
ESET antivirus reports infection: Win64/Patched.H trojan


  • This topic is locked
18 replies to this topic

#1 ronpunan

ronpunan

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 26 March 2014 - 07:02 AM

Hi,

I'm running Windows 7 Home Premium and have been getting a lot of popup messages recently from ESET NOD32 Antivirus 7.

Here is an example of one of the messages:

Object: C:\Windows\system32\rpcss.dll

Threat: Win64/Patched.H trojan

Error while cleaning.

Event occured during an attempt to access the file by the application: C:\Windows\System32\SearchIndexer.exe

I have tried using System Restore and Malwarebytes, but no luck.

Any help would be greatly appreciated.

Thanks.

Here is the link back to the original post in the "Am I infected? What do I do?" forum: http://www.bleepingcomputer.com/forums/t/528665/eset-antivirus-reports-infection-win64patchedh-trojan/?p=3324034

I followed the prep guide. Here are the contents of the DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16798
Run by Eva at 7:43:37 on 2014-03-26
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3032.1263 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_77_ActiveX.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - C:\Users\Eva\AppData\Local\Temp\f5tmp\f5tunsrv.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - C:\Users\Eva\AppData\Local\Temp\f5tmp\urxhost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{98E5CFF8-7072-4B7A-9581-65F79120C42C} : DHCPNameServer = 172.168.1.161
TCP: Interfaces\{B54F64F4-66D6-4BBE-8799-2698B43BB94F} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{B54F64F4-66D6-4BBE-8799-2698B43BB94F}\2375942554132313 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{B54F64F4-66D6-4BBE-8799-2698B43BB94F}\C696E6B6379737 : DHCPNameServer = 68.87.74.166 68.87.68.166
TCP: Interfaces\{B54F64F4-66D6-4BBE-8799-2698B43BB94F}\D4F44554B4D4F4D4A595F5E4564777F627B6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{B54F64F4-66D6-4BBE-8799-2698B43BB94F}\E4F6A4F6E4564777F627B6 : DHCPNameServer = 192.168.2.1 167.206.254.1 167.206.254.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe
x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
x64-Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-8-22 55280]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2009-9-8 87600]
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2013-8-15 239320]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2013-9-12 1337752]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2013-8-15 157432]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-11-13 376144]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2010-1-27 16056]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2010-8-22 72216]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-1-25 656624]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2010-1-25 172704]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-1-25 215552]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2010-1-25 393728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-25 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2013-3-18 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-23 1255736]
.
=============== Created Last 30 ================
.
2014-03-26 11:41:41 10521840 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BE89B2AD-6AFF-4DD4-835A-8CCF94C519C1}\mpengine.dll
2014-03-13 22:50:08 -------- d-sh--w- C:\$RECYCLE.BIN
2014-03-13 22:01:35 98816 ----a-w- C:\Windows\sed.exe
2014-03-13 22:01:35 256000 ----a-w- C:\Windows\PEV.exe
2014-03-13 22:01:35 208896 ----a-w- C:\Windows\MBR.exe
2014-03-11 01:54:46 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2014-03-11 01:53:58 -------- d-----w- C:\Program Files\iPod
2014-03-11 01:53:56 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-11 01:53:56 -------- d-----w- C:\Program Files\iTunes
2014-02-28 04:12:46 -------- d-----w- C:\Users\Eva\AppData\Roaming\BitTorrent
2014-02-28 04:08:47 -------- d-----w- C:\Users\Eva\AppData\Roaming\uTorrent
2014-02-26 05:48:11 -------- d-----w- C:\Windows\Migration
.
==================== Find3M  ====================
.
2014-03-13 22:32:15 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-13 22:32:15 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-02-01 09:19:49 2241536 ----a-w- C:\Windows\System32\wininet.dll
2014-02-01 09:18:25 3960320 ----a-w- C:\Windows\System32\jscript9.dll
2014-02-01 09:18:21 67072 ----a-w- C:\Windows\System32\iesetup.dll
2014-02-01 09:18:21 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2014-02-01 07:58:31 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-01 07:57:20 2877952 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-02-01 07:57:16 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-02-01 07:57:16 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2014-02-01 07:40:43 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2014-02-01 07:34:53 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-02-01 06:45:40 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2014-02-01 06:38:03 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2014-01-22 03:42:23 107368 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
2014-01-22 03:42:22 35656 ----a-w- C:\Windows\System32\LMIport.dll
2014-01-22 03:42:21 92488 ----a-w- C:\Windows\System32\LMIinit.dll
.
============= FINISH:  7:45:25.37 ===============

 

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:24 AM

Posted 26 March 2014 - 07:24 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again, I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Regards,

Georgi




#3 ronpunan

ronpunan
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 26 March 2014 - 10:00 PM

Hi Georgi,

Thanks for helping out. Here is the FRST log and Addition.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Eva (administrator) on MOTEKMOMZY on 26-03-2014 22:55:17
Running from C:\Users\Eva\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
() C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Dell Inc.) C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
(Microsoft Corp.) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(SoftThinks) C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Creative Technology Ltd) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apntex.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidFind.exe
() C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
(Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_77_ActiveX.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [305664 2009-01-22] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [LogMeIn GUI] - C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2010-01-27] (LogMeIn, Inc.)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5618456 2013-09-12] (ESET)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PDVDDXSrv] - C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [DellSupportCenter] - C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-12-15] ()
HKLM-x32\...\Run: [ConnectionCenter] - C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [103768 2009-09-13] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [TkBellExe] - c:\program files (x86)\real\realplayer\Update\realsched.exe [274608 2011-01-17] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM-x32\...\RunOnce: [STToasterLauncher] - C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120048 2009-09-17] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-817328781-4279381411-426128289-1000\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-01-10] (Google Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {F07D0766-EEFA-4CEA-A8EC-F21C89B286FF} URL =
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Skype Plug-In - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} C:\Users\Eva\AppData\Local\Temp\f5tmp\f5tunsrv.cab
DPF: HKLM-x32 {E0FF21FA-B857-45C5-8621-F120A0C17FF2} C:\Users\Eva\AppData\Local\Temp\f5tmp\urxhost.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\pdf.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\gears.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.240.7) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U24) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (RealPlayer™ HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Users\Eva\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealJukebox NS Plugin) - c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - c:\program files (x86)\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Extension: (Entanglement Web App) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2011-02-24]
CHR Extension: (We-Care.com Reminder) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm [2012-06-17]
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2011-01-17]
CHR Extension: (Poppit) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2011-02-24]
CHR Extension: (Google Wallet) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-23]
CHR HKLM-x32\...\Chrome\Extension: [ippkomaaonokjnfjoikaemidanojkfmm] - C:\ProgramData\WeCareReminder\\wecarereminderro.crx [2012-03-22]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2011-01-17]

==================== Services (Whitelisted) =================

R2 DcomLaunch; C:\Windows\system32\rpcss.dll [513024 2010-11-20] ()
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1337752 2013-09-12] (ESET)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2014-01-21] (LogMeIn, Inc.)
S4 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2014-01-21] (LogMeIn, Inc.)
S4 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2010-12-08] (LogMeIn, Inc.)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [227232 2010-01-15] (McAfee, Inc.)
R2 RpcSs; C:\Windows\system32\rpcss.dll [513024 2010-11-20] ()
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-29] (IDT, Inc.)
R2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe [3417088 2009-07-16] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [239320 2013-08-15] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [239296 2013-08-19] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [168256 2013-08-15] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [157432 2013-08-15] (ESET)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-29] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 StarOpen; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-03-26 22:55 - 2014-03-26 22:56 - 00017078 _____ () C:\Users\Eva\Desktop\FRST.txt
2014-03-26 22:54 - 2014-03-26 22:55 - 00000000 ____D () C:\FRST
2014-03-26 22:54 - 2014-03-26 22:54 - 02157056 _____ (Farbar) C:\Users\Eva\Desktop\FRST64.exe
2014-03-26 08:00 - 2014-03-26 08:00 - 00002308 _____ () C:\Users\Eva\Desktop\ddsattach.zip
2014-03-26 07:45 - 2014-03-26 07:46 - 00016543 _____ () C:\Users\Eva\Desktop\dds.txt
2014-03-26 07:45 - 2014-03-26 07:46 - 00005324 _____ () C:\Users\Eva\Desktop\ddsattach.txt
2014-03-26 07:40 - 2014-03-26 07:41 - 00688992 ____R (Swearware) C:\Users\Eva\Desktop\dds.com
2014-03-13 18:50 - 2014-03-13 18:50 - 00015657 _____ () C:\ComboFix.txt
2014-03-13 18:01 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-03-13 18:01 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-03-13 18:01 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-03-13 18:00 - 2014-03-13 18:50 - 00000000 ____D () C:\Qoobox
2014-03-13 18:00 - 2014-03-13 18:46 - 00000000 ____D () C:\Windows\erdnt
2014-03-13 17:59 - 2014-03-13 17:59 - 05190279 ____R (Swearware) C:\Users\Eva\Downloads\ComboFix.exe
2014-03-12 20:26 - 2014-03-12 20:27 - 00000000 ____D () C:\Users\Eva\Downloads\Bank Statements
2014-03-10 21:54 - 2014-03-10 21:54 - 00001785 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-03-10 21:54 - 2012-08-21 13:01 - 00033240 _____ (GEAR Software Inc.) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2014-03-10 21:53 - 2014-03-10 21:54 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-10 21:53 - 2014-03-10 21:54 - 00000000 ____D () C:\Program Files\iTunes
2014-03-10 21:53 - 2014-03-10 21:53 - 00000000 ____D () C:\Program Files\iPod
2014-03-01 22:40 - 2014-03-01 22:40 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-03-01 22:40 - 2014-03-01 22:40 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-03-01 22:34 - 2014-03-26 07:44 - 00000081 _____ () C:\Windows\system32\svple.djv
2014-03-01 22:29 - 2014-03-01 22:29 - 00037888 _____ () C:\Windows\system32\ztswkj.etm
2014-03-01 22:23 - 2014-03-01 22:29 - 00000105 _____ () C:\Windows\system32\xokdvu.asw
2014-03-01 22:23 - 2014-03-01 22:23 - 00000064 _____ () C:\Windows\system32\llzny.crj
2014-03-01 22:07 - 2014-03-01 22:07 - 00229971 ____S () C:\Windows\system32\vhplidb.nzu
2014-03-01 20:21 - 2014-03-04 23:00 - 00000000 ____D () C:\Users\e.Motekmomzy
2014-02-28 00:15 - 2014-02-28 06:57 - 00000000 ____D () C:\Users\Eva\Downloads\Riddick.2013.EXTENDED.1080p.BluRay.x264-ALLiANCE [PublicHD]
2014-02-28 00:14 - 2014-02-28 00:16 - 00000000 ____D () C:\Users\Eva\Downloads\Modern.Family.S05E14.1080p.WEB-DL.DD5.1.H.264-HWD [PublicHD]
2014-02-28 00:14 - 2014-02-28 00:14 - 00000000 ____D () C:\Users\Eva\Downloads\Modern.Family.S05E15.720p.WEB-DL.DD5.1.H.264-HWD [PublicHD]
2014-02-28 00:13 - 2014-02-28 00:13 - 00000875 _____ () C:\Users\Eva\Desktop\BitTorrent.lnk
2014-02-28 00:13 - 2014-02-28 00:13 - 00000855 _____ () C:\Users\Eva\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent.lnk
2014-02-28 00:12 - 2014-02-28 18:41 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\BitTorrent
2014-02-28 00:08 - 2014-03-04 22:58 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\uTorrent
2014-02-28 00:08 - 2014-02-28 00:08 - 00000855 _____ () C:\Users\Eva\Desktop\µTorrent.lnk
2014-02-28 00:08 - 2014-02-28 00:08 - 00000835 _____ () C:\Users\Eva\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2014-02-26 01:50 - 2014-02-26 11:45 - 00775124 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI

==================== One Month Modified Files and Folders =======

2014-03-26 22:56 - 2014-03-26 22:55 - 00017078 _____ () C:\Users\Eva\Desktop\FRST.txt
2014-03-26 22:55 - 2014-03-26 22:54 - 00000000 ____D () C:\FRST
2014-03-26 22:54 - 2014-03-26 22:54 - 02157056 _____ (Farbar) C:\Users\Eva\Desktop\FRST64.exe
2014-03-26 22:53 - 2009-07-14 01:10 - 01663424 _____ () C:\Windows\WindowsUpdate.log
2014-03-26 22:47 - 2010-06-08 01:00 - 00000073 _____ () C:\Windows\SysWOW64\ToasterLauncherLog.log
2014-03-26 22:47 - 2010-01-25 09:56 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-03-26 22:46 - 2014-02-09 12:01 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf25b03a3c4915.job
2014-03-26 22:46 - 2011-01-10 13:44 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-26 22:46 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-26 22:46 - 2009-07-14 00:51 - 00228890 _____ () C:\Windows\setupact.log
2014-03-26 08:08 - 2013-08-15 01:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-26 08:07 - 2010-11-16 20:49 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-26 08:00 - 2014-03-26 08:00 - 00002308 _____ () C:\Users\Eva\Desktop\ddsattach.zip
2014-03-26 07:46 - 2014-03-26 07:45 - 00016543 _____ () C:\Users\Eva\Desktop\dds.txt
2014-03-26 07:46 - 2014-03-26 07:45 - 00005324 _____ () C:\Users\Eva\Desktop\ddsattach.txt
2014-03-26 07:44 - 2014-03-01 22:34 - 00000081 _____ () C:\Windows\system32\svple.djv
2014-03-26 07:41 - 2014-03-26 07:40 - 00688992 ____R (Swearware) C:\Users\Eva\Desktop\dds.com
2014-03-26 07:41 - 2009-07-14 00:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-26 07:41 - 2009-07-14 00:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-24 22:32 - 2012-06-17 15:07 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-13 19:40 - 2009-07-14 01:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-13 19:32 - 2010-01-25 11:39 - 00596796 _____ () C:\Windows\PFRO.log
2014-03-13 18:50 - 2014-03-13 18:50 - 00015657 _____ () C:\ComboFix.txt
2014-03-13 18:50 - 2014-03-13 18:00 - 00000000 ____D () C:\Qoobox
2014-03-13 18:50 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-03-13 18:46 - 2014-03-13 18:00 - 00000000 ____D () C:\Windows\erdnt
2014-03-13 18:45 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-03-13 18:32 - 2012-06-17 15:07 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-13 18:32 - 2012-06-17 15:07 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-13 18:32 - 2011-06-18 10:24 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-13 17:59 - 2014-03-13 17:59 - 05190279 ____R (Swearware) C:\Users\Eva\Downloads\ComboFix.exe
2014-03-13 17:45 - 2010-06-08 00:57 - 00000000 ____D () C:\Users\Eva
2014-03-13 17:42 - 2010-12-28 16:54 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\ICAClient
2014-03-13 17:42 - 2010-01-25 09:48 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-03-13 17:42 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\registration
2014-03-13 17:42 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\AppCompat
2014-03-12 20:27 - 2014-03-12 20:26 - 00000000 ____D () C:\Users\Eva\Downloads\Bank Statements
2014-03-10 21:54 - 2014-03-10 21:54 - 00001785 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-03-10 21:54 - 2014-03-10 21:53 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-10 21:54 - 2014-03-10 21:53 - 00000000 ____D () C:\Program Files\iTunes
2014-03-10 21:54 - 2011-02-20 05:21 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-03-10 21:53 - 2014-03-10 21:53 - 00000000 ____D () C:\Program Files\iPod
2014-03-10 21:49 - 2011-02-19 21:02 - 00000000 ____D () C:\ProgramData\Apple
2014-03-09 22:10 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-03-04 23:00 - 2014-03-01 20:21 - 00000000 ____D () C:\Users\e.Motekmomzy
2014-03-04 22:58 - 2014-02-28 00:08 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\uTorrent
2014-03-03 22:03 - 2009-07-14 01:08 - 00032606 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-02 17:07 - 2010-01-25 10:13 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-02 17:07 - 2010-01-25 10:13 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-01 22:40 - 2014-03-01 22:40 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-03-01 22:40 - 2014-03-01 22:40 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-03-01 22:29 - 2014-03-01 22:29 - 00037888 _____ () C:\Windows\system32\ztswkj.etm
2014-03-01 22:29 - 2014-03-01 22:23 - 00000105 _____ () C:\Windows\system32\xokdvu.asw
2014-03-01 22:23 - 2014-03-01 22:23 - 00000064 _____ () C:\Windows\system32\llzny.crj
2014-03-01 22:07 - 2014-03-01 22:07 - 00229971 ____S () C:\Windows\system32\vhplidb.nzu
2014-03-01 22:07 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-03-01 20:17 - 2010-08-22 19:02 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-02-28 18:41 - 2014-02-28 00:12 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\BitTorrent
2014-02-28 06:57 - 2014-02-28 00:15 - 00000000 ____D () C:\Users\Eva\Downloads\Riddick.2013.EXTENDED.1080p.BluRay.x264-ALLiANCE [PublicHD]
2014-02-28 00:16 - 2014-02-28 00:14 - 00000000 ____D () C:\Users\Eva\Downloads\Modern.Family.S05E14.1080p.WEB-DL.DD5.1.H.264-HWD [PublicHD]
2014-02-28 00:14 - 2014-02-28 00:14 - 00000000 ____D () C:\Users\Eva\Downloads\Modern.Family.S05E15.720p.WEB-DL.DD5.1.H.264-HWD [PublicHD]
2014-02-28 00:13 - 2014-02-28 00:13 - 00000875 _____ () C:\Users\Eva\Desktop\BitTorrent.lnk
2014-02-28 00:13 - 2014-02-28 00:13 - 00000855 _____ () C:\Users\Eva\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent.lnk
2014-02-28 00:08 - 2014-02-28 00:08 - 00000855 _____ () C:\Users\Eva\Desktop\µTorrent.lnk
2014-02-28 00:08 - 2014-02-28 00:08 - 00000835 _____ () C:\Users\Eva\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2014-02-26 11:45 - 2014-02-26 01:50 - 00775124 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2011-06-25 21:03] - [2010-11-20 09:27] - 0513024 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\rpcss.dll No Company Name <===== ATTENTION!

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-03-10 18:04

==================== End Of Log ============================



#4 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender: Male
  • Location: Bulgaria
  • Local time: 07:24 AM

Posted 27 March 2014 - 08:03 AM

Hello,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case BitTorrent and uTorrent). These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Libre Office or GIMP."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software

  • Next please re-run FRST again and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt) - please post the log in your reply to me (you can use pastebin as well).

Regards,

Georgi




#5 ronpunan

  • Topic Starter
  • Members
  • 11 posts
  • Local time: 12:24 AM

Posted 27 March 2014 - 09:32 PM

Hi,

Here is the search.txt log:

Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Eva at 2014-03-27 22:28:15
Running from C:\Users\Eva\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2011-06-25 21:03] - [2010-11-20 09:27] - 0512000 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 20:00] - [2009-07-13 21:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2011-06-25 21:03] - [2010-11-20 09:27] - 0513024 ____A () D41D8CD98F00B204E9800998ECF8427E

====== End Of Search ======

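As an added example (not FRST's code and not part of the thread), the Python triage below applies the heuristic FRST's own warning and this Search.txt expose: it parses each two-line record, flags a copy with a blank company name, flags a copy whose reported MD5 is D41D8CD98F00B204E9800998ECF8427E (which is exactly the MD5 of zero bytes, so FRST could not hash real content), and flags copies that share one MD5 while having different sizes, which no genuine digest can produce. The embedded input is the search result posted above, re-typed as a constructed sample string.

```python
"""Triage of an FRST "Search:" result for a Windows system DLL (added example)."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the rpcss.dll search result as posted in this thread.
SAMPLE_SEARCH = r"""
================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2011-06-25 21:03] - [2010-11-20 09:27] - 0512000 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 20:00] - [2009-07-13 21:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2011-06-25 21:03] - [2010-11-20 09:27] - 0513024 ____A () D41D8CD98F00B204E9800998ECF8427E

====== End Of Search ======
"""

# MD5 of zero bytes. A healthy system DLL can never hash to this; seeing it
# means the hasher read no content (locked, hollowed or unreadable file).
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Detail line layout: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileRecord:
    path: str
    size: int
    company: str
    md5: str


def parse_search(text: str) -> list[FileRecord]:
    """Pair every path line with the detail line that directly follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    records = []
    for i in range(len(lines) - 1):
        path, detail = lines[i], DETAIL_RE.match(lines[i + 1])
        if detail and path and not path.startswith(("=", "[")):
            records.append(FileRecord(path, int(detail["size"]),
                                      detail["company"].strip(), detail["md5"].upper()))
    return records


def triage(records: list[FileRecord]) -> dict[str, list[str]]:
    """Map each suspicious path to the reasons it looks tampered with."""
    sizes_by_md5 = defaultdict(set)
    for r in records:
        sizes_by_md5[r.md5].add(r.size)

    findings = {}
    for r in records:
        reasons = []
        if not r.company:
            reasons.append("no company name in version info")
        if r.md5 == EMPTY_MD5:
            reasons.append("MD5 equals the hash of zero bytes")
        if len(sizes_by_md5[r.md5]) > 1:
            reasons.append("same MD5 reported for copies of different sizes")
        if reasons:
            findings[r.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_search(SAMPLE_SEARCH)).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against this sample it reports both unsigned copies and leaves the 6.1.7600.16385 copy signed by Microsoft untouched; the same parser works on any Search.txt FRST produces for a single file name.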


#6 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender: Male
  • Location: Bulgaria
  • Local time: 07:24 AM

Posted 28 March 2014 - 03:58 AM

Please check your PM...and then proceed with the following steps:

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Regards,

Georgi


Edited by B-boy/StyLe/, 28 March 2014 - 04:00 AM.



#7 ronpunan

  • Topic Starter
  • Members
  • 11 posts
  • Local time: 12:24 AM

Posted 28 March 2014 - 09:11 PM

Hi,

Here is the fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Eva at 2014-03-28 22:04:44 Run:1
Running from C:\Users\Eva\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
CHR Extension: (We-Care.com Reminder) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm [2012-06-17]
CHR HKLM-x32\...\Chrome\Extension: [ippkomaaonokjnfjoikaemidanojkfmm] - C:\ProgramData\WeCareReminder\\wecarereminderro.crx [2012-03-22]
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [227232 2010-01-15] (McAfee, Inc.)
C:\Program Files (x86)\McAfee Security Scan
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
2014-03-01 22:34 - 2014-03-26 07:44 - 00000081 _____ () C:\Windows\system32\svple.djv
2014-03-01 22:29 - 2014-03-01 22:29 - 00037888 _____ () C:\Windows\system32\ztswkj.etm
2014-03-01 22:23 - 2014-03-01 22:29 - 00000105 _____ () C:\Windows\system32\xokdvu.asw
2014-03-01 22:23 - 2014-03-01 22:23 - 00000064 _____ () C:\Windows\system32\llzny.crj
2014-03-01 22:07 - 2014-03-01 22:07 - 00229971 ____S () C:\Windows\system32\vhplidb.nzu
Replace: C:\rpcss.dll C:\Windows\System32\rpcss.dll
Replace: C:\rpcss.dll C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
end
*****************

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Value deleted successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found.
C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm => Moved successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ippkomaaonokjnfjoikaemidanojkfmm => Key deleted successfully.
Could not move "C:\ProgramData\WeCareReminder\\wecarereminderro.crx" => Scheduled to move on reboot.
McComponentHostService => Service deleted successfully.
C:\Program Files (x86)\McAfee Security Scan => Moved successfully.
catchme => Service deleted successfully.
C:\Windows\system32\svple.djv => Moved successfully.
C:\Windows\system32\ztswkj.etm => Moved successfully.
Could not move "C:\Windows\system32\xokdvu.asw" => Scheduled to move on reboot.
C:\Windows\system32\llzny.crj => Moved successfully.
Could not move "C:\Windows\system32\vhplidb.nzu" => Scheduled to move on reboot.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll => Moved successfully.
Could not replace C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-03-28 22:06:49)<=

C:\ProgramData\WeCareReminder\\wecarereminderro.crx => Moved successfully.
C:\Windows\system32\xokdvu.asw => Is moved successfully.
C:\Windows\system32\vhplidb.nzu => Is moved successfully.

==== End of Fixlog ====



#8 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender: Male
  • Location: Bulgaria
  • Local time: 07:24 AM

Posted 29 March 2014 - 10:11 AM

Hello,

Great work.

Please download & run the following batch file =>

Next can you please run a new scan with FRST and post back the results?

Also please re-run FRST again and type the following in the edit box after Search: rpcss.dll and click the Search button and post back the content of the log - Search.txt.

Also let me know how things are now.

Regards,

Georgi



#9 ronpunan

  • Topic Starter
  • Members
  • 11 posts
  • Local time: 12:24 AM

Posted 29 March 2014 - 11:45 AM

Hi,

Thanks for your continued help. I turned the computer on this morning and it was doing a Windows update. Other than that, it looks like it's back to normal. No popups from ESET, and it looks like the computer is running fine speed-wise.

Here is the log from FRST scan:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Eva (administrator) on MOTEKMOMZY on 29-03-2014 12:37:02
Running from C:\Users\Eva\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
() C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Dell Inc.) C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
(Microsoft Corp.) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(SoftThinks) C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Creative Technology Ltd) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
() C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apntex.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidFind.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_77_ActiveX.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [305664 2009-01-22] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [LogMeIn GUI] - C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2010-01-27] (LogMeIn, Inc.)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5618456 2013-09-12] (ESET)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PDVDDXSrv] - C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [DellSupportCenter] - C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-12-15] ()
HKLM-x32\...\Run: [ConnectionCenter] - C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [103768 2009-09-13] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [TkBellExe] - c:\program files (x86)\real\realplayer\Update\realsched.exe [274608 2011-01-17] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM-x32\...\RunOnce: [STToasterLauncher] - C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120048 2009-09-17] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-817328781-4279381411-426128289-1000\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-01-10] (Google Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {F07D0766-EEFA-4CEA-A8EC-F21C89B286FF} URL =
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Skype Plug-In - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} C:\Users\Eva\AppData\Local\Temp\f5tmp\f5tunsrv.cab
DPF: HKLM-x32 {E0FF21FA-B857-45C5-8621-F120A0C17FF2} C:\Users\Eva\AppData\Local\Temp\f5tmp\urxhost.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\pdf.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\gears.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.240.7) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U24) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (RealPlayer™ HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Users\Eva\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealJukebox NS Plugin) - c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Version Plugin) - c:\program files (x86)\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Extension: (Entanglement Web App) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2011-02-24]
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2011-01-17]
CHR Extension: (Poppit) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2011-02-24]
CHR Extension: (Google Wallet) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-23]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2011-01-17]

==================== Services (Whitelisted) =================

R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1337752 2013-09-12] (ESET)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2014-01-21] (LogMeIn, Inc.)
S4 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2014-01-21] (LogMeIn, Inc.)
S4 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2010-12-08] (LogMeIn, Inc.)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-29] (IDT, Inc.)
R2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe [3417088 2009-07-16] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [239320 2013-08-15] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [239296 2013-08-19] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [168256 2013-08-15] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [157432 2013-08-15] (ESET)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-29] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 StarOpen; No ImagePath

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-03-29 12:33 - 2014-03-29 12:33 - 00001846 _____ () C:\Users\Eva\Desktop\fix.bat
2014-03-29 11:30 - 2014-02-23 04:13 - 02241536 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-29 11:30 - 2014-02-23 04:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-29 11:30 - 2014-02-23 04:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-29 11:30 - 2014-02-23 04:12 - 19273216 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-29 11:30 - 2014-02-23 04:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-29 11:30 - 2014-02-23 04:12 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-29 11:30 - 2014-02-23 04:11 - 15404032 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-29 11:30 - 2014-02-23 04:11 - 03960320 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-29 11:30 - 2014-02-23 04:11 - 02648576 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-29 11:30 - 2014-02-23 04:11 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-03-29 11:30 - 2014-02-23 04:11 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-29 11:30 - 2014-02-23 04:11 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-03-29 11:30 - 2014-02-23 04:11 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-29 11:30 - 2014-02-23 04:11 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-29 11:30 - 2014-02-23 04:11 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-29 11:30 - 2014-02-23 02:54 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-29 11:30 - 2014-02-23 02:54 - 01140736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 14358016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 02049024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-29 11:30 - 2014-02-23 02:53 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-29 11:30 - 2014-02-23 02:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-29 11:30 - 2014-02-23 02:31 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-29 11:30 - 2014-02-23 01:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-03-29 11:30 - 2014-02-23 01:35 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2014-03-28 22:03 - 2014-03-28 22:02 - 00512000 _____ (Microsoft Corporation) C:\rpcss.dll
2014-03-28 22:02 - 2014-03-28 22:02 - 00512000 _____ (Microsoft Corporation) C:\Users\Eva\Desktop\rpcss.dll
2014-03-27 22:28 - 2014-03-27 22:31 - 00000822 _____ () C:\Users\Eva\Desktop\Search.txt
2014-03-26 22:57 - 2014-03-26 22:57 - 00027023 _____ () C:\Users\Eva\Desktop\Addition.txt
2014-03-26 22:55 - 2014-03-29 12:37 - 00016331 _____ () C:\Users\Eva\Desktop\FRST.txt
2014-03-26 22:54 - 2014-03-29 12:37 - 00000000 ____D () C:\FRST
2014-03-26 22:54 - 2014-03-26 22:54 - 02157056 _____ (Farbar) C:\Users\Eva\Desktop\FRST64.exe
2014-03-26 08:00 - 2014-03-26 08:00 - 00002308 _____ () C:\Users\Eva\Desktop\ddsattach.zip
2014-03-26 07:45 - 2014-03-26 07:46 - 00016543 _____ () C:\Users\Eva\Desktop\dds.txt
2014-03-26 07:45 - 2014-03-26 07:46 - 00005324 _____ () C:\Users\Eva\Desktop\ddsattach.txt
2014-03-26 07:40 - 2014-03-26 07:41 - 00688992 ____R (Swearware) C:\Users\Eva\Desktop\dds.com
2014-03-13 18:50 - 2014-03-13 18:50 - 00015657 _____ () C:\ComboFix.txt
2014-03-13 18:01 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-03-13 18:01 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-03-13 18:01 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-03-13 18:01 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-03-13 18:00 - 2014-03-13 18:50 - 00000000 ____D () C:\Qoobox
2014-03-13 18:00 - 2014-03-13 18:46 - 00000000 ____D () C:\Windows\erdnt
2014-03-13 17:59 - 2014-03-13 17:59 - 05190279 ____R (Swearware) C:\Users\Eva\Downloads\ComboFix.exe
2014-03-12 20:26 - 2014-03-12 20:27 - 00000000 ____D () C:\Users\Eva\Downloads\Bank Statements
2014-03-10 21:54 - 2014-03-10 21:54 - 00001785 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-03-10 21:54 - 2012-08-21 13:01 - 00033240 _____ (GEAR Software Inc.) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2014-03-10 21:53 - 2014-03-10 21:54 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-10 21:53 - 2014-03-10 21:54 - 00000000 ____D () C:\Program Files\iTunes
2014-03-10 21:53 - 2014-03-10 21:53 - 00000000 ____D () C:\Program Files\iPod
2014-03-01 22:40 - 2014-03-01 22:40 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-03-01 22:40 - 2014-03-01 22:40 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-03-01 20:21 - 2014-03-04 23:00 - 00000000 ____D () C:\Users\e.Motekmomzy
2014-02-28 00:15 - 2014-02-28 06:57 - 00000000 ____D () C:\Users\Eva\Downloads\Riddick.2013.EXTENDED.1080p.BluRay.x264-ALLiANCE [PublicHD]
2014-02-28 00:14 - 2014-02-28 00:16 - 00000000 ____D () C:\Users\Eva\Downloads\Modern.Family.S05E14.1080p.WEB-DL.DD5.1.H.264-HWD [PublicHD]
2014-02-28 00:14 - 2014-02-28 00:14 - 00000000 ____D () C:\Users\Eva\Downloads\Modern.Family.S05E15.720p.WEB-DL.DD5.1.H.264-HWD [PublicHD]
2014-02-28 00:13 - 2014-02-28 00:13 - 00000875 _____ () C:\Users\Eva\Desktop\BitTorrent.lnk
2014-02-28 00:13 - 2014-02-28 00:13 - 00000855 _____ () C:\Users\Eva\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent.lnk
2014-02-28 00:12 - 2014-02-28 18:41 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\BitTorrent
2014-02-28 00:08 - 2014-03-04 22:58 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\uTorrent
2014-02-28 00:08 - 2014-02-28 00:08 - 00000855 _____ () C:\Users\Eva\Desktop\µTorrent.lnk
2014-02-28 00:08 - 2014-02-28 00:08 - 00000835 _____ () C:\Users\Eva\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk

==================== One Month Modified Files and Folders =======

2014-03-29 12:38 - 2014-03-26 22:55 - 00016331 _____ () C:\Users\Eva\Desktop\FRST.txt
2014-03-29 12:37 - 2014-03-26 22:54 - 00000000 ____D () C:\FRST
2014-03-29 12:33 - 2014-03-29 12:33 - 00001846 _____ () C:\Users\Eva\Desktop\fix.bat
2014-03-29 12:32 - 2012-06-17 15:07 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-29 12:31 - 2009-07-14 01:10 - 01845906 _____ () C:\Windows\WindowsUpdate.log
2014-03-29 12:27 - 2009-07-14 00:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-29 12:27 - 2009-07-14 00:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-29 12:21 - 2010-01-25 09:56 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-03-29 12:20 - 2011-01-10 13:44 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-29 12:20 - 2010-06-08 01:00 - 00000073 _____ () C:\Windows\SysWOW64\ToasterLauncherLog.log
2014-03-29 12:19 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-29 12:19 - 2009-07-14 00:51 - 00229114 _____ () C:\Windows\setupact.log
2014-03-29 11:29 - 2014-02-09 12:01 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf25b03a3c4915.job
2014-03-28 22:08 - 2011-01-10 13:44 - 00000000 ____D () C:\Users\Eva\AppData\Local\Google
2014-03-28 22:06 - 2012-05-08 15:32 - 00000000 ____D () C:\ProgramData\WeCareReminder
2014-03-28 22:02 - 2014-03-28 22:03 - 00512000 _____ (Microsoft Corporation) C:\rpcss.dll
2014-03-28 22:02 - 2014-03-28 22:02 - 00512000 _____ (Microsoft Corporation) C:\Users\Eva\Desktop\rpcss.dll
2014-03-28 22:02 - 2011-06-25 21:03 - 00512000 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2014-03-27 22:31 - 2014-03-27 22:28 - 00000822 _____ () C:\Users\Eva\Desktop\Search.txt
2014-03-26 22:57 - 2014-03-26 22:57 - 00027023 _____ () C:\Users\Eva\Desktop\Addition.txt
2014-03-26 22:54 - 2014-03-26 22:54 - 02157056 _____ (Farbar) C:\Users\Eva\Desktop\FRST64.exe
2014-03-26 08:08 - 2013-08-15 01:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-26 08:07 - 2010-11-16 20:49 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-26 08:00 - 2014-03-26 08:00 - 00002308 _____ () C:\Users\Eva\Desktop\ddsattach.zip
2014-03-26 07:46 - 2014-03-26 07:45 - 00016543 _____ () C:\Users\Eva\Desktop\dds.txt
2014-03-26 07:46 - 2014-03-26 07:45 - 00005324 _____ () C:\Users\Eva\Desktop\ddsattach.txt
2014-03-26 07:41 - 2014-03-26 07:40 - 00688992 ____R (Swearware) C:\Users\Eva\Desktop\dds.com
2014-03-13 19:40 - 2009-07-14 01:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-13 19:32 - 2010-01-25 11:39 - 00596796 _____ () C:\Windows\PFRO.log
2014-03-13 18:50 - 2014-03-13 18:50 - 00015657 _____ () C:\ComboFix.txt
2014-03-13 18:50 - 2014-03-13 18:00 - 00000000 ____D () C:\Qoobox
2014-03-13 18:50 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-03-13 18:46 - 2014-03-13 18:00 - 00000000 ____D () C:\Windows\erdnt
2014-03-13 18:45 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-03-13 18:32 - 2012-06-17 15:07 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-13 18:32 - 2012-06-17 15:07 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-13 18:32 - 2011-06-18 10:24 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-13 17:59 - 2014-03-13 17:59 - 05190279 ____R (Swearware) C:\Users\Eva\Downloads\ComboFix.exe
2014-03-13 17:45 - 2010-06-08 00:57 - 00000000 ____D () C:\Users\Eva
2014-03-13 17:42 - 2010-12-28 16:54 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\ICAClient
2014-03-13 17:42 - 2010-01-25 09:48 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-03-13 17:42 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\registration
2014-03-13 17:42 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\AppCompat
2014-03-12 20:27 - 2014-03-12 20:26 - 00000000 ____D () C:\Users\Eva\Downloads\Bank Statements
2014-03-10 21:54 - 2014-03-10 21:54 - 00001785 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-03-10 21:54 - 2014-03-10 21:53 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-10 21:54 - 2014-03-10 21:53 - 00000000 ____D () C:\Program Files\iTunes
2014-03-10 21:54 - 2011-02-20 05:21 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-03-10 21:53 - 2014-03-10 21:53 - 00000000 ____D () C:\Program Files\iPod
2014-03-10 21:49 - 2011-02-19 21:02 - 00000000 ____D () C:\ProgramData\Apple
2014-03-09 22:10 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-03-04 23:00 - 2014-03-01 20:21 - 00000000 ____D () C:\Users\e.Motekmomzy
2014-03-04 22:58 - 2014-02-28 00:08 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\uTorrent
2014-03-03 22:03 - 2009-07-14 01:08 - 00032606 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-02 17:07 - 2010-01-25 10:13 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-02 17:07 - 2010-01-25 10:13 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-01 22:40 - 2014-03-01 22:40 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-03-01 22:40 - 2014-03-01 22:40 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-03-01 22:07 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-03-01 20:17 - 2010-08-22 19:02 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-02-28 18:41 - 2014-02-28 00:12 - 00000000 ____D () C:\Users\Eva\AppData\Roaming\BitTorrent
2014-02-28 06:57 - 2014-02-28 00:15 - 00000000 ____D () C:\Users\Eva\Downloads\Riddick.2013.EXTENDED.1080p.BluRay.x264-ALLiANCE [PublicHD]
2014-02-28 00:16 - 2014-02-28 00:14 - 00000000 ____D () C:\Users\Eva\Downloads\Modern.Family.S05E14.1080p.WEB-DL.DD5.1.H.264-HWD [PublicHD]
2014-02-28 00:14 - 2014-02-28 00:14 - 00000000 ____D () C:\Users\Eva\Downloads\Modern.Family.S05E15.720p.WEB-DL.DD5.1.H.264-HWD [PublicHD]
2014-02-28 00:13 - 2014-02-28 00:13 - 00000875 _____ () C:\Users\Eva\Desktop\BitTorrent.lnk
2014-02-28 00:13 - 2014-02-28 00:13 - 00000855 _____ () C:\Users\Eva\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent.lnk
2014-02-28 00:08 - 2014-02-28 00:08 - 00000855 _____ () C:\Users\Eva\Desktop\µTorrent.lnk
2014-02-28 00:08 - 2014-02-28 00:08 - 00000835 _____ () C:\Users\Eva\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-03-10 18:04

==================== End Of Log ============================

Here is the search log:

Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Eva at 2014-03-29 12:43:51
Running from C:\Users\Eva\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\rpcss.dll
[2014-03-28 22:03] - [2014-03-28 22:02] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 20:00] - [2009-07-13 21:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2011-06-25 21:03] - [2014-03-28 22:02] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Users\Eva\Desktop\rpcss.dll
[2014-03-28 22:02] - [2014-03-28 22:02] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

====== End Of Search ======



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:24 AM

Posted 29 March 2014 - 12:15 PM

Good work! :)

Also, if you don't mind, I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.
    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

STEP 2

  • Please download RogueKillerX64.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 4

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box:
    • 'Could not load DDA driver'
  • Click 'Yes' to this message to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double-click on the scan log which shows the date and time of the scan just performed.
  • Click 'Copy to Clipboard'.
  • Paste the contents of the clipboard into your reply.

STEP 5

1. Please download HitmanPro.

  • For 32-bit Operating System: [download link].
  • This is the mirror: [download link].
  • For 64-bit Operating System: [download link].
  • This is the mirror: [download link].

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, then open the program while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

STEP 6

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

And then, if there aren't any issues left, I'll give you my final recommendations. :)

Regards,

Georgi


#11 ronpunan

ronpunan
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 29 March 2014 - 10:37 PM

Hi,

Thanks. I can feel we're almost done :-)

Here is the log from RKill:

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/29/2014 09:41:21 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 03/29/2014 09:41:58 PM
Execution time: 0 hours(s), 0 minute(s), and 36 seconds(s)

 

Link to RogueKiller log:

http://pastebin.com/embed_js.php?i=fFaEq3Hs

 

Links to TDSSKiller (there were 3 logs generated):

http://pastebin.com/embed_js.php?i=dpdFBBRG

http://pastebin.com/embed_js.php?i=NjaQVgbH

http://pastebin.com/embed_js.php?i=dcHsggMq

 

Malware Bytes log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/29/2014
Scan Time: 10:47:21 PM
Logfile:
Administrator: Yes

Version: 2.00.0.1000
Malware Database: v2014.03.29.08
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Eva

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 323000
Time Elapsed: 16 min, 36 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

Hitman log:

 

HitmanPro 3.7.9.216
www.hitmanpro.com
   Computer name . . . . : MOTEKMOMZY
   Windows . . . . . . . : 6.1.1.7601.X64/2
   User name . . . . . . : Motekmomzy\Eva
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free
   Scan date . . . . . . : 2014-03-29 22:59:48
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 4m 40s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
   Threats . . . . . . . : 1
   Traces  . . . . . . . : 36
   Objects scanned . . . : 1,419,255
   Files scanned . . . . : 40,564
   Remnants scanned  . . : 297,522 files / 1,081,169 keys
Malware _____________________________________________________________________
   C:\Windows\system32\rpcss.dll.vir
      Size . . . . . . . : 513,024 bytes
      Age  . . . . . . . : 1008.1 days (2011-06-25 21:03:30)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : 9470204B6971D4CF7B6073BCC4D4A5D540BAD4136FE9ABD887A6C6B614194D74
      Product  . . . . . : Microsoft® Windows® Operating System
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Distributed COM Services
      Version  . . . . . : 6.1.7601.17514
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
    > Bitdefender  . . . : Trojan.Patched.Zekos.B
    > Kaspersky  . . . . : Trojan.Win64.Patched.bj
      Fuzzy  . . . . . . : 102.0

Potential Unwanted Programs _________________________________________________
   ask.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Web Data

Cookies _____________________________________________________________________
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:a1.interclick.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.mlnadvertising.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:adbrite.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:adlegend.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.ba-bamail.co.il
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pointroll.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pubmatic.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.undertone.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.yahoo.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:apmebf.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:ar.atwola.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:at.atwola.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:atwola.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:citi.bridgetrack.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:collective-media.net
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:fastclick.net
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:in.getclicky.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:interclick.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:invitemedia.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:media6degrees.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:mediaplex.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:pointroll.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:questionmarket.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:specificclick.net
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:stats.adotube.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:tacoda.at.atwola.com
   C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Cookies:tribalfusion.com

 

Security Check log:

 

 Results of screen317's Security Check version 0.99.81 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
ESET NOD32 Antivirus 7.0  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 26 
 Java version out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome 33.0.1750.146 
 Google Chrome 33.0.1750.154 
````````Process Check: objlist.exe by Laurent```````` 
 ESET NOD32 Antivirus egui.exe 
 ESET NOD32 Antivirus ekrn.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

 

 



#12 B-boy/StyLe/ (Malware Response Team)

Posted 30 March 2014 - 04:22 AM

Hello,

 

 

Yes, we are almost done here.

 

 

STEP 1

 

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Also please do this:

 

 

STEP 2

 

 

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 

STEP 3

 

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

STEP 4

 

 

Since Internet Explorer 11 Final was released a few weeks ago I suggest you upgrade it to the latest version even if you don't use it.
You can download it from here:

 

Download for 64 bits: Internet Explorer 11.0 Final for Windows 7 EN x64

 

 

Also your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

  • Download the latest version of Java SE 8.
  • Click the Java SE 8  "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-8-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Programs, click on Uninstall a program and remove all older versions of Java:
    Java™ 6 Update 26
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/Windows 7 users, right click on the jre-8-windows-i586.exe and select "Run as an Administrator.")

 

Next please run JavaRa.

  • Please download JavaRa 2.5 and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Choose Remove JRE and, since you already uninstalled Java, skip step 1 and click on the Next button.
  • Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  • When that's successfully done, please click OK to close the message.
  • Click on Next and skip the downloading process. Click Next and now click on Close this wizard and click Finish.
  • From the main menu please choose Additional tasks
  • Place a checkmark beside Remove startup entry, Remove Outdated JRE Firefox Extensions and Clean JRE Temp Files and click Run. The browsers should be closed before running this task.
  • When that's successfully done you will see a message at the top saying: "Selected tasks completed successfully".
  • A log file should be created in the same directory as JavaRa.
  • Please attach the log to your next reply.
  • Close JavaRa by clicking the red cross button.

 

You can choose between 2 variants:

 

1. If you have applications that require Java to be installed on the computer then uninstall the old version of Java and then run JavaRa to remove all remnants and then go ahead and download & install the latest version of Java (Java SE 8).

 

2. If you want to be on the safe side then go ahead and uninstall the old version of Java, then run JavaRa to remove all remnants and then remove all applications that require Java (time to learn to live without Java and find alternatives to the applications that require Java)... Check this article.

 

It's your call. :)

 

 

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 11.0.06 to your PC's desktop.
 

  • Uninstall Adobe Reader 9 via Start => Control Panel > Uninstall a program
  • Install the new downloaded updated software.

 

 

  • It is possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector or you can use the following application for this purpose PatchMyPC

 
Visit Microsoft's Windows Update Site Frequently

 

  • It is important that you visit Windows Update regularly.
  • This will ensure your computer always has the latest available security updates installed.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

Finally post a new log from SecurityCheck. :)

 

 

Regards,

Georgi


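
The Control Panel walk-through above finds old Java builds by eye. The PowerShell below is an added example for this thread, not Georgi's script or part of any of the tools he names: it reads the same Uninstall registry keys that "Uninstall a program" displays, from both the 64-bit and the 32-bit (Wow6432Node) views, flags every Java entry older than the newest Java present, and prints (does not run) an uninstall command for each. The name pattern, the function name Get-InstalledProduct and the choice to treat only the single newest Java as current are assumptions for the example; it needs PowerShell 3 or later (Windows Management Framework 4 on Windows 7) and an elevated prompt.

```powershell
# Added example (not from the thread): locate the Java and Adobe Reader products that
# Security Check flagged by reading both the 64-bit and 32-bit (Wow6432Node) Uninstall
# keys, flag Java installs older than the newest one present, and print an uninstall
# command for each. Needs PowerShell 3 or later (WMF 4 on Windows 7); run elevated.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit products on x64 Windows
)

# Product names as they appear in this thread's Security Check output. The pattern itself
# is an assumption for the example and can be widened to other software.
$NamePattern = '^(Java|J2SE|JRE|Adobe Reader)'

function Get-InstalledProduct {
    param([string[]]$Keys, [string]$Pattern)
    Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        ForEach-Object {
            # DisplayVersion is free text; only values that parse take part in the comparison
            $parsed = $null
            [void][version]::TryParse($_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                Version         = $parsed
                Publisher       = $_.Publisher
                ProductCode     = $_.PSChildName          # {GUID} for MSI-based installs
                UninstallString = $_.UninstallString
            }
        }
}

$products = Get-InstalledProduct -Keys $UninstallKeys -Pattern $NamePattern |
    Sort-Object DisplayName, Version

$products | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize

# Everything Java-related except the single newest parseable version is a removal candidate
$java   = $products | Where-Object { $_.DisplayName -match '^(Java|J2SE|JRE)' -and $_.Version }
$newest = $java | Sort-Object Version -Descending | Select-Object -First 1
$stale  = $java | Where-Object { $newest -and $_.Version -lt $newest.Version }

if ($newest) {
    Write-Host "`nJava versions older than $($newest.DisplayName) ($($newest.DisplayVersion)):"
    foreach ($p in $stale) {
        # MSI products can be removed unattended with msiexec; others expose their own
        # UninstallString. Commands are printed, not executed: review them before running any.
        if ($p.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
            "  msiexec /x $($p.ProductCode) /qn /norestart    # $($p.DisplayName) $($p.DisplayVersion)"
        } else {
            "  $($p.UninstallString)    # $($p.DisplayName) $($p.DisplayVersion)"
        }
    }
}
```

On the machine in this thread the table would list Java(TM) 6 Update 26 (DisplayVersion 6.0.260) and, once installed, Java 8, so the older entry is the one flagged. Registry DisplayVersion strings are not always proper version numbers, which is why the comparison silently skips anything [version]::TryParse rejects rather than guessing.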


#13 ronpunan (Topic Starter)

Posted 30 March 2014 - 11:11 PM

Hi,

 

Here is the FRST log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Eva at 2014-03-30 21:44:34 Run:2
Running from C:\Users\Eva\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
C:\Windows\system32\rpcss.dll.vir
Unlock: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d
CMD: copy /y C:\rpcss.dll C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d
end
*****************

C:\Windows\system32\rpcss.dll.vir => Moved successfully.
"C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d" => File/Directory unlocked successfully.

=========  copy /y C:\rpcss.dll C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d =========

        1 file(s) copied.

========= End of CMD: =========

==== End of Fixlog ====

 

 

Here is the AdwCleaner log:

 

# AdwCleaner v3.022 - Report created 30/03/2014 at 21:48:43
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Eva - MOTEKMOMZY
# Running from : C:\Users\Eva\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\Program Files (x86)\Common Files\DVDVideoSoft\TB

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\IEHelperv2.5.0.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}
Key Deleted : HKCU\Software\wecarereminder
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16843

-\\ Google Chrome v33.0.1750.154

[ File : C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [2213 octets] - [30/03/2014 21:47:10]
AdwCleaner[S0].txt - [2071 octets] - [30/03/2014 21:48:43]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2131 octets] ##########

 

Here is the JRT log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.3 (03.23.2014:1)
OS: Windows 7 Home Premium x64
Ran by Eva on Sun 03/30/2014 at 21:57:51.95
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 03/30/2014 at 22:07:07.15
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

I updated IE, Java, and Adobe Reader

 

Here is the Security Check log:

 

 Results of screen317's Security Check version 0.99.81 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
ESET NOD32 Antivirus 7.0  
 Antivirus out of date! 
`````````Anti-malware/Other Utilities Check:`````````
 Java 8   
 Java version out of Date!
 Adobe Reader XI 
 Google Chrome 33.0.1750.146 
 Google Chrome 33.0.1750.154 
````````Process Check: objlist.exe by Laurent```````` 
 ESET NOD32 Antivirus egui.exe 
 ESET NOD32 Antivirus ekrn.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 
````````````````````End of Log``````````````````````
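
The Fixlog above moved the patched rpcss.dll.vir out of System32, unlocked the WinSxS component directory and copied a clean rpcss.dll into it. A practitioner would then want to confirm that the live copy in System32 and the component-store copy are the same, validly signed Microsoft binary and that neither is the patched file. The PowerShell below is an added example, not FRST's output or anything posted in the thread: the WinSxS directory name is the one from the fixlist, the known-bad SHA-256 is the one HitmanPro reported for rpcss.dll.vir, and the helper name Test-SystemDll is made up for the example. It needs PowerShell 4 or later for Get-FileHash (Windows Management Framework 4 on Windows 7) and an elevated prompt.

```powershell
# Added example (not from the thread): verify that rpcss.dll in System32 and in the
# WinSxS component store are the same, validly signed Microsoft binary, and that neither
# is the patched copy HitmanPro reported. Needs PowerShell 4+ (WMF 4 on Windows 7); run elevated.

# Known-bad hash: SHA-256 that HitmanPro reported for C:\Windows\system32\rpcss.dll.vir
$PatchedSha256 = '9470204B6971D4CF7B6073BCC4D4A5D540BAD4136FE9ABD887A6C6B614194D74'

# Component directory taken from the FRST fixlist in this thread. On another machine,
# enumerate C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_* instead.
$Live  = Join-Path $env:SystemRoot 'System32\rpcss.dll'
$Store = Join-Path $env:SystemRoot 'winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll'

function Test-SystemDll {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $ver  = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        Path            = $Path
        Exists          = $true
        FileVersion     = $ver.FileVersion
        SignatureStatus = $sig.Status                      # 'Valid' for an untouched, signed OS file
        SignerSubject   = $sig.SignerCertificate.Subject
        SignatureOK     = ($sig.Status -eq 'Valid')        # a patched binary fails this check
        Sha256          = $hash
        IsPatchedCopy   = ($hash -eq $PatchedSha256)
    }
}

$results = $Live, $Store | ForEach-Object { Test-SystemDll -Path $_ }
$results | Format-List

# Summary a practitioner would act on. Caveat: many OS files are catalog-signed rather than
# embedded-signed; on an older PowerShell a 'NotSigned' status for such a file is inconclusive,
# so back it up with sfc /verifyonly (or Sysinternals sigcheck) rather than treating it as proof.
$bad = $results | Where-Object { -not $_.Exists -or -not $_.SignatureOK -or $_.IsPatchedCopy }
if ($bad) {
    Write-Warning 'rpcss.dll still needs attention:'
    $bad | ForEach-Object { Write-Warning ("  {0}" -f $_.Path) }
} elseif ($results[0].Sha256 -ne $results[1].Sha256) {
    Write-Warning 'System32 and WinSxS copies differ; the live file is not the component-store version.'
} else {
    Write-Host 'rpcss.dll in System32 matches the signed WinSxS copy.'
}

# Independent cross-check with the built-in resource checker (reports only, repairs nothing)
sfc /verifyonly
```

The two hashes are compared against each other as well as against the known-bad value because a restore can succeed in WinSxS and still leave a different file in System32 if the copy into the live directory is blocked by a handle, as the original ESET pop-up (SearchIndexer.exe holding rpcss.dll) suggests can happen.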

 

 



#14 B-boy/StyLe/ (Malware Response Team)

Posted 31 March 2014 - 02:31 AM

Hello,

 

 

Great work.

Please delete the following 2 files manually:

 

C:\rpcss.dll <= this file
C:\Users\Eva\Desktop\rpcss.dll <= this file

 

If you receive the message which says "the files are in use" then we will delete them with a script. Just let me know what you got. :)

 

 

Regards,

Georgi




#15 ronpunan (Topic Starter)

Posted 31 March 2014 - 07:13 AM

Hi Georgi,

 

Files are deleted. Thank you so much for your help! I really appreciate it.





