
ads playing in background


  • This topic is locked
8 replies to this topic

#1 mjduncan

mjduncan

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 14 January 2014 - 02:31 PM

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464
Run by lclark at 14:29:15 on 2014-01-14
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3991.1914 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Windows\system32\spool\drivers\x64\3\NetFaxServer64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
C:\Windows\System32\spool\drivers\x64\3\NetFaxTray64.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://www.yahoo.com/?fr=fp-tyc9
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-tyc9
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [IncrediMail] C:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SAMSUN~1.LNK - C:\Windows\System32\spool\drivers\x64\3\NetFaxTray64.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.225.1
TCP: Interfaces\{28D149FA-AF4F-4401-87CD-C53FC1ECB731} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{A3933E05-8814-4DCA-8FEE-3A0E17CCB946} : DHCPNameServer = 192.168.225.1
TCP: Interfaces\{A3933E05-8814-4DCA-8FEE-3A0E17CCB946}\75F47512631393132353 : DHCPNameServer = 64.233.222.2 64.233.222.7
TCP: Interfaces\{A3933E05-8814-4DCA-8FEE-3A0E17CCB946}\E454457454142543837343 : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [CDAServer] C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2013-2-18 98208]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-3-5 35200]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-2-18 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-2-3 628448]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-2-18 161560]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2012-3-14 1134584]
R2 Samsung Network Fax Server;Samsung Network Fax Server;C:\Windows\System32\spool\drivers\x64\3\NetFaxServer64.exe [2013-3-10 237056]
R2 SSPORT;SSPORT;C:\Windows\System32\drivers\SSPORT.sys [2012-11-19 11576]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-3-8 5087584]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-2-18 363800]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-7-28 31088]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-12-6 331264]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2013-2-18 1813056]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-2-18 675432]
R3 SmbDrv;SmbDrv;C:\Windows\System32\drivers\Smb_driver.sys [2012-2-23 21264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 HP Support Assistant Service;HP Support Assistant Service;"C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" --> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [?]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;C:\Windows\System32\drivers\RtsP2Stor.sys [2013-2-18 259688]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-3-8 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-01-14 19:14:54 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B7190BAA-5EAD-45B7-B4C8-726E04F7F016}\offreg.dll
2014-01-14 15:02:26 -------- d-----w- C:\FRST
2014-01-14 14:25:57 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B7190BAA-5EAD-45B7-B4C8-726E04F7F016}\mpengine.dll
2014-01-14 14:16:52 -------- d-----w- C:\Users\lclark\AppData\Roaming\Malwarebytes
2014-01-14 14:16:47 -------- d-----w- C:\ProgramData\Malwarebytes
2014-01-14 14:16:46 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-01-14 14:16:46 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-14 14:16:41 -------- d-----w- C:\Users\lclark\AppData\Local\Programs
2014-01-14 13:56:12 -------- d-sh--w- C:\$RECYCLE.BIN
2014-01-14 13:45:19 98816 ----a-w- C:\Windows\sed.exe
2014-01-14 13:45:19 256000 ----a-w- C:\Windows\PEV.exe
2014-01-14 13:45:19 208896 ----a-w- C:\Windows\MBR.exe
2014-01-14 13:36:54 -------- d-----w- C:\Users\lclark\AppData\Roaming\SUPERAntiSpyware.com
2014-01-14 13:28:50 -------- d-----w- C:\AdwCleaner
2014-01-13 16:40:53 -------- d-----w- C:\Users\lclark\AppData\Roaming\eCyber
2014-01-09 21:54:31 -------- d-----w- C:\Users\lclark\.android
2014-01-09 21:54:29 -------- d-----w- C:\Users\lclark\AppData\Local\cache
2014-01-09 21:54:28 -------- d-----w- C:\Program Files (x86)\AmiExt
2014-01-09 21:53:39 -------- d-----w- C:\Windows\System32\log
.
==================== Find3M  ====================
.
2013-12-12 19:55:15 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-12 19:55:15 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-26 17:25:52 267936 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 14:29:25.30 ===============
 


#2 mjduncan

mjduncan
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 15 January 2014 - 08:13 AM

bump



#3 mjduncan

mjduncan
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 15 January 2014 - 01:07 PM

can anyone help?



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:23 AM

Posted 16 January 2014 - 08:10 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Also

  • Please re-run FRST again and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt) - please post the log into your reply to me. (You can use pastebin as well.)

 

 

Regards,

Georgi




#5 mjduncan

mjduncan
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 17 January 2014 - 08:15 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-01-2014 03
Ran by lclark (administrator) on LCLARKLT on 17-01-2014 08:11:39
Running from C:\Users\lclark\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

 

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6463592 2012-02-13] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2885904 2012-02-23] (Synaptics Incorporated)
HKLM\...\Run: [CDAServer] - C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe [462712 2012-03-09] ()
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [PDF Complete] - C:\Program Files (x86)\PDF Complete\pdfsty.exe [684024 2012-02-20] (PDF Complete Inc)
HKLM-x32\...\Run: [HPOSD] - C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [VirtualCloneDrive] - C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [IncrediMail] - C:\Program Files (x86)\IncrediMail\bin\IncMail.exe [367016 2013-03-10] (IncrediMail, Ltd.)
HKCU\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-03-10] (Google Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp-comm.us.msn.com/?pc=msnHomeST&ocid=msnHomepage
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCOM/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-tyc9
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-tyc9
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-24/4?satitle={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-24/4?satitle={searchTerms}
SearchScopes: HKCU - {5A25F9FF-BE72-44E5-B44F-0B3C278927F9} URL = http://websearch.shopathome.com?user_id={E3BB9C7C-3DE4-4C42-914E-921A4C473EEF}&q={searchTerms}
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-24/4?satitle={searchTerms}
BHO: No Name - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -  No File
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.225.1

Chrome:
=======
CHR HomePage: hxxp://msn.com/
CHR RestoreOnStartup: "sync_promo": {
      "show_on_first_run_allowed"
CHR DefaultSearchProvider: Conduit Search
CHR DefaultSearchURL: http://www.google.com
CHR DefaultNewTabURL:
CHR Extension: (Google Docs) - C:\Users\lclark\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0 [2014-01-01]
CHR Extension: (Google Drive) - C:\Users\lclark\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0 [2014-01-01]
CHR Extension: (YouTube) - C:\Users\lclark\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0 [2014-01-01]
CHR Extension: (Google Search) - C:\Users\lclark\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0 [2014-01-01]
CHR Extension: (Google Wallet) - C:\Users\lclark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_1 [2014-01-08]
CHR Extension: (Gmail) - C:\Users\lclark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0 [2013-11-15]

==================== Services (Whitelisted) =================

R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1134584 2012-02-20] (PDF Complete Inc)
R2 Samsung Network Fax Server; C:\Windows\system32\spool\drivers\x64\3\NetFaxServer64.exe [237056 2012-04-26] (Samsung Electronics Co., Ltd.)
S2 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [x]

==================== Drivers (Whitelisted) ====================

S3 RSP2STOR; C:\Windows\System32\DRIVERS\RtsP2Stor.sys [259688 2011-10-27] (Realtek Semiconductor Corp.)
R3 SmbDrv; C:\Windows\system32\drivers\Smb_driver.sys [21264 2012-02-23] (Synaptics Incorporated)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-01-17 08:11 - 2014-01-17 08:11 - 00007243 _____ C:\Users\lclark\Desktop\FRST.txt
2014-01-17 08:11 - 2014-01-17 08:11 - 00000000 ____D C:\Users\lclark\Desktop\FRST-OlderVersion
2014-01-17 08:10 - 2014-01-17 08:10 - 02076160 _____ (Farbar) C:\Users\lclark\Downloads\FRST64.exe
2014-01-15 08:41 - 2014-01-17 08:10 - 00442368 _____ C:\Windows\msxml4-KB973688-enu.LOG
2014-01-15 08:41 - 2014-01-17 08:10 - 00440528 _____ C:\Windows\msxml4-KB954430-enu.LOG
2014-01-15 08:41 - 2014-01-15 08:42 - 00006251 _____ C:\Windows\IE11_main.log
2014-01-15 08:40 - 2014-01-15 08:41 - 00005153 _____ C:\Windows\IE10_main.log
2014-01-14 14:26 - 2014-01-14 14:26 - 00688992 ____R (Swearware) C:\Users\lclark\Downloads\dds.com
2014-01-14 13:31 - 2014-01-17 08:11 - 02076160 _____ (Farbar) C:\Users\lclark\Desktop\FRST64.exe
2014-01-14 13:31 - 2014-01-14 13:33 - 00019395 _____ C:\Users\lclark\Downloads\FRST.txt
2014-01-14 10:02 - 2014-01-17 08:11 - 00000000 ____D C:\FRST
2014-01-14 09:50 - 2014-01-14 09:50 - 00071974 _____ C:\Users\lclark\Downloads\Extras.Txt
2014-01-14 09:49 - 2014-01-14 09:49 - 00067806 _____ C:\Users\lclark\Downloads\OTL.Txt
2014-01-14 09:43 - 2014-01-14 09:43 - 00602112 _____ (OldTimer Tools) C:\Users\lclark\Downloads\OTL.exe
2014-01-14 09:16 - 2014-01-14 09:16 - 00000000 ____D C:\Users\lclark\AppData\Roaming\Malwarebytes
2014-01-14 09:16 - 2014-01-14 09:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-14 09:16 - 2014-01-14 09:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-14 09:16 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-14 09:07 - 2014-01-14 09:08 - 04101441 _____ C:\Users\lclark\Downloads\tdsskiller.zip
2014-01-14 08:56 - 2014-01-14 08:56 - 00015610 _____ C:\ComboFix.txt
2014-01-14 08:45 - 2014-01-14 08:56 - 00000000 ____D C:\Qoobox
2014-01-14 08:45 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2014-01-14 08:45 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2014-01-14 08:45 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-01-14 08:45 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-01-14 08:45 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-01-14 08:45 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2014-01-14 08:45 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2014-01-14 08:45 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2014-01-14 08:44 - 2014-01-14 08:54 - 00000000 ____D C:\Windows\erdnt
2014-01-14 08:36 - 2014-01-14 08:36 - 00000000 ____D C:\Users\lclark\AppData\Roaming\SUPERAntiSpyware.com
2014-01-14 08:28 - 2014-01-14 08:29 - 00000000 ____D C:\AdwCleaner
2014-01-13 11:40 - 2014-01-13 11:40 - 00000000 ____D C:\Users\lclark\AppData\Roaming\eCyber
2014-01-09 16:55 - 2014-01-09 16:55 - 00000076 _____ C:\extensions.ini
2014-01-09 16:55 - 2014-01-09 16:55 - 00000000 _____ C:\extensions.sqlite
2014-01-09 16:54 - 2014-01-14 08:16 - 00000000 ____D C:\Program Files (x86)\AmiExt
2014-01-09 16:54 - 2014-01-09 16:54 - 00000000 ____D C:\Users\lclark\AppData\Local\cache
2014-01-09 16:54 - 2014-01-09 16:54 - 00000000 ____D C:\Users\lclark\.android
2014-01-09 16:54 - 2014-01-09 16:54 - 00000000 _____ C:\Users\lclark\daemonprocess.txt
2014-01-09 16:53 - 2014-01-09 16:53 - 00000000 ____D C:\Windows\system32\log
2014-01-09 10:52 - 2014-01-09 10:52 - 00000000 ____S C:\Windows\system32\kxiyb.dwe
2014-01-03 12:17 - 2014-01-03 12:17 - 00037376 _____ C:\Windows\system32\efuam.pwa
2014-01-03 12:07 - 2014-01-15 15:06 - 00000078 _____ C:\Windows\system32\vcutjmv.pbq
2014-01-03 12:06 - 2014-01-03 12:17 - 00000097 _____ C:\Windows\system32\mwyagcq.yur
2014-01-03 12:06 - 2014-01-03 12:06 - 00000064 _____ C:\Windows\system32\yujzro.pgi
2014-01-03 11:50 - 2014-01-03 11:50 - 00219314 ____S C:\Windows\system32\sfejxyu.psz

==================== One Month Modified Files and Folders =======

2014-01-17 08:12 - 2014-01-17 08:11 - 00007243 _____ C:\Users\lclark\Desktop\FRST.txt
2014-01-17 08:12 - 2013-03-10 18:38 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-17 08:11 - 2014-01-17 08:11 - 00000000 ____D C:\Users\lclark\Desktop\FRST-OlderVersion
2014-01-17 08:11 - 2014-01-14 13:31 - 02076160 _____ (Farbar) C:\Users\lclark\Desktop\FRST64.exe
2014-01-17 08:11 - 2014-01-14 10:02 - 00000000 ____D C:\FRST
2014-01-17 08:11 - 2013-03-08 23:20 - 01993432 _____ C:\Windows\WindowsUpdate.log
2014-01-17 08:11 - 2009-07-14 00:13 - 00778834 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-17 08:10 - 2014-01-17 08:10 - 02076160 _____ (Farbar) C:\Users\lclark\Downloads\FRST64.exe
2014-01-17 08:10 - 2014-01-15 08:41 - 00442368 _____ C:\Windows\msxml4-KB973688-enu.LOG
2014-01-17 08:10 - 2014-01-15 08:41 - 00440528 _____ C:\Windows\msxml4-KB954430-enu.LOG
2014-01-17 08:10 - 2013-03-08 11:24 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{8F0BF30F-2BA8-431E-B0B2-0684BCC448C0}
2014-01-17 08:09 - 2012-03-14 23:22 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-17 08:08 - 2013-03-10 18:38 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-15 15:06 - 2014-01-03 12:07 - 00000078 _____ C:\Windows\system32\vcutjmv.pbq
2014-01-15 08:42 - 2014-01-15 08:41 - 00006251 _____ C:\Windows\IE11_main.log
2014-01-15 08:41 - 2014-01-15 08:40 - 00005153 _____ C:\Windows\IE10_main.log
2014-01-15 08:34 - 2012-03-14 23:26 - 00773050 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2014-01-14 14:26 - 2014-01-14 14:26 - 00688992 ____R (Swearware) C:\Users\lclark\Downloads\dds.com
2014-01-14 14:21 - 2009-07-13 23:45 - 00031472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-14 14:21 - 2009-07-13 23:45 - 00031472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-14 14:19 - 2013-03-10 18:38 - 00000000 ____D C:\Program Files (x86)\Google
2014-01-14 14:13 - 2013-03-08 16:21 - 00014826 _____ C:\Windows\AutoKMS.log
2014-01-14 14:13 - 2012-03-14 23:40 - 00000000 ____D C:\ProgramData\PDFC
2014-01-14 14:13 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-14 14:13 - 2009-07-13 23:51 - 00052506 _____ C:\Windows\setupact.log
2014-01-14 13:33 - 2014-01-14 13:31 - 00019395 _____ C:\Users\lclark\Downloads\FRST.txt
2014-01-14 09:50 - 2014-01-14 09:50 - 00071974 _____ C:\Users\lclark\Downloads\Extras.Txt
2014-01-14 09:49 - 2014-01-14 09:49 - 00067806 _____ C:\Users\lclark\Downloads\OTL.Txt
2014-01-14 09:43 - 2014-01-14 09:43 - 00602112 _____ (OldTimer Tools) C:\Users\lclark\Downloads\OTL.exe
2014-01-14 09:16 - 2014-01-14 09:16 - 00000000 ____D C:\Users\lclark\AppData\Roaming\Malwarebytes
2014-01-14 09:16 - 2014-01-14 09:16 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-14 09:16 - 2014-01-14 09:16 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-14 09:08 - 2014-01-14 09:07 - 04101441 _____ C:\Users\lclark\Downloads\tdsskiller.zip
2014-01-14 08:58 - 2010-11-20 22:47 - 00409920 _____ C:\Windows\PFRO.log
2014-01-14 08:56 - 2014-01-14 08:56 - 00015610 _____ C:\ComboFix.txt
2014-01-14 08:56 - 2014-01-14 08:45 - 00000000 ____D C:\Qoobox
2014-01-14 08:54 - 2014-01-14 08:44 - 00000000 ____D C:\Windows\erdnt
2014-01-14 08:54 - 2009-07-13 21:34 - 00000215 _____ C:\Windows\system.ini
2014-01-14 08:36 - 2014-01-14 08:36 - 00000000 ____D C:\Users\lclark\AppData\Roaming\SUPERAntiSpyware.com
2014-01-14 08:29 - 2014-01-14 08:28 - 00000000 ____D C:\AdwCleaner
2014-01-14 08:24 - 2013-03-08 11:24 - 00000000 ___RD C:\Users\lclark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-01-14 08:16 - 2014-01-09 16:54 - 00000000 ____D C:\Program Files (x86)\AmiExt
2014-01-13 11:40 - 2014-01-13 11:40 - 00000000 ____D C:\Users\lclark\AppData\Roaming\eCyber
2014-01-09 17:31 - 2013-03-10 12:11 - 00000072 _____ C:\Users\Public\LMDebug.log
2014-01-09 16:55 - 2014-01-09 16:55 - 00000076 _____ C:\extensions.ini
2014-01-09 16:55 - 2014-01-09 16:55 - 00000000 _____ C:\extensions.sqlite
2014-01-09 16:54 - 2014-01-09 16:54 - 00000000 ____D C:\Users\lclark\AppData\Local\cache
2014-01-09 16:54 - 2014-01-09 16:54 - 00000000 ____D C:\Users\lclark\.android
2014-01-09 16:54 - 2014-01-09 16:54 - 00000000 _____ C:\Users\lclark\daemonprocess.txt
2014-01-09 16:54 - 2013-03-08 23:20 - 00000000 ____D C:\Users\lclark
2014-01-09 16:53 - 2014-01-09 16:53 - 00000000 ____D C:\Windows\system32\log
2014-01-09 12:21 - 2013-03-10 12:35 - 00000000 ____D C:\Users\lclark\AppData\Local\CrashDumps
2014-01-09 10:52 - 2014-01-09 10:52 - 00000000 ____S C:\Windows\system32\kxiyb.dwe
2014-01-03 16:14 - 2013-03-10 13:05 - 00000000 ___RD C:\Users\lclark\Documents\Liz's Docs
2014-01-03 12:17 - 2014-01-03 12:17 - 00037376 _____ C:\Windows\system32\efuam.pwa
2014-01-03 12:17 - 2014-01-03 12:06 - 00000097 _____ C:\Windows\system32\mwyagcq.yur
2014-01-03 12:06 - 2014-01-03 12:06 - 00000064 _____ C:\Windows\system32\yujzro.pgi
2014-01-03 11:50 - 2014-01-03 11:50 - 00219314 ____S C:\Windows\system32\sfejxyu.psz

Some content of TEMP:
====================
C:\Users\lclark\AppData\Local\Temp\ntdll_dump.dll
C:\Users\lclark\AppData\Local\Temp\{8DD3425B-0BF7-4B05-AA1E-030AC81CEC84}.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 22:24] - [2010-11-20 22:24] - 0512512 ____A (Microsoft Corporation) 899D206F57B1B290C738E7FAD85365C2

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-01-09 13:08

==================== End Of Log ============================



#6 mjduncan


Posted 17 January 2014 - 08:18 AM

Farbar Recovery Scan Tool (x64) Version: 15-01-2014 03
Ran by lclark at 2014-01-17 08:16:11
Running from C:\Users\lclark\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-20 22:24] - [2010-11-20 22:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\System32\rpcss.dll
[2010-11-20 22:24] - [2010-11-20 22:24] - 0512512 ____A (Microsoft Corporation) 899D206F57B1B290C738E7FAD85365C2

====== End Of Search ======



#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:23 AM

Posted 17 January 2014 - 08:27 AM

Hi,

Thank you for the logs... I will reply later today since I should go to work.

Catch you later.

Regards,

Georgi




#8 B-boy/StyLe/


Posted 18 January 2014 - 06:30 AM

Hi,

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,
Georgi




#9 B-boy/StyLe/


Posted 30 January 2014 - 09:30 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





