background audio ads virus "please help"


33 replies to this topic

#1 puterdude71

puterdude71

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:louisiana
  • Local time:12:33 AM

Posted 06 April 2014 - 02:34 AM

Hi guys, I'm having issues with my wife's and my laptops; it started a few days ago. First with hers, then while working on hers mine was somehow infected also, as if it found a path so to speak. They restarted by themselves and when they rebooted these audio ads in the background started playing. I've already tried Malwarebytes, TDSSKiller, and a few others from Bleeping but the background music ads keep coming back and are killing the CPU. So if someone could please help me as you've done for numerous others, it would be greatly appreciated. At this time we will be working with this laptop, and then the other one. I've already run DDS on this one and here's the log I got from it, and will do the same for the other one when this one is completed. And please bear in mind I work a lot so I'm not always here, but I will reply in time. Thank you in advance.


Edited by puterdude71, 06 April 2014 - 03:13 AM.



#2 puterdude71

Posted 06 April 2014 - 02:36 AM

Here's the DDS log.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635
Run by Hayes at 2:57:10 on 2014-04-06
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2940.1934 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
svchost.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\lxdncoms.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\regsvr32.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\system32\taskeng.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSNA&bmod=TSNA
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [GFI Software Update] regsvr32.exe "C:\Users\Hayes\AppData\Local\GFI Software\SHFontParser.dll"
uRun: [Facebook Update] "C:\Users\Hayes\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
dRunOnce: [SPReview] "C:\windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{1310A805-172B-4F7C-8EB1-95252BC165FD} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{1310A805-172B-4F7C-8EB1-95252BC165FD}\B656C6C697 : DHCPNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [SmartFaceVWatcher] C:\Program Files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
x64-Run: [SBRegRebootCleaner] "C:\Program Files (x86)\GFI Software\VIPRE\SBRC.exe"
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2011-11-29 55280]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\drivers\tos_sps64.sys [2011-11-29 482384]
R1 A2DDA;A2 Direct Disk Access Support Driver;C:\EEK\Run\a2ddax64.sys [2014-4-5 26176]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFIWmxSvcs64.exe [2009-8-10 248688]
R2 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFProcSRVC.exe [2009-7-14 42368]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2009-3-10 46448]
R2 lxdn_device;lxdn_device;C:\windows\System32\lxdncoms.exe -service --> C:\windows\System32\lxdncoms.exe -service [?]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2009-8-11 252272]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
R3 FwLnk;FwLnk Driver;C:\windows\System32\drivers\FwLnk.sys [2011-11-29 9216]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2011-11-29 35008]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\System32\drivers\rtl8192se.sys [2010-4-26 1103904]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2011-11-29 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-8-3 137560]
R3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2013-3-18 54784]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-10-16 1817560]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-10-16 1033688]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-10-16 171928]
S3 cleanhlp;cleanhlp;C:\EEK\Run\cleanhlp64.sys [2014-4-5 57024]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2011-11-29 222208]
S3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2009-8-4 826224]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2011-12-7 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-12-5 1255736]
.
=============== Created Last 30 ================
.
2014-04-05 23:03:46 -------- d-----w- C:\FRST
2014-04-05 07:28:29 -------- d-----w- C:\windows\ERUNT
2014-04-05 07:13:36 -------- d-----w- C:\Users\Hayes\AppData\Local\CrashDumps
2014-04-05 07:02:50 -------- d-----w- C:\EEK
2014-04-04 18:38:01 -------- d-----w- C:\AdwCleaner
.
==================== Find3M  ====================
.
.
============= FINISH:  2:57:20.07 ===============
 


Edited by puterdude71, 06 April 2014 - 03:25 AM.


#3 puterdude71

Posted 06 April 2014 - 03:42 AM

oh and I will donate :wink:



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:33 AM

Posted 06 April 2014 - 05:53 AM





Hello puterdude71

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 puterdude71

Posted 06 April 2014 - 04:21 PM

Hi Gringo, nice to meet you. Here's the FRST.txt.

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Hayes (administrator) on HAYES-PC on 06-04-2014 16:16:45
Running from C:\Users\Hayes\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
( ) C:\windows\system32\lxdncoms.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Intel Corporation) C:\windows\system32\igfxsrvc.exe
(TOSHIBA Corporation) C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
(TOSHIBA Corporation) C:\Windows\system32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [X]
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [711000 2009-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-08-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] - C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [34648 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] - C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [595816 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] - C:\Program Files\TOSHIBA\TECO\Teco.exe [1482080 2009-08-11] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [SmoothView] - C:\Program Files\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] - C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [SBRegRebootCleaner] - "C:\Program Files (x86)\GFI Software\VIPRE\SBRC.exe"
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-29] (Realtek Semiconductor)
HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [909624 2009-08-05] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2446648 2009-08-11] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [ToshibaServiceStation] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1294136 2009-08-17] (TOSHIBA Corporation)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-01-20] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\.DEFAULT\...\RunOnce: [SPReview] - C:\windows\System32\SPReview\SPReview.exe [301568 2013-07-21] (Microsoft Corporation)
HKU\S-1-5-21-2184372166-3017526623-2338485473-1001\...\Run: [GFI Software Update] - regsvr32.exe "C:\Users\Hayes\AppData\Local\GFI Software\SHFontParser.dll"
HKU\S-1-5-21-2184372166-3017526623-2338485473-1001\...\Run: [Facebook Update] - "C:\Users\Hayes\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-2184372166-3017526623-2338485473-1001\...\Run: [Spybot-S&D Cleaning] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [3642312 2013-05-16] (Safer-Networking Ltd.)
HKU\S-1-5-21-2184372166-3017526623-2338485473-1001\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-11-12] (Google Inc.)
HKU\S-1-5-21-2184372166-3017526623-2338485473-1001\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\Hayes\AppData\Local\Temp\stersts\shosweb\wow.dll ATTENTION! ====> ZeroAccess?
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig?brand=TSNA&bmod=TSNA
SearchScopes: HKLM - DefaultScope {40F13AB9-DC39-45F4-983C-C95451CA63A3} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {40F13AB9-DC39-45F4-983C-C95451CA63A3} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM-x32 - {DE8620F1-2C5A-48F2-80D9-9C88BF0E7944} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKCU - DefaultScope {40F13AB9-DC39-45F4-983C-C95451CA63A3} URL =
SearchScopes: HKCU - {40F13AB9-DC39-45F4-983C-C95451CA63A3} URL =
SearchScopes: HKCU - {DE8620F1-2C5A-48F2-80D9-9C88BF0E7944} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKCU - {DE86C86C-77CF-40D9-A4C0-90D5910450E9} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA_enUS460US460
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR Extension: (Docs) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-21]
CHR Extension: (Google Drive) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-21]
CHR Extension: (YouTube) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-21]
CHR Extension: (Google Search) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-21]
CHR Extension: (No Name) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnjomjlkaenpngklfddmaodjljpjblk [2013-11-02]
CHR Extension: (Gmail) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-21]
CHR HKCU\...\Chrome\Extension: [fgnjomjlkaenpngklfddmaodjljpjblk] - C:\Users\Hayes\AppData\Local\CRE\fgnjomjlkaenpngklfddmaodjljpjblk.crx [2013-07-21]
CHR HKLM-x32\...\Chrome\Extension: [fgnjomjlkaenpngklfddmaodjljpjblk] - C:\Users\Hayes\AppData\Local\CRE\fgnjomjlkaenpngklfddmaodjljpjblk.crx [2013-07-21]

==================== Services (Whitelisted) =================

R2 lxdn_device; C:\windows\system32\lxdncoms.exe [1039872 2007-11-28] ( )
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R1 A2DDA; C:\EEK\RUN\a2ddax64.sys [26176 2014-04-05] (Emsisoft GmbH)
S3 cleanhlp; C:\EEK\Run\cleanhlp64.sys [57024 2014-04-05] (Emsisoft GmbH)
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-06 16:16 - 2014-04-06 16:16 - 00012597 _____ () C:\Users\Hayes\Downloads\FRST.txt
2014-04-06 02:57 - 2014-04-06 02:57 - 00011274 _____ () C:\Users\Hayes\Desktop\dds.txt
2014-04-06 02:57 - 2014-04-06 02:57 - 00008491 _____ () C:\Users\Hayes\Desktop\attach.txt
2014-04-05 23:54 - 2014-04-05 23:54 - 00688992 ____R (Swearware) C:\Users\Hayes\Desktop\dds.com
2014-04-05 19:19 - 2014-04-05 19:19 - 00388608 _____ (Trend Micro Inc.) C:\Users\Hayes\Downloads\HijackThis.exe
2014-04-05 19:03 - 2014-04-05 19:03 - 04139872 _____ (Kaspersky Lab ZAO) C:\Users\Hayes\Downloads\tdsskiller.exe
2014-04-05 18:11 - 2014-04-05 18:11 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Hayes\Downloads\mbar-1.07.0.1009.exe
2014-04-05 18:09 - 2014-04-05 18:09 - 05193579 _____ (Swearware) C:\Users\Hayes\Downloads\ComboFix.exe
2014-04-05 18:03 - 2014-04-06 16:16 - 00000000 ____D () C:\FRST
2014-04-05 18:03 - 2014-04-05 18:03 - 02157056 _____ (Farbar) C:\Users\Hayes\Downloads\FRST64.exe
2014-04-05 02:28 - 2014-04-05 02:28 - 00000000 ____D () C:\windows\ERUNT
2014-04-05 02:13 - 2014-04-05 02:36 - 00000000 ____D () C:\Users\Hayes\AppData\Local\CrashDumps
2014-04-05 02:02 - 2014-04-05 02:03 - 00000000 ____D () C:\EEK
2014-04-05 00:55 - 2014-04-05 00:55 - 01038974 _____ (Thisisu) C:\Users\Hayes\Downloads\JRT.exe
2014-04-05 00:49 - 2014-04-05 00:51 - 225609112 _____ () C:\Users\Hayes\Downloads\EmsisoftEmergencyKit.exe
2014-04-05 00:44 - 2014-04-05 00:44 - 10971424 _____ (SurfRight B.V.) C:\Users\Hayes\Downloads\HitmanPro_x64.exe
2014-04-05 00:36 - 2014-04-05 00:36 - 03972608 _____ () C:\Users\Hayes\Downloads\RogueKiller.exe
2014-04-04 13:38 - 2014-04-05 02:19 - 00000000 ____D () C:\AdwCleaner
2014-04-04 13:37 - 2014-04-04 13:37 - 01426178 _____ () C:\Users\Hayes\Downloads\AdwCleaner.exe
2014-04-04 13:22 - 2014-04-04 13:22 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Hayes\Downloads\rkill.exe
2014-04-04 12:52 - 2014-04-06 16:07 - 00000084 _____ () C:\windows\system32\mfckirj.dlh
2014-04-04 12:32 - 2014-04-04 12:32 - 00000064 _____ () C:\windows\system32\nfkasl.sbt
2014-04-04 12:32 - 2014-04-04 12:32 - 00000000 _____ () C:\windows\system32\nfpfdpe.hxa
2014-04-04 12:09 - 2014-04-04 12:09 - 00305834 ____S () C:\windows\system32\cnexj.wmc
2014-04-02 22:59 - 2014-04-02 22:59 - 00000000 ____H () C:\windows\system32\Drivers\Msft_Kernel_dc3d_01011.Wdf
2014-03-29 14:09 - 2014-03-29 14:09 - 00000750 _____ () C:\Users\Hayes\Documents\surefire tac.txt
2014-03-19 18:45 - 2014-03-28 20:17 - 00000617 _____ () C:\Users\Hayes\Documents\bookoo sellers.txt
2014-03-19 17:45 - 2014-03-19 17:45 - 00000201 _____ () C:\Users\Hayes\Documents\bookoo sale relist.txt
2014-03-08 15:06 - 2014-03-18 17:20 - 00000450 _____ () C:\Users\Hayes\Documents\tv parts stock.txt

==================== One Month Modified Files and Folders =======

2014-04-06 16:17 - 2014-04-06 16:16 - 00012597 _____ () C:\Users\Hayes\Downloads\FRST.txt
2014-04-06 16:16 - 2014-04-05 18:03 - 00000000 ____D () C:\FRST
2014-04-06 16:15 - 2009-07-14 00:13 - 00726444 _____ () C:\windows\system32\PerfStringBackup.INI
2014-04-06 16:10 - 2014-02-01 17:43 - 00004334 _____ () C:\windows\setupact.log
2014-04-06 16:10 - 2013-10-20 00:42 - 00000928 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2184372166-3017526623-2338485473-1001UA.job
2014-04-06 16:10 - 2011-11-29 16:48 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-06 16:10 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-04-06 16:07 - 2014-04-04 12:52 - 00000084 _____ () C:\windows\system32\mfckirj.dlh
2014-04-06 04:03 - 2011-11-29 22:36 - 01671551 _____ () C:\windows\WindowsUpdate.log
2014-04-06 03:55 - 2011-11-29 16:48 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-06 02:57 - 2014-04-06 02:57 - 00011274 _____ () C:\Users\Hayes\Desktop\dds.txt
2014-04-06 02:57 - 2014-04-06 02:57 - 00008491 _____ () C:\Users\Hayes\Desktop\attach.txt
2014-04-06 02:55 - 2009-07-13 23:45 - 00015792 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-06 02:55 - 2009-07-13 23:45 - 00015792 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-05 23:54 - 2014-04-05 23:54 - 00688992 ____R (Swearware) C:\Users\Hayes\Desktop\dds.com
2014-04-05 19:19 - 2014-04-05 19:19 - 00388608 _____ (Trend Micro Inc.) C:\Users\Hayes\Downloads\HijackThis.exe
2014-04-05 19:03 - 2014-04-05 19:03 - 04139872 _____ (Kaspersky Lab ZAO) C:\Users\Hayes\Downloads\tdsskiller.exe
2014-04-05 18:11 - 2014-04-05 18:11 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Hayes\Downloads\mbar-1.07.0.1009.exe
2014-04-05 18:09 - 2014-04-05 18:09 - 05193579 _____ (Swearware) C:\Users\Hayes\Downloads\ComboFix.exe
2014-04-05 18:03 - 2014-04-05 18:03 - 02157056 _____ (Farbar) C:\Users\Hayes\Downloads\FRST64.exe
2014-04-05 02:36 - 2014-04-05 02:13 - 00000000 ____D () C:\Users\Hayes\AppData\Local\CrashDumps
2014-04-05 02:28 - 2014-04-05 02:28 - 00000000 ____D () C:\windows\ERUNT
2014-04-05 02:19 - 2014-04-04 13:38 - 00000000 ____D () C:\AdwCleaner
2014-04-05 02:03 - 2014-04-05 02:02 - 00000000 ____D () C:\EEK
2014-04-05 00:55 - 2014-04-05 00:55 - 01038974 _____ (Thisisu) C:\Users\Hayes\Downloads\JRT.exe
2014-04-05 00:51 - 2014-04-05 00:49 - 225609112 _____ () C:\Users\Hayes\Downloads\EmsisoftEmergencyKit.exe
2014-04-05 00:44 - 2014-04-05 00:44 - 10971424 _____ (SurfRight B.V.) C:\Users\Hayes\Downloads\HitmanPro_x64.exe
2014-04-05 00:36 - 2014-04-05 00:36 - 03972608 _____ () C:\Users\Hayes\Downloads\RogueKiller.exe
2014-04-04 13:44 - 2009-11-12 21:44 - 00298716 _____ () C:\windows\PFRO.log
2014-04-04 13:37 - 2014-04-04 13:37 - 01426178 _____ () C:\Users\Hayes\Downloads\AdwCleaner.exe
2014-04-04 13:22 - 2014-04-04 13:22 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Hayes\Downloads\rkill.exe
2014-04-04 12:32 - 2014-04-04 12:32 - 00000064 _____ () C:\windows\system32\nfkasl.sbt
2014-04-04 12:32 - 2014-04-04 12:32 - 00000000 _____ () C:\windows\system32\nfpfdpe.hxa
2014-04-04 12:09 - 2014-04-04 12:09 - 00305834 ____S () C:\windows\system32\cnexj.wmc
2014-04-04 12:09 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\system32\sysprep
2014-04-04 11:55 - 2013-07-23 22:12 - 00031368 _____ () C:\Users\Hayes\Documents\bookoo sale.txt
2014-04-04 00:10 - 2013-10-20 00:41 - 00000906 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2184372166-3017526623-2338485473-1001Core.job
2014-04-02 22:59 - 2014-04-02 22:59 - 00000000 ____H () C:\windows\system32\Drivers\Msft_Kernel_dc3d_01011.Wdf
2014-04-01 14:50 - 2011-11-29 16:48 - 00003894 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-04-01 14:50 - 2011-11-29 16:48 - 00003642 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-31 16:55 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\system32\NDF
2014-03-29 14:09 - 2014-03-29 14:09 - 00000750 _____ () C:\Users\Hayes\Documents\surefire tac.txt
2014-03-28 20:17 - 2014-03-19 18:45 - 00000617 _____ () C:\Users\Hayes\Documents\bookoo sellers.txt
2014-03-26 21:12 - 2011-11-29 16:41 - 00000000 ____D () C:\Users\Hayes\AppData\Local\Google
2014-03-19 17:45 - 2014-03-19 17:45 - 00000201 _____ () C:\Users\Hayes\Documents\bookoo sale relist.txt
2014-03-18 17:20 - 2014-03-08 15:06 - 00000450 _____ () C:\Users\Hayes\Documents\tv parts stock.txt

Alureon:
C:\Users\Hayes\AppData\Local\Temp\stersts\shosweb\wow.dll

Files to move or delete:
====================
C:\Users\Hayes\alg.exe
C:\Users\Hayes\icq.exe

Some content of TEMP:
====================
C:\Users\Hayes\AppData\Local\Temp\Quarantine.exe
C:\Users\Hayes\AppData\Local\Temp\sqlite3.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2011-12-07 00:17] - [2010-11-20 08:27] - 0520192 ____A (Microsoft Corporation) 16BAE89B956C59DDC7A6134263B04060

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Windows\system64

LastRegBack: 2014-03-30 03:26

==================== End Of Log ============================



#6 puterdude71 (Topic Starter)

Posted 06 April 2014 - 04:40 PM

Sorry gringo, but I do not see an Addition.txt, maybe because I've run this tool before? And another question: do I run all these tools and test in normal mode or safe mode? Thank you.



#7 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 April 2014 - 07:46 AM


Please read these steps thoroughly before proceeding.

Download Malwarebytes Anti-Rootkit (MBAR) from here http://downloads.malwarebytes.org/file/mbar and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page.
• Caution: This is a beta version, so please be sure to read the disclaimer and back up any important data before using.
• Double-click on the MBAR file you downloaded.
• Approve the UAC prompt in Vista and newer operating systems.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
• By default, this will be on your desktop, though you can choose another location if you wish. We advise using the default location for simplicity.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click 'Next' if you agree.
• On the Update Database screen, click on the 'Update' button.
• Once you see 'Success: Database was successfully updated', click on 'Next'.
• Click the 'Scan' button.

A. With some infections, you may see two message boxes.
1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

Please monitor the scan. If during the scan you see a message that says this:
"could not be remediated because backup file is not available"

Do NOT click Cleanup when it becomes available, but rather click Exit, and provide the same logs as requested below.

• If malware is found, click the 'Cleanup' button, with the above-mentioned exception.

Once the system restore point is created and the cleanup is scheduled, a 'Reboot required' message will appear.
Click 'Yes' and allow the computer to reboot.

Once back in Windows, run mbar.exe once again to ensure all previously detected items have been removed and no additional threats are found.

Please send all logs which were generated.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 puterdude71 (Topic Starter)

Posted 07 April 2014 - 10:17 AM

After two malware items were found I hit Cleanup; it was cleaned, but I never got a "reboot required" option, so I rebooted manually myself. And you never answered my previous question: do I run all these tools and test in normal mode or safe mode? Thank you.


Edited by puterdude71, 07 April 2014 - 10:39 AM.


#9 puterdude71 (Topic Starter)

Posted 07 April 2014 - 10:47 AM

I hope this is the log you're looking for; I believe it was from the first scan. You will have to excuse me, as I'm not very savvy when it comes to logs, scripts, code.

And if it means anything, the background audio ads are still playing and slowing everything down.

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.04.07.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Hayes :: HAYES-PC [administrator]

4/7/2014 9:20:51 AM
mbar-log-2014-04-07 (09-20-51).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 242558
Time elapsed: 22 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume2\Users\Hayes\AppData\Local\Temp\stersts\shosweb\wow.dll) Good: (SHELL32.dll) -> Replace on reboot.

Folders Detected: 1
C:\Windows\system64 (Trojan.0Access) -> Delete on reboot.

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)



#10 puterdude71 (Topic Starter)

Posted 07 April 2014 - 11:25 AM

Log for the second scan after the manual reboot; the background audio ads are still playing and slowing everything down.

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.04.07.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Hayes :: HAYES-PC [administrator]

4/7/2014 10:50:06 AM
mbar-log-2014-04-07 (10-50-06).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 242608
Time elapsed: 22 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)



#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 April 2014 - 12:33 PM

OK, rerun FRST for me and send me the new report.

I need to see it just in case something changed before making a fix.


gringo

#12 puterdude71 (Topic Starter)

Posted 07 April 2014 - 01:05 PM

OK, here is the rerun FRST log.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Hayes (administrator) on HAYES-PC on 07-04-2014 13:02:07
Running from C:\Users\Hayes\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\windows\system32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
( ) C:\windows\system32\lxdncoms.exe
(TOSHIBA Corporation) C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
(TOSHIBA Corporation) C:\Windows\system32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [X]
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [711000 2009-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-08-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] - C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [34648 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] - C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [595816 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] - C:\Program Files\TOSHIBA\TECO\Teco.exe [1482080 2009-08-11] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [SmoothView] - C:\Program Files\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] - C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [SBRegRebootCleaner] - "C:\Program Files (x86)\GFI Software\VIPRE\SBRC.exe"
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-29] (Realtek Semiconductor)
HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [909624 2009-08-05] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2446648 2009-08-11] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [ToshibaServiceStation] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1294136 2009-08-17] (TOSHIBA Corporation)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-01-20] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\.DEFAULT\...\RunOnce: [SPReview] - C:\windows\System32\SPReview\SPReview.exe [301568 2013-07-21] (Microsoft Corporation)
HKU\S-1-5-21-2184372166-3017526623-2338485473-1001\...\Run: [GFI Software Update] - regsvr32.exe "C:\Users\Hayes\AppData\Local\GFI Software\SHFontParser.dll"
HKU\S-1-5-21-2184372166-3017526623-2338485473-1001\...\Run: [Facebook Update] - "C:\Users\Hayes\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-2184372166-3017526623-2338485473-1001\...\Run: [Spybot-S&D Cleaning] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [3642312 2013-05-16] (Safer-Networking Ltd.)
HKU\S-1-5-21-2184372166-3017526623-2338485473-1001\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-11-12] (Google Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig?brand=TSNA&bmod=TSNA
SearchScopes: HKLM - DefaultScope {40F13AB9-DC39-45F4-983C-C95451CA63A3} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {40F13AB9-DC39-45F4-983C-C95451CA63A3} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM-x32 - {DE8620F1-2C5A-48F2-80D9-9C88BF0E7944} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKCU - DefaultScope {40F13AB9-DC39-45F4-983C-C95451CA63A3} URL =
SearchScopes: HKCU - {40F13AB9-DC39-45F4-983C-C95451CA63A3} URL =
SearchScopes: HKCU - {DE8620F1-2C5A-48F2-80D9-9C88BF0E7944} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKCU - {DE86C86C-77CF-40D9-A4C0-90D5910450E9} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA_enUS460US460
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR Extension: (Docs) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-21]
CHR Extension: (Google Drive) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-21]
CHR Extension: (YouTube) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-21]
CHR Extension: (Google Search) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-21]
CHR Extension: (No Name) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgnjomjlkaenpngklfddmaodjljpjblk [2013-11-02]
CHR Extension: (Gmail) - C:\Users\Hayes\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-21]
CHR HKCU\...\Chrome\Extension: [fgnjomjlkaenpngklfddmaodjljpjblk] - C:\Users\Hayes\AppData\Local\CRE\fgnjomjlkaenpngklfddmaodjljpjblk.crx [2013-07-21]
CHR HKLM-x32\...\Chrome\Extension: [fgnjomjlkaenpngklfddmaodjljpjblk] - C:\Users\Hayes\AppData\Local\CRE\fgnjomjlkaenpngklfddmaodjljpjblk.crx [2013-07-21]

==================== Services (Whitelisted) =================

R2 lxdn_device; C:\windows\system32\lxdncoms.exe [1039872 2007-11-28] ( )
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R1 A2DDA; C:\EEK\RUN\a2ddax64.sys [26176 2014-04-05] (Emsisoft GmbH)
S3 cleanhlp; C:\EEK\Run\cleanhlp64.sys [57024 2014-04-05] (Emsisoft GmbH)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [119000 2014-04-07] (Malwarebytes Corporation)
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-07 09:20 - 2014-04-07 11:18 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-04-07 09:20 - 2014-04-07 10:50 - 00119000 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-07 09:18 - 2014-04-07 11:19 - 00000000 ____D () C:\Users\Hayes\Desktop\mbar
2014-04-07 09:18 - 2014-04-07 10:49 - 00091352 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-04-06 16:35 - 2014-04-07 13:02 - 00012662 _____ () C:\Users\Hayes\Downloads\FRST.txt
2014-04-06 16:34 - 2014-04-06 16:34 - 02157056 _____ (Farbar) C:\Users\Hayes\Downloads\FRST64.exe
2014-04-06 02:57 - 2014-04-06 02:57 - 00011274 _____ () C:\Users\Hayes\Desktop\dds.txt
2014-04-06 02:57 - 2014-04-06 02:57 - 00008491 _____ () C:\Users\Hayes\Desktop\attach.txt
2014-04-05 23:54 - 2014-04-05 23:54 - 00688992 ____R (Swearware) C:\Users\Hayes\Desktop\dds.com
2014-04-05 19:19 - 2014-04-05 19:19 - 00388608 _____ (Trend Micro Inc.) C:\Users\Hayes\Downloads\HijackThis.exe
2014-04-05 19:03 - 2014-04-05 19:03 - 04139872 _____ (Kaspersky Lab ZAO) C:\Users\Hayes\Downloads\tdsskiller.exe
2014-04-05 18:11 - 2014-04-05 18:11 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Hayes\Downloads\mbar-1.07.0.1009.exe
2014-04-05 18:09 - 2014-04-05 18:09 - 05193579 _____ (Swearware) C:\Users\Hayes\Downloads\ComboFix.exe
2014-04-05 18:03 - 2014-04-07 13:02 - 00000000 ____D () C:\FRST
2014-04-05 02:28 - 2014-04-05 02:28 - 00000000 ____D () C:\windows\ERUNT
2014-04-05 02:13 - 2014-04-05 02:36 - 00000000 ____D () C:\Users\Hayes\AppData\Local\CrashDumps
2014-04-05 02:02 - 2014-04-05 02:03 - 00000000 ____D () C:\EEK
2014-04-05 00:55 - 2014-04-05 00:55 - 01038974 _____ (Thisisu) C:\Users\Hayes\Downloads\JRT.exe
2014-04-05 00:49 - 2014-04-05 00:51 - 225609112 _____ () C:\Users\Hayes\Downloads\EmsisoftEmergencyKit.exe
2014-04-05 00:44 - 2014-04-05 00:44 - 10971424 _____ (SurfRight B.V.) C:\Users\Hayes\Downloads\HitmanPro_x64.exe
2014-04-05 00:36 - 2014-04-05 00:36 - 03972608 _____ () C:\Users\Hayes\Downloads\RogueKiller.exe
2014-04-04 13:38 - 2014-04-05 02:19 - 00000000 ____D () C:\AdwCleaner
2014-04-04 13:37 - 2014-04-04 13:37 - 01426178 _____ () C:\Users\Hayes\Downloads\AdwCleaner.exe
2014-04-04 13:22 - 2014-04-04 13:22 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Hayes\Downloads\rkill.exe
2014-04-04 12:52 - 2014-04-07 12:40 - 00000080 _____ () C:\windows\system32\mfckirj.dlh
2014-04-04 12:32 - 2014-04-04 12:32 - 00000064 _____ () C:\windows\system32\nfkasl.sbt
2014-04-04 12:32 - 2014-04-04 12:32 - 00000000 _____ () C:\windows\system32\nfpfdpe.hxa
2014-04-04 12:09 - 2014-04-04 12:09 - 00305834 ____S () C:\windows\system32\cnexj.wmc
2014-04-02 22:59 - 2014-04-02 22:59 - 00000000 ____H () C:\windows\system32\Drivers\Msft_Kernel_dc3d_01011.Wdf
2014-03-29 14:09 - 2014-03-29 14:09 - 00000750 _____ () C:\Users\Hayes\Documents\surefire tac.txt
2014-03-19 18:45 - 2014-03-28 20:17 - 00000617 _____ () C:\Users\Hayes\Documents\bookoo sellers.txt
2014-03-19 17:45 - 2014-03-19 17:45 - 00000201 _____ () C:\Users\Hayes\Documents\bookoo sale relist.txt
2014-03-08 15:06 - 2014-03-18 17:20 - 00000450 _____ () C:\Users\Hayes\Documents\tv parts stock.txt

==================== One Month Modified Files and Folders =======

2014-04-07 13:02 - 2014-04-06 16:35 - 00012662 _____ () C:\Users\Hayes\Downloads\FRST.txt
2014-04-07 13:02 - 2014-04-05 18:03 - 00000000 ____D () C:\FRST
2014-04-07 12:55 - 2011-11-29 16:48 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-07 12:40 - 2014-04-04 12:52 - 00000080 _____ () C:\windows\system32\mfckirj.dlh
2014-04-07 12:10 - 2013-10-20 00:42 - 00000928 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2184372166-3017526623-2338485473-1001UA.job
2014-04-07 11:19 - 2014-04-07 09:18 - 00000000 ____D () C:\Users\Hayes\Desktop\mbar
2014-04-07 11:18 - 2014-04-07 09:20 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-04-07 10:50 - 2014-04-07 09:20 - 00119000 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-07 10:49 - 2014-04-07 09:18 - 00091352 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-04-07 10:29 - 2009-07-13 23:45 - 00015792 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-07 10:29 - 2009-07-13 23:45 - 00015792 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-07 10:26 - 2009-07-14 00:13 - 00726444 _____ () C:\windows\system32\PerfStringBackup.INI
2014-04-07 10:25 - 2011-11-29 22:36 - 01675668 _____ () C:\windows\WindowsUpdate.log
2014-04-07 10:21 - 2014-02-01 17:43 - 00004390 _____ () C:\windows\setupact.log
2014-04-07 10:21 - 2011-11-29 16:48 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-07 10:21 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-04-07 00:10 - 2013-10-20 00:41 - 00000906 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2184372166-3017526623-2338485473-1001Core.job
2014-04-06 16:34 - 2014-04-06 16:34 - 02157056 _____ (Farbar) C:\Users\Hayes\Downloads\FRST64.exe
2014-04-06 02:57 - 2014-04-06 02:57 - 00011274 _____ () C:\Users\Hayes\Desktop\dds.txt
2014-04-06 02:57 - 2014-04-06 02:57 - 00008491 _____ () C:\Users\Hayes\Desktop\attach.txt
2014-04-05 23:54 - 2014-04-05 23:54 - 00688992 ____R (Swearware) C:\Users\Hayes\Desktop\dds.com
2014-04-05 19:19 - 2014-04-05 19:19 - 00388608 _____ (Trend Micro Inc.) C:\Users\Hayes\Downloads\HijackThis.exe
2014-04-05 19:03 - 2014-04-05 19:03 - 04139872 _____ (Kaspersky Lab ZAO) C:\Users\Hayes\Downloads\tdsskiller.exe
2014-04-05 18:11 - 2014-04-05 18:11 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Hayes\Downloads\mbar-1.07.0.1009.exe
2014-04-05 18:09 - 2014-04-05 18:09 - 05193579 _____ (Swearware) C:\Users\Hayes\Downloads\ComboFix.exe
2014-04-05 02:36 - 2014-04-05 02:13 - 00000000 ____D () C:\Users\Hayes\AppData\Local\CrashDumps
2014-04-05 02:28 - 2014-04-05 02:28 - 00000000 ____D () C:\windows\ERUNT
2014-04-05 02:19 - 2014-04-04 13:38 - 00000000 ____D () C:\AdwCleaner
2014-04-05 02:03 - 2014-04-05 02:02 - 00000000 ____D () C:\EEK
2014-04-05 00:55 - 2014-04-05 00:55 - 01038974 _____ (Thisisu) C:\Users\Hayes\Downloads\JRT.exe
2014-04-05 00:51 - 2014-04-05 00:49 - 225609112 _____ () C:\Users\Hayes\Downloads\EmsisoftEmergencyKit.exe
2014-04-05 00:44 - 2014-04-05 00:44 - 10971424 _____ (SurfRight B.V.) C:\Users\Hayes\Downloads\HitmanPro_x64.exe
2014-04-05 00:36 - 2014-04-05 00:36 - 03972608 _____ () C:\Users\Hayes\Downloads\RogueKiller.exe
2014-04-04 13:44 - 2009-11-12 21:44 - 00298716 _____ () C:\windows\PFRO.log
2014-04-04 13:37 - 2014-04-04 13:37 - 01426178 _____ () C:\Users\Hayes\Downloads\AdwCleaner.exe
2014-04-04 13:22 - 2014-04-04 13:22 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Hayes\Downloads\rkill.exe
2014-04-04 12:32 - 2014-04-04 12:32 - 00000064 _____ () C:\windows\system32\nfkasl.sbt
2014-04-04 12:32 - 2014-04-04 12:32 - 00000000 _____ () C:\windows\system32\nfpfdpe.hxa
2014-04-04 12:09 - 2014-04-04 12:09 - 00305834 ____S () C:\windows\system32\cnexj.wmc
2014-04-04 12:09 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\system32\sysprep
2014-04-04 11:55 - 2013-07-23 22:12 - 00031368 _____ () C:\Users\Hayes\Documents\bookoo sale.txt
2014-04-02 22:59 - 2014-04-02 22:59 - 00000000 ____H () C:\windows\system32\Drivers\Msft_Kernel_dc3d_01011.Wdf
2014-04-01 14:50 - 2011-11-29 16:48 - 00003894 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-04-01 14:50 - 2011-11-29 16:48 - 00003642 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-31 16:55 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\system32\NDF
2014-03-29 14:09 - 2014-03-29 14:09 - 00000750 _____ () C:\Users\Hayes\Documents\surefire tac.txt
2014-03-28 20:17 - 2014-03-19 18:45 - 00000617 _____ () C:\Users\Hayes\Documents\bookoo sellers.txt
2014-03-26 21:12 - 2011-11-29 16:41 - 00000000 ____D () C:\Users\Hayes\AppData\Local\Google
2014-03-19 17:45 - 2014-03-19 17:45 - 00000201 _____ () C:\Users\Hayes\Documents\bookoo sale relist.txt
2014-03-18 17:20 - 2014-03-08 15:06 - 00000450 _____ () C:\Users\Hayes\Documents\tv parts stock.txt

Alureon:
C:\Users\Hayes\AppData\Local\Temp\stersts\shosweb\wow.dll

Files to move or delete:
====================
C:\Users\Hayes\alg.exe
C:\Users\Hayes\icq.exe

Some content of TEMP:
====================
C:\Users\Hayes\AppData\Local\Temp\Quarantine.exe
C:\Users\Hayes\AppData\Local\Temp\sqlite3.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2011-12-07 00:17] - [2010-11-20 08:27] - 0520192 ____A (Microsoft Corporation) 16BAE89B956C59DDC7A6134263B04060

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-03-30 03:26

==================== End Of Log ============================



#13 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:33 AM

Posted 07 April 2014 - 01:17 PM


Hello puterdude71

Ok, let's see if we can find a replacement for the infected file.

Run FRST like you did before.

Type the following in the edit box after "Search:".

rpcss.dll

It then should look like:

Search: rpcss.dll

Click Search button and post the log (Search.txt) it makes to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 puterdude71

  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:louisiana
  • Local time:12:33 AM

Posted 07 April 2014 - 01:36 PM

Ok Gringo, here's the Search.txt:

Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Hayes at 2014-04-07 13:24:12
Running from C:\Users\Hayes\Downloads
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2011-12-07 00:17] - [2010-11-20 08:27] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\System32\rpcss.dll
[2011-12-07 00:17] - [2010-11-20 08:27] - 0520192 ____A (Microsoft Corporation) 16BAE89B956C59DDC7A6134263B04060

====== End Of Search ======
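The two hashes above show the System32 copy of rpcss.dll differing in both size and MD5 from the copy held in the WinSxS component store, which is the comparison FRST's "Google the MD5" note asks the analyst to make by hand. As an added example (not part of this thread, and not code from FRST or its author), the following Python script automates that check: it hashes a live file and every same-named copy under a component-store directory and flags the file when no stored copy matches. The `demo()` function builds a constructed layout in a temporary directory instead of touching a real Windows install; the folder name, file contents and sizes in it are assumptions.

```python
"""Compare a live Windows system file against the copies kept in the WinSxS
component store.  A live file whose hash matches no stored copy is flagged
for follow-up.  Added example; the paths and contents in demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="md5"):
    """Return the hex digest of a file, uppercase to match FRST's log format."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def store_copies(store_root, filename):
    """Every file called `filename` anywhere under the component store."""
    return sorted(p for p in Path(store_root).rglob(filename) if p.is_file())


def check_against_store(live_path, store_root):
    """Hash the live file and report which stored copies, if any, match it."""
    live = Path(live_path)
    live_md5 = hash_file(live)
    copies = store_copies(store_root, live.name)
    matching = [str(p) for p in copies if hash_file(p) == live_md5]
    return {
        "file": str(live),
        "size": live.stat().st_size,
        "md5": live_md5,
        "store_copies": len(copies),
        "matching_copies": matching,
        # Only suspicious when the store holds copies and none of them match;
        # with no stored copy at all there is nothing to compare against.
        "suspicious": bool(copies) and not matching,
    }


def demo():
    """Constructed layout (not a real Windows tree): one file whose store copy
    matches, and one 'patched' file whose System32 copy carries extra bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp, "System32")
        # Hypothetical store folder name, modelled on the winsxs naming scheme.
        store = Path(tmp, "winsxs", "amd64_example-component_none")
        sys32.mkdir()
        store.mkdir(parents=True)
        clean = b"MZ" + b"\x00" * 510       # constructed stand-in for a PE image
        patched = clean + b"\x90" * 16      # constructed: same image with bytes appended

        (store / "rpcss.dll").write_bytes(clean)
        (sys32 / "rpcss.dll").write_bytes(patched)   # live copy differs from the store
        (store / "volsnap.sys").write_bytes(clean)
        (sys32 / "volsnap.sys").write_bytes(clean)   # live copy identical to the store

        return {
            "rpcss.dll": check_against_store(sys32 / "rpcss.dll", Path(tmp, "winsxs")),
            "volsnap.sys": check_against_store(sys32 / "volsnap.sys", Path(tmp, "winsxs")),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        status = "no matching store copy, investigate" if result["suspicious"] else "matches a store copy"
        print(f"{name}: {result['md5']} ({result['size']} bytes) -> {status}")
```

On a real machine the call is `check_against_store(r"C:\Windows\System32\rpcss.dll", r"C:\Windows\winsxs")` from an elevated prompt (walking winsxs takes a while). Treat a mismatch as a lead rather than proof: after a servicing update the store can hold an older build than System32, so confirm with the file's publisher signature or `sfc /scannow` before replacing anything.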



#15 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:33 AM

Posted 07 April 2014 - 06:38 PM

Hello puterdude71



I need you to download this script I have made for you: Attached File fixlist.txt (974 bytes)

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo



