Need Help Removing Possible Viruses or Malware!!!

This topic is locked
12 replies to this topic

#1 mybcun

mybcun

  • Members
  • 25 posts
  • OFFLINE
  • Local time:07:48 AM

Posted 20 January 2014 - 12:42 AM

Hello Everyone,

I'm having a couple computer issues, and I'm hoping someone might be able to help me, please. The two issues I'm having are:

1. My computer is shutting down on its own. I received a message in a window that popped up that read,

             "Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly"

At the top of this message window (which had a yellow exclamation point) it says,

             "You are about to be logged off"

Then, roughly a minute or so later, whatever I have open closes and my computer shuts down on its own.


2. The other issue I'm having is that sound is randomly playing on my computer. It comes and goes, and I have no idea where it is coming from!

I've run Microsoft Security Essentials multiple times since all this started, to no avail. I downloaded and ran a couple of other anti-virus/anti-malware programs...still, to no avail.

I am obviously seeking to eliminate these two issues. Might anyone be able to help me, please? Thanks in advance!!!

Best,
~mybcun



#2 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:48 PM

Posted 24 January 2014 - 04:47 PM

Hello mybcun,

To analyse your problems we need to run an FRST scan:

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)

  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.



#3 mybcun

mybcun
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:07:48 AM

Posted 26 January 2014 - 03:11 PM

Ok, here are the two logs as requested:

FRST Log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-01-2014 02
Ran by ********** ********** ********** (administrator) on ******************** on 26-01-2014 12:50:54
Running from C:\Users\********** ********** **********\Desktop
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
() C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(ooVoo LLC) C:\Program Files (x86)\ooVoo\ooVoo.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ReadyComm\ReadyComm.exe
(Microsoft Corporation) C:\Windows\Speech\Common\sapisvr.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ReadyComm\AppSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Vimicro) C:\Program Files (x86)\USB Camera\VM331_STI.EXE
(Lenovo) C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
(OLYMPUS IMAGING CORP.) C:\Program Files (x86)\Olympus\DeviceDetector\DevDtct2.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(Dropbox, Inc.) C:\Users\********** ********** **********\AppData\Roaming\Dropbox\bin\Dropbox.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe
(brother) C:\Program Files (x86)\Brownie\BrStsW64.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
(brother) C:\Program Files (x86)\Brownie\brpjp04a.exe
(Cypress Semiconductor) C:\Windows\wdcbg.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ReadyComm\BTSvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [521272 2010-03-21] (Conexant Systems, Inc.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2176296 2010-06-10] (Synaptics Incorporated)
HKLM\...\Run: [OnekeyStudio] - C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [776608 2009-12-18] (Lenovo)
HKLM\...\Run: [EnergyUtility] - C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4367808 2009-12-17] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] - C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [6988736 2009-12-17] (Lenovo (Beijing) Limited)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [331BigDog] - C:\Program Files (x86)\USB Camera\VM331_STI.EXE [536576 2010-01-15] (Vimicro)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35184 2008-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [VeriFaceManager] - C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [3122528 2010-09-24] (Lenovo)
HKLM-x32\...\Run: [UCam_Menu] - C:\Program Files (x86)\Lenovo\YouCam\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [YouCam Mirror Tray icon] - C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe [167008 2009-12-22] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] - C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [BrStsWnd] - C:\Program Files (x86)\Brownie\BrstsW64.exe [3695416 2009-06-11] (brother)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] - C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1443080 2010-09-27] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [hpqSRMon] - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [WDCBG] - C:\windows\WDCBG.EXE [118784 2004-08-02] (Cypress Semiconductor)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKLM-x32\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTY3MDE4Mjg1LVhPMTArMTItTElDKzItRkwxMCsxLVNQMSsxLVNQMVRCKzEtU1VQKzEtRERUKzM2NTM4LUREMTBGKzEtU1QxMEZBUFArMS1GMTBNMTJBTiszLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQk4rMS1GMTBNMTJCKzEtRlVJKzItVEJWVVBHKzEyLUYxME0xMkZUKzEtVEJOKzE"&"prod=90"&"ver=10.0.1424 [x]
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKCU\...\Run: [ReadyComm5] - C:\Program Files\Lenovo\ReadyComm\ReadyComm.exe [1501000 2009-09-22] (Lenovo Group Limited)
HKCU\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-01-06] (Google Inc.)
HKCU\...\Run: [Speech Recognition] - C:\windows\Speech\Common\sapisvr.exe [44544 2009-07-13] (Microsoft Corporation)
HKCU\...\Run: [CompanionLink] - c:\program files (x86)\companionlink\companionlink.exe [53279744 2013-08-05] (CompanionLink Software, Inc.)
HKU\Default\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKU\Default\...\RunOnce: [WLStart] - C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
HKU\Default User\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKU\Default User\...\RunOnce: [WLStart] - C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\********** ********** **********\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$ationary Envelope Template.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$cebook.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$ent File Labels.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$ochure Envelope Template.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$uare Envelope Address.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~WRL0406.tmp ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x46D26D77B375CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://www.google.com/
URLSearchHook: HKCU - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO-x32: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/x64/ractrl.cab?lmi=722
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=724
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler-x32: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{E5A5D7C3-ABFE-437E-977C-BB7F14CFF7A9}: [NameServer]4.2.2.2,4.2.2.3

Chrome:
=======
CHR HomePage: hxxp://www.searchqu.com/405
CHR DefaultSearchProvider: Search Results
CHR DefaultSearchURL: http://dts.search-results.com/sr?src=crb&appid=0&systemid=405&q={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.41\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.41\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.41\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.270.7) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U27) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-04-05]
CHR Extension: (Google Search) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-04-05]
CHR Extension: (avast! Online Security) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-01-09]
CHR Extension: (Google Wallet) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-09]
CHR Extension: (Gmail) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-04-05]

==================== Services (Whitelisted) =================

R3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
R3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
R3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-06-23] ()
S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)

==================== Drivers (Whitelisted) ====================

S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-31] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [30336 2007-01-18] (Research in Motion Ltd)
R3 vm331avs; C:\Windows\System32\Drivers\vm331avs.sys [215168 2010-03-18] (Vimicro Corporation)
S3 VNUSB; C:\Windows\System32\Drivers\VNUSB.sys [22528 2009-09-29] (OLYMPUS IMAGING CORP.)
R3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
U3 BcmSqlStartupSvc;
U2 IviRegMgr;
U2 RichVideo;
U3 SQLWriter;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-01-26 12:50 - 2014-01-26 12:50 - 00000000 ____D C:\Users\********** ********** **********\Desktop\FRST-OlderVersion
2014-01-24 17:11 - 2014-01-24 17:12 - 00027594 _____ C:\Users\********** ********** **********\Desktop\Addition.txt
2014-01-24 17:08 - 2014-01-26 12:51 - 00021494 _____ C:\Users\********** ********** **********\Desktop\FRST.txt
2014-01-24 17:08 - 2014-01-26 12:50 - 00000000 ____D C:\FRST
2014-01-24 17:07 - 2014-01-26 12:50 - 02078208 _____ (Farbar) C:\Users\********** ********** **********\Desktop\FRST64.exe
2014-01-22 20:27 - 2014-01-22 20:28 - 00113224 _____ C:\Users\********** ********** **********\g2ax_customer_downloadhelper_win32_x86.exe
2014-01-22 03:40 - 2014-01-26 12:44 - 00214215 _____ C:\FaceProv.log
2014-01-22 02:40 - 2014-01-22 02:40 - 00000909 _____ C:\Users\********** ********** **********\Desktop\Movie Maker.lnk
2014-01-22 02:40 - 2014-01-22 02:40 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\WMTools Downloaded Files
2014-01-19 17:55 - 2014-01-19 17:55 - 00000000 _____ C:\windows\SysWOW64\shoB50D.tmp
2014-01-18 15:49 - 2014-01-18 16:22 - 00012292 ____H C:\Users\********** ********** **********\.DS_Store
2014-01-18 15:49 - 2014-01-18 15:49 - 00006148 ____H C:\Users\.DS_Store
2014-01-14 13:56 - 2014-01-22 15:28 - 00002822 _____ C:\windows\wininit.ini
2014-01-14 01:05 - 2014-01-14 01:05 - 00000000 ____D C:\windows\System32\Tasks\Safer-Networking
2014-01-14 01:04 - 2014-01-22 15:32 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-01-14 01:04 - 2014-01-22 15:28 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2014-01-13 15:49 - 2014-01-13 15:50 - 00000000 ____D C:\Program Files\Blackberry
2014-01-13 02:04 - 2014-01-13 02:04 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2014-01-13 01:49 - 2014-01-13 01:50 - 00003014 _____ C:\windows\SysWOW64\TEST.log
2014-01-10 15:16 - 2014-01-10 15:16 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{9CA8C879-7898-4D58-874A-7223B483B5DC}
2014-01-10 15:04 - 2014-01-10 15:19 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Nico Mak Computing
2014-01-10 15:03 - 2014-01-10 15:19 - 00000000 ____D C:\Program Files (x86)\WinZip Registry Optimizer
2014-01-10 15:03 - 2013-07-10 17:49 - 00019120 _____ (WinZip Computing, S.L.(WinZip Computing)) C:\windows\system32\roboot64.exe
2014-01-09 20:10 - 2014-01-09 20:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\MFAData
2014-01-09 20:10 - 2014-01-09 20:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\Avg2014
2014-01-09 12:05 - 2014-01-09 20:45 - 00000000 ____D C:\ProgramData\AVAST Software
2014-01-06 22:26 - 2014-01-06 22:27 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{D5852B08-F8B0-4FDF-A70B-191039108B9E}
2014-01-06 10:24 - 2014-01-06 10:25 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{CBD003B9-3C8F-4B1F-8DD0-FD55B4DC4D86}
2014-01-05 18:54 - 2014-01-05 18:55 - 00000081 _____ C:\Users\********** ********** **********\AppData\Roaming\mbam.context.scan
2014-01-05 05:57 - 2014-01-05 05:57 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Malwarebytes
2014-01-05 05:54 - 2014-01-05 05:54 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-02 16:09 - 2014-01-02 16:09 - 00037376 _____ C:\windows\system32\gugg.hon
2014-01-02 14:25 - 2014-01-22 01:25 - 00000088 _____ C:\windows\system32\ooojeph.yfd
2014-01-02 14:15 - 2014-01-02 16:09 - 00000095 _____ C:\windows\system32\jifvjwy.gxh
2014-01-02 14:15 - 2014-01-02 14:15 - 00000064 _____ C:\windows\system32\hcqxjab.muv
2014-01-02 13:59 - 2014-01-02 13:59 - 00219314 ____S C:\windows\system32\arkxq.bwx
2013-12-28 13:29 - 2013-12-28 13:29 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{C649D499-4071-4566-B4A3-246389518592}

==================== One Month Modified Files and Folders =======

2014-01-26 12:51 - 2014-01-24 17:08 - 00021494 _____ C:\Users\********** ********** **********\Desktop\FRST.txt
2014-01-26 12:51 - 2009-07-13 22:45 - 00013632 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-26 12:51 - 2009-07-13 22:45 - 00013632 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-26 12:50 - 2014-01-26 12:50 - 00000000 ____D C:\Users\********** ********** **********\Desktop\FRST-OlderVersion
2014-01-26 12:50 - 2014-01-24 17:08 - 00000000 ____D C:\FRST
2014-01-26 12:50 - 2014-01-24 17:07 - 02078208 _____ (Farbar) C:\Users\********** ********** **********\Desktop\FRST64.exe
2014-01-26 12:47 - 2010-09-24 00:58 - 02046291 _____ C:\windows\WindowsUpdate.log
2014-01-26 12:44 - 2014-01-22 03:40 - 00214215 _____ C:\FaceProv.log
2014-01-26 12:44 - 2013-07-19 14:57 - 00000000 ___RD C:\Users\********** ********** **********\Dropbox
2014-01-26 12:44 - 2013-07-19 14:50 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Dropbox
2014-01-26 12:44 - 2011-01-06 16:40 - 00000922 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-26 12:44 - 2010-12-04 03:17 - 00000386 _____ C:\windows\Brownie.ini
2014-01-26 12:44 - 2010-09-24 01:38 - 00000000 ____D C:\ProgramData\VeriFace
2014-01-26 12:43 - 2009-07-13 23:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2014-01-26 12:43 - 2009-07-13 22:51 - 00149498 _____ C:\windows\setupact.log
2014-01-26 07:40 - 2011-01-06 16:40 - 00000926 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-26 07:37 - 2012-10-20 21:46 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2014-01-26 01:29 - 2009-07-13 23:08 - 00032654 _____ C:\windows\Tasks\SCHEDLGU.TXT
2014-01-25 19:47 - 2010-12-05 00:43 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\SoftGrid Client
2014-01-25 18:09 - 2012-04-05 12:17 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\vlc
2014-01-25 15:01 - 2011-04-01 13:40 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\CrashDumps
2014-01-25 00:30 - 2012-10-17 16:37 - 00000000 ____D C:\Users\********** ********** **********\Desktop\***************
2014-01-25 00:21 - 2013-11-30 16:03 - 00000000 ____D C:\Users\********** ********** **********\Desktop\***************
2014-01-25 00:16 - 2010-11-29 20:22 - 00002239 _____ C:\Users\********** ********** **********\Desktop\OneKey Recovery.lnk
2014-01-24 23:11 - 2013-11-03 05:01 - 00000000 ____D C:\Users\********** ********** **********\Desktop\***************
2014-01-24 23:10 - 2013-11-30 16:04 - 00000000 ____D C:\Users\********** ********** **********\Desktop\***************
2014-01-24 17:33 - 2011-03-22 18:26 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\Windows Live
2014-01-24 17:12 - 2014-01-24 17:11 - 00027594 _____ C:\Users\********** ********** **********\Desktop\Addition.txt
2014-01-24 01:20 - 2013-11-30 15:59 - 00000000 ____D C:\Users\********** ********** **********\Desktop\***************
2014-01-24 00:22 - 2010-09-24 01:37 - 01539982 _____ C:\windows\PFRO.log
2014-01-23 00:53 - 2010-12-04 03:21 - 00000426 _____ C:\windows\BRWMARK.INI
2014-01-23 00:51 - 2013-07-05 12:26 - 00000000 ____D C:\Program Files (x86)\Citrix
2014-01-22 21:41 - 2012-04-06 09:35 - 00000000 ____D C:\***************
2014-01-22 20:28 - 2014-01-22 20:27 - 00113224 _____ C:\Users\********** ********** **********\g2ax_customer_downloadhelper_win32_x86.exe
2014-01-22 20:27 - 2010-11-29 20:22 - 00000000 ____D C:\Users\********** ********** **********
2014-01-22 15:44 - 2011-09-11 22:07 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\FileZilla
2014-01-22 15:32 - 2014-01-14 01:04 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-01-22 15:28 - 2014-01-14 13:56 - 00002822 _____ C:\windows\wininit.ini
2014-01-22 15:28 - 2014-01-14 01:04 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2014-01-22 02:40 - 2014-01-22 02:40 - 00000909 _____ C:\Users\********** ********** **********\Desktop\Movie Maker.lnk
2014-01-22 02:40 - 2014-01-22 02:40 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\WMTools Downloaded Files
2014-01-22 02:40 - 2010-12-07 00:34 - 00000000 ____D C:\Movie Maker
2014-01-22 02:32 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files\Microsoft Games
2014-01-22 01:25 - 2014-01-02 14:25 - 00000088 _____ C:\windows\system32\ooojeph.yfd
2014-01-20 18:07 - 2012-04-16 10:14 - 00083944 _____ C:\windows\SysWOW64\GDIPFONTCACHEV1.DAT
2014-01-19 17:55 - 2014-01-19 17:55 - 00000000 _____ C:\windows\SysWOW64\shoB50D.tmp
2014-01-19 01:33 - 2011-03-14 06:44 - 00270496 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-01-18 22:45 - 2009-07-13 23:13 - 00727334 _____ C:\windows\system32\PerfStringBackup.INI
2014-01-18 16:22 - 2014-01-18 15:49 - 00012292 ____H C:\Users\********** ********** **********\.DS_Store
2014-01-18 15:49 - 2014-01-18 15:49 - 00006148 ____H C:\Users\.DS_Store
2014-01-16 01:36 - 2013-11-27 22:04 - 00000000 ____D C:\Users\********** ********** **********\Desktop\Lists
2014-01-15 22:24 - 2011-10-24 22:45 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2014-01-14 21:17 - 2013-07-16 01:25 - 00000000 ____D C:\windows\system32\MRT
2014-01-14 21:09 - 2011-03-22 19:33 - 86054176 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-01-14 01:05 - 2014-01-14 01:05 - 00000000 ____D C:\windows\System32\Tasks\Safer-Networking
2014-01-13 15:50 - 2014-01-13 15:49 - 00000000 ____D C:\Program Files\Blackberry
2014-01-13 14:22 - 2012-03-27 10:56 - 00000000 ____D C:\Users\********** ********** **********\Desktop\Intuit
2014-01-13 02:04 - 2014-01-13 02:04 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2014-01-13 01:53 - 2011-01-06 17:15 - 00000000 ____D C:\Program Files (x86)\QuickTime
2014-01-13 01:50 - 2014-01-13 01:49 - 00003014 _____ C:\windows\SysWOW64\TEST.log
2014-01-10 15:19 - 2014-01-10 15:04 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Nico Mak Computing
2014-01-10 15:19 - 2014-01-10 15:03 - 00000000 ____D C:\Program Files (x86)\WinZip Registry Optimizer
2014-01-10 15:16 - 2014-01-10 15:16 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{9CA8C879-7898-4D58-874A-7223B483B5DC}
2014-01-09 20:45 - 2014-01-09 12:05 - 00000000 ____D C:\ProgramData\AVAST Software
2014-01-09 20:29 - 2010-09-24 01:16 - 00037652 _____ C:\windows\DPINST.LOG
2014-01-09 20:13 - 2011-03-14 04:20 - 00000000 ____D C:\ProgramData\MFAData
2014-01-09 20:10 - 2014-01-09 20:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\MFAData
2014-01-09 20:10 - 2014-01-09 20:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\Avg2014
2014-01-09 16:46 - 2013-07-19 14:57 - 00001069 _____ C:\Users\********** ********** **********\Desktop\Dropbox.lnk
2014-01-09 16:46 - 2013-07-19 14:51 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-01-09 16:46 - 2010-11-29 20:23 - 00000000 ___RD C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-01-08 04:13 - 2011-09-11 22:07 - 00000000 ____D C:\Users\********** ********** **********\Downloads\FileZilla FTP Client
2014-01-07 08:49 - 2011-08-03 11:02 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Apple Computer
2014-01-06 22:27 - 2014-01-06 22:26 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{D5852B08-F8B0-4FDF-A70B-191039108B9E}
2014-01-06 10:25 - 2014-01-06 10:24 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{CBD003B9-3C8F-4B1F-8DD0-FD55B4DC4D86}
2014-01-05 18:55 - 2014-01-05 18:54 - 00000081 _____ C:\Users\********** ********** **********\AppData\Roaming\mbam.context.scan
2014-01-05 11:40 - 2013-07-05 13:32 - 00000000 ____D C:\GMutils
2014-01-05 06:34 - 2012-12-29 11:00 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\DefaultTab
2014-01-05 05:57 - 2014-01-05 05:57 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Malwarebytes
2014-01-05 05:54 - 2014-01-05 05:54 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-03 21:28 - 2013-10-29 13:05 - 00110592 ___SH C:\Users\********** ********** **********\Thumbs.db
2014-01-02 16:09 - 2014-01-02 16:09 - 00037376 _____ C:\windows\system32\gugg.hon
2014-01-02 16:09 - 2014-01-02 14:15 - 00000095 _____ C:\windows\system32\jifvjwy.gxh
2014-01-02 14:15 - 2014-01-02 14:15 - 00000064 _____ C:\windows\system32\hcqxjab.muv
2014-01-02 13:59 - 2014-01-02 13:59 - 00219314 ____S C:\windows\system32\arkxq.bwx
2014-01-01 18:37 - 2011-03-25 18:11 - 01685504 ___SH C:\Users\********** ********** **********\Documents\Thumbs.db
2013-12-28 13:29 - 2013-12-28 13:29 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{C649D499-4071-4566-B4A3-246389518592}

Files to move or delete:
====================
C:\Users\********** ********** **********\g2ax_customer_downloadhelper_win32_x86.exe

Some content of TEMP:
====================
C:\Users\********** ********** **********\AppData\Local\Temp\IeSearchProvider.exe
C:\Users\********** ********** **********\AppData\Local\Temp\Installhelper.dll
C:\Users\********** ********** **********\AppData\Local\Temp\Intuit.Spc.Map.EntitlementClient.Install.dll
C:\Users\********** ********** **********\AppData\Local\Temp\qbinstal.dll
C:\Users\********** ********** **********\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll
C:\Users\********** ********** **********\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\********** ********** **********\AppData\Local\Temp\stlport_r50.dll
C:\Users\********** ********** **********\AppData\Local\Temp\tmpF3FF.exe
C:\Users\********** ********** **********\AppData\Local\Temp\tmpFDF5.exe
C:\Users\********** ********** **********\AppData\Local\Temp\updater_uninstall.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-07-13 18:00] - [2009-07-13 19:41] - 0510464 ____A (Microsoft Corporation) 97F4CE881800A0F6B499B27CCA7F9B71

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-01-12 18:06

==================== End Of Log ============================

Addition Log:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 26-01-2014 02
Ran by ********** ********** ********** at 2014-01-26 12:58:20
Running from C:\Users\********** ********** **********\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

5600 (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
5600_Help (x32 Version: 82.0.242.000 - Hewlett-Packard) Hidden
64 Bit HP CIO Components Installer (Version: 6.2.1 - Hewlett-Packard) Hidden
7-zip v9.20 (x32 Version: v9.20 - TUGUU SL)
Acrobat.com (x32 Version: 1.1.377 - Adobe Systems Incorporated)
Adobe AIR (x32 Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe AIR (x32 Version: 1.5.0.7220 - Adobe Systems Inc.) Hidden
Adobe Flash Player 11 ActiveX (x32 Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Reader 9.0.1 (x32 Version: 9.0.1 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (x32 Version: 11.6.7.637 - Adobe Systems, Inc.)
AIO_CDB_ProductContext (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
AIO_CDB_Software (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
AIO_Scan (x32 Version: 130.0.421.000 - Hewlett-Packard) Hidden
Apple Application Support (x32 Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (x32 Version: 2.1.3.127 - Apple Inc.)
BlackBerry Desktop Software 4.2 (x32 Version: 4.2.0.14 - Research In Motion Ltd.)
BlackBerry Desktop Software 4.2 (x32 Version: 4.2.0.14 - Research In Motion Ltd.) Hidden
BlackBerry Device Software v4.5.0 for the BlackBerry 8310 smartphone (x32 Version: 4.5.0.182 (Platform 2.7.0.106) - Research In Motion Ltd.)
Bonjour (Version: 3.0.0.10 - Apple Inc.)
Broadcom 802.11 Wireless Driver (x32 Version: 1.0.0.0 - )
Brother HL-2140 (x32 Version: 1.00 - Brother)
BufferChm (x32 Version: 130.0.331.000 - Hewlett-Packard) Hidden
CompanionLink (x32 Version: 5.00.5050 - CompanionLink Software, Inc.)
Conexant HD Audio (Version: 4.111.0.62 - Conexant)
Copy (x32 Version: 130.0.428.000 - Hewlett-Packard) Hidden
CyberLink YouCam (x32 Version: 3.0.2421a - CyberLink Corp.)
CyberLink YouCam (x32 Version: 3.0.2421a - CyberLink Corp.) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Destinations (x32 Version: 130.0.0.0 - Hewlett-Packard) Hidden
DeviceDiscovery (x32 Version: 130.0.465.000 - Hewlett-Packard) Hidden
DocProc (x32 Version: 13.0.0.0 - Hewlett-Packard) Hidden
Dropbox (HKCU Version: 2.4.11 - Dropbox, Inc.)
Energy Management (x32 Version: 5.4.0.8 - Lenovo)
Fax (x32 Version: 130.0.418.000 - Hewlett-Packard) Hidden
FileZilla Client 3.5.1 (x32 Version: 3.5.1 - FileZilla Project)
*************** 5.7 (x32 Version: 5.70.11111.0 - FrontRange Solutions)
Google Chrome (x32 Version: 32.0.1700.76 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Toolbar for Internet Explorer (x32 Version: 7.5.4805.320 - Google Inc.)
Google Update Helper (x32 Version: 1.3.22.3 - Google Inc.) Hidden
GPBaseService2 (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
HP Customer Participation Program 13.0 (Version: 13.0 - HP)
HP Imaging Device Functions 13.0 (Version: 13.0 - HP)
HP Photosmart Essential 3.5 (Version: 3.5 - HP)
HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B (Version: 13.0 - HP)
HP Smart Web Printing 4.51 (Version: 4.51 - HP)
HP Solution Center 13.0 (Version: 13.0 - HP)
HP Update (x32 Version: 4.000.011.006 - Hewlett-Packard)
HPPhotoGadget (x32 Version: 130.0.282.000 - Hewlett-Packard) Hidden
HPPhotoSmartDiscLabelContent1 (x32 Version: 2.04.0000 - Hewlett-Packard) Hidden
HPPhotosmartEssential (x32 Version: 2.04.0000 - Hewlett-Packard) Hidden
HPProductAssistant (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
HPSSupply (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
Intel® Control Center (x32 Version: 1.2.1.1007 - Intel Corporation)
Intel® Graphics Media Accelerator Driver (x32 Version: 8.15.10.2104 - Intel Corporation)
Intel® Management Engine Components (x32 Version: 6.0.0.1179 - Intel Corporation)
Intel® Rapid Storage Technology (x32 Version: 9.6.0.1014 - Intel Corporation)
Internet TV for Windows Media Center (x32 Version: 4.2.2.0 - Microsoft Corporation)
iTunes (Version: 11.0.5.5 - Apple Inc.)
Jasc Paint Shop Photo Album (x32 Version: 4.0.1 - Jasc Software, Inc.)
Java Auto Updater (x32 Version: 2.0.6.1 - Sun Microsystems, Inc.) Hidden
Java™ 6 Update 27 (x32 Version: 6.0.270 - Oracle)
join.me (HKCU Version: 1.3.1.429 - LogMeIn, Inc.)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Lenovo DirectShare (x32 Version: 1.0.1.38 - ArcSoft)
Lenovo DirectShare (x32 Version: 1.0.1.38 - ArcSoft) Hidden
Lenovo EasyCamera (x32 Version: 1.10.0415.1 - Vimicro)
Lenovo OneKey Recovery (Version: 7.0.1230 - CyberLink Corp.) Hidden
Lenovo OneKey Recovery (x32 Version: 7.0.1230 - CyberLink Corp.)
Lenovo ReadyComm 5 (x32 Version: 5.1.1.20 - Lenovo)
Lenovo ReadyComm 5.0 Service (x32 Version: 5.0.0.1 - Lenovo Group Limited)
Lenovo Smile Dock (x32 Version: 2.0.201.1 - DDNi)
Lenovo Smile Dock (x32 Version: 2.0.201.1 - DDNi) Hidden
MarketResearch (x32 Version: 130.0.374.000 - Hewlett-Packard) Hidden
Memorex exPressit Label Design Studio (x32 Version:  - )
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Click-to-Run 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (x32 Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Search Enhancement Pack (x32 Version: 3.0.133.0 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.4.0304.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (x32 Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (x32 Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161 - Microsoft Corporation)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (x32 Version: 4.20.9818.0 - Microsoft Corporation)
Network64 (Version: 130.0.572.000 - Hewlett-Packard) Hidden
Oasis2Service 1.0 (x32 Version: 1.0.0 - DDNi)
OCR Software by I.R.I.S. 13.0 (Version: 13.0 - HP)
Olympus Digital Wave Player (x32 Version:  - )
Onekey Theater (x32 Version: 2.0.1.7 - Lenovo)
ooVoo (x32 Version: 2.2.4.25 - ooVoo LLC.)
Power2Go (x32 Version: 5.6.0.4809d4 - CyberLink Corp.)
QuickBooks (x32 Version: 21.0.4003.904 - Intuit Inc.) Hidden
QuickBooks Pro 2011 (x32 Version: 21.0.4003.904 - Intuit Inc.)
QuickTime (x32 Version: 7.69.80.9 - Apple Inc.)
Realtek Ethernet Controller Driver For Windows Vista and Later (x32 Version: 1.00.0009 - Realtek)
Realtek USB 2.0 Card Reader (x32 Version: 6.1.7600.30116 - Realtek Semiconductor Corp.)
SaveVid Plug-in (x32 Version: 2.0.0.107556 - Bandoo Media, Inc)
SaveVid Plug-in (x32 Version: 2.0.0.107556 - Bandoo Media, Inc) Hidden
Scan (x32 Version: 13.0.0.0 - Hewlett-Packard) Hidden
Shop for HP Supplies (Version: 13.0 - HP)
SmartWebPrinting (x32 Version: 130.0.457.000 - Hewlett-Packard) Hidden
SolutionCenter (x32 Version: 130.0.373.000 - Hewlett-Packard) Hidden
Status (x32 Version: 130.0.469.000 - Hewlett-Packard) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (Version: 15.0.25.0 - Synaptics Incorporated)
Toolbox (x32 Version: 130.0.648.000 - Hewlett-Packard) Hidden
TrayApp (x32 Version: 130.0.422.000 - Hewlett-Packard) Hidden
UnloadSupport (x32 Version: 11.0.0 - Hewlett-Packard) Hidden
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1 - Microsoft Corporation)
USB Storage Adapter FX/AT (WDC) (x32 Version:  - )
VeriFace (x32 Version: 3.6.0.1211 - Lenovo)
Video Download Capture V4.5.6 (x32 Version: 4.5.6 - Apowersoft)
Visual Studio 2008 x64 Redistributables (x32 Version: 10.0.0.2 - AVG Technologies)
VLC media player 2.0.1 (x32 Version: 2.0.1 - VideoLAN)
WebReg (x32 Version: 130.0.132.017 - Hewlett-Packard) Hidden
Western Digital USB Mass Storage Driver Installation (x32 Version: 6.03 - Western Digital Technologies, Inc.)
Windows Driver Package - Lenovo (ACPIVPC) System  (10/19/2009 5.4.0.1) (Version: 10/19/2009 5.4.0.1 - Lenovo)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (x32 Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3555.0308 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 15.4.3538.0513 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Sync (x32 Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Yahoo! Install Manager (x32 Version:  - )
Yahoo! Toolbar (x32 Version:  - )

==================== Restore Points  =========================

14-01-2014 19:57:52 C
15-01-2014 03:07:40 Windows Update
18-01-2014 20:58:51 Windows Update
22-01-2014 02:13:14 Windows Update
25-01-2014 20:29:46 Windows Update

==================== Hosts content: ==========================

2009-07-13 20:34 - 2009-06-10 15:00 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {2C7B5BB0-2992-433B-AC9F-E0545DC093B7} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-01-06] (Google Inc.)
Task: {3D9DA6C2-0500-4108-BD22-FE630E54FB76} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks
Task: {570022D7-AF4A-4AA4-A916-4F6FC35B1287} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {87DE5E2F-BEA3-441D-AEDE-F565DD56AFAE} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-01-06] (Google Inc.)
Task: {DDF1D5F9-30D7-477F-BCA7-93AF19085AE4} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {E80E35CE-BC71-4963-AAC8-D71E6BCCD58C} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-10] (Adobe Systems Incorporated)
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2010-09-24 01:36 - 2009-12-18 20:52 - 00201120 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect64.dll
2010-09-24 01:36 - 2009-12-18 20:53 - 00156576 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll64.dll
2010-09-24 01:38 - 2010-09-24 01:38 - 01502720 _____ () C:\windows\system32\IcnOvrly.dll
2010-01-02 08:42 - 2010-01-02 08:42 - 00098304 _____ () C:\Users\********** ********** **********\Downloads\FileZilla FTP Client\fzshellext_64.dll
2010-09-24 01:38 - 2010-09-24 01:38 - 00622592 _____ () C:\windows\system32\SimpleExt.dll
2010-09-24 01:52 - 2009-07-15 09:55 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\kbdhook.dll
2010-09-24 01:52 - 2009-07-15 09:55 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\HookLib.dll
2013-04-21 20:44 - 2013-04-21 20:44 - 00087952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2013-04-21 20:44 - 2013-04-21 20:44 - 01242952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2010-06-23 05:39 - 2010-06-23 05:39 - 00049152 _____ () C:\Program Files (x86)\DDNi\Oasis2Service 1.0\DdniCore.dll
2010-06-23 05:39 - 2010-06-23 05:39 - 00033280 _____ () C:\Program Files (x86)\DDNi\Oasis2Service 1.0\AspUpdate.dll
2010-09-24 01:36 - 2009-12-18 20:50 - 00161696 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect32.dll
2010-09-24 01:36 - 2009-12-18 20:51 - 00133024 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll32.dll
2010-09-24 01:38 - 2010-09-24 01:38 - 00492896 _____ () C:\Program Files (x86)\Lenovo\VeriFace\ChooseLang.dll
2013-10-18 17:55 - 2013-10-18 17:55 - 25100288 _____ () C:\Users\********** ********** **********\AppData\Roaming\Dropbox\bin\libcef.dll
2013-01-11 11:45 - 2013-01-11 11:45 - 00170496 _____ () C:\windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\d89f0252d910d617de1de783a812f840\IsdiInterop.ni.dll
2010-09-24 01:06 - 2010-03-03 14:08 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\Users\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\********** ********** **********\.DS_Store:AFP_AfpInfo

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

Name: HP LaserJet 600 M601
Description: HP LaserJet 600 M601
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: Hewlett-Packard
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (01/26/2014 06:32:56 AM) (Source: CVHSVC) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (01/25/2014 05:20:36 PM) (Source: CVHSVC) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (01/25/2014 03:01:21 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.17267, time stamp: 0x51317269
Faulting module name: mshtml.dll, version: 8.0.7600.17267, time stamp: 0x5131882e
Exception code: 0xc0000005
Fault offset: 0x000a111b
Faulting process id: 0x1710
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/25/2014 11:25:30 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: Flash64_11_9_900_170.ocx, version: 11.9.900.170, time stamp: 0x529b76a2
Exception code: 0xc0000005
Fault offset: 0x00000000002432d1
Faulting process id: 0x2c4
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (01/25/2014 00:31:55 AM) (Source: Application Hang) (User: )
Description: The program WINWORDC.EXE version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 23b4

Start Time: 01cf199678b30f77

Termination Time: 267

Application Path: Q:\140066.enu\Office14\WINWORDC.EXE

Report Id: d48033cf-8589-11e3-bdd9-88ae1dda9852

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 24

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 23

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 22

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 21

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 20

System errors:
=============
Error: (01/26/2014 00:46:21 PM) (Source: Service Control Manager) (User: )
Description: The ReadyComm.DirectRouter service failed to start due to the following error:
%%2

Error: (01/26/2014 00:44:11 PM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error:
%%4203

Error: (01/26/2014 07:14:20 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (01/26/2014 06:24:57 AM) (Source: Service Control Manager) (User: )
Description: The ReadyComm.DirectRouter service failed to start due to the following error:
%%2

Error: (01/26/2014 06:24:13 AM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80004005

Error: (01/26/2014 06:22:36 AM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error:
%%4203

Error: (01/26/2014 02:42:15 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.

Error: (01/26/2014 01:32:07 AM) (Source: Service Control Manager) (User: )
Description: The ReadyComm.DirectRouter service failed to start due to the following error:
%%2

Error: (01/26/2014 01:29:44 AM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error:
%%4203

Error: (01/25/2014 05:13:07 PM) (Source: Service Control Manager) (User: )
Description: The ReadyComm.DirectRouter service failed to start due to the following error:
%%2

Microsoft Office Sessions:
=========================
Error: (01/26/2014 06:32:56 AM) (Source: CVHSVC)(User: )
Description: (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (01/25/2014 05:20:36 PM) (Source: CVHSVC)(User: )
Description: (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (01/25/2014 03:01:21 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.1726751317269mshtml.dll8.0.7600.172675131882ec0000005000a111b171001cf1a0ff6e744acC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\SysWOW64\mshtml.dlld70957c3-8603-11e3-ba96-88ae1dda9852

Error: (01/25/2014 11:25:30 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc3c1Flash64_11_9_900_170.ocx11.9.900.170529b76a2c000000500000000002432d12c401cf19f0f5daecd1C:\windows\system32\svchost.exeC:\windows\system32\Macromed\Flash\Flash64_11_9_900_170.ocxaf5a3659-85e5-11e3-86c4-88ae1dda9852

Error: (01/25/2014 00:31:55 AM) (Source: Application Hang)(User: )
Description: WINWORDC.EXE0.0.0.023b401cf199678b30f77267Q:\140066.enu\Office14\WINWORDC.EXEd48033cf-8589-11e3-bdd9-88ae1dda9852

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 24

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 23

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 22

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 21

Error: (01/24/2014 10:08:35 PM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 20

CodeIntegrity Errors:
===================================
  Date: 2014-01-21 16:14:10.914
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\VNUSB.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-21 16:14:10.726
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\VNUSB.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-21 16:11:22.388
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\VNUSB.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-21 16:11:22.283
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\VNUSB.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-21 16:07:55.788
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\VNUSB.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-21 16:07:55.680
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\VNUSB.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Percentage of memory in use: 84%
Total physical RAM: 3894.85 MB
Available physical RAM: 600.32 MB
Total Pagefile: 7787.84 MB
Available Pagefile: 3326.5 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:254.14 GB) (Free:22.63 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:27.82 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 11361618)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=254 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=29 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=15 GB) - (Type=12)

==================== End Of Log ============================



#4 aharonov


  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 27 January 2014 - 09:16 AM

Hello,

The malware has patched a system file, so we need to find a clean replacement.
Because the malware tries to defend itself, let's work in the System Recovery Environment, where the malware doesn't run and therefore isn't able to interfere.



Please move FRST64.exe to a flash drive.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7, consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html




To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:
  • In the command window, type notepad and press Enter.
  • Notepad opens. Under the File menu, select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window, type e:\frst64 and press Enter.
    Note: Replace the letter e with the actual drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.


#5 mybcun

  • Topic Starter

  • Members
  • 25 posts

Posted 27 January 2014 - 05:04 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-01-2014 02
Ran by SYSTEM on MININT-G21KQI1 on 27-01-2014 15:32:12
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [521272 2010-03-21] (Conexant Systems, Inc.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2176296 2010-06-10] (Synaptics Incorporated)
HKLM\...\Run: [OnekeyStudio] - C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [776608 2009-12-18] (Lenovo)
HKLM\...\Run: [EnergyUtility] - C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4367808 2009-12-16] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] - C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [6988736 2009-12-16] (Lenovo (Beijing) Limited)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [331BigDog] - C:\Program Files (x86)\USB Camera\VM331_STI.EXE [536576 2010-01-15] (Vimicro)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35184 2008-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [VeriFaceManager] - C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [3122528 2010-09-23] (Lenovo)
HKLM-x32\...\Run: [UCam_Menu] - C:\Program Files (x86)\Lenovo\YouCam\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [YouCam Mirror Tray icon] - C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe [167008 2009-12-22] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] - C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [BrStsWnd] - C:\Program Files (x86)\Brownie\BrstsW64.exe [3695416 2009-06-11] (brother)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] - C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1443080 2010-09-27] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [hpqSRMon] - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [WDCBG] - C:\windows\WDCBG.EXE [118784 2004-08-02] (Cypress Semiconductor)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKLM-x32\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTY3MDE4Mjg1LVhPMTArMTItTElDKzItRkwxMCsxLVNQMSsxLVNQMVRCKzEtU1VQKzEtRERUKzM2NTM4LUREMTBGKzEtU1QxMEZBUFArMS1GMTBNMTJBTiszLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQk4rMS1GMTBNMTJCKzEtRlVJKzItVEJWVVBHKzEyLUYxME0xMkZUKzEtVEJOKzE"&"prod=90"&"ver=10.0.1424 [x]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\********** ********** **********\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKU\********** ********** **********\...\Run: [ReadyComm5] - C:\Program Files\Lenovo\ReadyComm\ReadyComm.exe [1501000 2009-09-22] (Lenovo Group Limited)
HKU\********** ********** **********\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-01-06] (Google Inc.)
HKU\********** ********** **********\...\Run: [Speech Recognition] - C:\windows\Speech\Common\sapisvr.exe [44544 2009-07-13] (Microsoft Corporation)
HKU\********** ********** **********\...\Run: [CompanionLink] - c:\program files (x86)\companionlink\companionlink.exe [53279744 2013-08-05] (CompanionLink Software, Inc.)
HKU\Default\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKU\Default\...\RunOnce: [WLStart] - C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
HKU\Default User\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKU\Default User\...\RunOnce: [WLStart] - C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$ationary Envelope Template.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$cebook.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$ent File Labels.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$ochure Envelope Template.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$uare Envelope Address.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~WRL0406.tmp ()

==================== Services (Whitelisted) =================

S3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-06-23] ()
S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)

==================== Drivers (Whitelisted) ====================

S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-31] (Research In Motion Limited)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [30336 2007-01-18] (Research in Motion Ltd)
S3 vm331avs; C:\Windows\System32\Drivers\vm331avs.sys [215168 2010-03-18] (Vimicro Corporation)
S3 VNUSB; C:\Windows\System32\Drivers\VNUSB.sys [22528 2009-09-29] (OLYMPUS IMAGING CORP.)
S3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
S3 BcmSqlStartupSvc;
S2 IviRegMgr;
S2 RichVideo;
S3 SQLWriter;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-01-26 16:06 - 2014-01-26 16:06 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{09FB0A53-2CB6-49C7-8450-49E1CF7472A9}
2014-01-26 10:50 - 2014-01-26 10:50 - 00000000 ____D C:\Users\********** ********** **********\Desktop\FRST-OlderVersion
2014-01-24 15:11 - 2014-01-26 11:57 - 00027450 _____ C:\Users\********** ********** **********\Desktop\Addition.txt
2014-01-24 15:08 - 2014-01-26 11:00 - 00036164 _____ C:\Users\********** ********** **********\Desktop\FRST.txt
2014-01-24 15:08 - 2014-01-26 10:50 - 00000000 ____D C:\FRST
2014-01-22 18:27 - 2014-01-22 18:28 - 00113224 _____ C:\Users\********** ********** **********\g2ax_customer_downloadhelper_win32_x86.exe
2014-01-22 01:40 - 2014-01-27 13:17 - 00262964 _____ C:\FaceProv.log
2014-01-22 00:40 - 2014-01-22 00:40 - 00000909 _____ C:\Users\********** ********** **********\Desktop\Movie Maker.lnk
2014-01-22 00:40 - 2014-01-22 00:40 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\WMTools Downloaded Files
2014-01-19 15:55 - 2014-01-19 15:55 - 00000000 _____ C:\Windows\SysWOW64\shoB50D.tmp
2014-01-18 13:49 - 2014-01-18 14:22 - 00012292 ____H C:\Users\********** ********** **********\.DS_Store
2014-01-18 13:49 - 2014-01-18 13:49 - 00006148 ____H C:\users\.DS_Store
2014-01-14 11:56 - 2014-01-22 13:28 - 00002822 _____ C:\Windows\wininit.ini
2014-01-13 23:05 - 2014-01-13 23:05 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2014-01-13 23:04 - 2014-01-22 13:32 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-01-13 23:04 - 2014-01-22 13:28 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2014-01-13 13:49 - 2014-01-13 13:50 - 00000000 ____D C:\Program Files\Blackberry
2014-01-13 00:04 - 2014-01-13 00:04 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2014-01-12 23:49 - 2014-01-12 23:50 - 00003014 _____ C:\Windows\SysWOW64\TEST.log
2014-01-10 13:16 - 2014-01-10 13:16 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{9CA8C879-7898-4D58-874A-7223B483B5DC}
2014-01-10 13:04 - 2014-01-10 13:19 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Nico Mak Computing
2014-01-10 13:03 - 2014-01-10 13:19 - 00000000 ____D C:\Program Files (x86)\WinZip Registry Optimizer
2014-01-10 13:03 - 2013-07-10 15:49 - 00019120 _____ (WinZip Computing, S.L.(WinZip Computing)) C:\Windows\System32\roboot64.exe
2014-01-09 18:10 - 2014-01-09 18:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\MFAData
2014-01-09 18:10 - 2014-01-09 18:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\Avg2014
2014-01-09 10:05 - 2014-01-09 18:45 - 00000000 ____D C:\ProgramData\AVAST Software
2014-01-06 20:26 - 2014-01-06 20:27 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{D5852B08-F8B0-4FDF-A70B-191039108B9E}
2014-01-06 08:24 - 2014-01-06 08:25 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{CBD003B9-3C8F-4B1F-8DD0-FD55B4DC4D86}
2014-01-05 16:54 - 2014-01-05 16:55 - 00000081 _____ C:\Users\********** ********** **********\AppData\Roaming\mbam.context.scan
2014-01-05 03:57 - 2014-01-05 03:57 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Malwarebytes
2014-01-05 03:54 - 2014-01-05 03:54 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-02 14:09 - 2014-01-02 14:09 - 00037376 _____ C:\Windows\System32\gugg.hon
2014-01-02 12:25 - 2014-01-27 12:56 - 00000084 _____ C:\Windows\System32\ooojeph.yfd
2014-01-02 12:15 - 2014-01-02 14:09 - 00000095 _____ C:\Windows\System32\jifvjwy.gxh
2014-01-02 12:15 - 2014-01-02 12:15 - 00000064 _____ C:\Windows\System32\hcqxjab.muv
2014-01-02 11:59 - 2014-01-02 11:59 - 00219314 ____S C:\Windows\System32\arkxq.bwx
2013-12-28 11:29 - 2013-12-28 11:29 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{C649D499-4071-4566-B4A3-246389518592}

==================== One Month Modified Files and Folders =======

2014-01-27 13:17 - 2014-01-22 01:40 - 00262964 _____ C:\FaceProv.log
2014-01-27 13:17 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-27 13:16 - 2009-07-13 20:51 - 00149722 _____ C:\Windows\setupact.log
2014-01-27 13:11 - 2010-12-04 01:17 - 00000334 _____ C:\Windows\Brownie.ini
2014-01-27 13:11 - 2010-09-23 22:58 - 02088886 _____ C:\Windows\WindowsUpdate.log
2014-01-27 13:09 - 2009-07-13 21:13 - 00727334 _____ C:\Windows\System32\PerfStringBackup.INI
2014-01-27 12:56 - 2014-01-02 12:25 - 00000084 _____ C:\Windows\System32\ooojeph.yfd
2014-01-27 12:52 - 2009-07-13 20:45 - 00013632 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-27 12:52 - 2009-07-13 20:45 - 00013632 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-27 12:49 - 2013-07-19 12:57 - 00000000 ___RD C:\Users\********** ********** **********\Dropbox
2014-01-27 12:49 - 2013-07-19 12:50 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Dropbox
2014-01-27 12:47 - 2011-01-06 14:40 - 00000922 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-27 12:47 - 2010-09-23 23:38 - 00000000 ____D C:\ProgramData\VeriFace
2014-01-26 22:53 - 2010-12-04 22:43 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\SoftGrid Client
2014-01-26 22:40 - 2011-01-06 14:40 - 00000926 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-26 22:35 - 2012-10-20 19:46 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-26 20:48 - 2010-12-04 01:21 - 00000426 _____ C:\Windows\BRWMARK.INI
2014-01-26 19:40 - 2013-11-30 13:59 - 00000000 ____D C:\Users\********** ********** **********\Desktop\*************** Projects
2014-01-26 19:15 - 2011-04-01 11:40 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\CrashDumps
2014-01-26 16:08 - 2012-04-05 10:17 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\vlc
2014-01-26 16:06 - 2014-01-26 16:06 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{09FB0A53-2CB6-49C7-8450-49E1CF7472A9}
2014-01-26 11:57 - 2014-01-24 15:11 - 00027450 _____ C:\Users\********** ********** **********\Desktop\Addition.txt
2014-01-26 11:00 - 2014-01-24 15:08 - 00036164 _____ C:\Users\********** ********** **********\Desktop\FRST.txt
2014-01-26 10:50 - 2014-01-26 10:50 - 00000000 ____D C:\Users\********** ********** **********\Desktop\FRST-OlderVersion
2014-01-26 10:50 - 2014-01-24 15:08 - 00000000 ____D C:\FRST
2014-01-25 23:29 - 2009-07-13 21:08 - 00032654 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-24 22:30 - 2012-10-17 14:37 - 00000000 ____D C:\Users\********** ********** **********\Desktop\TO BE READ ONLY UPON MY PASSING
2014-01-24 22:21 - 2013-11-30 14:03 - 00000000 ____D C:\Users\********** ********** **********\Desktop\*************** Projects
2014-01-24 22:16 - 2010-11-29 18:22 - 00002239 _____ C:\Users\********** ********** **********\Desktop\OneKey Recovery.lnk
2014-01-24 21:11 - 2013-11-03 03:01 - 00000000 ____D C:\Users\********** ********** **********\Desktop\For Other Storge Locations
2014-01-24 21:10 - 2013-11-30 14:04 - 00000000 ____D C:\Users\********** ********** **********\Desktop\*************** Projects
2014-01-24 15:33 - 2011-03-22 16:26 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\Windows Live
2014-01-23 08:22 - 2010-09-23 23:37 - 01539982 _____ C:\Windows\PFRO.log
2014-01-22 22:51 - 2013-07-05 10:26 - 00000000 ____D C:\Program Files (x86)\Citrix
2014-01-22 19:41 - 2012-04-06 07:35 - 00000000 ____D C:\***************
2014-01-22 18:28 - 2014-01-22 18:27 - 00113224 _____ C:\Users\********** ********** **********\g2ax_customer_downloadhelper_win32_x86.exe
2014-01-22 18:27 - 2010-11-29 18:22 - 00000000 ____D C:\users\********** ********** **********
2014-01-22 13:44 - 2011-09-11 20:07 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\FileZilla
2014-01-22 13:32 - 2014-01-13 23:04 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-01-22 13:28 - 2014-01-14 11:56 - 00002822 _____ C:\Windows\wininit.ini
2014-01-22 13:28 - 2014-01-13 23:04 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2014-01-22 00:40 - 2014-01-22 00:40 - 00000909 _____ C:\Users\********** ********** **********\Desktop\Movie Maker.lnk
2014-01-22 00:40 - 2014-01-22 00:40 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\WMTools Downloaded Files
2014-01-22 00:40 - 2010-12-06 22:34 - 00000000 ____D C:\Movie Maker
2014-01-22 00:32 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Microsoft Games
2014-01-20 16:07 - 2012-04-16 08:14 - 00083944 _____ C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
2014-01-19 15:55 - 2014-01-19 15:55 - 00000000 _____ C:\Windows\SysWOW64\shoB50D.tmp
2014-01-18 23:33 - 2011-03-14 04:44 - 00270496 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2014-01-18 14:22 - 2014-01-18 13:49 - 00012292 ____H C:\Users\********** ********** **********\.DS_Store
2014-01-18 13:49 - 2014-01-18 13:49 - 00006148 ____H C:\users\.DS_Store
2014-01-15 23:36 - 2013-11-27 20:04 - 00000000 ____D C:\Users\********** ********** **********\Desktop\Lists
2014-01-15 20:24 - 2011-10-24 20:45 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2014-01-14 19:17 - 2013-07-15 23:25 - 00000000 ____D C:\Windows\System32\MRT
2014-01-14 19:09 - 2011-03-22 17:33 - 86054176 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-01-13 23:05 - 2014-01-13 23:05 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2014-01-13 13:50 - 2014-01-13 13:49 - 00000000 ____D C:\Program Files\Blackberry
2014-01-13 12:22 - 2012-03-27 08:56 - 00000000 ____D C:\Users\********** ********** **********\Desktop\Intuit
2014-01-13 00:04 - 2014-01-13 00:04 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2014-01-12 23:53 - 2011-01-06 15:15 - 00000000 ____D C:\Program Files (x86)\QuickTime
2014-01-12 23:50 - 2014-01-12 23:49 - 00003014 _____ C:\Windows\SysWOW64\TEST.log
2014-01-10 13:19 - 2014-01-10 13:04 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Nico Mak Computing
2014-01-10 13:19 - 2014-01-10 13:03 - 00000000 ____D C:\Program Files (x86)\WinZip Registry Optimizer
2014-01-10 13:16 - 2014-01-10 13:16 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{9CA8C879-7898-4D58-874A-7223B483B5DC}
2014-01-09 18:45 - 2014-01-09 10:05 - 00000000 ____D C:\ProgramData\AVAST Software
2014-01-09 18:29 - 2010-09-23 23:16 - 00037652 _____ C:\Windows\DPINST.LOG
2014-01-09 18:13 - 2011-03-14 02:20 - 00000000 ____D C:\ProgramData\MFAData
2014-01-09 18:10 - 2014-01-09 18:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\MFAData
2014-01-09 18:10 - 2014-01-09 18:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\Avg2014
2014-01-09 14:46 - 2013-07-19 12:57 - 00001069 _____ C:\Users\********** ********** **********\Desktop\Dropbox.lnk
2014-01-08 02:13 - 2011-09-11 20:07 - 00000000 ____D C:\Users\********** ********** **********\Downloads\FileZilla FTP Client
2014-01-07 06:49 - 2011-08-03 09:02 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Apple Computer
2014-01-06 20:27 - 2014-01-06 20:26 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{D5852B08-F8B0-4FDF-A70B-191039108B9E}
2014-01-06 08:25 - 2014-01-06 08:24 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{CBD003B9-3C8F-4B1F-8DD0-FD55B4DC4D86}
2014-01-05 16:55 - 2014-01-05 16:54 - 00000081 _____ C:\Users\********** ********** **********\AppData\Roaming\mbam.context.scan
2014-01-05 09:40 - 2013-07-05 11:32 - 00000000 ____D C:\GMutils
2014-01-05 04:34 - 2012-12-29 09:00 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\DefaultTab
2014-01-05 03:57 - 2014-01-05 03:57 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Malwarebytes
2014-01-05 03:54 - 2014-01-05 03:54 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-03 19:28 - 2013-10-29 11:05 - 00110592 ___SH C:\Users\********** ********** **********\Thumbs.db
2014-01-02 14:09 - 2014-01-02 14:09 - 00037376 _____ C:\Windows\System32\gugg.hon
2014-01-02 14:09 - 2014-01-02 12:15 - 00000095 _____ C:\Windows\System32\jifvjwy.gxh
2014-01-02 12:15 - 2014-01-02 12:15 - 00000064 _____ C:\Windows\System32\hcqxjab.muv
2014-01-02 11:59 - 2014-01-02 11:59 - 00219314 ____S C:\Windows\System32\arkxq.bwx
2014-01-01 16:37 - 2011-03-25 16:11 - 01685504 ___SH C:\Users\********** ********** **********\Documents\Thumbs.db
2013-12-28 11:29 - 2013-12-28 11:29 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{C649D499-4071-4566-B4A3-246389518592}

Files to move or delete:
====================
C:\Users\********** ********** **********\g2ax_customer_downloadhelper_win32_x86.exe

Some content of TEMP:
====================
C:\Users\********** ********** **********\AppData\Local\Temp\IeSearchProvider.exe
C:\Users\********** ********** **********\AppData\Local\Temp\Installhelper.dll
C:\Users\********** ********** **********\AppData\Local\Temp\Intuit.Spc.Map.EntitlementClient.Install.dll
C:\Users\********** ********** **********\AppData\Local\Temp\qbinstal.dll
C:\Users\********** ********** **********\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll
C:\Users\********** ********** **********\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\********** ********** **********\AppData\Local\Temp\stlport_r50.dll
C:\Users\********** ********** **********\AppData\Local\Temp\tmpF3FF.exe
C:\Users\********** ********** **********\AppData\Local\Temp\tmpFDF5.exe
C:\Users\********** ********** **********\AppData\Local\Temp\updater_uninstall.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0510464 ____A (Microsoft Corporation) 97F4CE881800A0F6B499B27CCA7F9B71

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-01-14 11:58:06
Restore point made on: 2014-01-14 19:08:14
Restore point made on: 2014-01-18 12:59:24
Restore point made on: 2014-01-21 18:14:44
Restore point made on: 2014-01-25 12:30:11

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3894.85 MB
Available physical RAM: 3217.87 MB
Total Pagefile: 3893 MB
Available Pagefile: 3275.35 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:254.14 GB) (Free:22.33 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:27.82 GB) NTFS
Drive g: (USB20FD) (Removable) (Total:30.46 GB) (Free:0.42 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:0.2 GB) (Free:0.15 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 11361618)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=254 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=29 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=15 GB) - (Type=12)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 30 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=30 GB) - (Type=0C)

LastRegBack: 2014-01-12 16:06

==================== End Of Log ============================



#6 aharonov


  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 28 January 2014 - 02:02 PM

All right. Now let's search for a clean replacement file:
Start your computer in the System Recovery Options again and open FRST.

  • Write the following text into the Search: textbox:
    rpcss.dll
  • Click on the Search File(s) button.
  • When the search is finished, a log file (Search.txt) is saved on your flash drive.
    Copy and paste it in your next reply.


#7 mybcun

  • Topic Starter

  • Members
  • 25 posts

Posted 28 January 2014 - 03:33 PM

Here's the Search.txt log, as requested:

 

Farbar Recovery Scan Tool (x64) Version: 26-01-2014 02
Ran by SYSTEM at 2014-01-28 14:19:06
Running from G:\
Boot Mode: Recovery

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0510464 ____A (Microsoft Corporation) 97F4CE881800A0F6B499B27CCA7F9B71

X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

====== End Of Search ======



#8 aharonov

  • Malware Response Team

Posted 28 January 2014 - 04:12 PM

It looks like we are lucky. There is a clean copy of this infected file that we can use for replacement.


Step 1

Please download the attached fixlist.txt and save it on the same flash drive as FRST.

  • Plug in the flash drive to the infected computer, enter the System Recovery Options and open FRST.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) is saved on the flash drive.
    Please copy and paste its contents in your next reply.

Step 2

Boot the computer into normal mode.
Start FRST with administrator privileges.

  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.

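The decision above rests on comparing the copies the search turned up: the two WinSxS component-store copies and the X:\ System32 copy share one size and MD5, while C:\Windows\System32\rpcss.dll is 1024 bytes larger with a different hash. As an added example (not code from this thread or from FRST), this Python script parses that Search.txt format, takes the component-store hash as the reference, flags any copy that disagrees, and emits the `Replace: <clean source> <target>` directive in the form FRST's fixlist uses. The embedded sample log is copied from the Search.txt posted above; `reference_hash` also refuses to pick a winner when copies tie, which is the case the majority-vote shortcut gets wrong.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the Search.txt posted earlier in this thread.
SEARCH_TXT = r"""
================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0510464 ____A (Microsoft Corporation) 97F4CE881800A0F6B499B27CCA7F9B71

X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

====== End Of Search ======
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Detail line layout: "[created] - [modified] - size attributes (signer) MD5"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_search_log(text):
    """Parse FRST Search.txt output into file records (dicts). Each hit is a
    path line followed by one detail line; banners and blanks are skipped."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is None:
            pending = line if PATH_RE.match(line) else None
            continue
        m = DETAIL_RE.match(line)
        if m is None:  # path without a detail line (directory hit): drop it
            pending = line if PATH_RE.match(line) else None
            continue
        rec = m.groupdict()
        rec["path"], rec["size"], rec["md5"] = pending, int(rec["size"]), rec["md5"].upper()
        records.append(rec)
        pending = None
    return records

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _in_component_store(path):
    return "\\winsxs\\" in path.lower()

def reference_hash(group):
    """Hash to trust for one file name: prefer WinSxS component-store copies
    (what Windows servicing itself restores from), else the majority hash.
    Returns None on a tie, since nothing then justifies calling a copy clean."""
    store = [r["md5"] for r in group if _in_component_store(r["path"])]
    ranked = Counter(store or [r["md5"] for r in group]).most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]

def suspicious_copies(records):
    """(record, reference_md5) for every copy whose MD5 differs from the
    reference hash of its file name."""
    groups = defaultdict(list)
    for r in records:
        groups[_basename(r["path"])].append(r)
    flagged = []
    for group in groups.values():
        ref = reference_hash(group)
        if ref is not None:
            flagged += [(r, ref) for r in group if r["md5"] != ref]
    return flagged

def fixlist_replace_lines(records):
    """FRST 'Replace: <clean source> <target>' directives (the form used in the
    fixlist in this thread), sourcing from a same-drive copy that carries the
    reference hash and preferring the component store."""
    lines = []
    for bad, ref in suspicious_copies(records):
        same = [r for r in records
                if r["md5"] == ref and r["path"] != bad["path"]
                and _basename(r["path"]) == _basename(bad["path"])
                and r["path"][:2].upper() == bad["path"][:2].upper()]
        same.sort(key=lambda r: not _in_component_store(r["path"]))
        if same:
            lines.append(f"Replace: {same[0]['path']} {bad['path']}")
    return lines

if __name__ == "__main__":
    recs = parse_search_log(SEARCH_TXT)
    for r, ref in suspicious_copies(recs):
        print(f"MISMATCH {r['path']}: size={r['size']} md5={r['md5']} (reference {ref})")
    print("\n".join(fixlist_replace_lines(recs)))
```

Run against the sample it flags only C:\Windows\System32\rpcss.dll and prints the same Replace: line that the Fixlog in this thread shows being applied.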

#9 mybcun

  • Topic Starter

Posted 28 January 2014 - 05:15 PM

Here you go:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-01-2014 02
Ran by SYSTEM at 2014-01-28 15:56:33 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll
2014-01-02 14:09 - 2014-01-02 14:09 - 00037376 _____ C:\Windows\System32\gugg.hon
2014-01-02 14:09 - 2014-01-02 12:15 - 00000095 _____ C:\Windows\System32\jifvjwy.gxh
2014-01-02 12:15 - 2014-01-02 12:15 - 00000064 _____ C:\Windows\System32\hcqxjab.muv
2014-01-02 11:59 - 2014-01-02 11:59 - 00219314 ____S C:\Windows\System32\arkxq.bwx
2014-01-27 12:56 - 2014-01-02 12:25 - 00000084 _____ C:\Windows\System32\ooojeph.yfd
*****************

C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
C:\Windows\System32\gugg.hon => Moved successfully.
C:\Windows\System32\jifvjwy.gxh => Moved successfully.
C:\Windows\System32\hcqxjab.muv => Moved successfully.
C:\Windows\System32\arkxq.bwx => Moved successfully.
C:\Windows\System32\ooojeph.yfd => Moved successfully.

==== End of Fixlog ====

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-01-2014 02
Ran by ********** ********** ********** (administrator) on ******************** on 28-01-2014 16:01:55
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
() C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(ooVoo LLC) C:\Program Files (x86)\ooVoo\ooVoo.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ReadyComm\ReadyComm.exe
(Microsoft Corporation) C:\Windows\Speech\Common\sapisvr.exe
() C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ReadyComm\AppSvc.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ReadyComm\BTSvc.exe
(CompanionLink Software, Inc.) C:\Program Files (x86)\CompanionLink\CompanionLink.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Vimicro) C:\Program Files (x86)\USB Camera\VM331_STI.EXE
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
(Lenovo) C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe
(OLYMPUS IMAGING CORP.) C:\Program Files (x86)\Olympus\DeviceDetector\DevDtct2.exe
(brother) C:\Program Files (x86)\Brownie\BrStsW64.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(Dropbox, Inc.) C:\Users\********** ********** **********\AppData\Roaming\Dropbox\bin\Dropbox.exe
(brother) C:\Program Files (x86)\Brownie\brpjp04a.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
(Cypress Semiconductor) C:\Windows\wdcbg.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [521272 2010-03-21] (Conexant Systems, Inc.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2176296 2010-06-10] (Synaptics Incorporated)
HKLM\...\Run: [OnekeyStudio] - C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [776608 2009-12-18] (Lenovo)
HKLM\...\Run: [EnergyUtility] - C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4367808 2009-12-17] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] - C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [6988736 2009-12-17] (Lenovo (Beijing) Limited)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [331BigDog] - C:\Program Files (x86)\USB Camera\VM331_STI.EXE [536576 2010-01-15] (Vimicro)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35184 2008-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [VeriFaceManager] - C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [3122528 2010-09-24] (Lenovo)
HKLM-x32\...\Run: [UCam_Menu] - C:\Program Files (x86)\Lenovo\YouCam\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [YouCam Mirror Tray icon] - C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe [167008 2009-12-22] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] - C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [BrStsWnd] - C:\Program Files (x86)\Brownie\BrstsW64.exe [3695416 2009-06-11] (brother)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] - C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1443080 2010-09-27] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [hpqSRMon] - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [WDCBG] - C:\windows\WDCBG.EXE [118784 2004-08-02] (Cypress Semiconductor)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKLM-x32\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTY3MDE4Mjg1LVhPMTArMTItTElDKzItRkwxMCsxLVNQMSsxLVNQMVRCKzEtU1VQKzEtRERUKzM2NTM4LUREMTBGKzEtU1QxMEZBUFArMS1GMTBNMTJBTiszLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQk4rMS1GMTBNMTJCKzEtRlVJKzItVEJWVVBHKzEyLUYxME0xMkZUKzEtVEJOKzE"&"prod=90"&"ver=10.0.1424 [x]
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKCU\...\Run: [ReadyComm5] - C:\Program Files\Lenovo\ReadyComm\ReadyComm.exe [1501000 2009-09-22] (Lenovo Group Limited)
HKCU\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-01-06] (Google Inc.)
HKCU\...\Run: [Speech Recognition] - C:\windows\Speech\Common\sapisvr.exe [44544 2009-07-13] (Microsoft Corporation)
HKCU\...\Run: [CompanionLink] - c:\program files (x86)\companionlink\companionlink.exe [53279744 2013-08-05] (CompanionLink Software, Inc.)
HKU\Default\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKU\Default\...\RunOnce: [WLStart] - C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
HKU\Default User\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKU\Default User\...\RunOnce: [WLStart] - C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\********** ********** **********\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$ationary Envelope Template.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$cebook.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$ent File Labels.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$ochure Envelope Template.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$uare Envelope Address.doc ()
Startup: C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~WRL0406.tmp ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x46D26D77B375CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://www.google.com/
URLSearchHook: HKCU - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&q={searchTerms}
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO-x32: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/x64/ractrl.cab?lmi=722
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=724
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler-x32: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{E5A5D7C3-ABFE-437E-977C-BB7F14CFF7A9}: [NameServer]4.2.2.2,4.2.2.3

Chrome:
=======
CHR HomePage: hxxp://www.searchqu.com/405
CHR DefaultSearchProvider: Search Results
CHR DefaultSearchURL: http://dts.search-results.com/sr?src=crb&appid=0&systemid=405&q={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.41\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.41\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.41\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.270.7) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U27) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-04-05]
CHR Extension: (Google Search) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-04-05]
CHR Extension: (avast! Online Security) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-01-09]
CHR Extension: (Google Wallet) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-09]
CHR Extension: (Gmail) - C:\Users\********** ********** **********\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-04-05]

==================== Services (Whitelisted) =================

R3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
R3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
R3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-06-23] ()
S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)

==================== Drivers (Whitelisted) ====================

S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-31] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [30336 2007-01-18] (Research in Motion Ltd)
R3 vm331avs; C:\Windows\System32\Drivers\vm331avs.sys [215168 2010-03-18] (Vimicro Corporation)
S3 VNUSB; C:\Windows\System32\Drivers\VNUSB.sys [22528 2009-09-29] (OLYMPUS IMAGING CORP.)
R3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
U3 BcmSqlStartupSvc;
U2 IviRegMgr;
U2 RichVideo;
U3 SQLWriter;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-01-27 16:09 - 2014-01-27 16:09 - 00000000 ____D C:\Users\********** ********** **********\Documents\Digital Wave Player
2014-01-26 18:06 - 2014-01-26 18:06 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{09FB0A53-2CB6-49C7-8450-49E1CF7472A9}
2014-01-26 12:50 - 2014-01-26 12:50 - 00000000 ____D C:\Users\********** ********** **********\Desktop\FRST-OlderVersion
2014-01-24 17:11 - 2014-01-26 13:57 - 00027450 _____ C:\Users\********** ********** **********\Desktop\Addition.txt
2014-01-24 17:08 - 2014-01-26 13:00 - 00036164 _____ C:\Users\********** ********** **********\Desktop\FRST.txt
2014-01-24 17:08 - 2014-01-26 12:50 - 00000000 ____D C:\FRST
2014-01-22 20:27 - 2014-01-22 20:28 - 00113224 _____ C:\Users\********** ********** **********\g2ax_customer_downloadhelper_win32_x86.exe
2014-01-22 03:40 - 2014-01-28 15:59 - 00335390 _____ C:\FaceProv.log
2014-01-22 02:40 - 2014-01-22 02:40 - 00000909 _____ C:\Users\********** ********** **********\Desktop\Movie Maker.lnk
2014-01-22 02:40 - 2014-01-22 02:40 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\WMTools Downloaded Files
2014-01-19 17:55 - 2014-01-19 17:55 - 00000000 _____ C:\windows\SysWOW64\shoB50D.tmp
2014-01-18 15:49 - 2014-01-18 16:22 - 00012292 ____H C:\Users\********** ********** **********\.DS_Store
2014-01-18 15:49 - 2014-01-18 15:49 - 00006148 ____H C:\Users\.DS_Store
2014-01-14 13:56 - 2014-01-22 15:28 - 00002822 _____ C:\windows\wininit.ini
2014-01-14 01:05 - 2014-01-14 01:05 - 00000000 ____D C:\windows\System32\Tasks\Safer-Networking
2014-01-14 01:04 - 2014-01-22 15:32 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-01-14 01:04 - 2014-01-22 15:28 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2014-01-13 15:49 - 2014-01-13 15:50 - 00000000 ____D C:\Program Files\Blackberry
2014-01-13 02:04 - 2014-01-13 02:04 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2014-01-13 01:49 - 2014-01-13 01:50 - 00003014 _____ C:\windows\SysWOW64\TEST.log
2014-01-10 15:16 - 2014-01-10 15:16 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{9CA8C879-7898-4D58-874A-7223B483B5DC}
2014-01-10 15:04 - 2014-01-10 15:19 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Nico Mak Computing
2014-01-10 15:03 - 2014-01-10 15:19 - 00000000 ____D C:\Program Files (x86)\WinZip Registry Optimizer
2014-01-10 15:03 - 2013-07-10 17:49 - 00019120 _____ (WinZip Computing, S.L.(WinZip Computing)) C:\windows\system32\roboot64.exe
2014-01-09 20:10 - 2014-01-09 20:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\MFAData
2014-01-09 20:10 - 2014-01-09 20:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\Avg2014
2014-01-09 12:05 - 2014-01-09 20:45 - 00000000 ____D C:\ProgramData\AVAST Software
2014-01-06 22:26 - 2014-01-06 22:27 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{D5852B08-F8B0-4FDF-A70B-191039108B9E}
2014-01-06 10:24 - 2014-01-06 10:25 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{CBD003B9-3C8F-4B1F-8DD0-FD55B4DC4D86}
2014-01-05 18:54 - 2014-01-05 18:55 - 00000081 _____ C:\Users\********** ********** **********\AppData\Roaming\mbam.context.scan
2014-01-05 05:57 - 2014-01-05 05:57 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Malwarebytes
2014-01-05 05:54 - 2014-01-05 05:54 - 00000000 ____D C:\ProgramData\Malwarebytes

==================== One Month Modified Files and Folders =======

2014-01-28 16:00 - 2013-07-19 14:50 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Dropbox
2014-01-28 16:00 - 2010-12-04 03:17 - 00000386 _____ C:\windows\Brownie.ini
2014-01-28 16:00 - 2010-09-24 01:38 - 00000000 ____D C:\ProgramData\VeriFace
2014-01-28 15:59 - 2014-01-22 03:40 - 00335390 _____ C:\FaceProv.log
2014-01-28 15:59 - 2011-01-06 16:40 - 00000922 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-28 15:57 - 2009-07-13 23:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2014-01-28 15:57 - 2009-07-13 22:51 - 00150282 _____ C:\windows\setupact.log
2014-01-28 15:51 - 2010-09-24 00:58 - 01086939 _____ C:\windows\WindowsUpdate.log
2014-01-28 15:40 - 2011-01-06 16:40 - 00000926 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-28 15:38 - 2009-07-13 23:13 - 00727334 _____ C:\windows\system32\PerfStringBackup.INI
2014-01-28 15:35 - 2012-10-20 21:46 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2014-01-28 15:03 - 2011-10-24 22:45 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2014-01-28 14:45 - 2013-11-30 15:59 - 00000000 ____D C:\Users\********** ********** **********\Desktop\*************** Projects
2014-01-28 14:38 - 2009-07-13 22:45 - 00013632 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-28 14:38 - 2009-07-13 22:45 - 00013632 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-28 14:29 - 2013-07-19 14:57 - 00000000 ___RD C:\Users\********** ********** **********\Dropbox
2014-01-28 01:21 - 2010-12-05 00:43 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\SoftGrid Client
2014-01-27 23:51 - 2010-12-07 00:33 - 00000000 ____D C:\Olympus
2014-01-27 22:10 - 2013-11-30 16:04 - 00000000 ____D C:\Users\********** ********** **********\Desktop\*************** Projects
2014-01-27 21:00 - 2013-11-03 05:01 - 00000000 ____D C:\Users\********** ********** **********\Desktop\For Other Storge Locations
2014-01-27 16:09 - 2014-01-27 16:09 - 00000000 ____D C:\Users\********** ********** **********\Documents\Digital Wave Player
2014-01-27 15:57 - 2011-04-01 13:40 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\CrashDumps
2014-01-26 22:48 - 2010-12-04 03:21 - 00000426 _____ C:\windows\BRWMARK.INI
2014-01-26 18:08 - 2012-04-05 12:17 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\vlc
2014-01-26 18:06 - 2014-01-26 18:06 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{09FB0A53-2CB6-49C7-8450-49E1CF7472A9}
2014-01-26 13:57 - 2014-01-24 17:11 - 00027450 _____ C:\Users\********** ********** **********\Desktop\Addition.txt
2014-01-26 13:00 - 2014-01-24 17:08 - 00036164 _____ C:\Users\********** ********** **********\Desktop\FRST.txt
2014-01-26 12:50 - 2014-01-26 12:50 - 00000000 ____D C:\Users\********** ********** **********\Desktop\FRST-OlderVersion
2014-01-26 12:50 - 2014-01-24 17:08 - 00000000 ____D C:\FRST
2014-01-26 01:29 - 2009-07-13 23:08 - 00032654 _____ C:\windows\Tasks\SCHEDLGU.TXT
2014-01-25 00:21 - 2013-11-30 16:03 - 00000000 ____D C:\Users\********** ********** **********\Desktop\*************** Projects
2014-01-25 00:16 - 2010-11-29 20:22 - 00002239 _____ C:\Users\********** ********** **********\Desktop\OneKey Recovery.lnk
2014-01-24 17:33 - 2011-03-22 18:26 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\Windows Live
2014-01-23 10:22 - 2010-09-24 01:37 - 01539982 _____ C:\windows\PFRO.log
2014-01-23 00:51 - 2013-07-05 12:26 - 00000000 ____D C:\Program Files (x86)\Citrix
2014-01-22 21:41 - 2012-04-06 09:35 - 00000000 ____D C:\***************
2014-01-22 20:28 - 2014-01-22 20:27 - 00113224 _____ C:\Users\********** ********** **********\g2ax_customer_downloadhelper_win32_x86.exe
2014-01-22 20:27 - 2010-11-29 20:22 - 00000000 ____D C:\Users\********** ********** **********
2014-01-22 15:44 - 2011-09-11 22:07 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\FileZilla
2014-01-22 15:32 - 2014-01-14 01:04 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-01-22 15:28 - 2014-01-14 13:56 - 00002822 _____ C:\windows\wininit.ini
2014-01-22 15:28 - 2014-01-14 01:04 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2014-01-22 02:40 - 2014-01-22 02:40 - 00000909 _____ C:\Users\********** ********** **********\Desktop\Movie Maker.lnk
2014-01-22 02:40 - 2014-01-22 02:40 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\WMTools Downloaded Files
2014-01-22 02:40 - 2010-12-07 00:34 - 00000000 ____D C:\Movie Maker
2014-01-22 02:32 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files\Microsoft Games
2014-01-20 18:07 - 2012-04-16 10:14 - 00083944 _____ C:\windows\SysWOW64\GDIPFONTCACHEV1.DAT
2014-01-19 17:55 - 2014-01-19 17:55 - 00000000 _____ C:\windows\SysWOW64\shoB50D.tmp
2014-01-19 01:33 - 2011-03-14 06:44 - 00270496 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-01-18 16:22 - 2014-01-18 15:49 - 00012292 ____H C:\Users\********** ********** **********\.DS_Store
2014-01-18 15:49 - 2014-01-18 15:49 - 00006148 ____H C:\Users\.DS_Store
2014-01-16 01:36 - 2013-11-27 22:04 - 00000000 ____D C:\Users\********** ********** **********\Desktop\Lists
2014-01-14 21:17 - 2013-07-16 01:25 - 00000000 ____D C:\windows\system32\MRT
2014-01-14 21:09 - 2011-03-22 19:33 - 86054176 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-01-14 01:05 - 2014-01-14 01:05 - 00000000 ____D C:\windows\System32\Tasks\Safer-Networking
2014-01-13 15:50 - 2014-01-13 15:49 - 00000000 ____D C:\Program Files\Blackberry
2014-01-13 14:22 - 2012-03-27 10:56 - 00000000 ____D C:\Users\********** ********** **********\Desktop\Intuit
2014-01-13 02:04 - 2014-01-13 02:04 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2014-01-13 01:53 - 2011-01-06 17:15 - 00000000 ____D C:\Program Files (x86)\QuickTime
2014-01-13 01:50 - 2014-01-13 01:49 - 00003014 _____ C:\windows\SysWOW64\TEST.log
2014-01-10 15:19 - 2014-01-10 15:04 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Nico Mak Computing
2014-01-10 15:19 - 2014-01-10 15:03 - 00000000 ____D C:\Program Files (x86)\WinZip Registry Optimizer
2014-01-10 15:16 - 2014-01-10 15:16 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{9CA8C879-7898-4D58-874A-7223B483B5DC}
2014-01-09 20:45 - 2014-01-09 12:05 - 00000000 ____D C:\ProgramData\AVAST Software
2014-01-09 20:29 - 2010-09-24 01:16 - 00037652 _____ C:\windows\DPINST.LOG
2014-01-09 20:13 - 2011-03-14 04:20 - 00000000 ____D C:\ProgramData\MFAData
2014-01-09 20:10 - 2014-01-09 20:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\MFAData
2014-01-09 20:10 - 2014-01-09 20:10 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\Avg2014
2014-01-09 16:46 - 2013-07-19 14:57 - 00001069 _____ C:\Users\********** ********** **********\Desktop\Dropbox.lnk
2014-01-09 16:46 - 2013-07-19 14:51 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-01-09 16:46 - 2010-11-29 20:23 - 00000000 ___RD C:\Users\********** ********** **********\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-01-08 04:13 - 2011-09-11 22:07 - 00000000 ____D C:\Users\********** ********** **********\Downloads\FileZilla FTP Client
2014-01-07 08:49 - 2011-08-03 11:02 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Apple Computer
2014-01-06 22:27 - 2014-01-06 22:26 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{D5852B08-F8B0-4FDF-A70B-191039108B9E}
2014-01-06 10:25 - 2014-01-06 10:24 - 00000000 ____D C:\Users\********** ********** **********\AppData\Local\{CBD003B9-3C8F-4B1F-8DD0-FD55B4DC4D86}
2014-01-05 18:55 - 2014-01-05 18:54 - 00000081 _____ C:\Users\********** ********** **********\AppData\Roaming\mbam.context.scan
2014-01-05 11:40 - 2013-07-05 13:32 - 00000000 ____D C:\GMutils
2014-01-05 06:34 - 2012-12-29 11:00 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\DefaultTab
2014-01-05 05:57 - 2014-01-05 05:57 - 00000000 ____D C:\Users\********** ********** **********\AppData\Roaming\Malwarebytes
2014-01-05 05:54 - 2014-01-05 05:54 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-03 21:28 - 2013-10-29 13:05 - 00110592 ___SH C:\Users\********** ********** **********\Thumbs.db
2014-01-01 18:37 - 2011-03-25 18:11 - 01685504 ___SH C:\Users\********** ********** **********\Documents\Thumbs.db

Files to move or delete:
====================
C:\Users\********** ********** **********\g2ax_customer_downloadhelper_win32_x86.exe

Some content of TEMP:
====================
C:\Users\********** ********** **********\AppData\Local\Temp\IeSearchProvider.exe
C:\Users\********** ********** **********\AppData\Local\Temp\Installhelper.dll
C:\Users\********** ********** **********\AppData\Local\Temp\Intuit.Spc.Map.EntitlementClient.Install.dll
C:\Users\********** ********** **********\AppData\Local\Temp\qbinstal.dll
C:\Users\********** ********** **********\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll
C:\Users\********** ********** **********\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\********** ********** **********\AppData\Local\Temp\stlport_r50.dll
C:\Users\********** ********** **********\AppData\Local\Temp\tmpF3FF.exe
C:\Users\********** ********** **********\AppData\Local\Temp\tmpFDF5.exe
C:\Users\********** ********** **********\AppData\Local\Temp\updater_uninstall.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-01-12 18:06

==================== End Of Log ============================
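The FRST output above is normally read by eye. As an added example (not part of the original post and not FRST's own tooling), the Python below parses a constructed sample modelled on the "One Month Modified", "Files to move or delete", "Some content of TEMP" and "Bamital & volsnap Check" sections and flags the entries a helper would typically question. The heuristics (executables written straight into the profile root, binaries in system directories with no version-info company name, leftover .tmp files there, GUID-named directories under AppData\Local, executables in %TEMP%, and any Bamital-check line whose verdict is not "MD5 is legit") are my own, the user name is replaced by USER, and the "MD5 mismatch" verdict on the SysWOW64 rpcss.dll line is constructed to exercise the check rather than FRST's wording.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the FRST sections quoted in the thread (user name
# replaced by USER, listing shortened). The "MD5 mismatch" verdict is constructed to
# exercise the check and is not FRST's wording.
SAMPLE_LOG = r"""
2014-01-26 18:06 - 2014-01-26 18:06 - 00000000 ____D C:\Users\USER\AppData\Local\{09FB0A53-2CB6-49C7-8450-49E1CF7472A9}
2014-01-22 20:28 - 2014-01-22 20:27 - 00113224 _____ C:\Users\USER\g2ax_customer_downloadhelper_win32_x86.exe
2014-01-19 17:55 - 2014-01-19 17:55 - 00000000 _____ C:\windows\SysWOW64\shoB50D.tmp
2014-01-19 01:33 - 2011-03-14 06:44 - 00270496 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-01-14 21:09 - 2011-03-22 19:33 - 86054176 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-01-18 15:49 - 2014-01-18 15:49 - 00006148 ____H C:\Users\.DS_Store

Files to move or delete:
====================
C:\Users\USER\g2ax_customer_downloadhelper_win32_x86.exe

Some content of TEMP:
====================
C:\Users\USER\AppData\Local\Temp\tmpF3FF.exe
C:\Users\USER\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\SysWOW64\rpcss.dll => MD5 mismatch
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# "<modified> - <created> - <size> <attrs> [(<company>) ]<path>". The company string is
# taken by FRST from the file's version resource; it is not a signature check.
FILE_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl")
PROFILE_ROOT_FILE = re.compile(r"^C:\\Users\\[^\\]+\\[^\\]+$", re.I)
WINDOWS_SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
GUID_DIR = re.compile(r"\\AppData\\Local\\\{[0-9A-F-]{36}\}$", re.I)


@dataclass
class Finding:
    path: str
    reason: str


def _check_file_line(line: str) -> List[Finding]:
    """Apply the heuristics to one line of the modified-files listing."""
    m = FILE_LINE.match(line)
    if not m:
        return []  # section header, notice text or anything else that is not an entry
    path, company, attrs = m["path"], m["company"], m["attrs"]
    low = path.lower()
    is_dir = "D" in attrs
    out: List[Finding] = []
    if not is_dir and low.endswith(EXEC_EXT) and PROFILE_ROOT_FILE.match(path):
        out.append(Finding(path, "executable written directly into the profile root"))
    if not is_dir and low.endswith(EXEC_EXT) and WINDOWS_SYSTEM_DIR.match(path) and not company:
        out.append(Finding(path, "binary in a system directory without a version-info company name"))
    if not is_dir and low.endswith(".tmp") and WINDOWS_SYSTEM_DIR.match(path):
        out.append(Finding(path, "temporary file left in a system directory"))
    if is_dir and GUID_DIR.search(path):
        out.append(Finding(path, "GUID-named directory under AppData\\Local (check its contents)"))
    return out


def triage(log: str) -> List[Finding]:
    """Walk the FRST sections in order and collect entries worth a second look."""
    findings: List[Finding] = []
    section = "files"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or re.fullmatch(r"=+", line):
            continue  # blank line or a "====" underline
        if line.startswith("Files to move or delete"):
            section = "move"
            continue
        if line.startswith("Some content of TEMP"):
            section = "temp"
            continue
        if "Bamital & volsnap Check" in line:
            section = "bamital"
            continue
        if section == "files":
            findings.extend(_check_file_line(line))
        elif section == "move":
            findings.append(Finding(line, "FRST already proposes moving or deleting this file"))
        elif section == "temp":
            if line.lower().endswith((".exe", ".dll", ".scr")):
                findings.append(Finding(line, "executable dropped in %TEMP%"))
        elif section == "bamital":
            if " => " not in line:
                continue  # LastRegBack, End Of Log and similar trailer lines
            path, _, verdict = line.partition(" => ")
            if verdict.strip() != "MD5 is legit":
                findings.append(Finding(path, f"core binary check failed: {verdict.strip()}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:<70} {f.path}")
```

Two caveats on reading the output: a missing company name is a prompt to verify the file's Authenticode signature (for example with sigcheck or Get-AuthenticodeSignature), not a verdict, and the Bamital/volsnap section is the part that matters most here. rpcss.dll is the DLL that implements the DCOM Server Process Launcher service, so a patched copy of it (the quarantined rpcss.dll that ESET later reports as Win64/Patched.H) fits the forced-restart symptom described in the opening post.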

#10 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 28 January 2014 - 05:19 PM

That worked.

How is the computer running now? Do you still notice any problems?

 

Let's do a final check:

 

 

Please download the ESET Online Scanner and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!



#11 mybcun

mybcun
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:48 AM

Posted 28 January 2014 - 10:10 PM

I don't see a log file in C:\Program Files\ESET\EsetOnlineScanner\

 

All I see in the EsetOnlineScanner folder are the following three files:

 

     OnlineScanner.ocx

     OnlineScannerApp.exe

     OnlineScannerUninstaller.exe

Here are the results of the scan:

 

C:\FRST\Quarantine\rpcss.dll     Win64/Patched.H trojan

C:\GMutils\7zip-setup.exe          multiple threats

C:\ProgramData\{ACFC9F59-F1AE-43D2-8CFE-E2F1E0F82ABA}\SavevidSetupV2.res         multiple threats

C:\Users\All Users\{ACFC9F59-F1AE-43D2-8CFE-E2F1E0F82ABA}\SavevidSetupV2.res     multiple threats

C:\Windows\System32\Macromed\Shockwave 10\gt.exe           Win32/Bundled.Toolbar.Google.D application

C:\Windows\SysWOW64\Macromed\Shockwave 10\gt.exe        Win32/Bundled.Toolbar.Google.D application


Edited by mybcun, 29 January 2014 - 02:01 AM.


#12 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 01 February 2014 - 02:04 PM

Great. ESET hasn't found any active malware.


That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.

My help is free for everybody.
If you want to support me fighting against malware or offer me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.

 

 

Closing security holes

The Service Pack 1 is missing on your computer. Please download and install it now.

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:



Adobe Flash Player 11 ActiveX
Adobe Reader 9.0.1
Java™ 6 Update 27
Internet Explorer Version 8




Tips

I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.


Edited by aharonov, 01 February 2014 - 02:07 PM.


#13 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 04 March 2014 - 11:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



