
Trojan.Win32.Zekos.a found in svchost.exe and rpcss.dll, can't quarantine!


  • This topic is locked
7 replies to this topic

#1 novasect

novasect

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Chico, CA
  • Local time:10:41 PM

Posted 27 March 2014 - 02:46 PM

I'm trying to get rid of this nasty infection.  It's identified by Vipre as a Zekos Trojan. Vipre Business finds this in its scans, but is unable to quarantine it. Malwarebytes doesn't find anything.  There are no unusual programs listed in the control panel and I don't see any abnormal processes running.  When I log on to the computer under my profile (which is the profile I pulled the logs with) it seems to run mostly fine.  The primary user, however, has started getting a "Plug and Play service could not start, your computer must restart" error when he logs in.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514
Run by KReagan at 12:37:42 on 2014-03-27
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3555.1858 [GMT -7:00]
.
AV: GFI Software VIPRE *Enabled/Updated* {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: GFI Software VIPRE *Enabled/Updated* {4488DCF2-DB33-0D0C-FD63-B0654A31EAEC}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Printer DCA\PrinterDCA.Service.exe
C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbengine.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe
C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\servicing\TrustedInstaller.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://companyweb
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtkNGUI.exe -s
mRun: [USB3MON] "c:\program files\intel\intel® usb 3.0 extensible host controller driver\application\iusb3mon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SBAMTray] "c:\program files\gfi software\gfiagent\SBAMTray.exe"
mRun: [SBRegRebootCleaner] "c:\program files\gfi software\gfiagent\SBRC.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: HideFastUserSwitching = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {174793AA-EAE2-4188-AFA5-064BE26901B1} - hxxp://www.digitalgsp.com/xvr/CXRMS_1,1,1,2.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{D837631F-F862-4516-A3EF-2E4B0DA889FB} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kreagan\appdata\roaming\mozilla\firefox\profiles\2vuviw60.default\
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\intel\intel® management engine components\ipt\npIntelWebAPIIPT.dll
FF - plugin: c:\program files\intel\intel® management engine components\ipt\npIntelWebAPIUpdater.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2012-8-23 13592]
R1 oxpar;OX16PCI95x Parallel port driver;c:\windows\system32\drivers\oxpar.sys [2012-8-23 80128]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\intel\icls client\HeciServer.exe [2012-2-2 458464]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files\intel\intel® management engine components\dal\Jhi_service.exe [2012-8-23 161560]
R2 Printer DCA;Printer DCA;c:\program files\printer dca\PrinterDCA.Service.exe [2013-3-21 56832]
R2 SBAMSvc;VIPRE Business;c:\program files\gfi software\gfiagent\SBAMSvc.exe [2013-5-30 3681016]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2013-1-15 68904]
R2 SBPIMSvc;SB Recovery Service;c:\program files\gfi software\gfiagent\SBPIMSvc.exe [2013-5-30 176536]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-8-8 235624]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2012-8-23 363800]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-5-21 43368]
R3 gfiutil;gfiutil;c:\windows\system32\drivers\gfiutil.sys [2013-6-11 24040]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys [2012-8-23 348440]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys [2012-8-23 791832]
R3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2012-8-23 46080]
R3 oxmep;OXPCI support driver;c:\windows\system32\drivers\oxmep.sys [2012-8-23 5120]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2012-8-23 490088]
R3 staccel;staccel;c:\windows\system32\drivers\staccel.sys [2012-7-17 32864]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 sbwtis;sbwtis;c:\windows\system32\drivers\sbwtis.sys [2013-1-15 76064]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
.
=============== Created Last 30 ================
.
2014-03-27 19:02:22    --------    d-----w-    c:\program files\HitmanPro
2014-03-27 18:34:28    --------    d-----w-    c:\programdata\HitmanPro
2014-03-27 18:32:03    --------    d-----w-    c:\users\kreagan\appdata\local\Macromedia
2014-03-26 23:59:39    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-03-26 23:57:24    --------    d-----w-    c:\users\kreagan\appdata\local\temp
2014-03-26 23:44:55    98816    ----a-w-    c:\windows\sed.exe
2014-03-26 23:44:55    256000    ----a-w-    c:\windows\PEV.exe
2014-03-26 23:44:55    208896    ----a-w-    c:\windows\MBR.exe
.
==================== Find3M  ====================
.
2014-03-11 22:20:22    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 22:20:22    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-11 01:16:33    50688    ----a-w-    c:\windows\RemComSvc80.exe
.
============= FINISH: 12:38:32.62 ===============
 



#2 novasect

novasect
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Chico, CA
  • Local time:10:41 PM

Posted 27 March 2014 - 03:03 PM

Ok, so now my user as well is getting a "Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly" error and Microsoft Office 2010 gives a license error and now shows as a trial version in the help menu, even though it was previously licensed?



#3 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:41 AM

Posted 28 March 2014 - 09:02 AM

Hi there,

please run the following scans:


Step 1

Please download Farbar Recovery Scan Tool and save it to your Desktop.

  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

 

 

Step 2

  • Start FRST with Administrator privileges.
  • Write the following text into the Search: textbox:
    rpcss.dll
  • Click on the Search File(s) button.
  • When finished, a log file (Search.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.
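The FRST search in Step 2 is there to list every copy of rpcss.dll on the disk and hash each one, so that a patched copy (different MD5, same name, same location as the genuine file) stands out against the pristine copies kept in winsxs and in backups. The script below is an added example of that check, not FRST's code and not part of aharonov's instructions: it builds a constructed directory tree with three copies of a file named rpcss.dll (one unmodified, two with extra bytes appended), hashes each copy in chunks, and flags the ones whose digest is not on a known-good list. The "genuine" content and the known-good digest are constructed for the demo, not real Microsoft hashes.

```python
"""Enumerate every copy of a named file under a directory tree, hash each one,
and flag copies whose MD5 is not on a known-good list.

Added example (not FRST's own code). The file contents and the known-good
digest below are constructed so the script runs offline on any OS.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed demo contents: a "genuine" body and the same body with bytes appended.
GENUINE_CONTENT = b"MZ\x90\x00demo rpcss.dll body (constructed, not a real binary)"
PATCHED_CONTENT = GENUINE_CONTENT + b"\x00constructed injected stub"

# Known-good list derived from the constructed genuine content (NOT a real Microsoft hash).
KNOWN_GOOD_MD5 = {hashlib.md5(GENUINE_CONTENT).hexdigest().upper()}


def file_digests(path):
    """Return the MD5 and SHA-256 of a file, reading it in 64 KiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest().upper(), "sha256": sha256.hexdigest()}


def find_copies(root, name):
    """Every regular file called `name` under root, matched case-insensitively (as NTFS does)."""
    target = name.lower()
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.name.lower() == target)


def audit(root, name, known_good_md5):
    """Hash each copy and mark it legit only if its MD5 is on the known-good list."""
    root = Path(root)
    findings = []
    for p in find_copies(root, name):
        d = file_digests(p)
        findings.append({
            "path": str(p.relative_to(root)),
            "size": p.stat().st_size,
            "md5": d["md5"],
            "sha256": d["sha256"],
            "legit": d["md5"] in known_good_md5,
        })
    return findings


def build_demo_tree():
    """Create a constructed tree: a modified live copy, a pristine backup copy, and a stray copy in Temp."""
    root = Path(tempfile.mkdtemp(prefix="rpcss_demo_"))
    live = root / "Windows" / "System32"
    backup = root / "Windows" / "winsxs" / "x86_rpcss_demo"
    temp = root / "Users" / "demo" / "AppData" / "Local" / "Temp"
    for d in (live, backup, temp):
        d.mkdir(parents=True)
    (live / "rpcss.dll").write_bytes(PATCHED_CONTENT)     # live copy: modified
    (backup / "rpcss.dll").write_bytes(GENUINE_CONTENT)   # component-store copy: pristine
    (temp / "RPCSS.DLL").write_bytes(PATCHED_CONTENT)     # stray copy, upper-case name
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for f in audit(demo_root, "rpcss.dll", KNOWN_GOOD_MD5):
        status = "MD5 is legit" if f["legit"] else "ATTENTION: MD5 not on known-good list"
        print(f"{f['path']}  {f['size']} bytes  MD5 {f['md5']}  => {status}")
```

Two points about the design: the comparison is on the digest, never on size alone, because a patched file can keep the original length, and the SHA-256 is recorded alongside the MD5 so a finding can be checked against sources that no longer publish MD5. Hashing from the running system is also only as trustworthy as that system's file reads; when a kernel-mode component is suspected, the same check made from offline media (the recovery environment FRST is built for) is the one to believe.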


#4 novasect

novasect
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Chico, CA
  • Local time:10:41 PM

Posted 28 March 2014 - 10:58 AM

Step 1:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01
Ran by KReagan (administrator) on CNFC-WS7-PC on 28-03-2014 08:51:07
Running from C:\Users\kreagan\Desktop
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Nero AG) C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
(PrintFleet Inc) C:\Program Files\Printer DCA\PrinterDCA.Service.exe
(ThreatTrack Security, Inc.) C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\system32\PrintIsolationHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(Intel Corporation) C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(ThreatTrack Security, Inc.) C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
(ThreatTrack Security, Inc.) C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe
(Microsoft Corporation) C:\Windows\system32\msiexec.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [6318696 2011-12-12] (Realtek Semiconductor)
HKLM\...\Run: [USB3MON] - C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-26] (Intel Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [SBAMTray] - C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe [3232152 2013-05-30] (ThreatTrack Security, Inc.)
HKLM\...\Run: [SBRegRebootCleaner] - C:\Program Files\GFI Software\GFIAgent\SBRC.exe [202648 2013-05-30] (ThreatTrack Security, Inc.)
Startup: C:\Users\jcampbell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
DPF: {174793AA-EAE2-4188-AFA5-064BE26901B1} http://www.digitalgsp.com/xvr/CXRMS_1,1,1,2.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\kreagan\AppData\Roaming\Mozilla\Firefox\Profiles\2vuviw60.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 - C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

========================== Services (Whitelisted) =================

R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [458464 2012-02-02] (Intel® Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
R2 Printer DCA; C:\Program Files\Printer DCA\PrinterDCA.Service.exe [56832 2013-03-21] (PrintFleet Inc)
S4 RemoteAccess; C:\Windows\System32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 SBAMSvc; C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe [3681016 2013-05-30] (ThreatTrack Security, Inc.)
R2 SBPIMSvc; C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe [176536 2013-05-30] (ThreatTrack Security, Inc.)

==================== Drivers (Whitelisted) ====================

S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [43368 2013-05-23] (ThreatTrack Security)
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [24040 2013-09-04] (ThreatTrack Security)
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [13592 2012-01-26] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [348440 2012-01-26] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [791832 2012-01-26] (Intel Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [46080 2011-11-10] (Intel Corporation)
R3 oxmep; C:\Windows\System32\DRIVERS\oxmep.sys [5120 2007-01-22] (OEM)
R1 oxpar; C:\Windows\System32\DRIVERS\oxpar.sys [80128 2007-01-23] (OEM)
R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [68904 2013-01-15] (GFI Software)
S3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [76064 2013-01-15] (GFI Software)
R3 staccel; C:\Windows\System32\DRIVERS\staccel.sys [32864 2012-07-17] (ShoreTel, Inc)
S3 catchme; \??\C:\Users\JCAMPB~1\AppData\Local\Temp\catchme.sys [X]
S1 SBRE; \SystemRoot\system32\drivers\SBREDrv.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-28 08:51 - 2014-03-28 08:51 - 00007295 _____ () C:\Users\kreagan\Desktop\FRST.txt
2014-03-28 08:51 - 2014-03-28 08:51 - 00000000 ____D () C:\FRST
2014-03-28 08:50 - 2014-03-28 08:33 - 01145856 _____ (Farbar) C:\Users\kreagan\Desktop\FRST.exe
2014-03-27 14:10 - 2014-03-27 14:10 - 00002076 _____ () C:\Users\Public\Desktop\Belarc Advisor.lnk
2014-03-27 14:10 - 2014-03-27 14:10 - 00000000 ____D () C:\Program Files\Belarc
2014-03-27 14:10 - 2014-03-14 10:22 - 03181760 _____ () C:\Users\kreagan\Desktop\advisorinstaller.exe
2014-03-27 14:06 - 2014-03-27 14:06 - 00000000 ____D () C:\Program Files\CPUID
2014-03-27 14:06 - 2014-02-10 13:52 - 01466824 _____ ( ) C:\Users\kreagan\Desktop\cpu-z_1.68-setup-en.exe
2014-03-27 12:38 - 2014-03-27 12:38 - 00013956 _____ () C:\Users\kreagan\Desktop\attach.txt
2014-03-27 12:38 - 2014-03-27 12:38 - 00009099 _____ () C:\Users\kreagan\Desktop\dds.txt
2014-03-27 12:35 - 2014-03-27 12:35 - 00688992 ____R (Swearware) C:\Users\kreagan\Downloads\dds.com
2014-03-27 12:02 - 2014-03-27 12:02 - 00000000 ____D () C:\Program Files\HitmanPro
2014-03-27 11:34 - 2014-03-27 12:07 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-27 11:32 - 2014-03-27 11:32 - 00000000 ____D () C:\Users\kreagan\AppData\Roaming\Macromedia
2014-03-27 11:32 - 2014-03-27 11:32 - 00000000 ____D () C:\Users\kreagan\AppData\Local\Macromedia
2014-03-26 17:04 - 2014-03-26 17:04 - 00018587 _____ () C:\ComboFix.txt
2014-03-26 16:44 - 2014-03-26 17:04 - 00000000 ____D () C:\Qoobox
2014-03-26 16:44 - 2014-03-26 17:03 - 00000000 ____D () C:\Windows\erdnt
2014-03-26 16:44 - 2011-06-25 23:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-03-26 16:44 - 2010-11-07 10:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-03-26 16:44 - 2009-04-19 21:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00098816 _____ () C:\Windows\sed.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00080412 _____ () C:\Windows\grep.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00068096 _____ () C:\Windows\zip.exe
2014-03-26 16:43 - 2014-03-26 16:43 - 05192353 ____R (Swearware) C:\Users\jcampbell\Downloads\ComboFix.exe
2014-03-22 18:14 - 2014-03-22 18:14 - 01089536 _____ () C:\Users\jcampbell\Desktop\UNFI Custom price -- Wellness.xls
2014-03-22 18:13 - 2014-03-22 18:13 - 00000002 _____ () C:\Users\jcampbell\Desktop\UNFI Custom price -- Wellness.txt
2014-03-10 16:17 - 2014-03-10 16:17 - 00401920 _____ () C:\Users\jcampbell\Desktop\2014 Expo West CMAC Reimbursement Form.xls
2014-03-10 16:00 - 2014-03-10 16:00 - 00000000 _____ () C:\Users\jcampbell\Desktop\doc03882320140310145903.txt
2014-03-10 12:27 - 2014-03-28 08:40 - 00000080 _____ () C:\Windows\system32\yaxn.phw
2014-03-10 11:09 - 2014-03-10 11:09 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2014-03-10 11:02 - 2014-03-10 11:02 - 00028672 _____ () C:\Windows\system32\qzddss.tyu
2014-03-10 11:02 - 2014-03-10 11:02 - 00000100 _____ () C:\Windows\system32\eylqm.zop
2014-03-10 11:02 - 2014-03-10 11:02 - 00000064 _____ () C:\Windows\system32\kblzxfm.ziv
2014-03-06 14:37 - 2014-03-06 14:37 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\Macromedia
2014-03-06 14:37 - 2014-03-06 14:37 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\Adobe
2014-03-06 13:39 - 2014-03-06 13:39 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\GFI Software

==================== One Month Modified Files and Folders =======

2014-03-28 08:51 - 2014-03-28 08:51 - 00007295 _____ () C:\Users\kreagan\Desktop\FRST.txt
2014-03-28 08:51 - 2014-03-28 08:51 - 00000000 ____D () C:\FRST
2014-03-28 08:50 - 2012-08-30 10:42 - 00000120 _____ () C:\Windows\system32\config\netlogon.ftl
2014-03-28 08:50 - 2012-08-23 09:35 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-03-28 08:50 - 2009-07-13 21:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-28 08:50 - 2009-07-13 21:39 - 00038490 _____ () C:\Windows\setupact.log
2014-03-28 08:49 - 2012-08-22 17:05 - 01097200 _____ () C:\Windows\WindowsUpdate.log
2014-03-28 08:49 - 2010-11-20 14:01 - 00778302 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-28 08:49 - 2009-07-13 21:34 - 00031680 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-28 08:49 - 2009-07-13 21:34 - 00031680 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-28 08:40 - 2014-03-10 12:27 - 00000080 _____ () C:\Windows\system32\yaxn.phw
2014-03-28 08:33 - 2014-03-28 08:50 - 01145856 _____ (Farbar) C:\Users\kreagan\Desktop\FRST.exe
2014-03-28 08:26 - 2014-02-08 18:04 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2726UA.job
2014-03-28 08:20 - 2013-01-07 11:20 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-28 08:14 - 2013-12-27 13:36 - 00000928 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2765UA.job
2014-03-27 18:26 - 2014-02-08 18:04 - 00000868 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2726Core.job
2014-03-27 14:10 - 2014-03-27 14:10 - 00002076 _____ () C:\Users\Public\Desktop\Belarc Advisor.lnk
2014-03-27 14:10 - 2014-03-27 14:10 - 00000000 ____D () C:\Program Files\Belarc
2014-03-27 14:06 - 2014-03-27 14:06 - 00000000 ____D () C:\Program Files\CPUID
2014-03-27 13:13 - 2013-12-27 13:36 - 00000876 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2765Core.job
2014-03-27 12:38 - 2014-03-27 12:38 - 00013956 _____ () C:\Users\kreagan\Desktop\attach.txt
2014-03-27 12:38 - 2014-03-27 12:38 - 00009099 _____ () C:\Users\kreagan\Desktop\dds.txt
2014-03-27 12:35 - 2014-03-27 12:35 - 00688992 ____R (Swearware) C:\Users\kreagan\Downloads\dds.com
2014-03-27 12:07 - 2014-03-27 11:34 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-27 12:02 - 2014-03-27 12:02 - 00000000 ____D () C:\Program Files\HitmanPro
2014-03-27 11:35 - 2013-10-20 10:59 - 00000000 ____D () C:\Users\kreagan\AppData\Local\Mozilla
2014-03-27 11:32 - 2014-03-27 11:32 - 00000000 ____D () C:\Users\kreagan\AppData\Roaming\Macromedia
2014-03-27 11:32 - 2014-03-27 11:32 - 00000000 ____D () C:\Users\kreagan\AppData\Local\Macromedia
2014-03-27 11:15 - 2010-11-20 14:48 - 00027114 _____ () C:\Windows\PFRO.log
2014-03-26 17:04 - 2014-03-26 17:04 - 00018587 _____ () C:\ComboFix.txt
2014-03-26 17:04 - 2014-03-26 16:44 - 00000000 ____D () C:\Qoobox
2014-03-26 17:04 - 2009-07-13 19:37 - 00000000 ___RD () C:\Users\Public
2014-03-26 17:03 - 2014-03-26 16:44 - 00000000 ____D () C:\Windows\erdnt
2014-03-26 16:59 - 2009-07-13 19:04 - 00000215 _____ () C:\Windows\system.ini
2014-03-26 16:44 - 2009-07-13 21:53 - 00022944 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-26 16:43 - 2014-03-26 16:43 - 05192353 ____R (Swearware) C:\Users\jcampbell\Downloads\ComboFix.exe
2014-03-22 18:14 - 2014-03-22 18:14 - 01089536 _____ () C:\Users\jcampbell\Desktop\UNFI Custom price -- Wellness.xls
2014-03-22 18:13 - 2014-03-22 18:13 - 00000002 _____ () C:\Users\jcampbell\Desktop\UNFI Custom price -- Wellness.txt
2014-03-18 10:25 - 2013-12-27 13:38 - 00002361 _____ () C:\Users\lhenderson\Desktop\Google Chrome.lnk
2014-03-14 19:21 - 2012-12-05 15:38 - 00000000 ____D () C:\Users\svincent\AppData\Roaming\ShoreWare Client
2014-03-14 10:22 - 2014-03-27 14:10 - 03181760 _____ () C:\Users\kreagan\Desktop\advisorinstaller.exe
2014-03-11 15:20 - 2012-08-30 16:09 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-03-11 15:20 - 2012-08-30 16:09 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-03-10 18:16 - 2013-10-12 21:39 - 00050688 _____ () C:\Windows\RemComSvc80.exe
2014-03-10 16:17 - 2014-03-10 16:17 - 00401920 _____ () C:\Users\jcampbell\Desktop\2014 Expo West CMAC Reimbursement Form.xls
2014-03-10 16:00 - 2014-03-10 16:00 - 00000000 _____ () C:\Users\jcampbell\Desktop\doc03882320140310145903.txt
2014-03-10 11:09 - 2014-03-10 11:09 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2014-03-10 11:02 - 2014-03-10 11:02 - 00028672 _____ () C:\Windows\system32\qzddss.tyu
2014-03-10 11:02 - 2014-03-10 11:02 - 00000100 _____ () C:\Windows\system32\eylqm.zop
2014-03-10 11:02 - 2014-03-10 11:02 - 00000064 _____ () C:\Windows\system32\kblzxfm.ziv
2014-03-10 11:02 - 2012-08-30 16:17 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-03-06 14:37 - 2014-03-06 14:37 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\Macromedia
2014-03-06 14:37 - 2014-03-06 14:37 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\Adobe
2014-03-06 13:39 - 2014-03-06 13:39 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\GFI Software
2014-03-06 13:39 - 2012-09-13 08:19 - 00002026 __RSH () C:\Users\arouse\ntuser.pol
2014-03-06 13:39 - 2012-09-13 08:18 - 00000000 ____D () C:\Users\arouse
2014-02-27 15:52 - 2009-07-13 21:52 - 00000000 ____D () C:\Windows\system32\FxsTmp

Some content of TEMP:
====================
C:\Users\kreagan\AppData\Local\temp\ntdll_dump.dll


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2010-11-20 14:29] - [2010-11-20 14:29] - 0377344 ____A (Microsoft Corporation) C3EC1499DBD836E4D17EF3C7C7C8B371

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-20 00:01

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-03-2014  01
Ran by KReagan at 2014-03-28 08:51:46
Running from C:\Users\kreagan\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: GFI Software VIPRE (Enabled - Up to date) {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: GFI Software VIPRE (Enabled - Up to date) {4488DCF2-DB33-0D0C-FD63-B0654A31EAEC}

==================== Installed Programs ======================

Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader X (10.1.9) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.9 - Adobe Systems Incorporated)
Advertising Center (Version: 0.0.0.1 - Nero AG) Hidden
Belarc Advisor 8.4 (HKLM\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{3318B54A-B5A8-49B1-8016-753DC6CAC63B}) (Version: 1.0.110 - Citrix)
CPUID CPU-Z 1.68 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{131CD369-AA3B-424F-A83C-54DF3534B95C}) (Version:  - Microsoft)
DolbyFiles (Version: 2.0 - Nero AG) Hidden
GFI Business Agent (HKLM\...\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}) (Version: 6.2.5530 - GFI Software)
GFI Business Agent (Version: 6.2.5530 - GFI Software) Hidden
ImagXpress (Version: 7.0.74.0 - Nero AG) Hidden
Intel® Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.2.1410 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.3.214 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{51A66ED3-200E-4147-8D1E-E8D30936FD26}) (Version: 1.23.605.1 - Intel Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Menu Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Office 2010 Primary Interop Assemblies (HKLM\...\{90140000-1105-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1024 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office 2010 Service Pack 1 (SP1) (Version:  - Microsoft) Hidden
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Business 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook Connector (HKLM\...\{95140000-0081-0409-0000-0000000FF1CE}) (Version: 14.0.6123.5001 - Microsoft Corporation)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Analysis Services 10.0 OLEDB Provider (HKLM\...\{F5A1B80A-7675-4955-AB7F-D8C5FD3C50BA}) (Version: 10.0.1600.22 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Movie Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden
Mozilla Firefox 27.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 27.0.1 (x86 en-US)) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 27.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Nero 9 Essentials (HKLM\...\{11920acb-5a4a-4b3b-813b-977c2c3cbb06}) (Version:  - Nero AG)
Nero BurnRights (Version: 3.4.11.100 - Nero AG) Hidden
Nero BurnRights Help (Version: 3.4.4.100 - Nero AG) Hidden
Nero ControlCenter (Version: 9.0.0.1 - Nero AG) Hidden
Nero CoverDesigner (Version: 4.4.9.100 - Nero AG) Hidden
Nero CoverDesigner Help (Version: 4.4.9.100 - Nero AG) Hidden
Nero Disc Copy Gadget (Version: 2.4.22.0 - Nero AG) Hidden
Nero Disc Copy Gadget Help (Version: 2.4.22.0 - Nero AG) Hidden
Nero DiscSpeed (Version: 5.4.11.100 - Nero AG) Hidden
Nero DiscSpeed Help (Version: 5.4.4.100 - Nero AG) Hidden
Nero DriveSpeed (Version: 4.4.11.100 - Nero AG) Hidden
Nero DriveSpeed Help (Version: 4.4.4.100 - Nero AG) Hidden
Nero Express Help (Version: 9.6.2.101 - Nero AG) Hidden
Nero InfoTool (Version: 6.4.11.100 - Nero AG) Hidden
Nero InfoTool Help (Version: 6.4.4.100 - Nero AG) Hidden
Nero Installer (Version: 4.4.9.0 - Nero AG) Hidden
Nero Live (Version: 1.4.40.0 - Nero AG) Hidden
Nero Live Help (Version: 1.4.40.0 - Nero AG) Hidden
Nero Online Upgrade (Version: 1.3.0.0 - Nero AG) Hidden
Nero Rescue Agent (Version: 2.4.12.100 - Nero AG) Hidden
Nero RescueAgent Help (Version: 2.4.4.100 - Nero AG) Hidden
Nero ShowTime (Version: 5.4.0.100 - Nero AG) Hidden
Nero ShowTime (Version: 5.4.13.100 - Nero AG) Hidden
Nero StartSmart (Version: 9.4.12.100 - Nero AG) Hidden
Nero StartSmart Help (Version: 9.4.12.100 - Nero AG) Hidden
Nero Vision (Version: 6.4.12.100 - Nero AG) Hidden
Nero Vision Help (Version: 6.4.8.100 - Nero AG) Hidden
NeroExpress (Version: 9.4.17.100 - Nero AG) Hidden
NeroLiveGadget (Version: 1.2.12.100 - Nero AG) Hidden
NeroLiveGadget Help (Version: 1.2.12.100 - Nero AG) Hidden
neroxml (Version: 1.0.0 - Nero AG) Hidden
NVIDIA Display Control Panel (HKLM\...\NVIDIA Display Control Panel) (Version: 6.14.12.5936 - NVIDIA Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.62.40 - NVIDIA Corporation)
NVIDIA PhysX (HKLM\...\{8A809006-C25A-4A3A-9DAB-94659BCDB107}) (Version: 9.10.0224 - NVIDIA Corporation)
NVIDIA Stereoscopic 3D Driver (HKLM\...\NVIDIAStereo) (Version: 7.17.12.5936 - NVIDIA Corporation)
Printer DCA (HKLM\...\{A6ED6761-D0E1-4A4A-8BF8-073FEC1A89CF}) (Version: 4.1.23032 - PrintFleet Inc.)
Realtek Ethernet Controller Driver (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.49.927.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6526 - Realtek Semiconductor Corp.)
ShoreTel Communicator (HKLM\...\{9FB8E06A-05E0-4A26-B1E7-964F1378CE4F}) (Version: 18.23.1600.0 - ShoreTel, Inc.)
Update for Microsoft Office 2010 (KB2553065) (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A8686D24-1E89-43A1-973E-05A258D2B3F8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{48E1B6C2-7299-4F3F-AA63-42F0ACE55AA4}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{18B3CF2A-73F7-4716-B1AE-86D68726D408}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition (HKLM\...\{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{73E67A3A-8D61-44EF-90C2-1697C3DBE668}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{14B7142F-D7E2-4FB0-9E3B-7CAA8D7FFC56}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2566458) (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{EFB525A0-E1C0-4E32-9968-FE401BC87363}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ED31DE9A-3E13-4E2C-9106-E0D8AFFB9FA6}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition (HKLM\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{C4F26A9B-B121-4135-8084-A0D9C780C7C8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition (HKLM\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{460FF681-BC66-4C38-99DF-7012E03F1EBA}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition (HKLM\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{C633216E-FF30-45B6-B2AB-21922A9353EF}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{1CBEDB37-C438-473F-8BA0-2535B0D237E2}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{9CFD026D-EB1C-48C2-9DD2-8E8875F251B2}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition (HKLM\...\{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{9865DC3A-2898-48D9-B96A-46397571C934}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F1CBE095-403D-466D-BB13-B185A5F33231}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{47894754-0FEC-4920-9A65-6C1E732587AC}) (Version:  - Microsoft)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{1EEFF749-6F29-4F0B-AB08-4C6EA52AA110}) (Version:  - Microsoft)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{BC6DFBFD-16DD-47E1-A7EF-2C062930FA4F}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{6B6DDDCE-B456-4FE1-9A07-DBC1708E4158}) (Version:  - Microsoft)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime (Version: 9.0.30729 - Microsoft Corporation) Hidden
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
Windows Small Business Server 2011 Standard ClientAgent (HKLM\...\{3032BC7D-E713-452D-AAF7-F5ED073226C8}) (Version: 6.1.7900.1 - Microsoft Corporation)
Windows Small Business Server 2011 Standard WMI Provider (Version: 6.1.7900.1 - Microsoft Corporation) Hidden

==================== Restore Points  =========================

14-02-2014 08:00:05 Scheduled Checkpoint
22-02-2014 08:00:03 Scheduled Checkpoint
02-03-2014 08:00:02 Scheduled Checkpoint
10-03-2014 19:13:23 Scheduled Checkpoint
17-03-2014 22:09:59 Scheduled Checkpoint
25-03-2014 07:00:03 Scheduled Checkpoint
27-03-2014 19:24:28 Restore Operation

==================== Hosts content: ==========================

2009-07-13 19:04 - 2014-03-26 16:59 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {001FE6A1-E49E-489E-8999-B5C6EA510D88} - System32\Tasks\Disk Cleanup => C:\Windows\System32\cleanmgr.exe [2009-07-13] (Microsoft Corporation)
Task: {143F0741-D221-42AC-8457-8AE13EAFFE10} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2765Core => C:\Users\lhenderson\AppData\Local\Google\Update\GoogleUpdate.exe [2013-12-27] (Google Inc.)
Task: {233225A7-B294-477A-8523-85C19A994F1D} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2726UA => C:\Users\svincent\AppData\Local\Google\Update\GoogleUpdate.exe [2014-02-08] (Google Inc.)
Task: {3DADBD84-4484-4D34-B06F-BEBBB4BAAE0B} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2726Core => C:\Users\svincent\AppData\Local\Google\Update\GoogleUpdate.exe [2014-02-08] (Google Inc.)
Task: {6BD0CAE7-C353-4D34-B10D-E037961613DD} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2765UA => C:\Users\lhenderson\AppData\Local\Google\Update\GoogleUpdate.exe [2013-12-27] (Google Inc.)
Task: {C9F802B5-1D8D-4B72-B9C8-960305373442} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-11] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2726Core.job => C:\Users\svincent\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2726UA.job => C:\Users\svincent\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2765Core.job => C:\Users\lhenderson\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2765UA.job => C:\Users\lhenderson\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-03-21 14:03 - 2013-03-21 14:03 - 00045568 _____ () C:\Program Files\Printer DCA\PrintFleet.Common.SevenZip.dll
2013-01-15 16:17 - 2013-01-15 16:17 - 00160768 _____ () C:\Program Files\GFI Software\GFIAgent\unrar.dll
2012-12-28 11:40 - 2014-03-07 10:57 - 00190752 _____ () C:\Program Files\GFI Software\GFIAgent\Definitions\libBase64.dll
2012-12-28 11:40 - 2014-03-07 10:57 - 00178464 _____ () C:\Program Files\GFI Software\GFIAgent\Definitions\libMachoUniv.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBPIMSvc => ""="Service"

==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/28/2014 08:51:51 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2014 08:50:14 AM) (Source: PrintFleet Enterprise) (User: )
Description: Process: PrinterDCA.Service
Level: Error
Time: 2014-03-28 08:50:14.5616
[PrinterDCA.Service] This DCA has not been activated! Please activate to use the DCA's functionality

Process ID: 668
Thread ID: 5

Error: (03/28/2014 08:48:16 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000374
Fault offset: 0x000c380b
Faulting process id: 0x348
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (03/28/2014 07:37:05 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2014 07:35:28 AM) (Source: PrintFleet Enterprise) (User: )
Description: Process: PrinterDCA.Service
Level: Error
Time: 2014-03-28 07:35:28.8336
[PrinterDCA.Service] This DCA has not been activated! Please activate to use the DCA's functionality

Process ID: 660
Thread ID: 7

Error: (03/28/2014 07:33:34 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000374
Fault offset: 0x000c380b
Faulting process id: 0x34c
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (03/28/2014 06:37:35 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2014 06:35:58 AM) (Source: PrintFleet Enterprise) (User: )
Description: Process: PrinterDCA.Service
Level: Error
Time: 2014-03-28 06:35:58.4982
[PrinterDCA.Service] This DCA has not been activated! Please activate to use the DCA's functionality

Process ID: 624
Thread ID: 4

Error: (03/28/2014 06:34:04 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000374
Fault offset: 0x000c380b
Faulting process id: 0x354
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (03/28/2014 04:03:45 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (03/28/2014 08:50:08 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SBRE

Error: (03/28/2014 08:50:05 AM) (Source: Parvdm) (User: )
Description: Unable to get device object pointer for port object.

Error: (03/28/2014 08:48:18 AM) (Source: Service Control Manager) (User: )
Description: The Windows Media Center Receiver Service service terminated with the following error:
%%-2147467243

Error: (03/28/2014 08:48:16 AM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error:
%%1190

Error: (03/28/2014 08:48:16 AM) (Source: Service Control Manager) (User: )
Description: The Plug and Play service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/28/2014 08:48:16 AM) (Source: Service Control Manager) (User: )
Description: The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/28/2014 08:43:18 AM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error:
%%5

Error: (03/28/2014 08:38:18 AM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error:
%%5

Error: (03/28/2014 08:33:18 AM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error:
%%5

Error: (03/28/2014 08:28:18 AM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error:
%%5


Microsoft Office Sessions:
=========================
Error: (03/28/2014 08:51:51 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2014 08:50:14 AM) (Source: PrintFleet Enterprise)(User: )
Description: Process: PrinterDCA.Service
Level: Error
Time: 2014-03-28 08:50:14.5616
[PrinterDCA.Service] This DCA has not been activated! Please activate to use the DCA's functionality

Process ID: 668
Thread ID: 5

Error: (03/28/2014 08:48:16 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100ntdll.dll6.1.7601.177254ec49b60c0000374000c380b34801cf4a92f031685cC:\Windows\system32\svchost.exeC:\Windows\SYSTEM32\ntdll.dll601a6fa5-b690-11e3-a984-c86000ca84f6

Error: (03/28/2014 07:37:05 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2014 07:35:28 AM) (Source: PrintFleet Enterprise)(User: )
Description: Process: PrinterDCA.Service
Level: Error
Time: 2014-03-28 07:35:28.8336
[PrinterDCA.Service] This DCA has not been activated! Please activate to use the DCA's functionality

Process ID: 660
Thread ID: 7

Error: (03/28/2014 07:33:34 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100ntdll.dll6.1.7601.177254ec49b60c0000374000c380b34c01cf4a8aa036d59aC:\Windows\system32\svchost.exeC:\Windows\SYSTEM32\ntdll.dllf0befbfa-b685-11e3-b9a0-c86000ca84f6

Error: (03/28/2014 06:37:35 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2014 06:35:58 AM) (Source: PrintFleet Enterprise)(User: )
Description: Process: PrinterDCA.Service
Level: Error
Time: 2014-03-28 06:35:58.4982
[PrinterDCA.Service] This DCA has not been activated! Please activate to use the DCA's functionality

Process ID: 624
Thread ID: 4

Error: (03/28/2014 06:34:04 AM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100ntdll.dll6.1.7601.177254ec49b60c0000374000c380b35401cf4a7558525f79C:\Windows\system32\svchost.exeC:\Windows\SYSTEM32\ntdll.dlla09a1751-b67d-11e3-ae60-c86000ca84f6

Error: (03/28/2014 04:03:45 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info ===========================

Percentage of memory in use: 38%
Total physical RAM: 3555.44 MB
Available physical RAM: 2185.57 MB
Total Pagefile: 7109.16 MB
Available Pagefile: 5687.81 MB
Total Virtual: 2047.88 MB
Available Virtual: 1884.62 MB

==================== Drives ================================

Drive c: (Local Disk) (Fixed) (Total:297.99 GB) (Free:252.59 GB) NTFS
Drive f: (IT COORD) (Removable) (Total:7.25 GB) (Free:7.06 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 822F873A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 5D2DFABF)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

==================== End Of Log ============================


Step 2:


Farbar Recovery Scan Tool (x86) Version: 13-03-2014  01
Ran by KReagan at 2014-03-28 08:54:22
Running from C:\Users\kreagan\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll
[2010-11-20 14:29] - [2010-11-20 14:29] - 0376832 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\rpcss.dll
[2010-11-20 14:29] - [2010-11-20 14:29] - 0377344 ____A (Microsoft Corporation) C3EC1499DBD836E4D17EF3C7C7C8B371

=== End Of Search ===
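Two findings in that post are worth checking mechanically rather than by eye: the rpcss.dll search result and the crash chain in the event log. The following is an added Python example, not FRST's own code and not anything posted in this thread; it runs both checks over excerpts copied from the log above. The hash D41D8CD98F00B204E9800998ECF8427E reported for the winsxs copy is the MD5 of zero bytes, which means FRST never read that file's contents, not that it is a different file; the System32 copy is 512 bytes larger, and its "(Microsoft Corporation)" string comes from the version resource, which a file patcher leaves intact, so it says nothing about integrity. Exception code 0xc0000374 is STATUS_HEAP_CORRUPTION; on Windows 7 the DCOM Server Process Launcher (whose service DLL is rpcss.dll) and Plug and Play run in the same svchost.exe, so one crash takes both down and the Service Control Manager's configured recovery action is the reboot the primary user keeps seeing. The regular expressions assume FRST's line layout exactly as shown above, and the five-second pairing window is my assumption.

```python
"""Two checks over the FRST log quoted above (added example, not FRST code):
1. compare the copies of a system DLL that an FRST search found;
2. pair svchost.exe heap-corruption faults with the SCM events that follow.
The sample strings are excerpts copied from the log in this thread."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# MD5 of zero bytes: a tool reporting this for a 376 KB file never read its
# contents, so the value says nothing about the file.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # D41D8CD98F00B204E9800998ECF8427E
STATUS_HEAP_CORRUPTION = 0xC0000374  # NTSTATUS in the "Exception code:" line

# Line layouts assumed to match FRST's Search and event-log output shown above.
SEARCH_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*)\n"
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attr>\S+) \((?P<publisher>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})",
    re.M,
)
EVENT_RE = re.compile(
    r"^Error: \((?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)\) "
    r"\(Source: (?P<src>[^)]+)\)",
    re.M,
)

def parse_search(text):
    """Records from an FRST '==== Search: "name" ====' block."""
    return [{**m.groupdict(), "size": int(m["size"]), "md5": m["md5"].upper()}
            for m in SEARCH_RE.finditer(text)]

def check_copies(records):
    """(path or name, reason) findings for each DLL's copies."""
    findings, by_name = [], defaultdict(list)
    for r in records:
        by_name[r["path"].rsplit("\\", 1)[-1].lower()].append(r)
    for name, copies in by_name.items():
        for r in copies:
            if r["md5"] == EMPTY_MD5:
                findings.append((r["path"], "md5 is the empty-input digest: "
                                 "file was not read, hash is meaningless"))
            if not r["publisher"]:
                findings.append((r["path"], "no publisher in version info"))
        sizes = sorted({r["size"] for r in copies})
        if len(sizes) > 1:
            findings.append((name, f"copies differ in size: {sizes} "
                             f"(delta {sizes[-1] - sizes[0]} bytes)"))
    return findings

def parse_events(text):
    """Split FRST's 'Event log errors' text into time/source/body events."""
    hits = list(EVENT_RE.finditer(text))
    return [{"time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
             "source": m["src"].strip(),
             "body": text[m.end():hits[i + 1].start() if i + 1 < len(hits) else len(text)]}
            for i, m in enumerate(hits)]

def correlate_crashes(events, window=timedelta(seconds=5)):
    """For each svchost.exe heap-corruption fault, the services the SCM
    reported as terminated unexpectedly within `window` (window is assumed)."""
    code = f"0x{STATUS_HEAP_CORRUPTION:08x}"
    faults = [e for e in events if e["source"] == "Application Error"
              and "svchost.exe" in e["body"] and code in e["body"].lower()]
    terms = [(e, re.search(r"The (.+?) service terminated unexpectedly", e["body"]))
             for e in events if e["source"] == "Service Control Manager"]
    return [(f["time"], sorted(m.group(1) for e, m in terms
                               if m and abs(e["time"] - f["time"]) <= window))
            for f in faults]

# Excerpts copied from the FRST output above.
SAMPLE_SEARCH = """\
C:\\Windows\\winsxs\\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\\rpcss.dll
[2010-11-20 14:29] - [2010-11-20 14:29] - 0376832 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\\Windows\\System32\\rpcss.dll
[2010-11-20 14:29] - [2010-11-20 14:29] - 0377344 ____A (Microsoft Corporation) C3EC1499DBD836E4D17EF3C7C7C8B371
"""
SAMPLE_EVENTS = """\
Error: (03/28/2014 08:48:16 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000374
Fault offset: 0x000c380b

Error: (03/28/2014 08:48:18 AM) (Source: Service Control Manager) (User: )
Description: The Windows Media Center Receiver Service service terminated with the following error:
%%-2147467243

Error: (03/28/2014 08:48:16 AM) (Source: Service Control Manager) (User: )
Description: The Plug and Play service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/28/2014 08:48:16 AM) (Source: Service Control Manager) (User: )
Description: The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
"""

if __name__ == "__main__":
    for where, why in check_copies(parse_search(SAMPLE_SEARCH)):
        print(f"{where}: {why}")
    for when, svcs in correlate_crashes(parse_events(SAMPLE_EVENTS)):
        print(f"{when:%H:%M:%S} svchost.exe heap corruption, then terminated: {', '.join(svcs)}")
```

Run as a script it prints the three file findings and the one crash pairing. On a live host the same check_copies logic applies to hashes you compute yourself; the publisher string should then be supplemented by an Authenticode signature check, which a version resource cannot stand in for.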



#5 aharonov (Malware Response Team, 2,441 posts)

Posted 28 March 2014 - 04:30 PM

Alright, let's try to replace the infected file.
How is your computer running after the following steps?


Step 1

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 2

Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!



Step 3

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.


#6 novasect (Topic Starter, Members, 4 posts, Chico, CA)

Posted 28 March 2014 - 07:04 PM

Well, computer seems better.  I have not had applications crash yet and it doesn't seem sluggish. I am no longer getting a DCOM server process error or a plug and play service error that forces a restart.  VIPRE scan also comes back clean now.  However, the one problem I still noticed was that the Office 2010 suite is still showing as an expired trial, even though it is a licensed product.  I tried re-entering the product key, but it didn't seem to "stick", it still shows as a trial even after restart.  I suppose I could try to uninstall and reinstall the software, but will wait until I hear back from you.  Thanks for all your help so far!  I really appreciate your time.  Here are the logs requested in last post:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014  01
Ran by KReagan at 2014-03-28 15:27:56 Run:1
Running from C:\Users\kreagan\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Unlock: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll
Replace: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll C:\Windows\System32\rpcss.dll
Unlock: C:\Windows\System32\rpcss.dll
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
2014-03-10 12:27 - 2014-03-28 08:40 - 00000080 _____ () C:\Windows\system32\yaxn.phw
2014-03-10 11:02 - 2014-03-10 11:02 - 00028672 _____ () C:\Windows\system32\qzddss.tyu
2014-03-10 11:02 - 2014-03-10 11:02 - 00000100 _____ () C:\Windows\system32\eylqm.zop
2014-03-10 11:02 - 2014-03-10 11:02 - 00000064 _____ () C:\Windows\system32\kblzxfm.ziv
Reboot:
*****************

"C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll" => File/Directory unlocked successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
"C:\Windows\System32\rpcss.dll" => File/Directory unlocked successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
C:\Windows\system32\yaxn.phw => Moved successfully.
C:\Windows\system32\qzddss.tyu => Moved successfully.
Could not move "C:\Windows\system32\eylqm.zop" => Scheduled to move on reboot.
C:\Windows\system32\kblzxfm.ziv => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-03-28 15:29:22)<=

C:\Windows\system32\eylqm.zop => Is moved successfully.

==== End of Fixlog ====


ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=532c060f1e863b48b2676b2aa23fef57
# engine=17669
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-03-28 11:09:36
# local_time=2014-03-28 04:09:36 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 38626994 147592967 0 0
# scanned=150421
# found=1
# cleaned=0
# scan_time=1505
sh=A62EEC32E77EB0A8A1F2B6988A006CD13EC87EDC ft=1 fh=082b15402ea3e638 vn="Win32/Patched.IB trojan" ac=I fn="C:\FRST\Quarantine\C\Windows\System32\rpcss.dll.xBAD"

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01
Ran by KReagan (administrator) on CNFC-WS7-PC on 28-03-2014 16:20:05
Running from C:\Users\kreagan\Desktop
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Nero AG) C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
(PrintFleet Inc) C:\Program Files\Printer DCA\PrinterDCA.Service.exe
(ThreatTrack Security, Inc.) C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(Intel Corporation) C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(ThreatTrack Security, Inc.) C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe
(ThreatTrack Security, Inc.) C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe
(Microsoft Corporation) C:\Windows\system32\msiexec.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [6318696 2011-12-12] (Realtek Semiconductor)
HKLM\...\Run: [USB3MON] - C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-26] (Intel Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [SBAMTray] - C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe [3232152 2013-05-30] (ThreatTrack Security, Inc.)
HKLM\...\Run: [SBRegRebootCleaner] - C:\Program Files\GFI Software\GFIAgent\SBRC.exe [202648 2013-05-30] (ThreatTrack Security, Inc.)
Startup: C:\Users\jcampbell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
DPF: {174793AA-EAE2-4188-AFA5-064BE26901B1} http://www.digitalgsp.com/xvr/CXRMS_1,1,1,2.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\kreagan\AppData\Roaming\Mozilla\Firefox\Profiles\2vuviw60.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 - C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

========================== Services (Whitelisted) =================

R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [458464 2012-02-02] (Intel® Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
R2 Printer DCA; C:\Program Files\Printer DCA\PrinterDCA.Service.exe [56832 2013-03-21] (PrintFleet Inc)
S4 RemoteAccess; C:\Windows\System32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 SBAMSvc; C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe [3681016 2013-05-30] (ThreatTrack Security, Inc.)
R2 SBPIMSvc; C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe [176536 2013-05-30] (ThreatTrack Security, Inc.)

==================== Drivers (Whitelisted) ====================

S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [43368 2013-05-23] (ThreatTrack Security)
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [24040 2013-09-04] (ThreatTrack Security)
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [13592 2012-01-26] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [348440 2012-01-26] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [791832 2012-01-26] (Intel Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [46080 2011-11-10] (Intel Corporation)
R3 oxmep; C:\Windows\System32\DRIVERS\oxmep.sys [5120 2007-01-22] (OEM)
R1 oxpar; C:\Windows\System32\DRIVERS\oxpar.sys [80128 2007-01-23] (OEM)
R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [68904 2013-01-15] (GFI Software)
S3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [76064 2013-01-15] (GFI Software)
R3 staccel; C:\Windows\System32\DRIVERS\staccel.sys [32864 2012-07-17] (ShoreTel, Inc)
S3 catchme; \??\C:\Users\JCAMPB~1\AppData\Local\Temp\catchme.sys [X]
S1 SBRE; \SystemRoot\system32\drivers\SBREDrv.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-28 16:20 - 2014-03-28 16:20 - 00007168 _____ () C:\Users\kreagan\Desktop\FRST.txt
2014-03-28 15:40 - 2014-03-28 15:40 - 00000000 ____D () C:\Program Files\ESET
2014-03-28 15:30 - 2014-03-28 15:30 - 02347384 _____ (ESET) C:\Users\kreagan\Desktop\esetsmartinstaller_enu.exe
2014-03-28 08:54 - 2014-03-28 08:55 - 00000605 _____ () C:\Users\kreagan\Desktop\Search.txt
2014-03-28 08:51 - 2014-03-28 16:20 - 00000000 ____D () C:\FRST
2014-03-28 08:51 - 2014-03-28 08:52 - 00026374 _____ () C:\Users\kreagan\Desktop\Addition.txt
2014-03-28 08:51 - 2014-03-28 08:52 - 00017609 _____ () C:\Users\kreagan\Desktop\FRST1stRun.txt
2014-03-28 08:50 - 2014-03-28 08:33 - 01145856 _____ (Farbar) C:\Users\kreagan\Desktop\FRST.exe
2014-03-27 14:10 - 2014-03-27 14:10 - 00002076 _____ () C:\Users\Public\Desktop\Belarc Advisor.lnk
2014-03-27 14:10 - 2014-03-27 14:10 - 00000000 ____D () C:\Program Files\Belarc
2014-03-27 14:10 - 2014-03-14 10:22 - 03181760 _____ () C:\Users\kreagan\Desktop\advisorinstaller.exe
2014-03-27 14:06 - 2014-03-27 14:06 - 00000000 ____D () C:\Program Files\CPUID
2014-03-27 14:06 - 2014-02-10 13:52 - 01466824 _____ ( ) C:\Users\kreagan\Desktop\cpu-z_1.68-setup-en.exe
2014-03-27 12:38 - 2014-03-27 12:38 - 00013956 _____ () C:\Users\kreagan\Desktop\attach.txt
2014-03-27 12:38 - 2014-03-27 12:38 - 00009099 _____ () C:\Users\kreagan\Desktop\dds.txt
2014-03-27 12:35 - 2014-03-27 12:35 - 00688992 ____R (Swearware) C:\Users\kreagan\Downloads\dds.com
2014-03-27 12:02 - 2014-03-27 12:02 - 00000000 ____D () C:\Program Files\HitmanPro
2014-03-27 11:34 - 2014-03-27 12:07 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-27 11:32 - 2014-03-27 11:32 - 00000000 ____D () C:\Users\kreagan\AppData\Roaming\Macromedia
2014-03-27 11:32 - 2014-03-27 11:32 - 00000000 ____D () C:\Users\kreagan\AppData\Local\Macromedia
2014-03-26 17:04 - 2014-03-26 17:04 - 00018587 _____ () C:\ComboFix.txt
2014-03-26 16:44 - 2014-03-26 17:04 - 00000000 ____D () C:\Qoobox
2014-03-26 16:44 - 2014-03-26 17:03 - 00000000 ____D () C:\Windows\erdnt
2014-03-26 16:44 - 2011-06-25 23:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-03-26 16:44 - 2010-11-07 10:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-03-26 16:44 - 2009-04-19 21:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00098816 _____ () C:\Windows\sed.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00080412 _____ () C:\Windows\grep.exe
2014-03-26 16:44 - 2000-08-30 17:00 - 00068096 _____ () C:\Windows\zip.exe
2014-03-26 16:43 - 2014-03-26 16:43 - 05192353 ____R (Swearware) C:\Users\jcampbell\Downloads\ComboFix.exe
2014-03-22 18:14 - 2014-03-22 18:14 - 01089536 _____ () C:\Users\jcampbell\Desktop\UNFI Custom price -- Wellness.xls
2014-03-22 18:13 - 2014-03-22 18:13 - 00000002 _____ () C:\Users\jcampbell\Desktop\UNFI Custom price -- Wellness.txt
2014-03-10 16:17 - 2014-03-10 16:17 - 00401920 _____ () C:\Users\jcampbell\Desktop\2014 Expo West CMAC Reimbursement Form.xls
2014-03-10 16:00 - 2014-03-10 16:00 - 00000000 _____ () C:\Users\jcampbell\Desktop\doc03882320140310145903.txt
2014-03-10 11:09 - 2014-03-10 11:09 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2014-03-06 14:37 - 2014-03-06 14:37 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\Macromedia
2014-03-06 14:37 - 2014-03-06 14:37 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\Adobe
2014-03-06 13:39 - 2014-03-06 13:39 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\GFI Software

==================== One Month Modified Files and Folders =======

2014-03-28 16:20 - 2014-03-28 16:20 - 00007168 _____ () C:\Users\kreagan\Desktop\FRST.txt
2014-03-28 16:20 - 2014-03-28 08:51 - 00000000 ____D () C:\FRST
2014-03-28 16:20 - 2013-01-07 11:20 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-28 16:13 - 2013-12-27 13:36 - 00000928 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2765UA.job
2014-03-28 16:08 - 2009-07-13 21:34 - 00031680 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-28 16:08 - 2009-07-13 21:34 - 00031680 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-28 15:50 - 2013-10-12 21:39 - 00050688 _____ () C:\Windows\RemComSvc80.exe
2014-03-28 15:43 - 2012-08-22 17:05 - 01113043 _____ () C:\Windows\WindowsUpdate.log
2014-03-28 15:40 - 2014-03-28 15:40 - 00000000 ____D () C:\Program Files\ESET
2014-03-28 15:34 - 2010-11-20 14:01 - 00778302 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-28 15:30 - 2014-03-28 15:30 - 02347384 _____ (ESET) C:\Users\kreagan\Desktop\esetsmartinstaller_enu.exe
2014-03-28 15:28 - 2012-08-30 10:42 - 00000120 _____ () C:\Windows\system32\config\netlogon.ftl
2014-03-28 15:28 - 2012-08-23 09:35 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-03-28 15:28 - 2009-07-13 21:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-28 15:28 - 2009-07-13 21:39 - 00038602 _____ () C:\Windows\setupact.log
2014-03-28 15:26 - 2014-02-08 18:04 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2726UA.job
2014-03-28 08:55 - 2014-03-28 08:54 - 00000605 _____ () C:\Users\kreagan\Desktop\Search.txt
2014-03-28 08:52 - 2014-03-28 08:51 - 00026374 _____ () C:\Users\kreagan\Desktop\Addition.txt
2014-03-28 08:52 - 2014-03-28 08:51 - 00017609 _____ () C:\Users\kreagan\Desktop\FRST1stRun.txt
2014-03-28 08:33 - 2014-03-28 08:50 - 01145856 _____ (Farbar) C:\Users\kreagan\Desktop\FRST.exe
2014-03-27 18:26 - 2014-02-08 18:04 - 00000868 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2726Core.job
2014-03-27 14:10 - 2014-03-27 14:10 - 00002076 _____ () C:\Users\Public\Desktop\Belarc Advisor.lnk
2014-03-27 14:10 - 2014-03-27 14:10 - 00000000 ____D () C:\Program Files\Belarc
2014-03-27 14:06 - 2014-03-27 14:06 - 00000000 ____D () C:\Program Files\CPUID
2014-03-27 13:13 - 2013-12-27 13:36 - 00000876 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2913660180-408937012-4099970771-2765Core.job
2014-03-27 12:38 - 2014-03-27 12:38 - 00013956 _____ () C:\Users\kreagan\Desktop\attach.txt
2014-03-27 12:38 - 2014-03-27 12:38 - 00009099 _____ () C:\Users\kreagan\Desktop\dds.txt
2014-03-27 12:35 - 2014-03-27 12:35 - 00688992 ____R (Swearware) C:\Users\kreagan\Downloads\dds.com
2014-03-27 12:07 - 2014-03-27 11:34 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-27 12:02 - 2014-03-27 12:02 - 00000000 ____D () C:\Program Files\HitmanPro
2014-03-27 11:35 - 2013-10-20 10:59 - 00000000 ____D () C:\Users\kreagan\AppData\Local\Mozilla
2014-03-27 11:32 - 2014-03-27 11:32 - 00000000 ____D () C:\Users\kreagan\AppData\Roaming\Macromedia
2014-03-27 11:32 - 2014-03-27 11:32 - 00000000 ____D () C:\Users\kreagan\AppData\Local\Macromedia
2014-03-27 11:15 - 2010-11-20 14:48 - 00027114 _____ () C:\Windows\PFRO.log
2014-03-26 17:04 - 2014-03-26 17:04 - 00018587 _____ () C:\ComboFix.txt
2014-03-26 17:04 - 2014-03-26 16:44 - 00000000 ____D () C:\Qoobox
2014-03-26 17:04 - 2009-07-13 19:37 - 00000000 ___RD () C:\Users\Public
2014-03-26 17:03 - 2014-03-26 16:44 - 00000000 ____D () C:\Windows\erdnt
2014-03-26 16:59 - 2009-07-13 19:04 - 00000215 _____ () C:\Windows\system.ini
2014-03-26 16:44 - 2009-07-13 21:53 - 00023444 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-26 16:43 - 2014-03-26 16:43 - 05192353 ____R (Swearware) C:\Users\jcampbell\Downloads\ComboFix.exe
2014-03-22 18:14 - 2014-03-22 18:14 - 01089536 _____ () C:\Users\jcampbell\Desktop\UNFI Custom price -- Wellness.xls
2014-03-22 18:13 - 2014-03-22 18:13 - 00000002 _____ () C:\Users\jcampbell\Desktop\UNFI Custom price -- Wellness.txt
2014-03-18 10:25 - 2013-12-27 13:38 - 00002361 _____ () C:\Users\lhenderson\Desktop\Google Chrome.lnk
2014-03-14 19:21 - 2012-12-05 15:38 - 00000000 ____D () C:\Users\svincent\AppData\Roaming\ShoreWare Client
2014-03-14 10:22 - 2014-03-27 14:10 - 03181760 _____ () C:\Users\kreagan\Desktop\advisorinstaller.exe
2014-03-11 15:20 - 2012-08-30 16:09 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-03-11 15:20 - 2012-08-30 16:09 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-03-10 16:17 - 2014-03-10 16:17 - 00401920 _____ () C:\Users\jcampbell\Desktop\2014 Expo West CMAC Reimbursement Form.xls
2014-03-10 16:00 - 2014-03-10 16:00 - 00000000 _____ () C:\Users\jcampbell\Desktop\doc03882320140310145903.txt
2014-03-10 11:09 - 2014-03-10 11:09 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2014-03-10 11:02 - 2012-08-30 16:17 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-03-06 14:37 - 2014-03-06 14:37 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\Macromedia
2014-03-06 14:37 - 2014-03-06 14:37 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\Adobe
2014-03-06 13:39 - 2014-03-06 13:39 - 00000000 ____D () C:\Users\arouse\AppData\Roaming\GFI Software
2014-03-06 13:39 - 2012-09-13 08:19 - 00002026 __RSH () C:\Users\arouse\ntuser.pol
2014-03-06 13:39 - 2012-09-13 08:18 - 00000000 ____D () C:\Users\arouse
2014-02-27 15:52 - 2009-07-13 21:52 - 00000000 ____D () C:\Windows\system32\FxsTmp

Some content of TEMP:
====================
C:\Users\kreagan\AppData\Local\temp\ntdll_dump.dll


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-20 00:01

==================== End Of Log ============================



#7 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:07:41 AM

Posted 28 March 2014 - 07:25 PM

Hello,

I don't see any connection between the malware issue and the Office activation problems. This might just be a coincidence. I'd go ahead and try the standard uninstall-reinstall magic trick you mentioned.
But from a malware perspective it's looking good! The replacement worked well and ESET hasn't found anything but this file that we moved to quarantine.

That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:
  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Rename Combofix.exe to Uninstall.exe and execute it with a double click. (Beware that file extensions might be hidden, so don't add a double extension like Uninstall.exe.exe.)
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.


Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:

Internet Explorer Version 8




Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.

Edited by aharonov, 28 March 2014 - 07:26 PM.


#8 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:07:41 AM

Posted 03 September 2014 - 07:00 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



