Radio virus, rpcss.dll, now Win7 Black Screen of Death


This topic is locked
9 replies to this topic

#1 Netghost56


Posted 31 January 2014 - 01:46 PM

I received a notebook with a very unusual issue: every time it connected to the internet, a radio station would start playing through the speakers. The other issue was that AVG would pop up a warning repeatedly saying that 'rpcss.dll' was infected, but would not remove it, giving the reason that another app was using the file. It later gave an 0x0 error but I failed to make a note of it.

The owner uses a Verizon USB Wifi dongle and thought it was causing the radio issue, but I determined that an Ethernet connection had the same effect. Did some reading online and found that there was an 'Unknown' audio device that was the cause of the radio audio, but could not find any suspicious process running, nor did I find any installed app that would cause this.

Ran scans of MBAM, Adwcleaner, Tdsskiller, and Rogue killer. MBAM returned PUPs which I removed; Adwcleaner found tons of registry entries to remove. Adwcleaner and Rogue killer both found DNS issues: Adwcleaner supposedly removed the entries, but Rogue Killer found PUMs? in DNS and 'replaced' those. Tdsskiller and AVG both say 'rpcss.dll' is a trojan, giving different names. I didn't remove it (via Tdsskiller) as I read that it's a necessary file.

Ran Hitman on the desktop. It also returned a trojan warning for 'rpcss.dll'.

Finally I decided to rename the file 'rpcss.dll' to rpcss.dll.VRS, started a quick scan of AVG, and left for the day.

The next morning I found the notebook with the Black screen, with only the cursor visible. I can move it freely.

Safe Mode has the same Black Screen, albeit with a lower resolution.

I ran SFC; it mentioned files were replaced. No change.

I tried running Hitman again, but the notebook will not establish an internet connection, which Hitman needs.

Next I tried copying the registry backup, which was made just the day before I received the notebook. No change.

So here I am. I ran Farbar as that's the only thing I can run in Recovery mode. It's a Win7 Pro system and I have a disc. I currently don't have a key from the owner, so a clean install is not an option.

EDIT: Forgot to mention that the rpcss.dll.VRS is gone and the rpcss.dll is present when I check the folder.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013 (ATTENTION: ====> FRST version is 92 days old and could be outdated)
Ran by SYSTEM on MININT-VG2N4FI on 31-01-2014 12:02:25
Running from F:\
Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1602856 2010-01-07] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [495708 2010-04-06] (IDT, Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\quickset.exe [3873648 2010-01-15] (Dell Inc.)
HKLM\...\Run: [FreeFallProtection] - C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe [726640 2010-08-02] ()
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE [5249024 2010-12-14] (Dell Inc.)
HKLM\...\Run: [Dell Webcam Central] - C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2014\avgui.exe [4956176 2013-11-07] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKU\Paul Snyder\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2011-04-14] (Google Inc.)

========================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3478544 2013-11-11] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-23] (AVG Technologies CZ, s.r.o.)
S2 ptumlcmsvc; C:\Windows\system32\ptumlcmsvc.exe [143360 2012-09-21] (DEVGURU Co., LTD)
S3 TMBMServer; c:\Program Files\Trend Micro\BM\TMBMSRV.exe [345352 2009-12-01] (Trend Micro Inc.)
S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4539392 2010-12-14] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

S3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [43888 2010-07-09] (ST Microelectronics)
S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [120600 2013-11-05] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [209176 2013-11-04] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [147768 2013-10-24] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22840 2013-09-16] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [176952 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [222520 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [102712 2013-09-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27448 2013-09-09] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [193848 2013-08-01] (AVG Technologies CZ, s.r.o.)
S3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2010-12-14] (Broadcom Corporation)
S3 CtAudDrv; C:\Windows\system32\Drivers\CtAudDrv.sys [134144 2009-05-28] (Creative Technology Ltd.)
S3 PTUMLBUS; C:\Windows\System32\DRIVERS\PTUMLBUS.sys [88632 2012-09-21] (DEVGURU Co., LTD.)
S3 PTUMLCVsp; C:\Windows\System32\DRIVERS\PTUMLCVsp.sys [169016 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLMBMP; C:\Windows\System32\DRIVERS\PTUMLMBMP.sys [279864 2012-09-21] (DEVGURU Co., LTD.)
S3 PTUMLMdm; C:\Windows\System32\DRIVERS\PTUMLMdm.sys [169016 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLNVsp; C:\Windows\System32\DRIVERS\PTUMLNVsp.sys [169656 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLRMNET; C:\Windows\System32\DRIVERS\PTUMLRMNET.sys [59704 2012-09-21] (DEVGURU Co., LTD.)
S3 PTUMLVsp; C:\Windows\System32\DRIVERS\PTUMLVsp.sys [169016 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17648 2010-07-09] (ST Microelectronics)
S3 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [59472 2010-07-19] (Trend Micro Inc.)
S2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [163408 2010-07-19] (Trend Micro Inc.)
S3 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [51792 2010-07-19] (Trend Micro Inc.)
S1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [146448 2009-07-15] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [89872 2009-07-15] (Trend Micro Inc.)
S2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [283152 2009-07-15] (Trend Micro Inc.)
S3 PTUMLNET61; system32\DRIVERS\PTUMLNET61.sys [x]

========================== Drivers MD5 =======================

C:\Windows\system32\DRIVERS\1394ohci.sys D01E0B1CEF9EE82100C2BB07294880EF
C:\Windows\System32\DRIVERS\Accelern.sys EB008A36206BF9D0DE3C5F9DF67D20D8
C:\Windows\System32\DRIVERS\ACPI.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpahci.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\agp440.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\djsvs.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\aliide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdagp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdk8.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys ==> MD5 is legit
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\atapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\avgdiskx.sys 9C7C45DE9E167F6268D32D6D10133F7D
C:\Windows\System32\DRIVERS\avgidsdriverx.sys C66B17D93F94622293608C2FB91C5806
C:\Windows\System32\DRIVERS\avgidshx.sys 0C70FAB4B08DC1FF6612AA3F352CFCA9
C:\Windows\System32\DRIVERS\avgidsshimx.sys 4118A9D326A76D485713A36988102C3E
C:\Windows\System32\DRIVERS\avgldx86.sys 578ECC3D911897B2C5B760EDAF8ED6CA
C:\Windows\System32\DRIVERS\avglogx.sys BD1A440B9F126AFE52978A44952B0018
C:\Windows\System32\DRIVERS\avgmfx86.sys 7DC192EC714342E7C020C7CF42E394D8
C:\Windows\System32\DRIVERS\avgrkx86.sys E6322DF686CE1C59D7797FAEF0732454
C:\Windows\System32\DRIVERS\avgtdix.sys E98603F9D1F412F38ADF2F76053F9E5A
C:\Windows\system32\DRIVERS\bxvbdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60x.sys ==> MD5 is legit
C:\Windows\System32\drivers\BCM42RLY.sys 94F2DC372163D520D7B1DAD78AE40B5E
C:\Windows\System32\DRIVERS\bcmwl6.sys F689C5965CEFAD780A2948546703BD5D
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\drivers\BthEnum.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bthpan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BTHport.sys 04CEDA17A195924070B01174CB1F9AF8
C:\Windows\System32\Drivers\BTHUSB.sys ==> MD5 is legit
C:\Windows\System32\drivers\btwaudio.sys 7E826BE3B3558208D5C9B00034E51BE5
C:\Windows\System32\DRIVERS\btwavdt.sys AF9148C3E844131AC954CB53FF43D971
C:\Windows\System32\DRIVERS\btwl2cap.sys AAFD7CB76BA61FBB08E302DA208C974A
C:\Windows\System32\DRIVERS\btwrchid.sys 480B3D195854B2E55299CDDDDC50BCF9
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys DB5E008B3744DD60C8498CBBF2A1CFA6
C:\Windows\System32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\csc.sys ==> MD5 is legit
C:\Windows\system32\Drivers\CtAudDrv.sys 0F538DF1673E5216F3BAACB6911D9D0F
C:\Windows\System32\DRIVERS\CtClsFlt.sys 9A6CA307151505730DBFC91D97F01C7E
C:\Windows\System32\DRIVERS\dc3d.sys 946A232A6FC3368805A161B890C23544
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\disk.sys ==> MD5 is legit
C:\Windows\System32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\evbdx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\elxstor.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\flpydisk.sys ==> MD5 is legitB
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys 500A9814FD9446A8126858A5A7F7D273
C:\Windows\System32\DRIVERS\fvevol.sys 4732E596BB1C50D9F9188C5074EE7782
C:\Windows\system32\DRIVERS\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\HDAudBus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\HECI.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidbth.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\i8042prt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\iaStor.sys 26541A068572F650A2FA490726FE81BE
C:\Windows\system32\drivers\iaStorV.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\igdkmd32.sys 8E9DA2E49347AF49901526DCD4D0F397
C:\Windows\system32\DRIVERS\iirsp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Impcd.sys E3C36AC5AE87EC970AE8EA2A93D59AE1
C:\Windows\System32\DRIVERS\IntcDAud.sys BF31740828A26AB451803E3B35432651
C:\Windows\system32\DRIVERS\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\isapnp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\msiscsi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys 52FC17C8589F11747D01D3CF592673D0
C:\Windows\System32\Drivers\ksecpkg.sys 3E5474B03568CFAB834DA3C38E8C9EFA
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\megasas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mrxsmb.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mrxsmb10.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mrxsmb20.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\msahci.sys CB5D37E91135B0F15CEE64D1F1BA5DE5
C:\Windows\system32\DRIVERS\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys A8F59428E9F361C7AC42A94AC1560BC9
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvstor.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys 66D3415C159741ADE7038A277EFFF99F
C:\Windows\system32\DRIVERS\parvdm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pci.sys C858CB77C577780ECC456A892E7E7D0F
C:\Windows\system32\DRIVERS\pciide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\PTUMLBUS.sys 65E79F39169E2C08236E12A7A616A041
C:\Windows\System32\DRIVERS\PTUMLCVsp.sys D36D0882774B9C3B8E477C16608002C5
C:\Windows\System32\DRIVERS\PTUMLMBMP.sys EA68F698C6B0635697B9B8086017D08C
C:\Windows\System32\DRIVERS\PTUMLMdm.sys 966FF04D09A5B79A46EA67EB2DB44976
C:\Windows\System32\DRIVERS\PTUMLNVsp.sys 516B03527E3FA019042DA214FB699E1B
C:\Windows\System32\DRIVERS\PTUMLRMNET.sys 3F43B25096AB0AF475E90FA8262BD5BB
C:\Windows\System32\DRIVERS\PTUMLVsp.sys E36BB5CFD9CFA18911035C47881332A5
C:\Windows\System32\Drivers\PxHelp20.sys 40FEDD328F98245AD201CF5F9F311724
C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys 835D7E81BF517A3B72384BDCC85E1CE6
C:\Windows\System32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys 1E016846895B15A99F9A176A05029075
C:\Windows\System32\drivers\rdpdr.sys C5FF95883FFEF704D50C40D21CFB3AB5
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys C5B8D47A4688DE9D335204EA757C2240
C:\Windows\System32\drivers\rdyboost.sys 4EA225BF1CF05E158853F30A99CA29A7
C:\Windows\System32\DRIVERS\rfcomm.sys CB928D9E6DAF51879DD6BA8D02F01321
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RtsUStor.sys 31D45ECA63884FF5F7AECC50F7D1BAE0
C:\Windows\System32\DRIVERS\Rt86win7.sys 80B66A4181F782884A815E69D0AFA743
C:\Windows\system32\DRIVERS\vms3cap.sys 5423D8437051E89DD34749F242C98648
C:\Windows\system32\DRIVERS\sbp2port.sys 34EE0C44B724E3E4CE2EFF29126DE5B5
C:\Windows\System32\DRIVERS\scfilter.sys A95C54B2AC3CC9C73FCDF9E51A1D6B51
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sffp_sd.sys A0708BBD07D245C06FF9DE549CA47185
C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisagp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys C4A027B8C0BD3FC0699F41FA5E9E0C87
C:\Windows\System32\DRIVERS\srv2.sys 414BB592CAD8A79649D01F9D94318FB3
C:\Windows\System32\DRIVERS\srvnet.sys FF207D67700AA18242AAF985D3E7D8F4
C:\Windows\System32\DRIVERS\stdcfltn.sys 73D7A81E3AF7763AA627D99F50BD3F49
C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\stwrt.sys 06CBB271F42EF70FB6EF372C491BA9AA
C:\Windows\System32\DRIVERS\vmstorfl.sys 957E346CA948668F2496A6CCF6FF82CC
C:\Windows\system32\DRIVERS\storvsc.sys D5751969DC3E4B88BF482AC8EC9FE019
C:\Windows\System32\DRIVERS\swenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\SynTP.sys CF196A45FD61118C95585489FAD5B2AA
C:\Windows\System32\drivers\tcpip.sys BBCEAEFF1FD72A026F827CBB2F4AA8AD
C:\Windows\System32\DRIVERS\tcpip.sys BBCEAEFF1FD72A026F827CBB2F4AA8AD
C:\Windows\System32\drivers\tcpipreg.sys E64444523ADD154F86567C469BC0B17F
C:\Windows\System32\drivers\tdpipe.sys 1875C1490D99E70E449E3AFAE9FCBADF
C:\Windows\System32\drivers\tdtcp.sys 7156308896D34EA75A582F9A09E50C17
C:\Windows\System32\DRIVERS\tdx.sys CB39E896A2A83702D1737BFD402B3542
C:\Windows\System32\DRIVERS\termdd.sys C36F41EE20E6999DBF4B0425963268A5
C:\Windows\System32\DRIVERS\tmactmon.sys CA9E9C2C04A198ED345C1752222A5F3E
C:\Windows\System32\DRIVERS\tmcomm.sys A3D20789B3FF0576A29462BEF25BCFCC
C:\Windows\System32\DRIVERS\tmevtmgr.sys 21F215E54770C4BF93EFAF63F58FE57E
C:\Windows\System32\DRIVERS\tmlwf.sys 4E87D02E56E9B1AF831C5D521597D629
C:\Windows\System32\DRIVERS\tmtdi.sys 44C262C1B2412DED35078B6166D2ACC2
C:\Windows\System32\DRIVERS\tmwfp.sys D9882FD91B7C4C35ACAA8498D1F3CD68
C:\Windows\System32\DRIVERS\tssecsrv.sys 98AE6FA07D12CB4EC5CF4A9BFA5F4242
C:\Windows\System32\DRIVERS\tunnel.sys 3E461D890A97F9D4C168F5FDA36E1D00
C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys EB0A7BD4D471AC3CE55564A4C55B9D8E
C:\Windows\system32\DRIVERS\uliagpkx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\umbus.sys 049B3A50B3D646BAEEEE9EEC9B0668DC
C:\Windows\system32\DRIVERS\umpass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbccgp.sys 5C233AEFB566EE78C1EFBC0493FB066A
C:\Windows\system32\DRIVERS\usbcir.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbehci.sys 5B71019A6ACA0116FD21B368F19C0B91
C:\Windows\System32\DRIVERS\usbhub.sys 5823D3965C2A4F6F785ED1A3B403F3B8
C:\Windows\system32\drivers\usbohci.sys E753ED6C49DA13967EBABF9EA616454A
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbscan.sys 576096CCBC07E7C4EA4F5E6686D6888F
C:\Windows\System32\DRIVERS\USBSTOR.SYS 1C4287739A93594E57E2A9E6A3ED7353
C:\Windows\system32\drivers\usbuhci.sys 6A30928A469CE802600E1EA8C0F2F53F
C:\Windows\System32\Drivers\usbvideo.sys B5F6A992D996282B7FAE7048E50AF83A
C:\Windows\System32\DRIVERS\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\vhdmp.sys 3BE6E1F3A4F1AFEC8CEE0D7883F93583
C:\Windows\system32\DRIVERS\viaagp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\viac7.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\viaide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\vmbus.sys 379B349F65F453D2A6E75EA6B7448E49
C:\Windows\system32\DRIVERS\VMBusHID.sys EC2BBAB4B84D0738C6C83D2234DC36FE
C:\Windows\System32\DRIVERS\volmgr.sys 384E5A2AA49934295171E499F86BA6F3
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys 59F06B4968E58BC83DFC56CA4517960E
C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwifibus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwififlt.sys 7090D3436EEB4E7DA3373090A23448F7
C:\Windows\System32\DRIVERS\vwifimp.sys A3F04CBEA6C2A10E6CB01F8B47611882
C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys 692A712062146E96D28BA0B7D75DE31B
C:\Windows\System32\DRIVERS\wanarp.sys 692A712062146E96D28BA0B7D75DE31B
C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys A840213F1ACDCC175B4D1D5AAEAC0D7A
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WinUsb.sys B5BA3CC19D00F2EBA92F1CFBEBB5D650
C:\Windows\System32\DRIVERS\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys 06E6F32C8D0A3F66D956F57B43A2E070
C:\Windows\System32\DRIVERS\WUDFRd.sys 867C301E8B790040AE9CF6486E8041DF

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-31 11:56 - 2014-01-31 11:56 - 00000000 ____D C:\FRST
2014-01-30 15:04 - 2013-11-07 13:32 - 04121952 _____ (Kaspersky Lab ZAO) C:\Users\Paul Snyder\Desktop\tdsskiller.exe
2014-01-30 14:32 - 2014-01-30 15:14 - 00000000 ____D C:\AdwCleaner
2014-01-30 14:23 - 2013-07-31 11:08 - 00661184 _____ (Sysinternals - www.sysinternals.com) C:\Users\Paul Snyder\Desktop\autoruns.exe
2014-01-21 09:17 - 2014-01-21 09:17 - 00000000 ____D C:\ProgramData\Verizon Wireless
2014-01-21 09:16 - 2014-01-21 09:16 - 00001248 _____ C:\Users\Public\Desktop\VZAccess Manager.lnk
2014-01-21 09:13 - 2014-01-21 09:13 - 00000000 ____D C:\Users\Paul Snyder\AppData\Roaming\hpqLog
2014-01-21 09:13 - 2014-01-21 09:13 - 00000000 ____D C:\Program Files\PANTECH
2014-01-21 09:13 - 2012-09-21 00:13 - 00279864 _____ (DEVGURU Co., LTD.) C:\Windows\System32\Drivers\PTUMLMBMP.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00169656 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\PTUMLNVsp.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00169016 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\PTUMLVsp.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00169016 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\PTUMLMdm.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00169016 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\PTUMLCVsp.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00088632 _____ (DEVGURU Co., LTD.) C:\Windows\System32\Drivers\PTUMLBUS.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00059704 _____ (DEVGURU Co., LTD.) C:\Windows\System32\Drivers\PTUMLRMNET.sys
2014-01-21 09:12 - 2014-01-21 09:13 - 00115312 _____ C:\Windows\System32\PTUMLsetup_20140121.log
2014-01-03 09:48 - 2014-01-03 09:48 - 00028672 _____ C:\Windows\System32\qhal.qhe
2014-01-03 09:38 - 2014-01-30 14:44 - 00000089 _____ C:\Windows\System32\imvmw.jxk
2014-01-03 09:18 - 2014-01-03 09:48 - 00000096 _____ C:\Windows\System32\tkcmcw.ltq
2014-01-03 09:18 - 2014-01-03 09:18 - 00000064 _____ C:\Windows\System32\zuio.eze
2014-01-03 07:41 - 2014-01-03 07:41 - 00101213 ____S C:\Windows\System32\rfbjt.sxi

==================== One Month Modified Files and Folders =======

2014-01-31 11:56 - 2014-01-31 11:56 - 00000000 ____D C:\FRST
2014-01-31 10:16 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2014-01-31 10:16 - 2009-07-13 18:03 - 48234496 _____ C:\Windows\System32\config\software.bak
2014-01-31 08:40 - 2009-07-13 18:03 - 15990784 _____ C:\Windows\System32\config\system.bak
2014-01-31 07:36 - 2009-07-13 18:03 - 00524288 _____ C:\Windows\System32\config\default.bak
2014-01-31 07:36 - 2009-07-13 18:03 - 00262144 _____ C:\Windows\System32\config\security.bak
2014-01-31 07:26 - 2013-12-05 08:49 - 00000000 ____D C:\ProgramData\MFAData
2014-01-31 07:20 - 2009-07-13 18:03 - 00262144 _____ C:\Windows\System32\config\sam.bak
2014-01-31 07:19 - 2009-07-13 20:55 - 01932734 _____ C:\Windows\WindowsUpdate.log
2014-01-31 07:00 - 2009-07-13 20:34 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-31 07:00 - 2009-07-13 20:34 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-31 06:18 - 2010-12-14 08:14 - 00745000 _____ C:\Windows\System32\PerfStringBackup.INI
2014-01-31 06:14 - 2009-07-13 20:39 - 00089570 _____ C:\Windows\setupact.log
2014-01-30 15:14 - 2014-01-30 14:32 - 00000000 ____D C:\AdwCleaner
2014-01-30 14:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2014-01-30 14:44 - 2014-01-03 09:38 - 00000089 _____ C:\Windows\System32\imvmw.jxk
2014-01-30 11:52 - 2011-03-24 13:21 - 00000000 ____D C:\Users\Paul Snyder\Documents\Outlook Files
2014-01-30 11:29 - 2013-10-23 08:12 - 00000000 ____D C:\Users\Paul Snyder\Desktop\Cossatot Submittals
2014-01-23 07:23 - 2013-12-04 08:50 - 00000000 ____D C:\Users\Paul Snyder\AppData\Local\Windows Live
2014-01-21 09:17 - 2014-01-21 09:17 - 00000000 ____D C:\ProgramData\Verizon Wireless
2014-01-21 09:16 - 2014-01-21 09:16 - 00001248 _____ C:\Users\Public\Desktop\VZAccess Manager.lnk
2014-01-21 09:16 - 2011-03-24 12:43 - 00000000 ____D C:\Program Files\Verizon Wireless
2014-01-21 09:13 - 2014-01-21 09:13 - 00000000 ____D C:\Users\Paul Snyder\AppData\Roaming\hpqLog
2014-01-21 09:13 - 2014-01-21 09:13 - 00000000 ____D C:\Program Files\PANTECH
2014-01-21 09:13 - 2014-01-21 09:12 - 00115312 _____ C:\Windows\System32\PTUMLsetup_20140121.log
2014-01-21 08:54 - 2011-04-14 05:13 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-20 11:41 - 2013-12-09 11:36 - 00000000 ____D C:\Users\Paul Snyder\AppData\Local\CrashDumps
2014-01-15 07:06 - 2013-07-21 14:32 - 00000000 ____D C:\Windows\System32\MRT
2014-01-15 07:05 - 2012-09-06 05:35 - 83425928 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-01-03 09:48 - 2014-01-03 09:48 - 00028672 _____ C:\Windows\System32\qhal.qhe
2014-01-03 09:48 - 2014-01-03 09:18 - 00000096 _____ C:\Windows\System32\tkcmcw.ltq
2014-01-03 09:18 - 2014-01-03 09:18 - 00000064 _____ C:\Windows\System32\zuio.eze
2014-01-03 07:41 - 2014-01-03 07:41 - 00101213 ____S C:\Windows\System32\rfbjt.sxi

Some content of TEMP:
====================
C:\Users\Paul Snyder\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Paul Snyder\AppData\Local\Temp\Quarantine.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================


==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {28579b29-07aa-11e0-b96d-f04da2b25072}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {28579b2b-07aa-11e0-b96d-f04da2b25072}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {28579b29-07aa-11e0-b96d-f04da2b25072}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {28579b2b-07aa-11e0-b96d-f04da2b25072}
device                  ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{28579b2c-07aa-11e0-b96d-f04da2b25072}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{28579b2c-07aa-11e0-b96d-f04da2b25072}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {28579b29-07aa-11e0-b96d-f04da2b25072}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {28579b2c-07aa-11e0-b96d-f04da2b25072}
description             Ramdisk Options
ramdisksdidevice        partition=Y:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi


==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 2934.68 MB
Available physical RAM: 2472.27 MB
Total Pagefile: 2932.96 MB
Available Pagefile: 2482.85 MB
Total Virtual: 2047.88 MB
Available Virtual: 1946.83 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:218.2 GB) (Free:185.41 GB) NTFS
Drive e: (GSP1RMCPRFRER_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF
Drive f: (SCHMIDT) (Removable) (Total:3.72 GB) (Free:2.28 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: 61D41571)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=218 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 0BC30785)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2014-01-30 08:09

==================== End Of Log ============================


Edited by Netghost56, 31 January 2014 - 01:48 PM.




#2 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:10:37 PM

Posted 31 January 2014 - 06:40 PM

Hi,
 
from your description I conclude that you've successfully knocked out rpcss.dll.
This is an essential system file. The malware has patched this file to abuse it as a loading point for its own purposes. But you nevertheless must not delete it altogether, as this influences the stability of the operating system, as you had to learn the hard way. :wink:
To clean this infection, the rpcss.dll has to be either disinfected or replaced with a clean copy of it.
So let's search for a replacement:


Start your computer in the System Recovery Options again and open FRST.

  • Write the following text into the Search: textbox:
    rpcss.dll
  • Click on the Search File(s) button.
  • When the search is finished, a log file (Search.txt) is saved on your flash drive.
    Copy and paste it in your next reply.


#3 Netghost56

Netghost56
  • Topic Starter

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas
  • Local time:03:37 PM

Posted 31 January 2014 - 08:07 PM

Hey thanks for the help!

 

When I first did a search I didn't find much info about rpcss.dll, but in the last 24 hours I've seen lots of new requests and pages mentioned. I've tracked it back to a Zero.Access rootkit called Zekos. Earliest record was Jan 10 2014, so I guess that's why there's a lack of info on it.

 

I thought I was on the right track and I had planned to copy a clean file off the CD (if possible) but I don't know what happened after I left AVG running the scan. I can only theorize that it removed the original file and did an auto-reboot, which would allow the w32.patched rpcss.dll to activate.

 

I'll be out of town until Monday so I'll post the search.txt then.

 

Thanks again!



#4 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:10:37 PM

Posted 03 February 2014 - 05:04 AM

It is not related to Zero.Access or a rootkit, but Zekos is spot on.

I'll be out of town until Monday so I'll post the search.txt then.

Alright.

#5 Netghost56

Netghost56
  • Topic Starter

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas
  • Local time:03:37 PM

Posted 03 February 2014 - 09:58 AM

Here is the log:

 

Farbar Recovery Scan Tool (x86) Version: 31-10-2013
Ran by SYSTEM at 2014-02-03 08:53:18
Running from F:\
Boot Mode: Recovery

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 15:45] - [2009-07-13 17:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

C:\Windows\System32\rpcss.dll
[2009-07-13 15:45] - [2009-07-13 17:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

=== End Of Search ===
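Added example, not from the thread or from FRST: a small Python parser for the FRST Search output above that compares the MD5 of the live System32 copy of rpcss.dll with the copy Windows keeps in winsxs, which is the kind of check aharonov's earlier reply is steering toward. The sample log is the thread's own two hits; the mismatch case is constructed with an all-zero placeholder hash.

```python
import re

# Constructed sample in the FRST "Search:" output format used in this thread: a path line
# followed by "[created] - [modified] - size attributes (company) MD5".
SAMPLE_SEARCH_LOG = """\
C:\\Windows\\winsxs\\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\\rpcss.dll
[2009-07-13 15:45] - [2009-07-13 17:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

C:\\Windows\\System32\\rpcss.dll
[2009-07-13 15:45] - [2009-07-13 17:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F
"""
# Constructed variant: the live System32 copy carries a placeholder hash (all zeros) that does
# not match the component-store copy, which is how a patched DLL would show up in this check.
_head, _sep, _tail = SAMPLE_SEARCH_LOG.rpartition("B82CD39E336973359D7C9BF911E8E84F")
MISMATCH_LOG = _head + "0" * 32 + _tail

PATH_RE = re.compile(r"^[A-Za-z]:\\")
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_search(text):
    """Return one dict per hit: path, size, attrs, company, md5 (upper-cased)."""
    lines = [ln.strip() for ln in text.splitlines()]
    hits = []
    for path, meta in zip(lines, lines[1:]):
        m = META_RE.match(meta) if PATH_RE.match(path) else None
        if m:
            hits.append({"path": path, "size": int(m["size"]), "attrs": m["attrs"],
                         "company": m["company"] or "", "md5": m["md5"].upper()})
    return hits

def check_system_copy(hits, filename="rpcss.dll"):
    """Compare the live System32 copy of `filename` with the copies Windows keeps in winsxs.
    Returns (verdict, detail); "mismatch" means the live DLL differs from every store copy."""
    named = [h for h in hits if h["path"].lower().endswith("\\" + filename)]
    store = [h for h in named if "\\winsxs\\" in h["path"].lower()]
    live = [h for h in named if "\\system32\\" in h["path"].lower() and h not in store]
    if not live:
        return "missing", "no %s under System32" % filename
    if not store:
        return "unknown", "no winsxs copy to compare against"
    store_md5 = {h["md5"] for h in store}
    bad = [h for h in live if h["md5"] not in store_md5]
    if bad:
        return "mismatch", "; ".join("%s md5=%s" % (h["path"], h["md5"]) for h in bad)
    return "consistent", "%d live copy matches %d winsxs copy" % (len(live), len(store))
```

Run `check_system_copy(parse_search(SAMPLE_SEARCH_LOG))` to get the verdict for the thread's log; a "consistent" result only says the live file matches the store copy, so a hash of that copy should still be checked against a trusted reference before it is used as a replacement.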



#6 Netghost56

Netghost56
  • Topic Starter

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas
  • Local time:03:37 PM

Posted 03 February 2014 - 01:37 PM

UPDATE: FIXED! (for the moment)

 

Since rpcss.dll is present in the system I did some checking and found a page where Tigzy posted about Zekos removal with Rogue Killer. He mentioned the black screen could be caused by a permissions issue with the new rpcss.dll. I downloaded and used his rescue disk (it was in French! :wacko: ) to change the security permissions to Everyone. Booted up to the desktop shortly after. The boot process seems slower than it was, but I'm going to continue to check for any other infection and test to see if it comes back.

 

Thanks again for the assistance!

 

PS: I did some more reading and found earlier records of this malware dating Dec. 21.


Edited by Netghost56, 03 February 2014 - 01:38 PM.


#7 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:10:37 PM

Posted 05 February 2014 - 03:50 AM

Booted up to the desktop shortly after.

Good job. :thumbup2:

 

but I'm going to continue to check for any other any infection

Do you need further assistance or will you work on your own?



#8 Netghost56

Netghost56
  • Topic Starter

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas
  • Local time:03:37 PM

Posted 05 February 2014 - 10:36 AM

All my other scans came back negative for anything, and I fixed a few issues with the wifi, so I'm good to go!

 

Thanks!



#9 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:10:37 PM

Posted 05 February 2014 - 10:58 AM

Great, thanks for letting me know.

#10 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:10:37 PM

Posted 05 February 2014 - 10:58 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



