dllhost.exe*32 too many instances and eating memory up


  • This topic is locked
26 replies to this topic

#1 sctrota

sctrota

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:38 PM

Posted 02 April 2014 - 09:23 AM

Hi everyone!

 

Recently my laptop has been getting pretty laggy and the cpu temps have increased big time. I traced it back to my processes where there are probably 20-30+ processes of dllhost.exe*32 each with massive amounts of memory usage each. If I am to boot the laptop up without an internet connection I get a constant message from IE saying "are you sure you want to leave this page?" But I cannot find IE in my processes and I have not tried clicking it as it seems to "suppress" the problem for a short time. 

 

What is my first step to fixing this? 

Here are the specs

WIN7 Home Edition 64 bit

HP- G62 Notebook PC

AMD Athlon™ II P320 Dual-Core Processor 2.10GHz

3 GB RAM

 

 

 

EDIT: Have Farbar scan, should I post that too?


Edited by sctrota, 02 April 2014 - 09:24 AM.


 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:38 AM

Posted 02 April 2014 - 09:26 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Regards,

Georgi




#3 sctrota

sctrota
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:38 PM

Posted 02 April 2014 - 09:26 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by unknown (administrator) on UNKNOWN-PC on 02-04-2014 10:12:35
Running from C:\Users\unknown\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
() C:\Windows\Installer\MSIACFA.tmp
(AMD) C:\Windows\system32\atieclxx.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
() C:\Mitchell1\OnDemand5\Mitchell1.Security.MachineTokenService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(TuneUp Software) C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe
(TuneUp Software) C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesApp64.exe
(Microsoft Corporation) c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Windows\SysWOW64\DllHost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\DllHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor Corp.) C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
() C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-28] (Synaptics Incorporated)
HKLM\...\Run: [HP Quick Launch] - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [451072 2010-01-12] (Hewlett-Packard Company)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6160928 2010-02-05] (Realtek Semiconductor)
HKLM\...\Run: [RtkOSD] - C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe [995840 2010-02-05] (Realtek Semiconductor Corp.)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [4030008 2011-08-09] (ESET)
HKLM-x32\...\Run: [Nero MediaHome 4] - C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe [4891944 2009-06-23] (Nero AG)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641704 2012-11-16] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKU\S-1-5-21-969690743-1763251319-4033328527-1000\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2010-02-22] (Hewlett-Packard Company)
HKU\S-1-5-21-969690743-1763251319-4033328527-1000\...\Run: [Nero MediaHome 4] - C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe [4891944 2009-06-23] (Nero AG)
HKU\S-1-5-21-969690743-1763251319-4033328527-1000\...\Run: [DAEMON Tools Lite] - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3671872 2012-04-17] (DT Soft Ltd)
HKU\S-1-5-21-969690743-1763251319-4033328527-1000\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [4287536 2013-11-16] ()
HKU\S-1-5-21-969690743-1763251319-4033328527-1000\...\Run: [BitTorrent] - C:\Users\unknown\AppData\Roaming\BitTorrent\BitTorrent.exe [900696 2014-03-12] (BitTorrent Inc.)
HKU\S-1-5-21-969690743-1763251319-4033328527-1000\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\unknown\AppData\Local\Temp\sgptuqw\soerupc\wow.dll ATTENTION! ====> ZeroAccess?
IFEO\autoclicker.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"
IFEO\ccleaner64.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"
IFEO\gamebooster.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"
IFEO\hpwucli.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON/4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON/4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCON/4
URLSearchHook: HKCU - (No Name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {B28BD584-485D-46A3-B042-532B4645FE6A} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpl
SearchScopes: HKCU - {B28BD584-485D-46A3-B042-532B4645FE6A} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpl
SearchScopes: HKCU - {CEF9D5C0-C89B-4354-929B-BB770B723EFF} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=994519&p={searchTerms}
SearchScopes: HKCU - {F5240CCD-FDDB-4C40-8724-E0BABDDA539C} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=382950&p={searchTerms}
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: CutePDF Form Filler Helper - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files (x86)\Acro Software\CutePDF Pro\CPFillerCo.dll (Acro Software Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{454726B7-693C-475D-9B10-4B523AEB8C9F}: [NameServer]208.67.222.222,208.67.220.220

FireFox:
========
FF ProfilePath: C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\6efrisvq.default
FF DefaultSearchEngine: Yahoo!
FF Homepage: hxxp://google.ca/
FF Keyword.URL: hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=994519&p=
FF NetworkProxy: "no_proxies_on", ""
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @microsoft.com/GENUINE - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1200112.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.7.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.7.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin-x32: @videolan.org/vlc,version=2.0.3 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npijjiFFPlugin1.dll (NHN USA Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF SearchPlugin: C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\6efrisvq.default\searchplugins\yahoo_ff.xml
FF Extension: No Name - C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\6efrisvq.default\Extensions\{58d2a791-6199-482f-a9aa-9b725ec61362} [2013-11-13]
FF Extension: HP Detect - C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\6efrisvq.default\Extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2} [2013-05-23]
FF Extension: Web Property Page - C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\6efrisvq.default\Extensions\{F4AB823F-FC75-C63C-10D7-00D9741374C9} [2014-01-14]
FF Extension: Autofill Forms - C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\6efrisvq.default\Extensions\autofillForms@blueimp.net.xpi [2012-08-22]
FF Extension: Start Page - C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\6efrisvq.default\Extensions\{58d2a791-6199-482f-a9aa-9b725ec61362}.xpi [2014-01-09]
FF Extension: Adblock Plus - C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\6efrisvq.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-06-28]
FF Extension: Greasemonkey - C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\6efrisvq.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2012-08-24]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-03-30]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012-09-04]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2014-02-02]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012-09-04]

Chrome:
=======
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION

==================== Services (Whitelisted) =================

S4 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-11-16] (Advanced Micro Devices, Inc.)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [974944 2011-08-09] (ESET)
S4 HPWMISVC; C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [19968 2010-01-12] ()
R2 HyperDeskCustomThemeEnabler; C:\Windows\Installer\MSIACFA.tmp [102400 2011-10-22] ()
R2 MachineTokenService; C:\Mitchell1\OnDemand5\Mitchell1.Security.MachineTokenService.exe [57344 2011-05-10] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-29] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-29] (Malwarebytes Corporation)
S4 NeroMediaHomeService.4; C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe [259368 2009-06-23] (Nero AG)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [4610408 2013-08-25] (INCA Internet Co., Ltd.)
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe [2027840 2011-08-15] (TuneUp Software)

==================== Drivers (Whitelisted) ====================

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-05-07] (DT Soft Ltd)
R2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [202576 2011-08-09] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [146432 2011-08-04] (ESET)
R2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [187632 2011-08-04] (ESET)
R1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [38288 2011-08-04] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [62496 2011-08-04] (ESET)
S3 NPPTNT2; C:\Windows\SysWOW64\npptNT2.sys [4682 2005-01-03] (INCA Internet Co., Ltd.)
S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [12504 2013-09-30] ()
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74752 2011-07-25] (Research In Motion Limited)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)
S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2013-10-15] (Anchorfree Inc.)
R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesDriver64.sys [11856 2011-06-06] (TuneUp Software)
S3 U2SP; C:\Windows\System32\DRIVERS\u2s2kxp64.sys [91672 2013-01-25] (Magic Control Technology Corp.)
S3 WinRing0_1_2_0; C:\Program Files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys [14544 2012-08-01] (OpenLibSys.org)
S3 dump_wmimmc; \??\C:\GamesCampus\DriftCity\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-02 10:12 - 2014-04-02 10:12 - 00018359 _____ () C:\Users\unknown\Desktop\FRST.txt
2014-04-02 10:02 - 2014-04-02 10:02 - 02157056 _____ (Farbar) C:\Users\unknown\Desktop\FRST64.exe
2014-04-01 22:41 - 2014-04-01 22:52 - 4205696685 _____ () C:\Users\unknown\Desktop\[PC GAME MULTI] - Gran Theft Auto San Andreas + Crack NoCD - (Perfect DVD Version) - (Eng-Ita-Deu-Fra-Esp) - (By G-ADLVR_R7.rar
2014-04-01 22:40 - 2014-04-02 09:56 - 958579659 _____ () C:\Users\unknown\Desktop\BetaPwnRage HD Pack.rar
2014-03-31 21:11 - 2014-04-02 09:49 - 00000340 _____ () C:\Windows\Tasks\HPCeeScheduleForunknown.job
2014-03-31 21:11 - 2014-03-31 21:11 - 00003198 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForunknown
2014-03-30 19:57 - 2014-03-30 19:57 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-30 19:07 - 2014-03-30 19:54 - 00000000 ____D () C:\Users\unknown\Desktop\Mapes
2014-03-29 19:38 - 2014-03-29 19:38 - 00179712 _____ () C:\Users\unknown\Desktop\Sugoi-Trainer-v1.3.dll
2014-03-26 21:39 - 2014-03-26 22:02 - 00000000 ____D () C:\Users\unknown\Desktop\Electro
2014-03-18 00:12 - 2014-03-19 23:22 - 00000000 ____D () C:\Users\unknown\Desktop\Papers
2014-03-18 00:00 - 2014-04-02 10:12 - 00000000 ____D () C:\FRST
2014-03-17 23:57 - 2014-03-17 23:57 - 00000000 ____D () C:\Windows\ERUNT
2014-03-17 23:50 - 2014-03-17 23:52 - 00000000 ____D () C:\AdwCleaner
2014-03-15 20:31 - 2014-03-15 20:57 - 00000000 ___RD () C:\Users\unknown\Desktop\100CANON
2014-03-12 08:55 - 2014-03-31 21:11 - 00000069 _____ () C:\Windows\system32\wapcbk.msq
2014-03-12 08:38 - 2014-03-12 08:38 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-03-12 08:37 - 2014-03-12 08:37 - 00000064 _____ () C:\Windows\system32\tdjlgsr.quj
2014-03-12 08:37 - 2014-03-12 08:37 - 00000000 _____ () C:\Windows\system32\udjjhda.iky
2014-03-11 22:02 - 2014-03-11 22:02 - 00230284 ____S () C:\Windows\system32\crgkgvw.dqg
2014-03-09 12:25 - 2014-03-09 12:51 - 00000000 ____D () C:\Users\unknown\Desktop\Scan from a Xerox WorkCentre
2014-03-05 01:34 - 2014-03-05 01:34 - 00000000 ____D () C:\Users\unknown\Desktop\New folder

==================== One Month Modified Files and Folders =======

2014-04-02 10:16 - 2011-07-07 23:10 - 00000000 ___HD () C:\Users\unknown\AppData\Local\CrashDumps
2014-04-02 10:15 - 2014-04-02 10:12 - 00018359 _____ () C:\Users\unknown\Desktop\FRST.txt
2014-04-02 10:15 - 2013-11-16 14:16 - 00000000 ____D () C:\Users\unknown\AppData\Local\PMB Files
2014-04-02 10:12 - 2014-03-18 00:00 - 00000000 ____D () C:\FRST
2014-04-02 10:04 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-02 10:04 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-02 10:02 - 2014-04-02 10:02 - 02157056 _____ (Farbar) C:\Users\unknown\Desktop\FRST64.exe
2014-04-02 10:00 - 2012-04-06 21:00 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-02 09:59 - 2010-06-05 04:31 - 01936257 _____ () C:\Windows\WindowsUpdate.log
2014-04-02 09:58 - 2009-07-14 01:13 - 00006206 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-02 09:56 - 2014-04-01 22:40 - 958579659 _____ () C:\Users\unknown\Desktop\BetaPwnRage HD Pack.rar
2014-04-02 09:55 - 2011-09-15 00:43 - 00000000 ____D () C:\Users\unknown\AppData\Roaming\BitTorrent
2014-04-02 09:49 - 2014-03-31 21:11 - 00000340 _____ () C:\Windows\Tasks\HPCeeScheduleForunknown.job
2014-04-02 09:49 - 2013-11-03 12:59 - 00015112 _____ () C:\Windows\setupact.log
2014-04-02 09:49 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-02 09:48 - 2013-11-03 12:59 - 00217532 _____ () C:\Windows\PFRO.log
2014-04-01 22:52 - 2014-04-01 22:41 - 4205696685 _____ () C:\Users\unknown\Desktop\[PC GAME MULTI] - Gran Theft Auto San Andreas + Crack NoCD - (Perfect DVD Version) - (Eng-Ita-Deu-Fra-Esp) - (By G-ADLVR_R7.rar
2014-03-31 21:11 - 2014-03-31 21:11 - 00003198 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForunknown
2014-03-31 21:11 - 2014-03-12 08:55 - 00000069 _____ () C:\Windows\system32\wapcbk.msq
2014-03-31 18:41 - 2012-11-27 13:20 - 00116696 _____ () C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
2014-03-31 14:38 - 2011-07-05 11:42 - 00513536 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2014-03-31 14:36 - 2012-11-22 11:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-03-30 19:57 - 2014-03-30 19:57 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-30 19:54 - 2014-03-30 19:07 - 00000000 ____D () C:\Users\unknown\Desktop\Mapes
2014-03-30 19:40 - 2013-11-16 14:16 - 00000000 ____D () C:\ProgramData\PMB Files
2014-03-29 19:38 - 2014-03-29 19:38 - 00179712 _____ () C:\Users\unknown\Desktop\Sugoi-Trainer-v1.3.dll
2014-03-26 22:02 - 2014-03-26 21:39 - 00000000 ____D () C:\Users\unknown\Desktop\Electro
2014-03-26 21:36 - 2012-01-27 23:36 - 00000000 ____D () C:\Users\unknown\AppData\Roaming\MediaMonkey
2014-03-23 17:55 - 2012-04-03 21:59 - 00007608 ____H () C:\Users\unknown\AppData\Local\resmon.resmoncfg
2014-03-19 23:22 - 2014-03-18 00:12 - 00000000 ____D () C:\Users\unknown\Desktop\Papers
2014-03-18 00:13 - 2011-09-24 11:20 - 00000000 ___RD () C:\Users\unknown\Desktop\School
2014-03-17 23:57 - 2014-03-17 23:57 - 00000000 ____D () C:\Windows\ERUNT
2014-03-17 23:52 - 2014-03-17 23:50 - 00000000 ____D () C:\AdwCleaner
2014-03-17 17:01 - 2011-06-27 17:10 - 00000000 ___RD () C:\Users\unknown\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-17 16:55 - 2011-06-27 17:13 - 00000000 ____D () C:\Users\unknown\AppData\Roaming\Adobe
2014-03-17 00:36 - 2012-01-09 17:36 - 00000000 ___RD () C:\Users\unknown\Desktop\BT
2014-03-16 01:24 - 2012-09-04 02:52 - 00000000 ____D () C:\Users\unknown\AppData\Roaming\vlc
2014-03-15 21:25 - 2013-06-15 19:08 - 00000000 ____D () C:\Nexon
2014-03-15 20:57 - 2014-03-15 20:31 - 00000000 ___RD () C:\Users\unknown\Desktop\100CANON
2014-03-12 09:00 - 2012-04-06 21:00 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-12 09:00 - 2012-04-06 21:00 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-12 09:00 - 2011-06-28 02:09 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-12 08:42 - 2012-08-14 02:19 - 00000000 ___HD () C:\Users\unknown\AppData\Roaming\MotionDSP
2014-03-12 08:38 - 2014-03-12 08:38 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-03-12 08:37 - 2014-03-12 08:37 - 00000064 _____ () C:\Windows\system32\tdjlgsr.quj
2014-03-12 08:37 - 2014-03-12 08:37 - 00000000 _____ () C:\Windows\system32\udjjhda.iky
2014-03-11 22:02 - 2014-03-11 22:02 - 00230284 ____S () C:\Windows\system32\crgkgvw.dqg
2014-03-11 22:02 - 2011-06-27 17:01 - 00000000 ____D () C:\Users\unknown
2014-03-11 22:02 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-03-09 12:51 - 2014-03-09 12:25 - 00000000 ____D () C:\Users\unknown\Desktop\Scan from a Xerox WorkCentre
2014-03-05 23:17 - 2014-01-15 06:27 - 00000000 ____D () C:\Users\unknown\AppData\Local\Uwdpmedia
2014-03-05 01:34 - 2014-03-05 01:34 - 00000000 ____D () C:\Users\unknown\Desktop\New folder
2014-03-05 01:34 - 2013-12-25 18:10 - 00000000 ____D () C:\Users\unknown\Desktop\pics
2014-03-04 23:50 - 2012-05-27 00:59 - 00000000 ___HD () C:\Users\unknown\AppData\Roaming\Acoustica

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2011-07-05 11:42] - [2014-03-31 14:38] - 0513536 ____A (Microsoft Corporation) 464A5DACD062646CE16D197826474C1C

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Windows\system64


LastRegBack: 2014-03-30 18:59

==================== End Of Log ============================
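Reading a log like the one above by hand is error-prone: the same process path repeats dozens of times and the single line that matters (an InprocServer32 COM registration loading a DLL from a Temp path via a globalroot device path, which FRST tagged "ATTENTION! ====> ZeroAccess?") is buried among normal entries. The Python script below is an added example, not FRST's own code and not posted by anyone in this thread. It parses lines in the format FRST prints (section headers framed by `=` characters, process lines `(Vendor) path`, registry lines `KEY: [Name] - value`), counts how many times each process image appears, lists processes FRST printed with an empty vendor field, and flags InprocServer32 entries whose server DLL lives under a Temp or globalroot path. The embedded log is constructed to mirror the format; the SID, user name, folder names and `unsigned.exe` are placeholders, not values from the thread.

```python
"""Parse FRST-style log text and surface the indicators a responder looks for.

Added example for the thread above; not FRST code. The sample log is
CONSTRUCTED in FRST's line format with placeholder SID/paths/names.
"""
import re
from collections import Counter

# Constructed sample mirroring the layout of the FRST log in the thread.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
() C:\Program Files (x86)\Example\unsigned.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [4030008 2011-08-09] (ESET)
HKU\S-1-5-21-0-0-0-1000\...\Run: [BitTorrent] - C:\Users\user\AppData\Roaming\BitTorrent\BitTorrent.exe [900696 2014-03-12] (BitTorrent Inc.)
HKU\S-1-5-21-0-0-0-1000\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\user\AppData\Local\Temp\abc\def\wow.dll ATTENTION! ====> ZeroAccess?
"""

# "==================== Name ====": the name must contain a non-'=' character,
# so a bare "========" underline (as under "FireFox:") is not taken as a header.
SECTION_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")
# "(Vendor) C:\path\image.exe"; the vendor field may be empty.
PROCESS_RE = re.compile(r"^\(([^)]*)\)\s+(.+)$")
# "HKxx\...\Key: [Name] - value" or "HKxx\...\Key: [Name] value".
REGISTRY_RE = re.compile(r"^(HK\S+?):\s+\[([^\]]+)\]\s*-?\s*(.*)$")

# Locations a legitimate in-process COM server essentially never loads from.
SUSPICIOUS_PATH_MARKERS = ("\\temp\\", "globalroot")


def split_sections(text):
    """Group non-empty lines under the FRST section header they follow."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def count_processes(lines):
    """Return (Counter of lowercase image path -> instances, paths with empty vendor)."""
    counts = Counter()
    no_vendor = []
    for line in lines:
        m = PROCESS_RE.match(line)
        if not m:
            continue
        vendor, path = m.group(1).strip(), m.group(2).strip()
        counts[path.lower()] += 1
        if not vendor:
            no_vendor.append(path)
    return counts, no_vendor


def flag_registry(lines):
    """Flag entries FRST already marked and InprocServer32 entries with odd load paths."""
    flagged = []
    for line in lines:
        m = REGISTRY_RE.match(line)
        if not m:
            continue
        key, name, value = m.groups()
        lowered = value.lower()
        reasons = []
        if "attention" in lowered:
            reasons.append("marked by the tool")
        if key.lower().endswith("inprocserver32") and any(
            marker in lowered for marker in SUSPICIOUS_PATH_MARKERS
        ):
            reasons.append("COM server loads from a temp/globalroot path")
        if reasons:
            flagged.append({"key": key, "name": name, "value": value, "reasons": reasons})
    return flagged


def analyze(text):
    """Summarise the indicators relevant to the 'too many dllhost.exe' symptom."""
    sections = split_sections(text)
    counts, no_vendor = count_processes(sections.get("Processes (Whitelisted)", []))
    dllhost = sum(n for path, n in counts.items() if path.endswith("\\dllhost.exe"))
    return {
        "dllhost_instances": dllhost,
        "no_vendor_processes": no_vendor,
        "flagged_registry": flag_registry(sections.get("Registry (Whitelisted)", [])),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("dllhost.exe instances:", result["dllhost_instances"])
    print("processes with empty vendor field:", result["no_vendor_processes"])
    for entry in result["flagged_registry"]:
        print("FLAG", entry["key"], entry["name"], "->", "; ".join(entry["reasons"]))
```

Run it on a saved FRST.txt by replacing `SAMPLE_LOG` with the file's contents. An instance count in the dozens for one image, together with a flagged InprocServer32 entry, is the combination the helper in this thread reacted to; the script only surfaces those lines, and the decision about what to do with them stays with the person reading the log.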



#4 sctrota

sctrota
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:38 PM

Posted 02 April 2014 - 09:27 AM

I put it in there, I used the x64 bit version

 

EDIT: It seems someone was torrenting a few things recently without my permission again. My roommates are quite annoying with this -_-

Edit x2: trying to do the Addition.txt but it's lagging hard atm.


Edited by sctrota, 02 April 2014 - 09:35 AM.


#5 sctrota

sctrota
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:38 PM

Posted 02 April 2014 - 09:42 AM

Here I finished it!

Attached Files



#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:38 PM

Posted 02 April 2014 - 09:42 AM

Moved to Virus, Trojan, Spyware, and Malware Removal Logs where it will stay.

#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:38 AM

Posted 02 April 2014 - 09:45 AM

Hello,

 

Attach the Addition.txt as well!

 

Also I suggest you to uninstall BitTorrent.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case BitTorrent). These programs allow files to be shared between users, as the name(s) suggest. In today's world cybercrime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Libre Office or GIMP."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software
 

 

 

Registry Editor / Cleaner Warning !!


The following is referring to TuneUp Utilities.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:

  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.

This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.


For more information about why you should avoid using such programs please take a look here => Registry Cleaners and System Tweaking Tools

 

 

 

 

I don't recommend you to use any themes for Windows (like HyperDesk) if they require patching system files in order to work properly.

 

 

And finally avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!

 

 

 

IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:

 

 

  • Please re-run FRST again and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt)- please post the log into your reply to me. (you can use pastebin as well).

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 02 April 2014 - 09:47 AM.



#8 sctrota

sctrota
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 02 April 2014 - 09:58 AM

After reading a few articles listed above, I will fix this current problem and then prepare for a reformat. It is too laggy right now to perform a back up but I am also scared that the rootkit will follow in the back up. Still waiting on the rpcss.dll scan



#9 sctrota

sctrota
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 02 April 2014 - 10:09 AM

Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by unknown at 2014-04-02 10:54:40
Running from C:\Users\unknown\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2011-07-05 11:42] - [2010-11-20 09:27] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 20:00] - [2009-07-13 21:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\system64\rpcss.dll
[2011-07-05 11:42] - [2014-03-31 14:38] - 0513536 ____A (Microsoft Corporation) 464A5DACD062646CE16D197826474C1C

C:\Windows\System32\rpcss.dll
[2011-07-05 11:42] - [2014-03-31 14:38] - 0513536 ____A (Microsoft Corporation) 464A5DACD062646CE16D197826474C1C

====== End Of Search ======
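The search output above is worth reading mechanically: on Windows 7 every serviced version of a system file is stored in the WinSxS component store, and the live copy in System32 is normally a hard link to one of them, so a live copy whose MD5 matches no WinSxS copy, or a copy sitting in a directory Windows never uses (the "system64" folder FRST flagged for ZeroAccess), is what a responder would want highlighted. The following is an added example, not part of the thread or of FRST: it parses the FRST search format shown above (sample constructed from the posted lines) and reports those two conditions as a heuristic stand-in for FRST's own "MD5 is legit" whitelist check.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the FRST "Search: rpcss.dll" output in this thread.
SAMPLE = """\
================== Search: "rpcss.dll" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\\rpcss.dll
[2011-07-05 11:42] - [2010-11-20 09:27] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\\Windows\\winsxs\\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\\rpcss.dll
[2009-07-13 20:00] - [2009-07-13 21:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\\Windows\\system64\\rpcss.dll
[2011-07-05 11:42] - [2014-03-31 14:38] - 0513536 ____A (Microsoft Corporation) 464A5DACD062646CE16D197826474C1C

C:\\Windows\\System32\\rpcss.dll
[2011-07-05 11:42] - [2014-03-31 14:38] - 0513536 ____A (Microsoft Corporation) 464A5DACD062646CE16D197826474C1C

====== End Of Search ======
"""

# One FRST detail line: [created] - [modified] - size attributes (company) MD5
DETAIL = re.compile(r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
                    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")
PATH = re.compile(r"^[A-Za-z]:\\")
LIVE_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")  # where a live copy belongs


@dataclass
class Entry:
    path: str
    modified: str
    size: int
    company: str
    md5: str


def parse_search(text: str) -> list[Entry]:
    """Pair each path line with the detail line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH.match(line):
            pending = line
        elif pending and (m := DETAIL.match(line)):
            entries.append(Entry(pending, m["modified"], int(m["size"]), m["company"], m["md5"].upper()))
            pending = None
    return entries


def assess(entries: list[Entry]) -> dict[str, str]:
    """Map suspicious paths to a reason. Assumption: WinSxS copies are the trusted baseline."""
    known = {e.md5 for e in entries if "\\winsxs\\" in e.path.lower()}
    findings = {}
    for e in entries:
        p = e.path.lower()
        if "\\winsxs\\" in p:
            continue
        if not any(d in p for d in LIVE_DIRS):
            findings[e.path] = "copy outside System32/SysWOW64/WinSxS (ZeroAccess uses a fake system64 folder)"
        elif e.md5 not in known:
            findings[e.path] = "MD5 matches no WinSxS version of this file; verify the hash against a trusted source"
    return findings


if __name__ == "__main__":
    for path, reason in assess(parse_search(SAMPLE)).items():
        print(f"{path}: {reason}")
```

Run against the thread's output it flags both the system64 copy and the System32 copy, which is consistent with FRST's own verdict that rpcss.dll was patched.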



#10 sctrota

sctrota
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 02 April 2014 - 11:23 AM

Is there anything else required? I removed everything listed above and posted the data needed



#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:38 AM

Posted 02 April 2014 - 12:55 PM

After reading a few articles listed above, I will fix this current problem and then prepare for a reformat. It is too laggy right now to perform a back up but I am also scared that the rootkit will follow in the back up. Still waiting on the rpcss.dll scan

 

Hello,

 

What is the point of preparing a fix for you if you want to do a format? :)

In my opinion a format is not needed because we can fix this (but my duty was to inform you about the current infection)...so it's your call.

Let me know what you decide.

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 02 April 2014 - 12:56 PM.



#12 sctrota

sctrota
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 02 April 2014 - 02:01 PM

I want to fix it, no formatting please:)



#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:38 AM

Posted 02 April 2014 - 02:43 PM

Hi,
 
 
Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
 
Regards,
Georgi




#14 sctrota

sctrota
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 02 April 2014 - 08:53 PM

Ok, it is working far better than before; however, I cannot upload the fixlog.txt. I have been trying all day today and it will not upload.



#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:38 AM

Posted 02 April 2014 - 11:41 PM

Hello,

 

If the fixlog.txt is too long then paste the log here => http://pastebin.com/ and then send me the link to the log in your next reply for my review.

 

 

Regards,

Georgi






