Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

rpcss.dll infected with Win64/Patched.H trojan


  • This topic is locked This topic is locked
26 replies to this topic

#1 IMFisher

IMFisher

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 14 January 2014 - 01:37 PM

Hello,

 

I have the nasty.  ESET continues to pop up warnings that my system 32/rcpss.dll is infected with Win64/Patched.H Trojan and it is unable to clean.

 

Thank you for any help.

 

DDS log:

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16736
Run by AndyFisher at 12:33:22 on 2014-01-14
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8094.5703 [GMT -6:00]
.
AV: ESET Endpoint Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Endpoint Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bluetooth Suite\adminservice.exe
C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CxAudMsg64.exe
C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files (x86)\PDF Architect\HelperService.exe
C:\Program Files (x86)\PDF Architect\ConversionService.exe
C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe
C:\Program Files (x86)\USB Camera\VM331_STI.EXE
C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
C:\Program Files (x86)\LockKey\LockKey.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyServer = hxxp=127.0.0.1:49980
uProxyOverride = 127.0.0.1:9421;<local>;*.local
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: PDF Architect Helper: {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll
BHO: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: PDF Architect Toolbar: {25A3A431-30BB-47C8-AD6A-E1063801134F} - C:\Program Files (x86)\PDF Architect\PDFIEPlugin.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Akamai NetSession Interface] "C:\Users\andyfisher\AppData\Local\Akamai\netsession_win.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Dolby Advanced Audio v2] "C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe" -autostart
mRun: [331BigDog] C:\Program Files (x86)\USB Camera\VM331_STI.EXE
mRun: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot
mRun: [YouCam Mirage] "C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe"
mRun: [YouCam Tray] "C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe" /s
mRun: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [LockKey] C:\Program Files (x86)\LockKey\LockKey.exe
mRun: [ADSK DLMSession] C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: NameServer = 192.168.0.3
TCP: Interfaces\{92E46E3F-A130-4FA9-8BC5-2498DDA7E24F} : DHCPNameServer = 192.168.0.3
TCP: Interfaces\{CBCFD494-98AB-4823-A9EE-10B7A10DA15B} : DHCPNameServer = 192.168.0.3
TCP: Interfaces\{CBCFD494-98AB-4823-A9EE-10B7A10DA15B}\2456C6B696E6F5E4F575962756C6563737F5436693234323 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{CBCFD494-98AB-4823-A9EE-10B7A10DA15B}\4416E6 : DHCPNameServer = 198.224.154.135 198.224.152.119
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= C:\Windows\SysWOW64\nvinit.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\btvstack.exe"
x64-Run: [AthBtTray] "C:\Program Files (x86)\Bluetooth Suite\athbttray.exe"
x64-Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
x64-Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe
x64-Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [egui] "C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe" /hide /waitservice
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 fbfmon;fbfmon;C:\Windows\System32\drivers\fbfmon.sys [2012-7-25 57952]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-5-15 16152]
R0 LHDmgr;LHDmgr;C:\Windows\System32\drivers\LhdX64.sys [2012-7-25 39008]
R0 nvpciflt;nvpciflt;C:\Windows\System32\drivers\nvpciflt.sys [2013-11-20 32544]
R1 BPntDrv;BPntDrv;C:\Windows\System32\drivers\BPntDrv.sys [2012-7-25 13408]
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2012-7-4 213416]
R2 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Bluetooth Suite\AdminService.exe [2012-4-28 119424]
R2 Autodesk Content Service;Autodesk Content Service;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-2-2 18656]
R2 CxAudMsg;Conexant Audio Message Service;C:\Windows\System32\CxAudMsg64.exe [2012-7-25 198784]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe [2012-7-4 999704]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2012-3-29 140752]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-7-25 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-2-2 628448]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-7-25 161560]
R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [2013-11-20 15125280]
R2 PDF Architect Helper Service;PDF Architect Helper Service;C:\Program Files (x86)\PDF Architect\HelperService.exe [2013-4-8 1320496]
R2 PDF Architect Service;PDF Architect Service;C:\Program Files (x86)\PDF Architect\ConversionService.exe [2013-4-8 799280]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [2013-4-24 483864]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-29 38608]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-7-25 363800]
R2 ZAtheros Bt&Wlan Coex Agent;ZAtheros Bt&Wlan Coex Agent;C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [2012-4-28 163456]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\Windows\System32\drivers\AcpiVpc.sys [2011-12-15 30816]
R3 AthBTPort;Atheros Virtual Bluetooth Class;C:\Windows\System32\drivers\btath_flt.sys [2012-4-28 36480]
R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\Windows\System32\drivers\btath_a2dp.sys [2012-4-28 341120]
R3 btath_avdt;Atheros Bluetooth AVDT Service;C:\Windows\System32\drivers\btath_avdt.sys [2012-4-28 111232]
R3 BTATH_BUS;Atheros Bluetooth Bus;C:\Windows\System32\drivers\btath_bus.sys [2012-4-28 30848]
R3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\Windows\System32\drivers\btath_hcrp.sys [2012-4-28 168064]
R3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\Windows\System32\drivers\btath_lwflt.sys [2012-4-28 68736]
R3 BTATH_RCP;Bluetooth AVRCP Device;C:\Windows\System32\drivers\btath_rcp.sys [2012-4-28 281472]
R3 BtFilter;BtFilter;C:\Windows\System32\drivers\btfilter.sys [2012-4-28 550528]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2011-1-29 31088]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2012-5-15 208168]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-5-15 331264]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-5-15 356120]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-5-15 788760]
R3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2012-5-15 104048]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2013-11-20 39200]
R3 vm331avs;Digital Camera 1;C:\Windows\System32\drivers\vm331avs.sys [2012-7-25 952832]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe --> c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [?]
S3 ESHASRV;ESET SHA Service;C:\Program Files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [2012-7-4 190208]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-8-28 1431888]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-7-25 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-10 19456]
S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\rtsuvstor.sys [2012-7-25 313960]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-10 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-1-10 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-8-24 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S3 wsvd;wsvd;C:\Windows\System32\drivers\wsvd.sys [2009-7-21 121840]
S4 DamageGuard;DamageGuard;C:\Windows\System32\drivers\DamageGuardX64.sys [2012-7-25 217392]
S4 DamageGuardSvc;Lenovo Instant Reset Service;C:\Program Files\Lenovo\Instant Reset\DamageGuardSvc.exe [2012-7-25 572976]
S4 dgFltr;dgFltr;C:\Windows\System32\drivers\dgfltrX64.sys [2012-7-25 23648]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=C:\Windows\System32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2014-01-14 17:44:07 -------- d-sh--w- C:\$RECYCLE.BIN
2014-01-14 17:34:33 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{014EA020-00FC-4F57-9196-F0DFBC3214EB}\offreg.dll
2014-01-14 17:28:14 98816 ----a-w- C:\Windows\sed.exe
2014-01-14 17:28:14 256000 ----a-w- C:\Windows\PEV.exe
2014-01-14 17:28:14 208896 ----a-w- C:\Windows\MBR.exe
2014-01-14 17:19:06 -------- d-----w- C:\FRST
2014-01-14 16:44:51 10285968 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{014EA020-00FC-4F57-9196-F0DFBC3214EB}\mpengine.dll
2014-01-08 16:20:00 -------- d--h--w- C:\ProgramData\RICOH_DRV
.
==================== Find3M  ====================
.
2014-01-07 15:30:34 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-07 15:30:34 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-19 09:33:38 267936 ----a-w- C:\Windows\System32\MpSigStub.exe
2013-11-11 15:02:02 6674208 ----a-w- C:\Windows\System32\nvcpl.dll
2013-11-11 15:02:02 3490080 ----a-w- C:\Windows\System32\nvsvc64.dll
2013-11-11 15:01:59 922912 ----a-w- C:\Windows\System32\nvvsvc.exe
2013-11-11 15:01:59 67072 ----a-w- C:\Windows\System32\nv3dappshextr.dll
2013-11-11 15:01:59 63776 ----a-w- C:\Windows\System32\nvshext.dll
2013-11-11 15:01:59 598304 ----a-w- C:\Windows\SysWow64\oemdspif.dll
2013-11-11 15:01:59 2559776 ----a-w- C:\Windows\System32\nvsvcr.dll
2013-11-11 15:01:59 219424 ----a-w- C:\Windows\System32\nvmctray.dll
2013-11-11 15:01:59 1065248 ----a-w- C:\Windows\System32\nv3dappshext.dll
2013-11-11 15:01:58 3467927 ----a-w- C:\Windows\System32\nvcoproc.bin
.
============= FINISH: 12:33:31.44 ===============

 

Attached Files



BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:39 AM

Posted 16 January 2014 - 08:10 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Also

  • Please re-run FRST again and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt)- please post the log into your reply to me. (you can use pastebin as well).

 

 

Regards,

Georgi


cXfZ4wS.png


#3 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:39 AM

Posted 18 January 2014 - 06:23 AM

Hi,

 

Are you still there?

 

 

Regards,

Georgi


cXfZ4wS.png


#4 IMFisher

IMFisher
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 18 January 2014 - 08:43 AM

Hi,
 
Are you still there?
 
 
Regards,
Georgi



#5 IMFisher

IMFisher
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 18 January 2014 - 08:53 AM

Hello Georgi,

Yes I am still here. I am not sure if I have "viloated" the terms of BC. Our tech provider ran some scans and added CCleaner from Piriform after posting to the forum. But the ESET reports still show the trojan. Don't know if this renders the DDS report invalid. I do not wish to waste your time. Please let me know if I should/can continue & I will run the Farbar scan.

Thank you...IMFisher

#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:39 AM

Posted 18 January 2014 - 09:25 PM

Hi,

 

Please post the logs from FRST.

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 20 January 2014 - 05:31 AM.

cXfZ4wS.png


#7 IMFisher

IMFisher
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 19 January 2014 - 04:53 PM

Georgi,

 

Thank you for your courtesy and patience.

 

Here's the FRST:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2014 04
Ran by AndyFisher (administrator) on ACAD1 on 19-01-2014 15:47:52
Running from \\ALPHA\RedirectedFolders\AndyFisher\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
() C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(pdfforge GmbH) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GmbH) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Akamai Technologies, Inc.) C:\Users\andyfisher\AppData\Local\Akamai\netsession_win.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Akamai Technologies, Inc.) C:\Users\andyfisher\AppData\Local\Akamai\netsession_win.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe
(Vimicro) C:\Program Files (x86)\USB Camera\VM331_STI.EXE
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
( ) C:\Program Files (x86)\LockKey\LockKey.exe
(Autodesk, Inc.) C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Farbar) \\ALPHA\RedirectedFolders\AndyFisher\Desktop\FRST64.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [564352 2011-12-15] (Conexant Systems, Inc.)
HKLM\...\Run: [ETDCtrl] - C:\Program Files\Elantech\ETDCtrl.exe [2809856 2012-01-16] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AtherosBtStack] - C:\Program Files (x86)\Bluetooth Suite\btvstack.exe [1022592 2012-04-28] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] - C:\Program Files (x86)\Bluetooth Suite\athbttray.exe [801920 2012-04-28] (Atheros Commnucations)
HKLM\...\Run: [Energy Management] - C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [8079408 2012-07-25] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] - C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [6202416 2012-07-25] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo EE Boot Optimizer] - C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [206176 2012-07-25] (Lenovo)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe [4133072 2012-07-04] (ESET)
HKLM\...\Run: [Nvtmru] - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1028384 2013-11-14] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] - C:\Windows\system32\nvspcap64.dll [1064224 2013-11-14] (NVIDIA Corporation)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [Dolby Advanced Audio v2] - C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe [507744 2011-12-20] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [331BigDog] - C:\Program Files (x86)\USB Camera\VM331_STI.EXE [548864 2011-11-24] (Vimicro)
HKLM-x32\...\Run: [Lenovo Registration] - C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe [4351712 2012-01-26] (Lenovo, Inc.)
HKLM-x32\...\Run: [YouCam Mirage] - C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2011-01-29] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] - C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe [228448 2011-01-29] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] - C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2010-07-26] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] - C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [LockKey] - C:\Program Files (x86)\LockKey\LockKey.exe [337776 2011-08-25] ( )
HKLM-x32\...\Run: [ADSK DLMSession] - C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe [1632216 2012-05-15] (Autodesk, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] - C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [295072 2012-12-21] (RealNetworks, Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [PMBVolumeWatcher] - C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe [740888 2013-04-24] (Sony Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-07-25] (Google Inc.)
HKCU\...\Run: [Akamai NetSession Interface] - C:\Users\andyfisher\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-05] (Akamai Technologies, Inc.)
HKU\etechadmin\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-07-25] (Google Inc.)
AppInit_DLLs: C:\Windows\System32\nvinitx.dll => C:\Windows\System32\nvinitx.dll [168616 2013-11-14] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [141336 2013-11-14] (NVIDIA Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x9009A70FAC80CD01
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=DGkOYGTYRb-c4MI2UOBHT7Biy80?q={searchTerms}
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-i3752
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO-x32: PDF Architect Helper - {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GmbH)
BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - PDF Architect Toolbar - {25A3A431-30BB-47C8-AD6A-E1063801134F} - C:\Program Files (x86)\PDF Architect\PDFIEPlugin.dll (pdfforge GmbH)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.3

Chrome:
=======
CHR HomePage: hxxp://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN
CHR RestoreOnStartup: "hxxp://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN"
CHR Extension: (RealDownloader) - C:\Users\andyfisher\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-04-16]
CHR Extension: (Google Wallet) - C:\Users\andyfisher\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-20]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2012-11-29]

==================== Services (Whitelisted) =================

R2 Autodesk Content Service; C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [18656 2011-02-02] ()
S4 DamageGuardSvc; C:\Program Files\Lenovo\Instant Reset\DamageGuardSvc.exe [572976 2012-03-26] (Lenovo (Beijing) Limited)
R2 DcomLaunch; C:\Windows\system32\rpcss.dll [512512 2010-11-20] ()
S3 EhttpSrv; C:\Program Files\ESET\ESET Endpoint Antivirus\EHttpSrv.exe [35720 2012-07-04] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe [999704 2012-07-04] (ESET)
S3 ESHASRV; C:\Program Files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [190208 2012-07-04] (ESET)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-28] (Intel Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15125280 2013-11-14] (NVIDIA Corporation)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1320496 2013-04-08] (pdfforge GmbH)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [799280 2013-04-08] (pdfforge GmbH)
R2 PMBDeviceInfoProvider; C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [483864 2013-04-24] (Sony Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [38608 2012-11-29] ()
R2 RpcSs; C:\Windows\system32\rpcss.dll [512512 2010-11-20] ()
R2 ZAtheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [163456 2012-04-28] (Atheros)

==================== Drivers (Whitelisted) ====================

S4 DamageGuard; C:\Windows\System32\DRIVERS\DamageGuardX64.sys [217392 2012-02-10] (Lenovo)
S4 dgFltr; C:\Windows\System32\drivers\dgFltrX64.sys [23648 2011-12-13] (Lenovo)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [213416 2012-07-04] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [152136 2012-03-29] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [140752 2012-03-29] (ESET)
R3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [104048 2012-03-02] (Qualcomm Atheros Co., Ltd.)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-11-14] (NVIDIA Corporation)
R3 vm331avs; C:\Windows\System32\Drivers\vm331avs.sys [952832 2011-12-06] (Vimicro Corporation)
U3 BcmSqlStartupSvc;
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
U2 CLKMSVC10_3A60B698;
U2 CLKMSVC10_C3B3B687;
U2 DriverService;
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [179920 2012-07-04] (ESET)
U2 iATAgentService;
U2 idealife Update Service;
U3 IGRS;
U2 IviRegMgr;
U2 Oasis2Service;
U2 PCCarerService;
U2 ReadyComm.DirectRouter;
U2 RichVideo;
U2 RtLedService;
U2 SeaPort;
U2 SoftwareService;
U3 SQLWriter;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-01-19 15:42 - 2014-01-19 15:42 - 00000316 _____ C:\Windows\PFRO.log
2014-01-19 15:29 - 2014-01-19 15:42 - 00000336 _____ C:\Windows\setupact.log
2014-01-19 15:29 - 2014-01-19 15:29 - 00000000 _____ C:\Windows\setuperr.log
2014-01-14 16:35 - 2014-01-14 16:35 - 00002782 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-01-14 16:35 - 2014-01-14 16:35 - 00000000 ____D C:\Program Files\CCleaner
2014-01-14 16:34 - 2014-01-14 16:34 - 04645232 _____ (Piriform Ltd) C:\Users\andyfisher\Downloads\ccsetup409.exe
2014-01-14 15:21 - 2014-01-14 15:21 - 00000000 ____D C:\Users\andyfisher\AppData\Roaming\Malwarebytes
2014-01-14 15:20 - 2014-01-14 15:20 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-14 15:20 - 2014-01-14 15:20 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-14 15:20 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-14 15:19 - 2014-01-14 15:20 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\andyfisher\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-14 14:22 - 2014-01-15 07:42 - 00000000 ____D C:\ProgramData\LogMeIn Rescue ConnectOnLAN
2014-01-14 11:43 - 2014-01-14 11:43 - 00027322 _____ C:\ComboFix.txt
2014-01-14 11:28 - 2014-01-14 11:44 - 00000000 ____D C:\Qoobox
2014-01-14 11:28 - 2011-06-26 00:45 - 00256000 _____ C:\Windows\PEV.exe
2014-01-14 11:28 - 2010-11-07 11:20 - 00208896 _____ C:\Windows\MBR.exe
2014-01-14 11:28 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-01-14 11:28 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-01-14 11:28 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-01-14 11:28 - 2000-08-30 18:00 - 00098816 _____ C:\Windows\sed.exe
2014-01-14 11:28 - 2000-08-30 18:00 - 00080412 _____ C:\Windows\grep.exe
2014-01-14 11:28 - 2000-08-30 18:00 - 00068096 _____ C:\Windows\zip.exe
2014-01-14 11:27 - 2014-01-14 11:40 - 00000000 ____D C:\Windows\erdnt
2014-01-14 11:19 - 2014-01-19 15:30 - 00000000 ____D C:\FRST
2014-01-14 11:01 - 2014-01-19 15:30 - 00000080 _____ C:\Windows\system32\cjkwlh.urp
2014-01-14 10:44 - 2014-01-14 10:44 - 00000064 _____ C:\Windows\system32\qgrq.aux
2014-01-14 10:44 - 2014-01-14 10:44 - 00000000 _____ C:\Windows\system32\yskbtr.ood
2014-01-14 09:53 - 2014-01-14 09:53 - 00219314 ____S C:\Windows\system32\zqrv.kjh
2014-01-08 10:20 - 2014-01-14 10:44 - 00000000 ___HD C:\ProgramData\RICOH_DRV
2013-12-26 11:11 - 2014-01-14 16:36 - 00000000 ____D C:\Windows\Minidump

==================== One Month Modified Files and Folders =======

2014-01-19 15:47 - 2009-07-13 23:13 - 00782902 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-19 15:45 - 2012-07-25 00:49 - 01244959 _____ C:\Windows\WindowsUpdate.log
2014-01-19 15:44 - 2012-07-25 01:35 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-19 15:43 - 2012-12-21 09:08 - 00003350 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2018297678-1196376427-1247052204-1182
2014-01-19 15:43 - 2012-12-21 09:08 - 00003226 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2018297678-1196376427-1247052204-1182
2014-01-19 15:43 - 2012-07-25 01:36 - 00218088 _____ C:\Windows\system32\fastboot.set
2014-01-19 15:43 - 2012-07-25 01:35 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-19 15:42 - 2014-01-19 15:42 - 00000316 _____ C:\Windows\PFRO.log
2014-01-19 15:42 - 2014-01-19 15:29 - 00000336 _____ C:\Windows\setupact.log
2014-01-19 15:42 - 2012-08-27 11:35 - 00000144 _____ C:\Windows\system32\config\netlogon.ftl
2014-01-19 15:42 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-19 15:36 - 2009-07-13 22:45 - 00037216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-19 15:36 - 2009-07-13 22:45 - 00037216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-19 15:30 - 2014-01-14 11:19 - 00000000 ____D C:\FRST
2014-01-19 15:30 - 2014-01-14 11:01 - 00000080 _____ C:\Windows\system32\cjkwlh.urp
2014-01-19 15:29 - 2014-01-19 15:29 - 00000000 _____ C:\Windows\setuperr.log
2014-01-17 15:52 - 2012-08-23 09:27 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-16 11:25 - 2012-08-28 10:35 - 00000000 ____D C:\Users\andyfisher\AppData\Local\cache
2014-01-16 07:42 - 2012-07-25 01:27 - 00000000 ____D C:\ProgramData\Adobe
2014-01-15 07:42 - 2014-01-14 14:22 - 00000000 ____D C:\ProgramData\LogMeIn Rescue ConnectOnLAN
2014-01-14 16:36 - 2013-12-26 11:11 - 00000000 ____D C:\Windows\Minidump
2014-01-14 16:36 - 2012-08-31 10:29 - 00000000 ____D C:\Users\andyfisher\AppData\Local\CrashDumps
2014-01-14 16:36 - 2012-08-27 12:44 - 00000000 ___DC C:\Users\andyfisher\AppData\Local\MigWiz
2014-01-14 16:36 - 2011-02-24 11:03 - 00000000 ____D C:\Windows\Panther
2014-01-14 16:35 - 2014-01-14 16:35 - 00002782 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-01-14 16:35 - 2014-01-14 16:35 - 00000000 ____D C:\Program Files\CCleaner
2014-01-14 16:34 - 2014-01-14 16:34 - 04645232 _____ (Piriform Ltd) C:\Users\andyfisher\Downloads\ccsetup409.exe
2014-01-14 15:21 - 2014-01-14 15:21 - 00000000 ____D C:\Users\andyfisher\AppData\Roaming\Malwarebytes
2014-01-14 15:20 - 2014-01-14 15:20 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-14 15:20 - 2014-01-14 15:20 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-14 15:20 - 2014-01-14 15:19 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\andyfisher\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-14 12:17 - 2012-08-27 11:55 - 00000000 ____D C:\Users\andyfisher
2014-01-14 11:44 - 2014-01-14 11:28 - 00000000 ____D C:\Qoobox
2014-01-14 11:43 - 2014-01-14 11:43 - 00027322 _____ C:\ComboFix.txt
2014-01-14 11:43 - 2009-07-13 21:20 - 00000000 ___HD C:\Users\Default
2014-01-14 11:40 - 2014-01-14 11:27 - 00000000 ____D C:\Windows\erdnt
2014-01-14 11:35 - 2009-07-13 20:34 - 00000215 _____ C:\Windows\system.ini
2014-01-14 10:45 - 2012-08-27 11:56 - 00122536 _____ C:\Users\andyfisher\AppData\Local\GDIPFONTCACHEV1.DAT
2014-01-14 10:44 - 2014-01-14 10:44 - 00000064 _____ C:\Windows\system32\qgrq.aux
2014-01-14 10:44 - 2014-01-14 10:44 - 00000000 _____ C:\Windows\system32\yskbtr.ood
2014-01-14 10:44 - 2014-01-08 10:20 - 00000000 ___HD C:\ProgramData\RICOH_DRV
2014-01-14 10:44 - 2012-12-21 09:05 - 00000000 ____D C:\ProgramData\Real
2014-01-14 10:44 - 2012-08-28 10:35 - 00000000 ____D C:\ProgramData\FLEXnet
2014-01-14 10:44 - 2012-08-27 18:37 - 00000000 ____D C:\Users\andyfisher\AppData\Local\Akamai
2014-01-14 10:44 - 2012-08-27 13:06 - 00000000 ____D C:\_rpcs
2014-01-14 10:44 - 2012-08-27 11:55 - 00000000 ____D C:\Users\andyfisher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2014-01-14 10:44 - 2012-08-27 11:52 - 00000000 ____D C:\Users\administrator
2014-01-14 10:44 - 2012-08-24 08:04 - 00000000 __RHD C:\MSOCache
2014-01-14 10:44 - 2012-08-24 08:04 - 00000000 ____D C:\ProgramData\Microsoft Help
2014-01-14 10:44 - 2012-08-23 20:37 - 00000000 ____D C:\Users\etechadmin
2014-01-14 10:44 - 2012-08-23 09:27 - 00000000 ____D C:\Windows\system32\Macromed
2014-01-14 10:44 - 2012-08-23 08:44 - 00000000 ____D C:\ProgramData\Energy Management
2014-01-14 10:44 - 2012-07-25 01:13 - 00000000 ____D C:\ProgramData\Atheros
2014-01-14 10:44 - 2009-07-13 23:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2014-01-14 10:44 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\spool
2014-01-14 10:44 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\NDF
2014-01-14 10:44 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\servicing
2014-01-14 10:44 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\security
2014-01-14 10:44 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\registration
2014-01-14 10:44 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\AppCompat
2014-01-14 10:44 - 2009-07-13 21:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2014-01-14 09:57 - 2013-08-14 07:42 - 00000000 ____D C:\Windows\system32\MRT
2014-01-14 09:53 - 2014-01-14 09:53 - 00219314 ____S C:\Windows\system32\zqrv.kjh
2014-01-10 15:33 - 2012-12-04 11:09 - 00000000 ____D C:\Users\andyfisher\HOME REMODEL INFO
2014-01-08 16:10 - 2009-07-13 22:45 - 00439840 _____ C:\Windows\system32\FNTCACHE.DAT
2014-01-08 11:00 - 2009-07-13 20:34 - 00000518 _____ C:\Windows\win.ini
2014-01-08 10:20 - 2012-08-27 13:06 - 00000373 _____ C:\Windows\system32\ricdb.ini
2014-01-08 10:20 - 2012-08-27 13:06 - 00000151 _____ C:\Windows\system32\RPCS.ini
2014-01-07 09:30 - 2012-08-28 15:55 - 00000000 ____D C:\Users\andyfisher\AppData\Local\Adobe
2014-01-07 09:30 - 2012-08-23 09:27 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-01-07 09:30 - 2012-08-23 09:27 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-01-07 09:30 - 2012-08-23 09:27 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 21:24] - [2010-11-20 21:24] - 0512512 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\rpcss.dll IS INFECTED. <===== ATTENTION!

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-01-15 12:45

==================== End Of Log ============================

 

 

And the search:

 

 

Farbar Recovery Scan Tool (x64) Version: 19-01-2014 04
Ran by AndyFisher at 2014-01-19 15:49:03
Running from \\ALPHA\RedirectedFolders\AndyFisher\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-20 21:24] - [2010-11-20 21:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\System32\rpcss.dll
[2010-11-20 21:24] - [2010-11-20 21:24] - 0512512 ____A () D41D8CD98F00B204E9800998ECF8427E

====== End Of Search ======

Attached Files



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:39 AM

Posted 20 January 2014 - 05:36 AM

Hi,
 
 
Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
 
Regards,
Georgi
 


cXfZ4wS.png


#9 IMFisher

IMFisher
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 20 January 2014 - 09:05 AM

Good Morning B-Boy/StyLe/

 

Contents of Fixlog:

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2014 04
Ran by andyfisher at 2014-01-20 08:00:04 Run:1
Running from \\ALPHA\RedirectedFolders\AndyFisher\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
2014-01-14 11:01 - 2014-01-19 15:30 - 00000080 _____ C:\Windows\system32\cjkwlh.urp
2014-01-14 10:44 - 2014-01-14 10:44 - 00000064 _____ C:\Windows\system32\qgrq.aux
2014-01-14 10:44 - 2014-01-14 10:44 - 00000000 _____ C:\Windows\system32\yskbtr.ood
2014-01-14 09:53 - 2014-01-14 09:53 - 00219314 ____S C:\Windows\system32\zqrv.kjh
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
end
*****************

C:\Windows\system32\cjkwlh.urp => Moved successfully.
C:\Windows\system32\qgrq.aux => Moved successfully.
Could not move "C:\Windows\system32\yskbtr.ood" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\zqrv.kjh" => Scheduled to move on reboot.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

 

 

Mahalo,

 

IMFisher



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:39 AM

Posted 20 January 2014 - 10:06 AM

Hi,

 

it's evening here. :)

 

The log is cut off.

Also can you tell me how are things now?

 

 

Regards,

Georgi


cXfZ4wS.png


#11 IMFisher

IMFisher
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 20 January 2014 - 10:56 AM

Good Evening Sir,

 

Everything seems to be running OK.  The last threat warning the ESET log shows was at 800 AM (almost 2 hours ago) after showing one almost every minute previously.  The most recent threat is listed as C:\FRST\Quarantine\rpcss.dll.  I have turned the notifications back on and nothing pops up.

 

Am I good?  Or shall I still remain cautious about me passwords and accounts?  What is the next step, other than buying you a beer or two?

 

Here's the fixlist again:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2014 04
Ran by andyfisher at 2014-01-20 08:00:04 Run:1
Running from \\ALPHA\RedirectedFolders\AndyFisher\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
2014-01-14 11:01 - 2014-01-19 15:30 - 00000080 _____ C:\Windows\system32\cjkwlh.urp
2014-01-14 10:44 - 2014-01-14 10:44 - 00000064 _____ C:\Windows\system32\qgrq.aux
2014-01-14 10:44 - 2014-01-14 10:44 - 00000000 _____ C:\Windows\system32\yskbtr.ood
2014-01-14 09:53 - 2014-01-14 09:53 - 00219314 ____S C:\Windows\system32\zqrv.kjh
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
end
*****************

C:\Windows\system32\cjkwlh.urp => Moved successfully.
C:\Windows\system32\qgrq.aux => Moved successfully.
Could not move "C:\Windows\system32\yskbtr.ood" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\zqrv.kjh" => Scheduled to move on reboot.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

 

 

Please let me know.

 

Thank you,

IMFisher



#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:39 AM

Posted 21 January 2014 - 07:09 AM

Hello,

 

I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

 

 

STEP 1

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 2

 

 

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    Sbf88.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    JtwHB.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 4

 

 

  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-click on it's icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.

 

 

STEP 5

 

 

1.Please download HitmanPro.

  • For 32-bit Operating System - dEMD6.gif.
  • This is the mirror - dEMD6.gif
  • For 64-bit Operating System - dEMD6.gif
  • This is the mirror - dEMD6.gif

2.Launch the program by double clicking on the 5vo5F.jpg icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
 
8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.
 
Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.

 

 

 

STEP 6

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

 

 

Regards,

Georgi


cXfZ4wS.png


#13 IMFisher

IMFisher
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 21 January 2014 - 01:27 PM

Wow...OK, here we go.

 

STEP 1 - no C:\rkill.log found, but rkill.txt was created:

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/21/2014 12:20:34 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 01/21/2014 12:20:45 PM
Execution time: 0 hours(s), 0 minute(s), and 11 seconds(s)



#14 IMFisher

IMFisher
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:39 AM

Posted 22 January 2014 - 09:00 AM

Good Evening B-Boy/StyLe/

 

I am having issues running RogueKiller.  The link works, I save to desktop & run as administrator.  Window pops up instantly starts running, then freezes.  The scan button is not enabled when the window pops up.

 

???  Please help.

 

Regards,

 

IMFisher



#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:39 AM

Posted 22 January 2014 - 05:48 PM

Hello IMFisher,

 

 

I informed the developer about the issue. For now please skip RogueKiller and proceed with the rest of the steps.

 

Thanks!

 

 

Regards,

Georgi


cXfZ4wS.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users