
rpcss.dll Infected With Patched.H trojan


  • This topic is locked
5 replies to this topic

#1 Lyekka

Lyekka

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:46 PM

Posted 28 February 2014 - 09:38 AM

Hello, and thanks in advance for your help. ESET has been constantly alerting for this virus about every 2-5 minutes.

I have gone ahead and run the Farbar Recovery Scan Tool. Below are the results, and the Addition text is attached.

RESULTS:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-02-2014 02
Ran by m83780 (administrator) on ASCP056 on 28-02-2014 09:29:21
Running from C:\Users\m83780\Downloads
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(LabTech Software) C:\Windows\LTSvc\LTSVC.exe
(O2Micro International) C:\Windows\system32\DRIVERS\o2flash.exe
(TeamViewer GmbH) C:\Program Files\Teamviewer\Version6\TeamViewer_Service.exe
(LabTech Software) C:\Windows\LTsvc\LTSvcMon.exe
(TeamViewer GmbH) C:\Program Files\Teamviewer\Version6\TeamViewer.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Visicom Media Inc. (Powered by Panda Security)) C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe
(LabTech Software) C:\Windows\LTSvc\LTTray.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Windows\system32\wuauclt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [ConnectionCenter] - C:\Program Files\Citrix\ICA Client\concentr.exe [362432 2011-12-22] (Citrix Systems, Inc.)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2219184 2011-01-12] (ESET)
HKLM\...\Run: [Anti-phishing Domain Advisor] - C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe [217256 2012-05-03] (Visicom Media Inc. (Powered by Panda Security))
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.105.2.225
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR Extension: (Google Docs) - C:\Users\m83780\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-02-28]
CHR Extension: (Google Drive) - C:\Users\m83780\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-02-28]
CHR Extension: (YouTube) - C:\Users\m83780\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-02-28]
CHR Extension: (Google Search) - C:\Users\m83780\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-02-28]
CHR Extension: (Google Wallet) - C:\Users\m83780\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-28]
CHR Extension: (Gmail) - C:\Users\m83780\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-02-28]
CHR HKLM\...\Chrome\Extension: [mpfapcdfbbledbojijcbcclmlieaoogk] - C:\Users\m83780\AppData\Local\I Want This\Chrome\I Want This.crx [2014-02-28]
 
========================== Services (Whitelisted) =================
 
R2 DcomLaunch; C:\Windows\system32\rpcss.dll [377856 2010-11-20] ()
S3 EhttpSrv; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [33584 2011-01-12] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [810144 2011-01-12] (ESET)
R2 LTService; C:\Windows\LTSvc\LTSVC.exe [13219328 2013-04-02] (LabTech Software)
R2 LTSvcMon; C:\Windows\LTsvc\LTSvcMon.exe [97792 2013-04-29] (LabTech Software)
R2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2011-10-04] (O2Micro International)
R2 RpcSs; C:\Windows\system32\rpcss.dll [377856 2010-11-20] ()
 
==================== Drivers (Whitelisted) ====================
 
S3 Acceler; C:\Windows\system32\drivers\accelern.sys [44144 2011-10-04] (ST Microelectronics)
R2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [137144 2010-12-21] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [115008 2010-12-21] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [95384 2010-12-21] (ESET)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2014-02-28] (Malwarebytes Corporation)
R3 MEI; C:\Windows\system32\drivers\HECI.sys [41088 2010-10-19] (Intel Corporation)
S3 O2MDRRDR; C:\Windows\system32\drivers\O2MDRw7.sys [62440 2011-10-04] (O2Micro )
R3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x32.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-02-28 09:28 - 2014-02-28 09:29 - 00018251 _____ () C:\Users\m83780\Downloads\Addition.txt
2014-02-28 09:27 - 2014-02-28 09:29 - 00009354 _____ () C:\Users\m83780\Downloads\FRST.txt
2014-02-28 09:27 - 2014-02-28 09:29 - 00000000 ____D () C:\FRST
2014-02-28 09:26 - 2014-02-28 09:27 - 01143808 _____ (Farbar) C:\Users\m83780\Downloads\FRST.exe
2014-02-28 09:17 - 2014-02-28 09:17 - 00000000 ____D () C:\Users\m83780\AppData\Local\Google
2014-02-28 09:02 - 2014-02-28 09:02 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-02-28 09:02 - 2014-02-28 09:02 - 00000000 ____D () C:\Users\m83780\AppData\Roaming\Malwarebytes
2014-02-28 09:01 - 2014-02-28 09:01 - 00063568 _____ () C:\Users\m83780\AppData\Local\GDIPFONTCACHEV1.DAT
2014-02-28 09:01 - 2014-02-28 09:01 - 00000000 ____D () C:\Users\m83780\AppData\Roaming\ICAClient
2014-02-28 09:00 - 2014-02-28 09:17 - 00000000 ____D () C:\Users\m83780\AppData\Local\blekkotb_005
2014-02-28 09:00 - 2014-02-28 09:01 - 00000000 ____D () C:\Users\m83780\AppData\Local\Citrix
2014-02-28 09:00 - 2014-02-28 09:00 - 00002158 __RSH () C:\Users\m83780\ntuser.pol
2014-02-28 09:00 - 2014-02-28 09:00 - 00001420 _____ () C:\Users\m83780\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-28 09:00 - 2014-02-28 09:00 - 00000020 ___SH () C:\Users\m83780\ntuser.ini
2014-02-28 09:00 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780\AppData\Roaming\Windows Small Business Server
2014-02-28 09:00 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows SBS
2014-02-28 09:00 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780\AppData\Local\ESET
2014-02-28 09:00 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780
2014-02-28 09:00 - 2012-01-27 14:14 - 00000000 ____D () C:\Users\m83780\AppData\Roaming\Macromedia
2014-02-28 09:00 - 2009-07-13 23:42 - 00000000 ___RD () C:\Users\m83780\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-02-28 09:00 - 2009-07-13 23:37 - 00000000 ___RD () C:\Users\m83780\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-02-28 08:49 - 2014-02-28 08:49 - 00000000 ____D () C:\Users\frankt\AppData\Local\ESET
2014-02-28 08:44 - 2014-02-28 08:44 - 00063568 _____ () C:\Users\frankt\AppData\Local\GDIPFONTCACHEV1.DAT
2014-02-28 08:44 - 2014-02-28 08:44 - 00001420 _____ () C:\Users\frankt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-28 08:44 - 2014-02-28 08:44 - 00000000 ____D () C:\Users\frankt\AppData\Roaming\ICAClient
2014-02-28 08:44 - 2014-02-28 08:44 - 00000000 ____D () C:\Users\frankt\AppData\Local\Citrix
2014-02-28 08:44 - 2014-02-28 08:44 - 00000000 ____D () C:\Users\frankt\AppData\Local\blekkotb_005
2014-02-28 08:43 - 2014-02-28 08:43 - 00000000 ____D () C:\Users\frankt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows SBS
2014-02-28 08:42 - 2014-02-28 08:43 - 00000000 ____D () C:\Users\frankt
2014-02-28 08:42 - 2014-02-28 08:42 - 00002158 __RSH () C:\Users\frankt\ntuser.pol
2014-02-28 08:42 - 2014-02-28 08:42 - 00000020 ___SH () C:\Users\frankt\ntuser.ini
2014-02-28 08:42 - 2014-02-28 08:42 - 00000000 ____D () C:\Users\frankt\AppData\Roaming\Windows Small Business Server
2014-02-28 08:42 - 2012-01-27 14:14 - 00000000 ____D () C:\Users\frankt\AppData\Roaming\Macromedia
2014-02-28 08:42 - 2009-07-13 23:42 - 00000000 ___RD () C:\Users\frankt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-02-28 08:42 - 2009-07-13 23:37 - 00000000 ___RD () C:\Users\frankt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-02-28 08:34 - 2014-02-28 08:34 - 00000000 ____D () C:\Users\m83780.old\AppData\Roaming\Malwarebytes
2014-02-28 08:33 - 2014-02-28 08:33 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-28 08:33 - 2014-02-28 08:33 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-02-28 08:33 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-02-28 08:32 - 2014-02-28 08:33 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\m83780.old\Downloads\mbam-setup-1.75.0.1300 (1).exe
2014-02-28 08:32 - 2014-02-28 08:32 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\m83780.old\Downloads\mbam-setup-1.75.0.1300.exe
2014-02-26 09:04 - 2014-02-26 09:04 - 00166106 _____ () C:\Users\m83780.old\AppData\Roaming\1d4f6_l
2014-02-26 09:04 - 2014-02-26 09:04 - 00166106 _____ () C:\ProgramData\1d4f6_l
2014-02-25 05:53 - 2014-02-28 08:59 - 00000448 _____ () C:\Windows\setupact.log
2014-02-25 05:53 - 2014-02-25 05:53 - 00000000 _____ () C:\Windows\setuperr.log
2014-02-20 06:49 - 2014-02-28 09:09 - 00000071 _____ () C:\Windows\system32\ctve.phn
2014-02-20 06:37 - 2014-02-20 06:37 - 00000064 _____ () C:\Windows\system32\plrb.wlg
2014-02-20 06:37 - 2014-02-20 06:37 - 00000000 _____ () C:\Windows\system32\voas.wlt
2014-02-20 06:22 - 2014-02-20 06:22 - 00105465 ____S () C:\Windows\system32\lbhrqeb.mnb
2014-02-18 07:16 - 2014-02-28 08:50 - 00000000 ____D () C:\Users\m83780.old\AppData\Local\Ection
2014-02-14 14:24 - 2014-02-03 10:05 - 01232896 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-14 14:24 - 2014-02-03 10:05 - 00981504 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-14 14:24 - 2014-02-03 10:05 - 00132096 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-02-14 14:24 - 2014-02-03 10:04 - 11020800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-14 14:24 - 2014-02-03 10:04 - 06040064 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-14 14:24 - 2014-02-03 10:04 - 02078208 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-14 14:24 - 2014-02-03 10:04 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-14 14:24 - 2014-02-03 10:04 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-14 14:24 - 2014-02-03 10:04 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-02-14 14:24 - 2014-02-03 10:04 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-14 14:24 - 2014-02-03 08:14 - 01638912 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-14 14:21 - 2013-12-05 21:02 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-02-14 14:21 - 2013-12-05 21:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-02-14 14:13 - 2013-12-09 21:02 - 00428032 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
 
==================== One Month Modified Files and Folders =======
 
2014-02-28 09:29 - 2014-02-28 09:28 - 00018251 _____ () C:\Users\m83780\Downloads\Addition.txt
2014-02-28 09:29 - 2014-02-28 09:27 - 00009354 _____ () C:\Users\m83780\Downloads\FRST.txt
2014-02-28 09:29 - 2014-02-28 09:27 - 00000000 ____D () C:\FRST
2014-02-28 09:27 - 2014-02-28 09:26 - 01143808 _____ (Farbar) C:\Users\m83780\Downloads\FRST.exe
2014-02-28 09:17 - 2014-02-28 09:17 - 00000000 ____D () C:\Users\m83780\AppData\Local\Google
2014-02-28 09:17 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780\AppData\Local\blekkotb_005
2014-02-28 09:09 - 2014-02-20 06:49 - 00000071 _____ () C:\Windows\system32\ctve.phn
2014-02-28 09:07 - 2012-08-28 09:14 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-28 09:06 - 2009-07-13 23:34 - 00028928 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-28 09:06 - 2009-07-13 23:34 - 00028928 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-28 09:05 - 2010-11-20 16:01 - 00726316 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-28 09:02 - 2014-02-28 09:02 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-02-28 09:02 - 2014-02-28 09:02 - 00000000 ____D () C:\Users\m83780\AppData\Roaming\Malwarebytes
2014-02-28 09:01 - 2014-02-28 09:01 - 00063568 _____ () C:\Users\m83780\AppData\Local\GDIPFONTCACHEV1.DAT
2014-02-28 09:01 - 2014-02-28 09:01 - 00000000 ____D () C:\Users\m83780\AppData\Roaming\ICAClient
2014-02-28 09:01 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780\AppData\Local\Citrix
2014-02-28 09:00 - 2014-02-28 09:00 - 00002158 __RSH () C:\Users\m83780\ntuser.pol
2014-02-28 09:00 - 2014-02-28 09:00 - 00001420 _____ () C:\Users\m83780\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-28 09:00 - 2014-02-28 09:00 - 00000020 ___SH () C:\Users\m83780\ntuser.ini
2014-02-28 09:00 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780\AppData\Roaming\Windows Small Business Server
2014-02-28 09:00 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows SBS
2014-02-28 09:00 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780\AppData\Local\ESET
2014-02-28 09:00 - 2014-02-28 09:00 - 00000000 ____D () C:\Users\m83780
2014-02-28 09:00 - 2012-08-28 09:14 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-28 08:59 - 2014-02-25 05:53 - 00000448 _____ () C:\Windows\setupact.log
2014-02-28 08:59 - 2012-05-03 09:23 - 00000000 ____D () C:\Windows\LTSvc
2014-02-28 08:59 - 2012-04-28 13:34 - 00000112 _____ () C:\Windows\system32\config\netlogon.ftl
2014-02-28 08:59 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-28 08:50 - 2014-02-18 07:16 - 00000000 ____D () C:\Users\m83780.old\AppData\Local\Ection
2014-02-28 08:50 - 2012-05-17 07:47 - 00000000 ____D () C:\Program Files\I Want This
2014-02-28 08:50 - 2012-04-30 05:22 - 00000000 ____D () C:\Users\m83780.old\AppData\Roaming\Adobe
2014-02-28 08:50 - 2010-11-20 16:48 - 00031986 _____ () C:\Windows\PFRO.log
2014-02-28 08:49 - 2014-02-28 08:49 - 00000000 ____D () C:\Users\frankt\AppData\Local\ESET
2014-02-28 08:48 - 2012-05-23 04:48 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-28 08:44 - 2014-02-28 08:44 - 00063568 _____ () C:\Users\frankt\AppData\Local\GDIPFONTCACHEV1.DAT
2014-02-28 08:44 - 2014-02-28 08:44 - 00001420 _____ () C:\Users\frankt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-28 08:44 - 2014-02-28 08:44 - 00000000 ____D () C:\Users\frankt\AppData\Roaming\ICAClient
2014-02-28 08:44 - 2014-02-28 08:44 - 00000000 ____D () C:\Users\frankt\AppData\Local\Citrix
2014-02-28 08:44 - 2014-02-28 08:44 - 00000000 ____D () C:\Users\frankt\AppData\Local\blekkotb_005
2014-02-28 08:43 - 2014-02-28 08:43 - 00000000 ____D () C:\Users\frankt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows SBS
2014-02-28 08:43 - 2014-02-28 08:42 - 00000000 ____D () C:\Users\frankt
2014-02-28 08:42 - 2014-02-28 08:42 - 00002158 __RSH () C:\Users\frankt\ntuser.pol
2014-02-28 08:42 - 2014-02-28 08:42 - 00000020 ___SH () C:\Users\frankt\ntuser.ini
2014-02-28 08:42 - 2014-02-28 08:42 - 00000000 ____D () C:\Users\frankt\AppData\Roaming\Windows Small Business Server
2014-02-28 08:34 - 2014-02-28 08:34 - 00000000 ____D () C:\Users\m83780.old\AppData\Roaming\Malwarebytes
2014-02-28 08:33 - 2014-02-28 08:33 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-28 08:33 - 2014-02-28 08:33 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-02-28 08:33 - 2014-02-28 08:32 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\m83780.old\Downloads\mbam-setup-1.75.0.1300 (1).exe
2014-02-28 08:32 - 2014-02-28 08:32 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\m83780.old\Downloads\mbam-setup-1.75.0.1300.exe
2014-02-28 07:10 - 2012-03-14 10:59 - 01610276 _____ () C:\Windows\WindowsUpdate.log
2014-02-26 09:04 - 2014-02-26 09:04 - 00166106 _____ () C:\Users\m83780.old\AppData\Roaming\1d4f6_l
2014-02-26 09:04 - 2014-02-26 09:04 - 00166106 _____ () C:\ProgramData\1d4f6_l
2014-02-25 06:17 - 2009-07-13 23:52 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-02-25 05:53 - 2014-02-25 05:53 - 00000000 _____ () C:\Windows\setuperr.log
2014-02-21 10:50 - 2012-05-23 04:48 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-02-21 10:50 - 2012-01-27 14:16 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-02-20 06:37 - 2014-02-20 06:37 - 00000064 _____ () C:\Windows\system32\plrb.wlg
2014-02-20 06:37 - 2014-02-20 06:37 - 00000000 _____ () C:\Windows\system32\voas.wlt
2014-02-20 06:22 - 2014-02-20 06:22 - 00105465 ____S () C:\Windows\system32\lbhrqeb.mnb
2014-02-20 06:22 - 2012-04-28 13:44 - 00000000 ____D () C:\Users\m83780.old
2014-02-17 06:16 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-02-03 10:05 - 2014-02-14 14:24 - 01232896 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-03 10:05 - 2014-02-14 14:24 - 00981504 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-03 10:05 - 2014-02-14 14:24 - 00132096 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-02-03 10:04 - 2014-02-14 14:24 - 11020800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-03 10:04 - 2014-02-14 14:24 - 06040064 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-03 10:04 - 2014-02-14 14:24 - 02078208 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-03 10:04 - 2014-02-14 14:24 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-03 10:04 - 2014-02-14 14:24 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-03 10:04 - 2014-02-14 14:24 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-02-03 10:04 - 2014-02-14 14:24 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-03 08:14 - 2014-02-14 14:24 - 01638912 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-01-31 13:24 - 2012-05-01 07:37 - 00000000 ____D () C:\Users\m83780.old\AppData\Local\Adobe
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2010-11-20 16:29] - [2010-11-20 16:29] - 0377856 ____A () D41D8CD98F00B204E9800998ECF8427E
 
C:\Windows\system32\rpcss.dll IS INFECTED. <===== ATTENTION!
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-02-18 06:25
 
==================== End Of Log ============================
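Two things in the log above single out rpcss.dll: both services that load it (DcomLaunch and RpcSs) show an empty publisher field, and the Bamital check prints an MD5 for it instead of "MD5 is legit". That MD5, D41D8CD98F00B204E9800998ECF8427E, is the MD5 of zero bytes, so the hasher read no content at all and a web search for it proves nothing. The Python below is an added triage example, not code from this thread or from FRST; it re-applies those two checks to a constructed sample in the same log format.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) logs.

Added example, not FRST's own code. It re-reads a few lines in the
format shown in the thread and flags the indicators that the log used
to call rpcss.dll patched: a Windows binary loaded as a service with an
empty publisher field, and an MD5 that FRST did not recognise.
"""
import hashlib
import re

# MD5 of zero bytes. The log above prints exactly this value for
# rpcss.dll, so the hasher saw no content: a web search for this hash
# says nothing about the file, only that it could not be read.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Constructed sample, modelled on lines from the log in this thread.
SAMPLE_LOG = r"""
R2 DcomLaunch; C:\Windows\system32\rpcss.dll [377856 2010-11-20] ()
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [810144 2011-01-12] (ESET)
R2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2011-10-04] (O2Micro International)
R2 RpcSs; C:\Windows\system32\rpcss.dll [377856 2010-11-20] ()
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2010-11-20 16:29] - [2010-11-20 16:29] - 0377856 ____A () D41D8CD98F00B204E9800998ECF8427E
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
"""

# "R2 name; path [size date] (vendor)": the path is matched lazily so a
# vendor that itself contains parentheses still lands in the vendor group.
SERVICE_RE = re.compile(
    r"^[RS]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ [\d-]+\] \((?P<vendor>.*)\)$")
# Bare path line that FRST prints before the MD5 of a file it did not recognise.
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:dll|exe|sys)$", re.IGNORECASE)
# "[created] - [modified] - size attrs (vendor) MD5"
HASH_RE = re.compile(
    r"^\[[^\]]+\] - \[[^\]]+\] - \d+ \S+ \((?P<vendor>.*)\) (?P<md5>[0-9A-Fa-f]{32})$")


def is_windows_binary(path):
    """True for a .dll/.exe/.sys anywhere under C:\\Windows."""
    p = path.lower()
    return p.startswith("c:\\windows\\") and p.endswith((".dll", ".exe", ".sys"))


def triage(log_text):
    """Return (kind, path, detail) findings from one FRST log, in log order."""
    findings = []
    pending_path = None   # path printed on the line before an MD5 line
    for line in log_text.splitlines():
        line = line.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            path, vendor = svc.group("path"), svc.group("vendor").strip()
            if is_windows_binary(path) and not vendor:
                findings.append(("unknown-publisher", path,
                                 f"service {svc.group('name')} loads it with no publisher"))
            continue
        if PATH_RE.match(line):
            pending_path = line
            continue
        hsh = HASH_RE.match(line)
        if hsh and pending_path:
            md5 = hsh.group("md5").upper()
            if md5 == EMPTY_MD5:
                findings.append(("empty-md5", pending_path,
                                 "MD5 is that of zero bytes: the file could not be read"))
            else:
                findings.append(("unrecognised-md5", pending_path,
                                 "MD5 not in FRST's known-good set; compare with a clean copy"))
        pending_path = None
    return findings


if __name__ == "__main__":
    for kind, path, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {path}\n{'':18} {detail}")
```

On the sample it reports rpcss.dll three times: once per service that loads it with no publisher, and once for the zero-byte MD5.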

 

#2 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:46 PM

Posted 28 February 2014 - 09:41 AM

Hi there,

Yes, this infection is obvious. But since a patched system file is involved, it's better to work in the Recovery Environment.
So please re-run a FRST scan there:


Move FRST to a flash drive
  • Plug the flash drive into the infected PC.
To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


#3 Lyekka

Lyekka
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:46 PM

Posted 28 February 2014 - 09:42 AM

Doing so now, thank you. Sorry for the multiple thread opens. Only following this one now.



#4 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:46 PM

Posted 28 February 2014 - 10:06 AM

OK, I closed the other threads and will wait for the log file here. :)

#5 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:46 PM

Posted 12 March 2014 - 12:07 PM

Do you still need help?



#6 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:46 PM

Posted 19 March 2014 - 12:14 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



