloaded database version: v2013.12.18.01
Initializing...
======================
------------ Kernel report ------------
     01/15/2014 18:45:58
------------ Loaded modules -----------
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa80057373e0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000077\
Lower Device Object: 0xfffffa8005fb3b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80033c7060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa80030e8050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80033c7060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80033c7b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80033c7060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80030e8050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F6996217

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 206848  Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30926848  Numsec = 594213552

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa80057373e0, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8005fb4b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80057373e0, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005fb3b60, DeviceName: \Device\00000077\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 238591

Partition information:

    Partition 0 type is Other (0x6)
    Partition is ACTIVE.
    Partition starts at LBA: 32  Numsec = 4135904
    Partition file system is FAT
    Partition is not bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 2117599232 bytes
Sector size: 512 bytes

Done!
Infected: C:\Users\Daphne\AppData\Local\Temp\Low\rad55B2E.tmp.exe --> [Spyware.Zbot.ED]
Infected: C:\Users\Daphne\AppData\Local\Temp\Low\rad71F91.tmp.exe --> [Spyware.Zbot.ED]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| --> [Trojan.Zaccess]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 --> [Trojan.Zaccess]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1} --> [Trojan.Zaccess]
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_206848_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_1_0_32_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.261000 GHz
Memory total: 3074973696, free: 1547763712

=======================================
Initializing...
------------ Kernel report ------------
     01/16/2014 17:55:23
------------ Loaded modules -----------
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80033e0060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8003155050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80033e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80033e0b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80033e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8003155050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F6996217

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 206848  Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30926848  Numsec = 594213552

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| --> [Trojan.Zaccess]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 --> [Trojan.Zaccess]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1} --> [Trojan.Zaccess]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.261000 GHz
Memory total: 3074973696, free: 2056847360

=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.261000 GHz
Memory total: 3074973696, free: 1607659520

=======================================
Initializing...
------------ Kernel report ------------
     01/16/2014 19:35:46
------------ Loaded modules -----------
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80033c0060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8003102050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80033c0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80033c0b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80033c0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8003102050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F6996217

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 206848  Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30926848  Numsec = 594213552

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_206848_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
ESET Scan Log

C:\FRST\Quarantine\rpcss.dll Win64/Patched.H trojan deleted - quarantined
Thank you for your help!!!



#11 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 18 January 2014 - 04:37 PM

Hi jchico

Step 1
  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
  • If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
  • When you see a console window, press any key to continue scanning.
  • Wait while it scans.
  • If your firewall alerts you of Security Check, please press 'Allow' or similar.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#12 jchico

  • Topic Starter
  • Members
  • 108 posts

Posted 19 January 2014 - 12:39 PM

Hi Seedy21 -

I ran Security Check. You don't mention posting the log, but I assume I should, so it is pasted below.  Thanks as always for your help!

 Results of screen317's Security Check version 0.99.79 
 Windows 7  x64 (UAC is enabled) 
 Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player 11.9.900.170 
 Adobe Reader 10.1.9 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````

#13 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 20 January 2014 - 08:29 AM

Hi jchico

You don't mention posting the log, but I assume I should, so it is pasted below


Thank you for telling me this, I will get this corrected.



Step 1

We need to update your machine Operating System to the latest version.
You should use Internet Explorer for this.
Click ...Start ... All Programs ... Windows Updates.
Let it check your system for any updates.
When the list comes up.... click on Express Install, to install the updates.
It may ask you to reboot your system when it finishes.
When completed... go back and check for more updates, keep doing this until it says there are no available updates for your system.
It may not give them all to you the first time.

Note: Please do not have any other programs running or use your PC whilst downloading the updates.

Step 2

Run updates to Adobe Reader:

Close all programs and windows.

Open Adobe Reader (click on "Start".  Click on "All Programs".  Click on "Adobe Reader").  When Adobe Reader is loaded, click on "Help".  Click on "Check for updates now" (or "Updates").

You will see available updates in the left window.  Select all updates or critical items in the left window and click the "Add" icon between the windows.  Click on the "Update" icon at the bottom.  The system will start processing the update.  If there are 2 or more updates, you will probably have to reboot between updates.


Step 3

We need to re-run SecurityCheck
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please copy and paste the contents of that document in your next reply.
Do you have any more issues with your machine?



#14 jchico

  • Topic Starter
  • Members
  • 108 posts

Posted 20 January 2014 - 02:32 PM

Hi and thank you.  I'm glad putting the text in was correct - always concerned about making assumptions!  So I did the updates and re-ran the security check.  Below is the file.  It still says Adobe Reader is out of date, despite Adobe telling me there were no updates to install.  I'll check that again when I reboot.  All else seems to be working fine - no more "background noise".  Thanks

 Results of screen317's Security Check version 0.99.79 
 Windows 7  x64 (UAC is enabled) 
 Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player 11.9.900.170 
 Adobe Reader 10.1.9 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````

#15 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 20 January 2014 - 05:02 PM

Hi jchico

Download this tool.

1. Double click on MGADiag.exe to run it.
2. Click Continue.
3. The program will run. It takes a while to finish the diagnosis, please be patient.
Please post the results as a reply to this thread.

