

Infected with Zekos (at least) HELP!


  • This topic is locked
25 replies to this topic

#1 JJxBlade


  • Members
  • 21 posts

Posted 01 April 2014 - 10:41 PM

Original Post: Hello all, over the past few months I have been receiving messages while using my computer, more commonly when I am doing something resource intensive like gaming, saying "Windows must shutdown because Plug and Play or DCOM server was unexpectedly terminated", but for the past couple of days I just see "Windows will shutdown in 1 minute", which forces me to restart my computer and lose my progress in anything I may be doing. Until this point I have been too lazy/busy to do anything about it (lol), but now spring break is here and I have time, so I am asking for help!   :tophat:

Specs: [screenshot of system specifications]

 

I have read many forums on different sites and tried virus/threat scans, and I come up clean, so my only thought is that I have a super virus. I have also done some digging around for anything out of the ordinary, and the biggest thing is that Windows Update is disabled and every time I try to update the installer it gives me an error.

 

[screenshot of the Windows Update error]

 

 

Since you guys are the experts, just tell me what I need to do and I'll do it, and it would be awesome if we can fix it!

 

Ironically I didn't get to finish posting this because I just got the error and had to retype it... Please help!

(http://www.bleepingcomputer.com/forums/t/529575/windows-shutdowns-plugplaydcom-terminated-help/)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

I posted that today and a BC Adviser (Broni) told me to reply with an rKill log; he diagnosed me with the Zekos malware and told me to create a new topic here and follow this guide, so that is what I am doing and I hope you guys can help me!

 

DDS Log

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 

Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.45.2
Run by owner at 22:25:13 on 2014-04-01
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8123.5393 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe
C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 6\Monitor.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [GoogleChromeAutoLaunch_BFB1AAC9AD5759BCC5B883652DF33E69] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [Advanced SystemCare 6] "C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Creative Cloud] "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
mRun: [AdobeCEPServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe" -launchedbylogin
mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ISCTSY~1.LNK - C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{1FE332B5-8AF7-4526-BB7C-16DC20C65366} : DHCPNameServer = 75.75.76.76 75.75.75.75
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Run: [IAStorIcon] "C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" "C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\Windows\System32\drivers\iaStorA.sys [2013-8-7 644968]
R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2013-8-7 28008]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-4-26 20464]
R0 RzFilter;RzFilter;C:\Windows\System32\drivers\RzFilter.sys [2014-2-8 74432]
R1 AsrAppCharger;AsrAppCharger;C:\Windows\System32\drivers\AsrAppCharger.sys [2013-12-18 17192]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [2014-4-1 464256]
R2 c2cautoupdatesvc;Skype Click to Call Updater;C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-3-3 1363584]
R2 c2cpnrsvc;Skype Click to Call PNR Service;C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-3-3 1748608]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-8-7 15720]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2013-5-11 733696]
R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2013-12-18 131544]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2013-7-8 195336]
R2 ISCTAgent;Intel® Smart Connect Technology Agent;C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [2013-3-14 182248]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2013-12-18 169432]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-1-4 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-1-4 701512]
R2 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2013-12-19 1593632]
R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [2013-12-19 16939296]
R2 RtkAudioService;Realtek Audio Service;C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE [2013-12-18 246488]
R2 RzOvlMon;Razer Overlay Subsystem Emergency Service;C:\Program Files (x86)\Razer\Core\64bit\RzOvlMon.exe [2013-12-10 32960]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-11-11 414496]
R3 CompFilter64;UVCCompositeFilter;C:\Windows\System32\drivers\lvbflt64.sys [2012-9-21 24608]
R3 e1dexpress;Intel® PRO/1000 PCI Express Network Connection Driver D;C:\Windows\System32\drivers\e1d62x64.sys [2013-5-30 495376]
R3 ikbevent;Intel Upper keyboard Class Filter Driver;C:\Windows\System32\drivers\ikbevent.sys [2013-3-14 21048]
R3 imsevent;Intel Upper Mouse Class Filter Driver;C:\Windows\System32\drivers\imsevent.sys [2013-3-14 21048]
R3 ISCT;Intel® Smart Connect Technology Device Driver;C:\Windows\System32\drivers\ISCTD64.sys [2013-3-14 46568]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-4-26 368112]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-4-26 786416]
R3 LADF_CaptureOnly;LADF Capture Filter Driver;C:\Windows\System32\drivers\ladfGSCamd64.sys [2013-4-15 410008]
R3 LADF_RenderOnly;LADF Render Filter Driver;C:\Windows\System32\drivers\ladfGSRamd64.sys [2013-4-15 102808]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-9-21 351520]
R3 LVUVC64;Logitech HD Webcam C615(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-9-21 4763680]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-1-4 25928]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2014-1-22 39200]
R3 RzDxgk;RzDxgk;C:\Windows\System32\drivers\RzDxgk.sys [2014-2-8 129472]
R3 rzendpt;rzendpt;C:\Windows\System32\drivers\rzendpt.sys [2013-11-15 39080]
R3 rzmpos;rzmpos;C:\Windows\System32\drivers\rzmpos.sys [2013-11-15 34984]
R3 rzudd;Razer Keyboard Driver;C:\Windows\System32\drivers\rzudd.sys [2013-11-15 149160]
R3 WPRO_41_2001;WinPcap Packet Driver (WPRO_41_2001);C:\Windows\System32\drivers\WPRO_41_2001.sys [2014-1-4 34752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 ReimageRealTimeProtection;Reimage Real Time Protection;C:\Program Files\Reimage\Reimage Repair\ReiGuard.exe --> C:\Program Files\Reimage\Reimage Repair\ReiGuard.exe [?]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [2013-5-11 822232]
S3 rzjstk;Razer Virtual Joystick Driver;C:\Windows\System32\drivers\rzjstk.sys [2014-1-10 27816]
S3 rzkeypadendpt;Razer Keypad Endpoint;C:\Windows\System32\drivers\rzkeypadendpt.sys [2013-11-15 32936]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
.
=============== Created Last 30 ================
.
2014-04-02 03:19:19 94656 ----a-w- C:\Windows\System32\WPRO_41_2001woem.tmp
2014-04-01 23:09:49 -------- d-----w- C:\ProgramData\IObit
2014-04-01 23:09:45 -------- d-----w- C:\Users\owner\AppData\Roaming\IObit
2014-04-01 23:09:43 -------- d-----w- C:\Program Files (x86)\IObit
2014-04-01 23:05:07 20312 ----a-w- C:\Windows\System32\roboot64.exe
2014-04-01 23:05:07 -------- d-----w- C:\Users\owner\AppData\Roaming\systweak
2014-04-01 22:09:16 -------- d-----w- C:\ProgramData\CDB
2014-04-01 22:08:55 -------- d-----w- C:\Program Files\Reimage
2014-04-01 22:08:52 -------- d-----w- C:\rei
2014-04-01 21:29:38 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-04-01 21:29:33 10521840 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5E3F14BF-102F-4A23-8C3B-8BF8D39F0461}\mpengine.dll
2014-03-31 16:18:29 -------- d-----w- C:\Users\owner\AppData\Local\FalloutNV
2014-03-12 21:45:25 -------- d-sh--w- C:\$RECYCLE.BIN
2014-03-12 21:20:55 98816 ----a-w- C:\Windows\sed.exe
2014-03-12 21:20:55 256000 ----a-w- C:\Windows\PEV.exe
2014-03-12 21:20:55 208896 ----a-w- C:\Windows\MBR.exe
2014-03-12 21:20:54 -------- d-s---w- C:\ComboFix
2014-03-12 21:09:36 -------- d-----w- C:\Windows\ERUNT
2014-03-12 20:54:03 -------- d-----w- C:\AdwCleaner
.
==================== Find3M  ====================
.
2014-04-02 03:19:19 34752 ----a-w- C:\Windows\System32\drivers\WPRO_41_2001.sys
2014-01-21 02:53:40 1048152 ----a-w- C:\Windows\SysWow64\nvspcap.dll
2014-01-21 02:53:29 1179576 ----a-w- C:\Windows\System32\nvspcap64.dll
2014-01-14 01:53:50 88576 ----a-w- C:\Windows\SysWow64\rzdevinfo.dll
2014-01-14 01:53:44 296448 ----a-w- C:\Windows\SysWow64\rzaudiodll.dll
2014-01-10 08:11:10 27816 ----a-w- C:\Windows\System32\drivers\rzjstk.sys
.
============= FINISH: 22:26:58.87 ===============
 
and here is the attachment I was told to attach:
 
Thanks and I hope you can help me!
 



 


#2 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 01 April 2014 - 11:24 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

  • Next please re-run FRST again and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt); please post the log in your reply to me (you can use pastebin as well).

 

 

Regards,

Georgi


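The DDS log above and the FRST logs Georgi asks for are normally read by eye. The script below is an added triage example written for this thread; it is not part of FRST, DDS, or any post here. It scans pasted log lines for the markers both tools print when an entry cannot be tied to a publisher or an existing file (`()`, `[X]`, `[?]`) and for any line naming rpcss.dll, the file the helper asks FRST to search for. The meaning attached to each marker is this example's reading of the tools' output (an assumption, stated in the comments); the rpcss.dll sample line is constructed and does not appear in the thread, while the other sample lines are copied from the logs posted above.

```python
"""Triage pass over pasted FRST / DDS log lines.

Added example for this thread, not part of FRST, DDS or the thread itself.
It looks for the markers the two tools already print when an entry cannot
be tied to a file or a publisher, and for any line that names rpcss.dll,
the file the helper asks FRST to search for.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # which triage rule fired
    line: str   # the log line, stripped


# Markers as they appear in the logs pasted in this thread. The readings
# below are this example's assumptions about the tools' conventions:
#   "()"  FRST prints an empty publisher field for a process or Run
#         entry whose file carries no company/publisher information
#   "[X]" FRST: the Run value points at a file that does not exist
#   "[?]" DDS: the service's image file could not be examined
NO_PUBLISHER = re.compile(r"^\(\)\s+\S")
MISSING_RUN_TARGET = re.compile(r"\\Run: \[[^\]]*\] - \[X\]$")
SERVICE_FILE_UNKNOWN = re.compile(r"^[RS]\d .*\[\?\]$")
RPCSS_REFERENCE = re.compile(r"rpcss\.dll", re.IGNORECASE)

RULES = [
    ("no-publisher", NO_PUBLISHER),
    ("missing-run-target", MISSING_RUN_TARGET),
    ("service-file-unknown", SERVICE_FILE_UNKNOWN),
    ("rpcss-reference", RPCSS_REFERENCE),
]


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (rule, line) pair that matches, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule so a reviewer sees at a glance what fired."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Sample input: lines copied from the DDS and FRST logs in this thread,
# plus one constructed DDS "Created Last 30" line for rpcss.dll that is
# NOT in the thread; it only exercises the last rule.
SAMPLE_LOG = r"""
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe
() C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
HKLM-x32\...\Run: [LWS] - C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)
HKLM-x32\...\Run: [] - [X]
S2 ReimageRealTimeProtection;Reimage Real Time Protection;C:\Program Files\Reimage\Reimage Repair\ReiGuard.exe --> C:\Program Files\Reimage\Reimage Repair\ReiGuard.exe [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-1-4 701512]
2014-03-12 21:20:55 512512 ----a-w- C:\Windows\System32\rpcss.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Hits are leads, not verdicts: the `()` CoreSync entry sits under Adobe's own directory, so a flagged line still needs the file itself examined, which is exactly what the FRST search step that follows is for.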


#3 JJxBlade

  • Topic Starter

  • Members
  • 21 posts

Posted 02 April 2014 - 12:00 AM

FRST

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by owner (administrator) on OWNER-PC on 01-04-2014 23:51:10
Running from C:\Users\owner\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\system32\IProsetMonitor.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Razer, Inc.) C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare 6\Monitor.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems, Incorporated) C:\Program Files\Adobe\Adobe Photoshop CC (64 Bit)\Photoshop.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [IAStorIcon] - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13636824 2013-07-26] (Realtek Semiconductor)
HKLM\...\Run: [Nvtmru] - "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [ShadowPlay] - C:\Windows\system32\nvspcap64.dll [1179576 2014-01-20] (NVIDIA Corporation)
HKLM\...\Run: [NvBackend] - C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2234144 2014-01-20] (NVIDIA Corporation)
HKLM\...\Run: [Launch LCore] - C:\Program Files\Logitech Gaming Software\LCore.exe [8292120 2013-11-14] (Logitech Inc.)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe Creative Cloud] - C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2239376 2013-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCEPServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe [1039248 2013-03-13] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [LWS] - C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [Razer Synapse] - C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [442712 2014-01-16] (Razer Inc.)
HKU\S-1-5-21-3668673199-942160885-1744315029-1000\...\Run: [GoogleChromeAutoLaunch_BFB1AAC9AD5759BCC5B883652DF33E69] - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [859976 2014-03-14] (Google Inc.)
HKU\S-1-5-21-3668673199-942160885-1744315029-1000\...\Run: [Advanced SystemCare 6] - C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe [405376 2012-11-02] (IObit)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x66688EA616FCCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
 
Chrome: 
=======
CHR HomePage: 
CHR Extension: (Google Docs) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-12-19]
CHR Extension: (Google Drive) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-12-19]
CHR Extension: (Siggy Automator) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjdhemfmihbpmjpdjgagkdinfdmabgel [2014-01-01]
CHR Extension: (YouTube) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-12-19]
CHR Extension: (Adblock Plus) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-01-01]
CHR Extension: (Google Search) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-12-19]
CHR Extension: (AdBlock) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-01-01]
CHR Extension: (Roblox Auto-Signature) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbkjblojhhiigcklodheehnlmmjpibak [2014-01-01]
CHR Extension: (Roblox Hat Notifier) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjepeiijmflchkjgfjpopeimafiognkc [2014-01-01]
CHR Extension: (Youtube Subscriptions as Default Page) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\klljlfcipmgohgfdgmliaobikgdoeaah [2014-01-01]
CHR Extension: (Black Black Chrome Theme Yellow Highlight) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\lehalblkpgmicidcaapmfoekhnebcafl [2014-01-01]
CHR Extension: (Google Wallet) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-19]
CHR Extension: (Gmail) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-12-19]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-03-03]
 
==================== Services (Whitelisted) =================
 
R2 AdvancedSystemCareService6; C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [464256 2012-10-31] (IObit)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1363584 2014-03-03] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1748608 2014-03-03] (Microsoft Corporation)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-03] (Intel Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [182248 2013-03-14] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1593632 2014-01-20] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [16939296 2014-01-20] (NVIDIA Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-18] (Realtek Semiconductor)
R2 RzOvlMon; C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe [32960 2013-12-10] (Razer, Inc.)
S2 ReimageRealTimeProtection; C:\Program Files\Reimage\Reimage Repair\ReiGuard.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [495376 2013-05-30] (Intel Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-08-07] (Intel Corporation)
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [21048 2013-03-14] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [21048 2013-03-14] ()
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [46568 2013-03-14] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-12-27] (NVIDIA Corporation)
R3 RzDxgk; C:\Windows\system32\drivers\RzDxgk.sys [129472 2013-12-10] (Razer, Inc.)
R3 rzendpt; C:\Windows\System32\DRIVERS\rzendpt.sys [39080 2013-11-15] (Razer Inc)
R0 RzFilter; C:\Windows\System32\drivers\RzFilter.sys [74432 2013-12-10] (Razer, Inc.)
S3 rzjstk; C:\Windows\System32\DRIVERS\rzjstk.sys [27816 2014-01-10] (Razer Inc)
S3 rzkeypadendpt; C:\Windows\System32\DRIVERS\rzkeypadendpt.sys [32936 2013-11-15] (Razer Inc)
R3 rzmpos; C:\Windows\System32\DRIVERS\rzmpos.sys [34984 2013-11-15] (Razer Inc)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2014-04-01] ()
S3 AsrSetupDrv; \??\C:\Windows\SysWOW64\Drivers\AsrSetupDrv.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-04-01 23:51 - 2014-04-01 23:51 - 00015498 _____ () C:\Users\owner\Downloads\FRST.txt
2014-04-01 23:50 - 2014-04-01 23:51 - 00000000 ____D () C:\FRST
2014-04-01 23:49 - 2014-04-01 23:49 - 02157056 _____ (Farbar) C:\Users\owner\Downloads\FRST64.exe
2014-04-01 22:28 - 2014-04-01 22:28 - 00017402 _____ () C:\Users\owner\Documents\DDS.txt
2014-04-01 22:27 - 2014-04-01 22:27 - 00006737 _____ () C:\Users\owner\Documents\Attach.txt
2014-04-01 22:27 - 2014-04-01 22:27 - 00006737 _____ () C:\Users\owner\Desktop\attach.txt
2014-04-01 22:27 - 2014-04-01 22:26 - 00017402 _____ () C:\Users\owner\Desktop\dds.txt
2014-04-01 22:24 - 2014-04-01 22:24 - 00688992 ____R (Swearware) C:\Users\owner\Downloads\dds.com
2014-04-01 22:19 - 2014-04-01 22:19 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2014-04-01 18:55 - 2014-04-01 18:56 - 00002632 _____ () C:\Users\owner\Desktop\Rkill.txt
2014-04-01 18:55 - 2014-04-01 18:55 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\owner\Downloads\rkill.exe
2014-04-01 18:10 - 2014-04-01 18:45 - 00003094 _____ () C:\Windows\System32\Tasks\ASC6_PerformanceMonitor
2014-04-01 18:09 - 2014-04-01 18:47 - 00000000 ____D () C:\Users\owner\AppData\Roaming\IObit
2014-04-01 18:09 - 2014-04-01 18:09 - 00001272 _____ () C:\Users\Public\Desktop\Uninstaller.lnk
2014-04-01 18:09 - 2014-04-01 18:09 - 00001260 _____ () C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Uninstall Programs.lnk
2014-04-01 18:09 - 2014-04-01 18:09 - 00001243 _____ () C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
2014-04-01 18:09 - 2014-04-01 18:09 - 00000000 ____D () C:\ProgramData\IObit
2014-04-01 18:09 - 2014-04-01 18:09 - 00000000 ____D () C:\Program Files (x86)\IObit
2014-04-01 18:08 - 2014-04-01 18:08 - 19327656 _____ (IObit ) C:\Users\owner\Downloads\ASC_Setup.exe
2014-04-01 18:05 - 2014-04-01 18:39 - 00000000 ____D () C:\Users\owner\AppData\Roaming\systweak
2014-04-01 18:05 - 2014-04-01 18:05 - 00003108 _____ () C:\Windows\System32\Tasks\RegClean Pro
2014-04-01 18:05 - 2014-04-01 18:05 - 00001350 _____ () C:\Users\owner\Desktop\Clean Registry for Free!.lnk
2014-04-01 18:05 - 2014-04-01 18:05 - 00001050 _____ () C:\Users\Public\Desktop\RegClean Pro.lnk
2014-04-01 18:05 - 2014-02-26 18:45 - 00020312 _____ (Systweak Inc., (www.systweak.com)) C:\Windows\system32\roboot64.exe
2014-04-01 17:09 - 2014-04-01 17:09 - 00000000 ____D () C:\ProgramData\CDB
2014-04-01 17:08 - 2014-04-01 18:48 - 00000000 ____D () C:\rei
2014-04-01 17:08 - 2014-04-01 17:09 - 00000155 _____ () C:\Windows\Reimage.ini
2014-04-01 17:08 - 2014-04-01 17:08 - 00785536 _____ (Reimage®) C:\Users\owner\Downloads\ReimageRepair.exe
2014-04-01 17:08 - 2014-04-01 17:08 - 00000000 ____D () C:\Program Files\Reimage
2014-03-31 11:18 - 2014-03-31 11:18 - 00000000 ____D () C:\Users\owner\Documents\My Games
2014-03-31 11:18 - 2014-03-31 11:18 - 00000000 ____D () C:\Users\owner\AppData\Local\FalloutNV
2014-03-31 01:56 - 2014-03-31 01:56 - 00000221 _____ () C:\Users\owner\Desktop\Amnesia The Dark Descent.url
2014-03-16 15:02 - 2014-03-16 15:02 - 00000220 _____ () C:\Users\owner\Desktop\The Ship.url
2014-03-16 13:28 - 2014-03-16 13:29 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\owner\Downloads\mbam-setup-1.75.0.1300 (1).exe
2014-03-16 13:27 - 2014-03-16 13:27 - 00982016 _____ (Farbar) C:\Users\owner\Downloads\MiniToolBox.exe
2014-03-16 13:27 - 2014-03-16 13:27 - 00024357 _____ () C:\Users\owner\Downloads\Result.txt
2014-03-16 13:26 - 2014-03-16 13:26 - 00409600 _____ (Farbar) C:\Users\owner\Downloads\FSS.exe
2014-03-16 13:26 - 2014-03-16 13:26 - 00002484 _____ () C:\Users\owner\Downloads\FSS.txt
2014-03-16 13:24 - 2014-03-16 13:24 - 00987442 _____ () C:\Users\owner\Downloads\SecurityCheck.exe
2014-03-13 16:41 - 2014-03-13 16:42 - 06789829 _____ () C:\Users\owner\Documents\English Video.wmv
2014-03-13 15:57 - 2014-03-13 15:57 - 00005008 _____ () C:\Users\owner\Documents\Track 5 - 3.sfk
2014-03-13 15:50 - 2014-03-13 15:57 - 01267890 _____ () C:\Users\owner\Documents\Track 5 - 3.wav
2014-03-13 15:50 - 2014-03-13 15:50 - 00010304 _____ () C:\Users\owner\Documents\Track 5 - 2.sfk
2014-03-13 15:48 - 2014-03-13 15:50 - 02623486 _____ () C:\Users\owner\Documents\Track 5 - 2.wav
2014-03-13 15:48 - 2014-03-13 15:48 - 00002880 _____ () C:\Users\owner\Documents\Track 5 - 1.sfk
2014-03-13 15:47 - 2014-03-13 15:48 - 00723158 _____ () C:\Users\owner\Documents\Track 5 - 1.wav
2014-03-13 15:38 - 2014-03-13 16:39 - 00000000 ____D () C:\Users\owner\Desktop\English
2014-03-12 16:20 - 2014-03-12 16:44 - 00000000 ___SD () C:\ComboFix
2014-03-12 16:20 - 2014-03-12 16:20 - 00000000 ___SD () C:\32788R22FWJFW
2014-03-12 16:20 - 2014-03-12 16:20 - 00000000 ____D () C:\Windows\erdnt
2014-03-12 16:20 - 2014-03-12 16:20 - 00000000 ____D () C:\Qoobox
2014-03-12 16:20 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-03-12 16:20 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-03-12 16:20 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-03-12 16:20 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-03-12 16:20 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-03-12 16:20 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2014-03-12 16:20 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2014-03-12 16:20 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2014-03-12 16:09 - 2014-03-12 16:09 - 00000000 ____D () C:\Windows\ERUNT
2014-03-12 16:08 - 2014-03-12 16:08 - 01037734 _____ (Thisisu) C:\Users\owner\Downloads\JRT.exe
2014-03-12 15:54 - 2014-03-12 15:57 - 00000000 ____D () C:\AdwCleaner
2014-03-12 15:52 - 2014-03-12 15:52 - 01949184 _____ () C:\Users\owner\Downloads\AdwCleaner.exe
2014-03-10 22:27 - 2014-03-10 22:27 - 00008501 _____ () C:\Users\owner\Documents\ben convo.txt
2014-03-07 21:48 - 2014-03-07 21:48 - 00000219 _____ () C:\Users\owner\Desktop\Counter-Strike Global Offensive.url
 
==================== One Month Modified Files and Folders =======
 
2014-04-01 23:51 - 2014-04-01 23:51 - 00015498 _____ () C:\Users\owner\Downloads\FRST.txt
2014-04-01 23:51 - 2014-04-01 23:50 - 00000000 ____D () C:\FRST
2014-04-01 23:49 - 2014-04-01 23:49 - 02157056 _____ (Farbar) C:\Users\owner\Downloads\FRST64.exe
2014-04-01 23:36 - 2013-12-19 20:50 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-04-01 23:01 - 2013-12-19 20:38 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-01 22:48 - 2009-07-13 23:51 - 00098196 _____ () C:\Windows\setupact.log
2014-04-01 22:28 - 2014-04-01 22:28 - 00017402 _____ () C:\Users\owner\Documents\DDS.txt
2014-04-01 22:27 - 2014-04-01 22:27 - 00006737 _____ () C:\Users\owner\Documents\Attach.txt
2014-04-01 22:27 - 2014-04-01 22:27 - 00006737 _____ () C:\Users\owner\Desktop\attach.txt
2014-04-01 22:27 - 2009-07-13 23:45 - 00021664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-01 22:27 - 2009-07-13 23:45 - 00021664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-01 22:26 - 2014-04-01 22:27 - 00017402 _____ () C:\Users\owner\Desktop\dds.txt
2014-04-01 22:25 - 2009-07-14 00:13 - 00779966 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-01 22:24 - 2014-04-01 22:24 - 00688992 ____R (Swearware) C:\Users\owner\Downloads\dds.com
2014-04-01 22:22 - 2013-12-18 11:56 - 01320151 _____ () C:\Windows\WindowsUpdate.log
2014-04-01 22:20 - 2013-12-19 20:38 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-01 22:19 - 2014-04-01 22:19 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2014-04-01 22:19 - 2014-01-04 15:16 - 00034752 _____ () C:\Windows\system32\Drivers\WPRO_41_2001.sys
2014-04-01 22:19 - 2013-12-18 12:42 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-04-01 22:19 - 2010-11-20 22:47 - 00153696 _____ () C:\Windows\PFRO.log
2014-04-01 22:19 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-01 18:56 - 2014-04-01 18:55 - 00002632 _____ () C:\Users\owner\Desktop\Rkill.txt
2014-04-01 18:55 - 2014-04-01 18:55 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\owner\Downloads\rkill.exe
2014-04-01 18:48 - 2014-04-01 17:08 - 00000000 ____D () C:\rei
2014-04-01 18:47 - 2014-04-01 18:09 - 00000000 ____D () C:\Users\owner\AppData\Roaming\IObit
2014-04-01 18:45 - 2014-04-01 18:10 - 00003094 _____ () C:\Windows\System32\Tasks\ASC6_PerformanceMonitor
2014-04-01 18:39 - 2014-04-01 18:05 - 00000000 ____D () C:\Users\owner\AppData\Roaming\systweak
2014-04-01 18:39 - 2014-01-02 14:23 - 00000000 ____D () C:\Users\owner\Desktop\Sony Vegas Pro 12 for Free
2014-04-01 18:39 - 2014-01-02 14:22 - 00000000 ____D () C:\Users\owner\Downloads\Sony Vegas Pro 12 for Free
2014-04-01 18:39 - 2013-12-31 22:19 - 00000000 ____D () C:\Users\owner\Desktop\V Thing
2014-04-01 18:09 - 2014-04-01 18:09 - 00001272 _____ () C:\Users\Public\Desktop\Uninstaller.lnk
2014-04-01 18:09 - 2014-04-01 18:09 - 00001260 _____ () C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Uninstall Programs.lnk
2014-04-01 18:09 - 2014-04-01 18:09 - 00001243 _____ () C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
2014-04-01 18:09 - 2014-04-01 18:09 - 00000000 ____D () C:\ProgramData\IObit
2014-04-01 18:09 - 2014-04-01 18:09 - 00000000 ____D () C:\Program Files (x86)\IObit
2014-04-01 18:08 - 2014-04-01 18:08 - 19327656 _____ (IObit ) C:\Users\owner\Downloads\ASC_Setup.exe
2014-04-01 18:05 - 2014-04-01 18:05 - 00003108 _____ () C:\Windows\System32\Tasks\RegClean Pro
2014-04-01 18:05 - 2014-04-01 18:05 - 00001350 _____ () C:\Users\owner\Desktop\Clean Registry for Free!.lnk
2014-04-01 18:05 - 2014-04-01 18:05 - 00001050 _____ () C:\Users\Public\Desktop\RegClean Pro.lnk
2014-04-01 17:09 - 2014-04-01 17:09 - 00000000 ____D () C:\ProgramData\CDB
2014-04-01 17:09 - 2014-04-01 17:08 - 00000155 _____ () C:\Windows\Reimage.ini
2014-04-01 17:08 - 2014-04-01 17:08 - 00785536 _____ (Reimage®) C:\Users\owner\Downloads\ReimageRepair.exe
2014-04-01 17:08 - 2014-04-01 17:08 - 00000000 ____D () C:\Program Files\Reimage
2014-04-01 16:58 - 2013-12-19 20:54 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2014-04-01 16:57 - 2013-12-19 20:44 - 00000000 ____D () C:\Users\owner\AppData\Roaming\uTorrent
2014-04-01 02:18 - 2013-12-25 23:46 - 00000000 ____D () C:\Users\owner\AppData\Local\Adobe
2014-03-31 17:05 - 2014-02-06 17:30 - 00000000 ____D () C:\Users\owner\Desktop\Recordings Game
2014-03-31 11:23 - 2014-01-01 01:16 - 00000000 ____D () C:\Users\owner\Desktop\Webcam Recordings
2014-03-31 11:18 - 2014-03-31 11:18 - 00000000 ____D () C:\Users\owner\Documents\My Games
2014-03-31 11:18 - 2014-03-31 11:18 - 00000000 ____D () C:\Users\owner\AppData\Local\FalloutNV
2014-03-31 11:18 - 2013-12-20 19:29 - 00046715 _____ () C:\Windows\DirectX.log
2014-03-31 02:19 - 2013-12-21 11:55 - 00000000 ____D () C:\Users\owner\AppData\Local\CrashDumps
2014-03-31 01:56 - 2014-03-31 01:56 - 00000221 _____ () C:\Users\owner\Desktop\Amnesia The Dark Descent.url
2014-03-28 11:56 - 2013-12-19 20:38 - 00003892 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-28 11:56 - 2013-12-19 20:38 - 00003640 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-27 21:27 - 2013-12-26 00:42 - 00000132 _____ () C:\Users\owner\AppData\Roaming\Adobe PNG Format CC Prefs
2014-03-26 20:21 - 2013-12-19 20:44 - 00000000 ____D () C:\Users\owner\AppData\Roaming\.minecraft
2014-03-16 15:02 - 2014-03-16 15:02 - 00000220 _____ () C:\Users\owner\Desktop\The Ship.url
2014-03-16 13:29 - 2014-03-16 13:28 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\owner\Downloads\mbam-setup-1.75.0.1300 (1).exe
2014-03-16 13:29 - 2014-01-04 01:33 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-16 13:29 - 2014-01-04 01:33 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-16 13:27 - 2014-03-16 13:27 - 00982016 _____ (Farbar) C:\Users\owner\Downloads\MiniToolBox.exe
2014-03-16 13:27 - 2014-03-16 13:27 - 00024357 _____ () C:\Users\owner\Downloads\Result.txt
2014-03-16 13:26 - 2014-03-16 13:26 - 00409600 _____ (Farbar) C:\Users\owner\Downloads\FSS.exe
2014-03-16 13:26 - 2014-03-16 13:26 - 00002484 _____ () C:\Users\owner\Downloads\FSS.txt
2014-03-16 13:24 - 2014-03-16 13:24 - 00987442 _____ () C:\Users\owner\Downloads\SecurityCheck.exe
2014-03-15 23:27 - 2013-12-24 17:53 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Skype
2014-03-15 22:25 - 2013-12-31 01:03 - 00000000 ____D () C:\Users\owner\AppData\Local\Roblox
2014-03-15 22:22 - 2013-12-31 01:03 - 00001348 _____ () C:\Users\owner\Desktop\ROBLOX Player.lnk
2014-03-15 22:22 - 2013-12-31 01:03 - 00001167 _____ () C:\Users\owner\Desktop\ROBLOX Studio 2013.lnk
2014-03-15 22:22 - 2013-12-31 01:03 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox
2014-03-15 16:26 - 2013-12-19 20:42 - 00000000 ____D () C:\Program Files (x86)\World of Warcraft
2014-03-15 14:56 - 2013-12-19 20:38 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-03-15 14:38 - 2013-12-24 17:53 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-13 16:47 - 2014-01-01 23:38 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Audacity
2014-03-13 16:42 - 2014-03-13 16:41 - 06789829 _____ () C:\Users\owner\Documents\English Video.wmv
2014-03-13 16:39 - 2014-03-13 15:38 - 00000000 ____D () C:\Users\owner\Desktop\English
2014-03-13 15:57 - 2014-03-13 15:57 - 00005008 _____ () C:\Users\owner\Documents\Track 5 - 3.sfk
2014-03-13 15:57 - 2014-03-13 15:50 - 01267890 _____ () C:\Users\owner\Documents\Track 5 - 3.wav
2014-03-13 15:50 - 2014-03-13 15:50 - 00010304 _____ () C:\Users\owner\Documents\Track 5 - 2.sfk
2014-03-13 15:50 - 2014-03-13 15:48 - 02623486 _____ () C:\Users\owner\Documents\Track 5 - 2.wav
2014-03-13 15:48 - 2014-03-13 15:48 - 00002880 _____ () C:\Users\owner\Documents\Track 5 - 1.sfk
2014-03-13 15:48 - 2014-03-13 15:47 - 00723158 _____ () C:\Users\owner\Documents\Track 5 - 1.wav
2014-03-12 16:44 - 2014-03-12 16:20 - 00000000 ___SD () C:\ComboFix
2014-03-12 16:20 - 2014-03-12 16:20 - 00000000 ___SD () C:\32788R22FWJFW
2014-03-12 16:20 - 2014-03-12 16:20 - 00000000 ____D () C:\Windows\erdnt
2014-03-12 16:20 - 2014-03-12 16:20 - 00000000 ____D () C:\Qoobox
2014-03-12 16:09 - 2014-03-12 16:09 - 00000000 ____D () C:\Windows\ERUNT
2014-03-12 16:08 - 2014-03-12 16:08 - 01037734 _____ (Thisisu) C:\Users\owner\Downloads\JRT.exe
2014-03-12 15:57 - 2014-03-12 15:54 - 00000000 ____D () C:\AdwCleaner
2014-03-12 15:52 - 2014-03-12 15:52 - 01949184 _____ () C:\Users\owner\Downloads\AdwCleaner.exe
2014-03-10 22:27 - 2014-03-10 22:27 - 00008501 _____ () C:\Users\owner\Documents\ben convo.txt
2014-03-07 21:48 - 2014-03-07 21:48 - 00000219 _____ () C:\Users\owner\Desktop\Counter-Strike Global Offensive.url
2014-03-06 15:39 - 2009-07-14 00:08 - 00032570 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
 
Some content of TEMP:
====================
C:\Users\owner\AppData\Local\Temp\ReimagePackage.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 22:24] - [2010-11-20 22:24] - 0512512 ____A (Microsoft Corporation) 1471C17E189CFBF197C8167F51EB2F46
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-13 17:22
 
==================== End Of Log ============================
 
Search.txt

Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by owner at 2014-04-01 23:55:44
Running from C:\Users\owner\Downloads
Boot Mode: Normal
 
================== Search: "rpcss.dll" ===================
 
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-20 22:24] - [2010-11-20 22:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123
 
C:\Windows\System32\rpcss.dll
[2010-11-20 22:24] - [2010-11-20 22:24] - 0512512 ____A (Microsoft Corporation) 1471C17E189CFBF197C8167F51EB2F46
 
====== End Of Search ======


#4 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 April 2014 - 02:30 AM

Hello,

STEP 1

Click on Start > type in appwiz.cpl in the search box and press Enter
Find and uninstall the following programs from the list:

RegClean Pro

Registry Editor / Cleaner Warning!!

The following is referring to RegClean Pro.

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:

  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.

This is done assuming that the major audience here at this board might be inexperienced users, and thus is a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

For more information about why you should avoid using such programs please take a look here => Registry Cleaners and System Tweaking Tools

STEP 2

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi

cXfZ4wS.png


#5 JJxBlade
  • Topic Starter
  • Members
  • 21 posts

Posted 02 April 2014 - 02:19 PM

Fixlog Log

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014

Ran by owner at 2014-04-02 14:18:32 Run:1
Running from C:\Users\owner\Downloads
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] - [X]
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
Task: {E36B3083-E227-4743-9BDD-ECCC08B24658} - System32\Tasks\RegClean Pro => C:\Program Files (x86)\RegClean Pro\RegCleanPro.exe <==== ATTENTION
end
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E36B3083-E227-4743-9BDD-ECCC08B24658} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E36B3083-E227-4743-9BDD-ECCC08B24658} => Key deleted successfully.
C:\Windows\System32\Tasks\RegClean Pro => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro => Key deleted successfully.
 
==== End of Fixlog ====
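The FRST output earlier in the thread flagged rpcss.dll because its MD5 and size (512512 bytes) did not match the component-store copy in WinSxS (512000 bytes), and the fix above restored the file from that copy. The script below is an added example, not FRST's code and not from this thread, that performs the same comparison from a defender's side: it hashes the live System32 file and every same-named file in WinSxS and reports whether the live copy is byte-identical to any known-good version. It assumes an elevated PowerShell prompt and PowerShell 4.0 or later for Get-FileHash (on this Windows 7 machine that means the Windows Management Framework 4.0 update):

```powershell
# Added example, not FRST's own code and not from this thread: compare the live
# %SystemRoot%\System32\<file> with the copies Windows keeps in the component
# store (WinSxS). A patched System32 copy, like the rpcss.dll in the log above,
# matches none of them by size or hash.
# Assumption: run from an elevated prompt, PowerShell 4.0+ (Get-FileHash).

param(
    [string]$FileName = 'rpcss.dll'   # any System32 DLL or EXE can be checked this way
)

$live   = Join-Path $env:SystemRoot "System32\$FileName"
$winsxs = Join-Path $env:SystemRoot 'winsxs'
if (-not (Test-Path -LiteralPath $live)) { throw "$live not found" }

function Get-FileFingerprint([string]$Path) {
    # FRST reports MD5, so MD5 is kept to match its output; it is not collision
    # resistant, so SHA256 is recorded as well for anything you submit elsewhere.
    [pscustomobject]@{
        Path   = $Path
        Size   = (Get-Item -LiteralPath $Path).Length
        MD5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$liveInfo = Get-FileFingerprint $live
"Live file: {0}`n  size {1}  MD5 {2}`n  SHA256 {3}" -f $liveInfo.Path, $liveInfo.Size, $liveInfo.MD5, $liveInfo.SHA256

# Component directories are named like amd64_microsoft-windows-com-base-qfe-rpcss_<...>;
# each one holding a same-named file is a known-good candidate (RTM, SP, hotfix builds).
$stem = [IO.Path]::GetFileNameWithoutExtension($FileName)
$candidates = @(Get-ChildItem -LiteralPath $winsxs -Directory -Filter "*$stem*" -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName $FileName } |
    Where-Object { Test-Path -LiteralPath $_ })

$matched = $false
"Component-store copies found: {0}" -f $candidates.Count
foreach ($path in $candidates) {
    $info = Get-FileFingerprint $path
    if ($info.MD5 -eq $liveInfo.MD5) { $matched = $true; $verdict = 'MATCH  ' } else { $verdict = 'differs' }
    "  {0} size {1}  MD5 {2}  {3}" -f $verdict, $info.Size, $info.MD5, $info.Path
}

if ($candidates.Count -eq 0) {
    Write-Warning "No copy of $FileName in WinSxS to compare against; verify it with 'sfc /verifyfile=$live' instead."
} elseif ($matched) {
    "OK: System32\$FileName is byte-identical to a component-store copy."
} else {
    Write-Warning ("System32\$FileName matches none of the WinSxS copies. Treat it as suspect: " +
        "check its catalog signature (sfc /verifyfile=$live) and look up the SHA256 before " +
        "restoring it from the matching WinSxS copy, as the FRST fix above did.")
}
```

A live file that matches no component-store copy is not proof of infection on its own (a third-party patch or a partially applied update can produce the same result), which is why the warning points at the catalog signature check rather than declaring the file malicious; the decisive signal in this thread was the combination of a unique hash, a size that differs from every Microsoft build, and the DCOM/Plug and Play shutdown symptom.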


#6 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 April 2014 - 02:45 PM

Hello,

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Regards,

Georgi


#7 JJxBlade
  • Topic Starter
  • Members
  • 21 posts

Posted 02 April 2014 - 02:49 PM

Farbar Service Scanner Version: 25-02-2014
Ran by owner (administrator) on 02-04-2014 at 14:48:32
Running from "C:\Users\owner\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2010-11-20 22:24] - [2010-11-20 22:24] - 0499712 ____A (Microsoft Corporation) D31DC7A16DEA4A9BAF179F3D6FBDB38C
 
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2010-11-20 22:24] - [2010-11-20 22:24] - 1924480 ____A (Microsoft Corporation) 509383E505C973ED7534A06B3D19688D
 
C:\Windows\System32\dnsrslvr.dll
[2010-11-20 22:24] - [2010-11-20 22:24] - 0183296 ____A (Microsoft Corporation) CD55F5355D8F55D44C9F4ED875705BD6
 
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****
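The FSS log above reports on the services behind Windows Update, the firewall, System Restore and the Action Center, and on the policy keys that can silently disable them. The script below is an added example, not Farbar Service Scanner's code and not from this thread, that gathers the same information with built-in cmdlets so an administrator can reproduce the check without a third-party tool. It assumes an elevated prompt; Win32_Service is queried instead of Get-Service because Get-Service does not expose the start type before PowerShell 5:

```powershell
# Added example, not FSS's own code: report state, start type and host binary for the
# services FSS covers, plus the policy values behind its "Disabled Policy" sections.
# Assumption: run from an elevated PowerShell prompt on Windows 7 or later.

$checks = @(
    @{ Name = 'wuauserv';  Role = 'Windows Update' },
    @{ Name = 'BITS';      Role = 'Background Intelligent Transfer (update downloads)' },
    @{ Name = 'CryptSvc';  Role = 'Cryptographic Services (update signature checks)' },
    @{ Name = 'MpsSvc';    Role = 'Windows Firewall' },
    @{ Name = 'BFE';       Role = 'Base Filtering Engine (firewall dependency)' },
    @{ Name = 'wscsvc';    Role = 'Security Center (Action Center)' },
    @{ Name = 'VSS';       Role = 'Volume Shadow Copy (System Restore)' },
    @{ Name = 'WinDefend'; Role = 'Windows Defender' },
    @{ Name = 'RpcSs';     Role = 'Remote Procedure Call (hosts rpcss.dll)' }
)

$findings = @()
"{0,-10} {1,-8} {2,-9} {3}" -f 'Service', 'State', 'Start', 'Binary'
foreach ($c in $checks) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($c.Name)'"
    if ($null -eq $svc) {
        "{0,-10} MISSING" -f $c.Name
        $findings += "$($c.Name) ($($c.Role)): service is missing"
        continue
    }
    # svchost-hosted services load the DLL named in the registry; a replaced or relocated
    # ServiceDll is one of the things FSS's File Check section is looking at.
    $dll = $null
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\services\$($c.Name)\Parameters"
    if (Test-Path $paramKey) {
        $raw = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
    }
    $binary = if ($dll) { $dll } else { $svc.PathName }
    "{0,-10} {1,-8} {2,-9} {3}" -f $svc.Name, $svc.State, $svc.StartMode, $binary
    if ($svc.StartMode -eq 'Disabled') { $findings += "$($c.Name) ($($c.Role)): start type is Disabled" }
    if ($dll -and -not (Test-Path -LiteralPath $dll)) { $findings += "$($c.Name): ServiceDll $dll does not exist" }
    if ($dll -and ($dll -notlike "$env:SystemRoot\*") -and ($dll -notlike "$env:ProgramFiles\*")) {
        $findings += "$($c.Name): ServiceDll $dll is outside the Windows and Program Files trees"
    }
}

# Policy values that disable a feature regardless of service state; the "Bad" value is
# the one that turns the feature off.
$policies = @(
    @{ Label = 'Windows Autoupdate Disabled Policy'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';         Value = 'NoAutoUpdate';   Bad = 1 },
    @{ Label = 'Firewall Disabled Policy (domain)';   Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Value = 'EnableFirewall'; Bad = 0 },
    @{ Label = 'Firewall Disabled Policy (standard)'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Value = 'EnableFirewall'; Bad = 0 },
    @{ Label = 'System Restore Disabled Policy';      Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Value = 'DisableSR';      Bad = 1 }
)
""
foreach ($p in $policies) {
    $v = $null
    if (Test-Path $p.Key) { $v = (Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue).($p.Value) }
    if ($null -eq $v) {
        "{0}: not set" -f $p.Label
    } else {
        "{0}: {1} = {2}" -f $p.Label, $p.Value, $v
        if ($v -eq $p.Bad) { $findings += "$($p.Label): $($p.Value)=$v (set by policy or by malware; confirm it is intended)" }
    }
}

""
if ($findings.Count -eq 0) { "No issues found." } else { "Findings:"; $findings | ForEach-Object { "  * $_" } }
```

An empty "Disabled Policy" section in the FSS log corresponds to "not set" here. A service that is stopped but set to Manual (VSS usually is) is normal; the conditions worth acting on are a Disabled start type on the update, firewall or security-center services, a ServiceDll that points outside the Windows tree, and a policy value that was never set by an administrator.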


#8 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 April 2014 - 03:03 PM

Hello,

I don't see any problems with the Windows services (related to Windows Update) and we already removed the Zekos trojan.

How are things now?

Just in case please run the following tool for me and post back the results from the scan.

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

Regards,

Georgi


#9 JJxBlade
  • Topic Starter
  • Members
  • 21 posts

Posted 02 April 2014 - 03:12 PM

Rkill 2.6.5 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 04/02/2014 03:09:23 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
I am attempting to update Windows as we speak and I will get back to you if it works! As for crashing, I will have to wait and use my computer for a little while to see if it is still crashing!


#10 JJxBlade
  • Topic Starter
  • Members
  • 21 posts

Posted 02 April 2014 - 03:16 PM

pN7qUeg.png

 

The updater finally works and after I update all of this and use my computer I'll see if it is still crashing and report back to you, but thanks for all the help!   :bounce:  :guitar:  :thumbup2:



#11 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 April 2014 - 03:52 PM

Hi,

Thank you for the feedback! :)

Also, if you don't mind, I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

STEP 1

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 2

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
    Sbf88.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

Please download Malwarebytes Anti-Malware to your desktop.
 

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

STEP 4

1. Please download HitmanPro.

  • For 32-bit Operating System - dEMD6.gif
  • This is the mirror - dEMD6.gif
  • For 64-bit Operating System - dEMD6.gif
  • This is the mirror - dEMD6.gif

2. Launch the program by double-clicking on the 5vo5F.jpg icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, then please open the program while holding down the left CTRL key until it is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it into your next reply.

STEP 5

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document called checkup.txt should open automatically; please post the contents of that document.

and then, if there aren't any issues left, I'll give you my final recommendations. :)

Regards,

Georgi




#12 JJxBlade

JJxBlade
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 02 April 2014 - 06:23 PM

Hey! I am posting from my phone because ever since I finished the updates it said it needs to shut down, and about an hour and a half later it is still shutting down. I realize 160 updates is a lot, but should I just let it do its thing or is something wrong? I'll post again if it finishes by the time you read this.

thanks! - James

#13 JJxBlade

JJxBlade
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 02 April 2014 - 10:43 PM

Update: it has been 5 hours since it said "Updates Finished Installing" and it still has not finished shutting down. Is it now time to do something, or is this normal for 160 updates? I'll just keep waiting and post if it finishes or something happens.

#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:58 AM

Posted 02 April 2014 - 11:39 PM

Hello,

If the computer is stuck on Windows Update, then you can wait for some time and see if the process gets completed. If nothing is happening, then you can try to force-restart the system by pressing the power button, and then try to restart the computer and check what happens.

Regards,

Georgi




#15 JJxBlade

JJxBlade
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 02 April 2014 - 11:46 PM

Alright, I did as you said and restarted my computer, and now I am at my ASRock Setup Utility. What now?



