
rpcss.dll trojan and Windows 7 black screen of death issues


  • This topic is locked
19 replies to this topic

#1 brbonn


  • Members
  • 10 posts

Posted 08 April 2014 - 08:50 PM

Saw a post from swpickle regarding ad noises from speakers. I recently had the same issue on my laptop. Ran a scan with Malwarebytes and it quarantined an rpcss.dll trojan. When it prompted for a reboot I did, and now I am stuck in "black screen with cursor" hell. Can't boot in safe mode, etc.; everything ends at a black screen.

 

I found a similar topic:

 

http://www.bleepingcomputer.com/forums/t/522754/radio-virus-rpcssdll-now-win7-black-screen-of-death/

 

and tried to follow in his footsteps (down to the French Windows ISO) but still can't seem to get the laptop running. Tried a new copy of rpcss.dll, changing permissions, etc., but still no love. I'm hoping that if anyone can help swpickle maybe they can help me as well.





#2 TB-Psychotic


  • Malware Response Team
  • 6,349 posts

Posted 09 April 2014 - 03:47 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.
Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 
  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt



Please attach this file to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 brbonn

  • Topic Starter

  • Members
  • 10 posts

Posted 09 April 2014 - 07:30 PM

Hi Marius.

 

I cannot boot the affected computer in any mode without going into the black screen with cursor. Yesterday, before I posted here, I created a bootable thumb drive with a Windows ISO on my desktop, used this to boot the laptop and ran FRST. Please let me know if this was the wrong thing to do or if I need to take other actions. This is the text from the log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by SYSTEM on MININT-5DROC0R on 05-04-2014 19:13:11
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [X]
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12446824 2012-01-31] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2867984 2011-12-22] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-09-22] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [989056 2011-12-13] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] - C:\Program Files\TOSHIBA\TECO\Teco.exe [1548208 2011-11-24] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-11-25] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] - C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] - C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] - C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] - C:\Windows\System32\LogiLDA.dll [1832760 2012-09-20] (Logitech, Inc.)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-05] (Intel Corporation)
HKLM-x32\...\Run: [ToshibaServiceStation] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1298816 2011-07-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] - C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe [3218864 2011-06-22] (Toshiba)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2539544 2014-03-13] ()
HKLM-x32\...\Run: [BrowserSafeguard] - "C:\Program Files (x86)\Browsersafeguard\BrowserSafeguard.exe"
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Brian\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-06-03] (Google Inc.)
HKU\Brian\...\Run: [Steam] - C:\Program Files (x86)\Steam\Steam.exe [1821888 2014-02-25] (Valve Corporation)
HKU\Brian\...\Run: [Overwolf] - C:\Program Files (x86)\Overwolf\Overwolf.exe -silent

==================== Services (Whitelisted) =================

S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-01-20] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-01-20] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-04-03] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [857912 2014-04-03] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [289256 2014-01-15] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S2 NAT; C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\NAT.exe [232424 2013-10-11] (Symantec Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2013-11-01] (PasswordBox, Inc.)
S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.38\ccSvcHst.exe [126392 2011-11-30] (Symantec Corporation)
S2 vToolbarUpdater18.0.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [1759768 2014-03-02] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

S1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [50976 2014-03-02] (AVG Technologies)
S1 ccSet_NAT; C:\Windows\system32\drivers\NATx64\010A000.009\ccSetx64.sys [150104 2013-07-29] (Symantec Corporation)
S3 hitmanpro37; C:\windows\system32\drivers\hitmanpro37.sys [32512 2014-04-05] ()
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2014-04-03] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63192 2014-04-03] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-24] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 SmbDrv; C:\Windows\System32\DRIVERS\Smb_driver.sys [21264 2011-12-22] (Synaptics Incorporated)
S3 YMIDUSBW; C:\Windows\System32\drivers\ymidusbx64.sys [51016 2011-11-01] (Yamaha Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-05 19:12 - 2014-04-05 19:13 - 00000000 ____D () C:\FRST
2014-04-05 13:19 - 2014-04-05 13:19 - 00032512 _____ () C:\Windows\System32\Drivers\hitmanpro37.sys
2014-04-05 13:17 - 2014-04-05 13:17 - 00019848 _____ () C:\Users\Brian\Desktop\address.txt
2014-04-05 13:16 - 2014-04-05 13:16 - 00031714 _____ () C:\Windows\System32\.crusader
2014-04-05 12:20 - 2014-04-05 12:42 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-04-05 12:19 - 2014-04-05 12:19 - 00001113 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-05 12:19 - 2014-04-05 12:19 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-05 12:19 - 2014-04-05 12:19 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-05 12:19 - 2014-04-03 05:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-04-05 12:19 - 2014-04-03 05:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys
2014-04-05 12:19 - 2014-04-03 05:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-04-05 09:37 - 2014-04-05 09:28 - 00395776 _____ (Microsoft Corporation) C:\Windows\System32\rpcss.dll
2014-04-02 19:00 - 2014-04-05 12:51 - 00000080 _____ () C:\Windows\System32\gzvhy.oty
2014-04-02 18:50 - 2014-04-02 18:50 - 00000064 _____ () C:\Windows\System32\gzeetwx.bgv
2014-04-02 18:50 - 2014-04-02 18:50 - 00000000 _____ () C:\Windows\System32\awoiel.duo
2014-04-02 18:37 - 2014-04-02 18:37 - 00000000 ____D () C:\Users\Brian\AppData\Local\{9F346398-99B6-4CA3-BE3A-54AF0A1E4F6E}
2014-04-02 18:34 - 2014-04-02 18:34 - 00299344 ____S () C:\Windows\System32\jxzstmh.gfx
2014-04-02 06:22 - 2014-04-02 06:23 - 00000000 ____D () C:\Users\Brian\AppData\Local\{B9C147DA-D452-4577-84FD-2640FA8821C5}
2014-03-21 14:05 - 2014-03-21 14:05 - 00000000 ____D () C:\Users\Brian\AppData\Local\{F5D1B586-1C29-466B-8FBD-A28DC59B379F}
2014-03-17 19:37 - 2014-03-17 19:37 - 00000000 ____D () C:\Users\Brian\AppData\Local\{4AEE25D3-2639-4A02-926E-AC9211C97FCF}
2014-03-11 23:46 - 2014-02-28 22:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-03-11 23:46 - 2014-02-28 21:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-03-11 23:46 - 2014-02-28 21:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollectorres.dll
2014-03-11 23:46 - 2014-02-28 20:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-03-11 23:46 - 2014-02-28 20:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-03-11 23:46 - 2014-02-28 20:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\ieetwproxystub.dll
2014-03-11 23:46 - 2014-02-28 20:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-03-11 23:46 - 2014-02-28 20:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-03-11 23:46 - 2014-02-28 20:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-03-11 23:46 - 2014-02-28 20:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2014-03-11 23:46 - 2014-02-28 20:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
2014-03-11 23:46 - 2014-02-28 20:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\System32\jscript9diag.dll
2014-03-11 23:46 - 2014-02-28 20:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-11 23:46 - 2014-02-28 20:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-11 23:46 - 2014-02-28 20:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-03-11 23:46 - 2014-02-28 20:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-11 23:46 - 2014-02-28 20:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-03-11 23:46 - 2014-02-28 19:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-03-11 23:46 - 2014-02-28 19:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-11 23:46 - 2014-02-28 19:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-11 23:46 - 2014-02-28 19:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-11 23:46 - 2014-02-28 19:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-11 23:46 - 2014-02-28 19:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-11 23:46 - 2014-02-28 19:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-03-11 23:46 - 2014-02-28 19:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-11 23:46 - 2014-02-28 19:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-11 23:46 - 2014-02-28 19:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-11 23:46 - 2014-02-28 19:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-03-11 23:46 - 2014-02-28 19:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-03-11 23:46 - 2014-02-28 19:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-11 23:46 - 2014-02-28 19:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-11 23:46 - 2014-02-28 19:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-03-11 23:46 - 2014-02-28 19:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-11 23:46 - 2014-02-28 19:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-11 23:46 - 2014-02-28 18:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-11 23:46 - 2014-02-28 18:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-03-11 23:46 - 2014-02-28 18:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-11 23:46 - 2014-02-28 18:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-11 23:46 - 2014-02-28 18:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2014-03-11 23:46 - 2014-02-28 18:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-11 23:46 - 2014-02-06 17:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-03-11 23:46 - 2014-01-28 18:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\System32\wer.dll
2014-03-11 23:46 - 2014-01-28 18:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-11 23:46 - 2014-01-27 18:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2014-03-11 23:45 - 2014-02-03 18:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2014-03-11 23:45 - 2014-02-03 18:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2014-03-11 23:45 - 2014-02-03 18:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-03-11 23:45 - 2014-02-03 18:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-07 09:10 - 2014-03-07 09:14 - 00001311 _____ () C:\Users\Brian\Desktop\SnippingTool.lnk
2014-03-07 09:08 - 2014-03-07 09:08 - 00001272 _____ () C:\Users\Brian\Desktop\Snipping Tool.lnk

==================== One Month Modified Files and Folders =======

2014-04-05 19:13 - 2014-04-05 19:12 - 00000000 ____D () C:\FRST
2014-04-05 13:40 - 2013-12-16 18:33 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-04-05 13:19 - 2014-04-05 13:19 - 00032512 _____ () C:\Windows\System32\Drivers\hitmanpro37.sys
2014-04-05 13:19 - 2010-11-20 19:47 - 00825282 _____ () C:\Windows\PFRO.log
2014-04-05 13:18 - 2012-06-03 21:37 - 01542357 _____ () C:\Windows\WindowsUpdate.log
2014-04-05 13:17 - 2014-04-05 13:17 - 00019848 _____ () C:\Users\Brian\Desktop\address.txt
2014-04-05 13:16 - 2014-04-05 13:16 - 00031714 _____ () C:\Windows\System32\.crusader
2014-04-05 13:01 - 2012-06-03 22:25 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-05 12:51 - 2014-04-02 19:00 - 00000080 _____ () C:\Windows\System32\gzvhy.oty
2014-04-05 12:48 - 2009-07-13 21:13 - 00783360 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-05 12:48 - 2009-07-13 20:45 - 00024608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-05 12:48 - 2009-07-13 20:45 - 00024608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-05 12:42 - 2014-04-05 12:20 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-04-05 12:42 - 2013-07-09 08:23 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-04-05 12:42 - 2012-06-03 22:25 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-05 12:42 - 2012-06-03 21:43 - 00000828 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2014-04-05 12:41 - 2013-08-20 17:21 - 00000436 _____ () C:\Windows\System32\Drivers\etc\hosts.ics
2014-04-05 12:40 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-05 12:40 - 2009-07-13 20:51 - 00053881 _____ () C:\Windows\setupact.log
2014-04-05 12:38 - 2012-12-08 13:39 - 00000000 ____D () C:\ProgramData\WeCareReminder
2014-04-05 12:31 - 2012-10-13 18:52 - 00000000 ____D () C:\Users\Brian\AppData\Local\CrashDumps
2014-04-05 12:19 - 2014-04-05 12:19 - 00001113 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-05 12:19 - 2014-04-05 12:19 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-05 12:19 - 2014-04-05 12:19 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-05 12:14 - 2014-02-08 10:46 - 00000000 ____D () C:\Users\Brian\AppData\Local\DayZ
2014-04-05 09:28 - 2014-04-05 09:37 - 00395776 _____ (Microsoft Corporation) C:\Windows\System32\rpcss.dll
2014-04-05 09:14 - 2009-07-13 21:08 - 00025176 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-04 17:09 - 2013-11-21 17:02 - 00000000 ____D () C:\Program Files (x86)\PasswordBox
2014-04-04 08:22 - 2012-06-03 21:43 - 00000830 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2014-04-03 05:51 - 2014-04-05 12:19 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-04-03 05:51 - 2014-04-05 12:19 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys
2014-04-03 05:50 - 2014-04-05 12:19 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-04-02 23:01 - 2013-06-05 14:00 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-04-02 23:01 - 2013-06-05 14:00 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-04-02 23:01 - 2013-06-05 14:00 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-04-02 18:50 - 2014-04-02 18:50 - 00000064 _____ () C:\Windows\System32\gzeetwx.bgv
2014-04-02 18:50 - 2014-04-02 18:50 - 00000000 _____ () C:\Windows\System32\awoiel.duo
2014-04-02 18:37 - 2014-04-02 18:37 - 00000000 ____D () C:\Users\Brian\AppData\Local\{9F346398-99B6-4CA3-BE3A-54AF0A1E4F6E}
2014-04-02 18:36 - 2014-03-03 16:46 - 00000000 ____D () C:\Users\Brian\AppData\Local\Windows Live
2014-04-02 18:34 - 2014-04-02 18:34 - 00299344 ____S () C:\Windows\System32\jxzstmh.gfx
2014-04-02 16:08 - 2012-12-08 06:24 - 00000000 ____D () C:\Users\Brian\AppData\Local\CutePDF Writer
2014-04-02 06:23 - 2014-04-02 06:22 - 00000000 ____D () C:\Users\Brian\AppData\Local\{B9C147DA-D452-4577-84FD-2640FA8821C5}
2014-04-02 06:12 - 2013-08-14 16:57 - 00000000 ____D () C:\Users\Brian\Desktop\Bonnie
2014-04-02 03:13 - 2013-10-31 18:57 - 00008887 _____ () C:\Users\Brian\Desktop\list.xlsx
2014-04-02 03:13 - 2012-11-03 13:21 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\SoftGrid Client
2014-03-28 17:56 - 2012-06-03 22:25 - 00003908 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-28 17:56 - 2012-06-03 22:25 - 00003656 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-21 14:05 - 2014-03-21 14:05 - 00000000 ____D () C:\Users\Brian\AppData\Local\{F5D1B586-1C29-466B-8FBD-A28DC59B379F}
2014-03-18 23:00 - 2013-08-14 23:01 - 00000000 ____D () C:\Windows\System32\MRT
2014-03-18 23:00 - 2013-06-01 14:06 - 90015360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-03-17 19:37 - 2014-03-17 19:37 - 00000000 ____D () C:\Users\Brian\AppData\Local\{4AEE25D3-2639-4A02-926E-AC9211C97FCF}
2014-03-16 10:47 - 2012-11-05 18:12 - 00000000 ___RD () C:\Users\Brian\Desktop\Brian
2014-03-13 20:23 - 2013-10-08 18:01 - 00000000 ____D () C:\Users\Brian\AppData\Local\AVG SafeGuard toolbar
2014-03-13 20:22 - 2013-10-08 17:35 - 00000000 ____D () C:\Program Files (x86)\AVG SafeGuard toolbar
2014-03-13 14:18 - 2014-02-08 16:36 - 00036864 ___SH () C:\Users\Brian\Desktop\Thumbs.db
2014-03-13 14:18 - 2009-07-13 21:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-03-12 23:22 - 2009-07-13 20:45 - 00284560 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-03-12 23:21 - 2013-06-06 08:05 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-12 23:21 - 2013-06-06 08:05 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-12 23:01 - 2012-09-30 15:14 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\Skype
2014-03-11 05:52 - 2013-01-20 11:59 - 00133928 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2014-03-07 09:14 - 2014-03-07 09:10 - 00001311 _____ () C:\Users\Brian\Desktop\SnippingTool.lnk
2014-03-07 09:08 - 2014-03-07 09:08 - 00001272 _____ () C:\Users\Brian\Desktop\Snipping Tool.lnk

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4055714171-221256347-1479975053-1000\$f4e27e32d5b5bc8261cb000bef51340d

Files to move or delete:
====================
C:\ProgramData\uninstaller.exe
C:\Users\Brian\CuteWriter.exe

Some content of TEMP:
====================
C:\Users\Brian\AppData\Local\Temp\BackupSetup.exe
C:\Users\Brian\AppData\Local\Temp\converter.exe
C:\Users\Brian\AppData\Local\Temp\DefaultAssets.exe
C:\Users\Brian\AppData\Local\Temp\DefaultOfflineContent.exe
C:\Users\Brian\AppData\Local\Temp\HitmanPro.exe
C:\Users\Brian\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Brian\AppData\Local\Temp\javasysmo6179626430391889473.dll
C:\Users\Brian\AppData\Local\Temp\Kickstarter.exe
C:\Users\Brian\AppData\Local\Temp\NLStubInstallerResources.dll
C:\Users\Brian\AppData\Local\Temp\oi_{533B2C99-DFB2-476C-83CE-5C174B5C35FD}.exe
C:\Users\Brian\AppData\Local\Temp\PCCU_Installer.exe
C:\Users\Brian\AppData\Local\Temp\System.Data.SQLite.dll
C:\Users\Brian\AppData\Local\Temp\System.Data.SQLite60391.dll
C:\Users\Brian\AppData\Local\Temp\System.Data.SQLite63275.dll
C:\Users\Brian\AppData\Local\Temp\System.Data.SQLite63645.dll

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2014-04-05 09:37] - [2014-04-05 09:28] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-03-18 23:00:25
Restore point made on: 2014-03-21 23:34:02
Restore point made on: 2014-03-25 23:33:44
Restore point made on: 2014-03-28 23:35:07
Restore point made on: 2014-04-01 23:34:20
Restore point made on: 2014-04-02 23:00:33

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4020.8 MB
Available physical RAM: 3403.87 MB
Total Pagefile: 4019 MB
Available Pagefile: 3399.77 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (TI106401W0D) (Fixed) (Total:581.42 GB) (Free:446.74 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (CD_ROM) (CDROM) (Total:3.71 GB) (Free:0 GB) CDFS
Drive f: () (Removable) (Total:0.48 GB) (Free:0.47 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 596 GB) (Disk ID: 4537E8B6)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=581 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=17)

========================================================
Disk: 1 (Size: 489 MB) (Disk ID: D99EFF67)

Partition: GPT Partition Type.

LastRegBack: 2014-03-29 20:07

==================== End Of Log ============================


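The FRST log above is what a helper reads by eye: the "One Month Created Files" section lists recently dropped files with their publisher and attributes, and the "Bamital & volsnap Check" block names the core system files whose MD5 FRST could not confirm. The Python below is an added example for this thread, not FRST's code and not anything posted by brbonn or TB-Psychotic. It parses lines in those two formats and reports what the log itself points at: publisher-less files with odd names dropped straight into System32, and core files FRST did not mark "MD5 is legit" together with the hash the log tells you to look up. The sample lines are constructed from entries in the log above; the System32 extension allow-list is my own assumption for the example, not something FRST ships.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One entry of FRST's "One Month Created Files and Folders" section. The layout,
# taken from the log above, is: <created> - <modified> - <size> <attrs> (<publisher>) <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) \((?P<publisher>[^)]*)\) (?P<path>.+)$"
)

# 32-hex MD5 at the end of an FRST file-detail line.
MD5_RE = re.compile(r"\b([0-9A-Fa-f]{32})\s*$")

# Extensions that normally sit directly in System32. Assumed allow-list for this
# example (not FRST's); tune it to your own baseline.
SYSTEM32_EXPECTED_EXT = {"dll", "exe", "sys", "cpl", "tlb", "ini", "dat", "log", "txt", "mui"}


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str      # five-character attribute field, e.g. "_____", "____D", "____S"
    publisher: str  # text between the parentheses; empty when FRST found none
    path: str


def parse_entries(text: str) -> List[Entry]:
    """Parse every line in the created/modified entry layout; ignore the rest."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"], int(m["size"]),
                                 m["attrs"], m["publisher"], m["path"]))
    return entries


def suspicious_system32_files(entries: List[Entry]) -> List[str]:
    """Files dropped straight into System32 with no publisher and either an
    unexpected extension or the System attribute set."""
    flagged: List[str] = []
    for e in entries:
        if e.attrs.endswith("D"):  # directories never carry a publisher; skip them
            continue
        parent, _, name = e.path.rpartition("\\")
        if parent.lower() != r"c:\windows\system32":
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        no_publisher = e.publisher.strip() == ""
        if no_publisher and (ext not in SYSTEM32_EXPECTED_EXT or "S" in e.attrs):
            flagged.append(e.path)
    return flagged


def unverified_core_files(block: str) -> Dict[str, str]:
    """From the 'Bamital & volsnap Check' block, return {path: md5} for each file
    FRST did not mark '=> MD5 is legit'."""
    result: Dict[str, str] = {}
    pending = None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("=> MD5 is legit"):
            pending = None
        elif line.startswith("[") and pending:      # detail line for the path above
            m = MD5_RE.search(line)
            result[pending] = m.group(1).upper() if m else ""
            pending = None
        elif re.match(r"^[A-Za-z]:\\", line):       # bare path: awaiting its detail line
            pending = line
    return result


# Constructed samples in the format of the log above.
SAMPLE_CREATED = r"""
2014-04-05 09:37 - 2014-04-05 09:28 - 00395776 _____ (Microsoft Corporation) C:\Windows\System32\rpcss.dll
2014-04-02 19:00 - 2014-04-05 12:51 - 00000080 _____ () C:\Windows\System32\gzvhy.oty
2014-04-02 18:50 - 2014-04-02 18:50 - 00000064 _____ () C:\Windows\System32\gzeetwx.bgv
2014-04-02 18:50 - 2014-04-02 18:50 - 00000000 _____ () C:\Windows\System32\awoiel.duo
2014-04-02 18:34 - 2014-04-02 18:34 - 00299344 ____S () C:\Windows\System32\jxzstmh.gfx
2014-04-05 12:19 - 2014-04-03 05:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-03-07 09:08 - 2014-03-07 09:08 - 00001272 _____ () C:\Users\Brian\Desktop\Snipping Tool.lnk
2014-03-11 23:46 - 2014-02-28 22:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
"""

SAMPLE_BAMITAL = r"""
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2014-04-05 09:37] - [2014-04-05 09:28] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

if __name__ == "__main__":
    for path in suspicious_system32_files(parse_entries(SAMPLE_CREATED)):
        print("review:", path)
    for path, md5 in unverified_core_files(SAMPLE_BAMITAL).items():
        print("unverified:", path, md5)
```

Run against the sample it prints the four random-named System32 files and the rpcss.dll hash; on a real FRST.txt, paste the relevant sections in place of the samples. The heuristics are deliberately narrow: a publisher string of "(Microsoft Corporation)" is only what FRST read from the file's version resource, which is why the log still asks for the hash of rpcss.dll to be checked separately.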

#4 TB-Psychotic


  • Malware Response Team
  • 6,349 posts

Posted 10 April 2014 - 06:39 AM

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKLM-x32\...\Run: [BrowserSafeguard] - "C:\Program Files (x86)\Browsersafeguard\BrowserSafeguard.exe"
    
    C:\Program Files (x86)\Browsersafeguard
    2014-04-02 19:00 - 2014-04-05 12:51 - 00000080 _____ () C:\Windows\System32\gzvhy.oty
    2014-04-02 18:50 - 2014-04-02 18:50 - 00000064 _____ () C:\Windows\System32\gzeetwx.bgv
    2014-04-02 18:50 - 2014-04-02 18:50 - 00000000 _____ () C:\Windows\System32\awoiel.duo
    2014-04-02 18:34 - 2014-04-02 18:34 - 00299344 ____S () C:\Windows\System32\jxzstmh.gfx
    C:\$Recycle.Bin\S-1-5-21-4055714171-221256347-1479975053-1000\$f4e27e32d5b5bc8261cb000bef51340d
    C:\ProgramData\uninstaller.exe
    C:\Users\Brian\CuteWriter.exe

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

 

We're not finished yet - try to boot into Windows.

 

 

Run FRST there and ensure a checkmark is placed next to addition.txt.

Hit run and post up the two logs the tool provides.



#5 brbonn

  • Topic Starter

  • Members
  • 10 posts

Posted 10 April 2014 - 04:08 PM

OK.  This is the text from the Fixlog.txt file:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014  01
Ran by Système at 2014-04-10 17:00:42 Run:1
Running from F:\temp
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKLM-x32\...\Run: [BrowserSafeguard] - "C:\Program Files (x86)\Browsersafeguard\BrowserSafeguard.exe"

C:\Program Files (x86)\Browsersafeguard
2014-04-02 19:00 - 2014-04-05 12:51 - 00000080 _____ () C:\Windows\System32\gzvhy.oty
2014-04-02 18:50 - 2014-04-02 18:50 - 00000064 _____ () C:\Windows\System32\gzeetwx.bgv
2014-04-02 18:50 - 2014-04-02 18:50 - 00000000 _____ () C:\Windows\System32\awoiel.duo
2014-04-02 18:34 - 2014-04-02 18:34 - 00299344 ____S ()
C:\Windows\System32\jxzstmh.gfx
C:\$Recycle.Bin\S-1-5-21-4055714171-221256347-1479975053-1000\$f4e27e32d5b5bc8261cb000bef51340d
C:\ProgramData\uninstaller.exe
C:\Users\Brian\CuteWriter.exe
*****************

"C:\Program Files (x86)\Browsersafeguard" => File/Directory not found.
C:\Windows\System32\gzvhy.oty => Moved successfully.
C:\Windows\System32\gzeetwx.bgv => Moved successfully.
C:\Windows\System32\awoiel.duo => Moved successfully.
"2014-04-02 18:34 - 2014-04-02 18:34 - 00299344 ____S ()" => File/Directory not found.
C:\Windows\System32\jxzstmh.gfx => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$f4e27e32d5b5bc8261cb000bef51340d => Deleted successfully.
C:\ProgramData\uninstaller.exe => Moved successfully.
C:\Users\Brian\CuteWriter.exe => Moved successfully.

==== End of Fixlog ====

I tried to boot back into Windows but got the black screen with cursor again.



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 11 April 2014 - 08:13 AM

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    LastRegBack: 2014-03-29 20:07

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Try again to boot into Windows.



#7 brbonn

  • Topic Starter
  • Members
  • 10 posts

Posted 11 April 2014 - 04:42 PM

OK. Here are the contents of the new Fixlog.txt file:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014  01
Ran by Système at 2014-04-11 17:36:31 Run:2
Running from F:\temp
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
LastRegBack: 2014-03-29 20:07
*****************

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

Tried to boot into Windows but got the black screen with cursor again.



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 14 April 2014 - 04:59 AM

OK, please delete your existing copy of FRST and download a new one.

Rescan and post the log (the tool has been updated).



#9 brbonn

  • Topic Starter
  • Members
  • 10 posts

Posted 14 April 2014 - 06:13 PM

OK, here is the result of the scan. I also noticed that the Windows ISO I've been using is x86 while the laptop operating system is 64-bit. I don't know if this makes a difference but I am going to make a new bootable USB stick.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-04-2014
Ran by Système on MININT-D77L5TQ on 14-04-2014 19:07:13
Running from F:\temp
Windows 7 Home Premium (X86) OS Language: French Standard
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] => [X]
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12446824 2012-02-01] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2867984 2011-12-23] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-09-23] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [989056 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1548208 2011-11-24] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-11-26] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [IgfxTray] => C:\windows\system32\igfxtray.exe [170264 2012-05-10] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] => C:\windows\system32\hkcmd.exe [398616 2012-05-10] (Intel Corporation)
HKLM\...\Run: [Persistence] => C:\windows\system32\igfxpers.exe [440088 2012-05-10] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\System32\LogiLDA.dll [1832760 2012-09-20] (Logitech, Inc.)
HKU\Brian\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-06-04] (Google Inc.)
HKU\Brian\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1821888 2014-02-25] (Valve Corporation)
HKU\Brian\...\Run: [Overwolf] => C:\Program Files (x86)\Overwolf\Overwolf.exe -silent
HKU\Default\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-21] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-21] (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [65640 2013-05-10] (Adobe Systems Incorporated)
S3 aspnet_state; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [51808 2013-09-12] (Microsoft Corporation)
S4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [124088 2013-09-12] (Microsoft Corporation)
S3 cphs; C:\Windows\SysWow64\IntelCpHeciSvc.exe [276248 2012-05-10] (Intel Corporation)
S2 cvhsvc; C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [822504 2013-04-22] (Microsoft Corporation)
S2 DcomLaunch; C:\Windows\system32\rpcss.dll [513536 2010-11-21] ()
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1045256 2012-10-03] (Acresso Software Inc.)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42856 2010-11-21] (Microsoft Corporation)
S3 GamesAppService; C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [206072 2010-10-12] (WildTangent, Inc.)
S2 gupdate; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2012-06-04] (Google Inc.)
S3 gupdatem; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2012-06-04] (Google Inc.)
S3 gusvc; C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [194032 2012-10-04] (Google)
S3 idsvc; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [856400 2010-11-21] (Microsoft Corporation)
S2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [627936 2012-01-11] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-01-20] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-01-20] (Intel Corporation)
S2 LMS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe [277784 2012-01-21] (Intel Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [289256 2014-01-16] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S2 NAT; C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\NAT.exe [232424 2013-10-11] (Symantec Corporation)
S4 NetMsmqActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-09-12] (Microsoft Corporation)
S4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-09-12] (Microsoft Corporation)
S4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-09-12] (Microsoft Corporation)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-09-12] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [149352 2010-01-10] (Microsoft Corporation)
S2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2013-11-01] (PasswordBox, Inc.)
S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.38\ccSvcHst.exe [126392 2011-12-01] (Symantec Corporation)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 RosettaStoneDaemon; C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [1646608 2012-06-19] (Rosetta Stone Ltd.)
S2 RpcSs; C:\Windows\system32\rpcss.dll [513536 2010-11-21] ()
S2 sftlist; C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [523944 2013-06-27] (Microsoft Corporation)
S3 sftvsa; C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [207528 2013-06-27] (Microsoft Corporation)
S2 SkypeUpdate; C:\Program Files (x86)\Skype\Updater\Updater.exe [172192 2013-10-23] (Skype Technologies)
S3 Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [568512 2014-02-25] (Valve Corporation)
S3 TMachInfo; C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [57216 2011-07-12] (TOSHIBA Corporation)
S2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\TECO\TecoService.exe [294848 2011-11-24] (TOSHIBA Corporation)
S3 TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [138152 2011-11-26] (TOSHIBA Corporation)
S3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [833976 2011-12-14] (TOSHIBA Corporation)
S2 UNS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [363800 2012-01-21] (Intel Corporation)
S2 vToolbarUpdater18.0.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [1759768 2014-03-03] (AVG Secure Search)
S2 YahooAUService; C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe [602392 2008-11-09] (Yahoo! Inc.)

==================== Drivers (Whitelisted) ====================
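
The Services section above is where the infection is already visible: both `DcomLaunch` and `RpcSs` point at `C:\Windows\system32\rpcss.dll` with an empty company field `()`, while every other Microsoft-owned entry carries `(Microsoft Corporation)`. FRST makes the same observation later in this thread ("rpcss.dll No Company Name <===== ATTENTION!"), because the audio-adware patch strips the file's version resource. The script below is an added example written for this page, not code from the thread or from the FRST tool: it parses the Services and Drivers sections of an FRST log and flags entries whose company name is missing, ranking a core Windows binary without Microsoft's name highest. The sample lines are copied from the log above; the `CORE_MICROSOFT_FILES` set is this example's own assumption about which binaries must always carry Microsoft's company name.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few Services/Drivers lines copied from the FRST log in this
# thread, including the two rpcss.dll entries that report no company name.
SAMPLE_LOG = r"""
========================== Services (Whitelisted) =================

S2 DcomLaunch; C:\Windows\system32\rpcss.dll [513536 2010-11-21] ()
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-01-20] ()
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S2 RpcSs; C:\Windows\system32\rpcss.dll [513536 2010-11-21] ()
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [50976 2014-03-03] (AVG Technologies)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
"""

# One FRST service/driver line: "<start type> <name>; <path> [<size> <date>] (<company>)"
ENTRY_RE = re.compile(
    r"^(?P<start>[SRU]\d?)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>[^)]*)\)\s*$"
)
# Section banner such as "==================== Drivers (Whitelisted) ===================="
SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")

# Assumption made by this example (not taken from the page): core binaries that always
# carry Microsoft's company name on a stock Windows 7 install.
CORE_MICROSOFT_FILES = {
    "rpcss.dll", "services.exe", "svchost.exe", "winlogon.exe",
    "wininit.exe", "userinit.exe", "explorer.exe", "user32.dll", "volsnap.sys",
}


@dataclass
class Entry:
    section: str
    start: str
    name: str
    path: str
    size: int
    date: str
    company: str


@dataclass
class Finding:
    entry: Entry
    severity: str
    reason: str


def parse_entries(text: str) -> List[Entry]:
    """Collect service/driver entries together with the section they appear in."""
    section, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group("title")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append(Entry(section, m.group("start"), m.group("name").strip(),
                                 m.group("path"), int(m.group("size")),
                                 m.group("date"), m.group("company").strip()))
    return entries


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_windows_dir(path: str) -> bool:
    return re.match(r"^[a-z]:\\windows\\", path.lower()) is not None


def classify(e: Entry) -> Optional[Finding]:
    """Rank one entry: missing vendor info on a core OS file is the strongest signal."""
    base = basename(e.path)
    if base in CORE_MICROSOFT_FILES and e.company != "Microsoft Corporation":
        return Finding(e, "high", f"core Windows component {base} reports company "
                                  f"'{e.company or 'none'}' instead of Microsoft Corporation; "
                                  "compare its MD5 with a known-clean copy of the same build")
    if not e.company and is_windows_dir(e.path):
        return Finding(e, "medium", "no company name on a file under the Windows directory")
    if not e.company:
        return Finding(e, "info", "no company name (some third-party vendors omit version info)")
    return None


def audit(text: str) -> List[Finding]:
    """Return findings, in log order, for the Services and Drivers sections only."""
    return [f for e in parse_entries(text)
            if e.section.startswith(("Services", "Drivers"))
            for f in [classify(e)] if f is not None]


def summarize(findings: List[Finding]) -> List[str]:
    return [f"[{f.severity}] {f.entry.name} -> {f.entry.path}: {f.reason}" for f in findings]


if __name__ == "__main__":
    # Pass a saved FRST.txt as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in summarize(audit(text)):
        print(line)
```

On the sample this yields two high-severity findings (both service entries that host `rpcss.dll`) and one informational one for the Intel ME service, whose empty company field is a vendor quirk rather than tampering. The `high` finding deliberately stops at "compare the hash": a missing company name alone only tells you the version resource is gone, and the confirmation step, as the FRST log itself says, is checking the MD5 against a clean copy of the same Windows build.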



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 15 April 2014 - 06:21 AM

The log is incomplete, please post the whole content of the file.



#11 brbonn

  • Topic Starter
  • Members
  • 10 posts

Posted 15 April 2014 - 08:14 PM

Sorry, here is the whole log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-04-2014
Ran by Système on MININT-D77L5TQ on 14-04-2014 19:07:13
Running from F:\temp
Windows 7 Home Premium (X86) OS Language: French Standard
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] => [X]
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12446824 2012-02-01] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2867984 2011-12-23] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-09-23] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [989056 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1548208 2011-11-24] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-11-26] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [IgfxTray] => C:\windows\system32\igfxtray.exe [170264 2012-05-10] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] => C:\windows\system32\hkcmd.exe [398616 2012-05-10] (Intel Corporation)
HKLM\...\Run: [Persistence] => C:\windows\system32\igfxpers.exe [440088 2012-05-10] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\System32\LogiLDA.dll [1832760 2012-09-20] (Logitech, Inc.)
HKU\Brian\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-06-04] (Google Inc.)
HKU\Brian\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1821888 2014-02-25] (Valve Corporation)
HKU\Brian\...\Run: [Overwolf] => C:\Program Files (x86)\Overwolf\Overwolf.exe -silent
HKU\Default\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-21] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-21] (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [65640 2013-05-10] (Adobe Systems Incorporated)
S3 aspnet_state; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [51808 2013-09-12] (Microsoft Corporation)
S4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [124088 2013-09-12] (Microsoft Corporation)
S3 cphs; C:\Windows\SysWow64\IntelCpHeciSvc.exe [276248 2012-05-10] (Intel Corporation)
S2 cvhsvc; C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [822504 2013-04-22] (Microsoft Corporation)
S2 DcomLaunch; C:\Windows\system32\rpcss.dll [513536 2010-11-21] ()
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1045256 2012-10-03] (Acresso Software Inc.)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42856 2010-11-21] (Microsoft Corporation)
S3 GamesAppService; C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [206072 2010-10-12] (WildTangent, Inc.)
S2 gupdate; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2012-06-04] (Google Inc.)
S3 gupdatem; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2012-06-04] (Google Inc.)
S3 gusvc; C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [194032 2012-10-04] (Google)
S3 idsvc; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [856400 2010-11-21] (Microsoft Corporation)
S2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [627936 2012-01-11] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-01-20] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-01-20] (Intel Corporation)
S2 LMS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe [277784 2012-01-21] (Intel Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [289256 2014-01-16] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S2 NAT; C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\NAT.exe [232424 2013-10-11] (Symantec Corporation)
S4 NetMsmqActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-09-12] (Microsoft Corporation)
S4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-09-12] (Microsoft Corporation)
S4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-09-12] (Microsoft Corporation)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-09-12] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [149352 2010-01-10] (Microsoft Corporation)
S2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2013-11-01] (PasswordBox, Inc.)
S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.38\ccSvcHst.exe [126392 2011-12-01] (Symantec Corporation)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 RosettaStoneDaemon; C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [1646608 2012-06-19] (Rosetta Stone Ltd.)
S2 RpcSs; C:\Windows\system32\rpcss.dll [513536 2010-11-21] ()
S2 sftlist; C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [523944 2013-06-27] (Microsoft Corporation)
S3 sftvsa; C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [207528 2013-06-27] (Microsoft Corporation)
S2 SkypeUpdate; C:\Program Files (x86)\Skype\Updater\Updater.exe [172192 2013-10-23] (Skype Technologies)
S3 Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [568512 2014-02-25] (Valve Corporation)
S3 TMachInfo; C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [57216 2011-07-12] (TOSHIBA Corporation)
S2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\TECO\TecoService.exe [294848 2011-11-24] (TOSHIBA Corporation)
S3 TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [138152 2011-11-26] (TOSHIBA Corporation)
S3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [833976 2011-12-14] (TOSHIBA Corporation)
S2 UNS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [363800 2012-01-21] (Intel Corporation)
S2 vToolbarUpdater18.0.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [1759768 2014-03-03] (AVG Secure Search)
S2 YahooAUService; C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe [602392 2008-11-09] (Yahoo! Inc.)

==================== Drivers (Whitelisted) ====================

S1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [50976 2014-03-03] (AVG Technologies)
S3 b06bdrv; C:\Windows\system32\drivers\bxvbda.sys [468480 2009-06-10] (Broadcom Corporation)
S3 b57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Broadcom Corporation)
S1 ccSet_NAT; C:\Windows\system32\drivers\NATx64\010A000.009\ccSetx64.sys [150104 2013-07-29] (Symantec Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [14759136 2012-05-10] (Intel Corporation)
S3 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHD64.sys [4739304 2012-02-01] (Realtek Semiconductor Corp.)
S0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [16152 2012-01-05] (Intel Corporation)
S3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [355096 2012-01-05] (Intel Corporation)
S3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [786200 2012-01-05] (Intel Corporation)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-14] (Microsoft Corporation)
S3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [103536 2012-01-16] (Atheros Communications, Inc.)
S3 MEIx64; C:\Windows\System32\DRIVERS\HECIx64.sys [60184 2011-11-10] (Intel Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S3 PGEffect; C:\Windows\System32\DRIVERS\pgeffect.sys [38096 2011-02-09] (TOSHIBA Corporation)
S3 RSUSBVSTOR; C:\Windows\System32\Drivers\RtsUVStor.sys [313448 2011-07-28] (Realtek Semiconductor Corp.)
S3 RTL8192Ce; C:\Windows\System32\DRIVERS\rtl8192Ce.sys [1145448 2011-07-19] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\DRIVERS\Smb_driver.sys [21264 2011-12-23] (Synaptics Incorporated)
S0 tos_sps64; C:\Windows\System32\DRIVERS\tos_sps64.sys [482384 2009-06-24] (TOSHIBA Corporation)
S2 TVALZFL; C:\Windows\System32\DRIVERS\TVALZFL.sys [14472 2009-06-20] (TOSHIBA Corporation)
S3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64.sys [14464 2008-05-06] (Western Digital Technologies)
S3 YMIDUSBW; C:\Windows\System32\drivers\ymidusbx64.sys [51016 2011-11-01] (Yamaha Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-11 17:36 - 2014-04-11 17:36 - 00000000 ____D () C:\Windows\System32\config\HiveBackup
2014-04-07 20:59 - 2014-04-07 21:00 - 00027206 _____ () C:\FRST.txt
2014-04-07 20:58 - 2014-04-05 18:45 - 01145856 _____ (Farbar) C:\FRST.exe
2014-04-07 20:57 - 2014-04-06 22:01 - 02157056 _____ (Farbar) C:\FRST64.exe
2014-04-06 04:12 - 2014-04-14 19:07 - 00000000 ____D () C:\FRST
2014-04-05 22:17 - 2014-04-05 22:17 - 00019848 _____ () C:\Users\Brian\Desktop\address.txt
2014-04-05 21:19 - 2014-04-05 21:19 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-03 03:37 - 2014-04-03 03:37 - 00000000 ____D () C:\Users\Brian\AppData\Local\{9F346398-99B6-4CA3-BE3A-54AF0A1E4F6E}
2014-04-02 15:22 - 2014-04-02 15:23 - 00000000 ____D () C:\Users\Brian\AppData\Local\{B9C147DA-D452-4577-84FD-2640FA8821C5}
2014-03-21 23:05 - 2014-03-21 23:05 - 00000000 ____D () C:\Users\Brian\AppData\Local\{F5D1B586-1C29-466B-8FBD-A28DC59B379F}
2014-03-18 04:37 - 2014-03-18 04:37 - 00000000 ____D () C:\Users\Brian\AppData\Local\{4AEE25D3-2639-4A02-926E-AC9211C97FCF}

==================== One Month Modified Files and Folders =======

2014-04-14 19:07 - 2014-04-06 04:12 - 00000000 ____D () C:\FRST
2014-04-11 22:41 - 2010-11-21 04:47 - 00796132 _____ () C:\Windows\PFRO.log
2014-04-11 17:36 - 2014-04-11 17:36 - 00000000 ____D () C:\Windows\System32\config\HiveBackup
2014-04-10 22:06 - 2012-09-30 04:54 - 00000000 ____D () C:\users\Brian
2014-04-07 21:00 - 2014-04-07 20:59 - 00027206 _____ () C:\FRST.txt
2014-04-06 22:01 - 2014-04-07 20:57 - 02157056 _____ (Farbar) C:\FRST64.exe
2014-04-06 04:34 - 2014-02-08 19:46 - 00000000 ____D () C:\Users\Brian\Documents\DayZ
2014-04-06 04:34 - 2014-02-06 04:36 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\InstallX Search Protect for Yahoo
2014-04-06 04:34 - 2013-12-04 00:11 - 00000000 ____D () C:\ProgramData\McAfee Security Scan
2014-04-06 04:34 - 2013-06-05 23:00 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-04-06 04:34 - 2012-12-08 22:39 - 00000000 ____D () C:\ProgramData\WeCareReminder
2014-04-06 04:34 - 2012-12-08 22:38 - 00000000 ____D () C:\Users\Brian\AppData\Local\TNT2
2014-04-06 04:34 - 2009-07-14 04:20 - 00000000 ___RD () C:\Program Files (x86)
2014-04-06 04:34 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\SysWOW64
2014-04-06 04:34 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\System32\wfp
2014-04-06 04:33 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\registration
2014-04-06 04:08 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\System32\LogFiles
2014-04-05 22:40 - 2013-12-17 03:33 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-04-05 22:17 - 2014-04-05 22:17 - 00019848 _____ () C:\Users\Brian\Desktop\address.txt
2014-04-05 21:31 - 2012-10-14 03:52 - 00000000 ____D () C:\Users\Brian\AppData\Local\CrashDumps
2014-04-05 21:19 - 2014-04-05 21:19 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-05 18:45 - 2014-04-07 20:58 - 01145856 _____ (Farbar) C:\FRST.exe
2014-04-03 08:00 - 2012-06-04 06:37 - 01433924 _____ () C:\Windows\WindowsUpdate.log
2014-04-03 04:03 - 2014-02-08 19:46 - 00000000 ____D () C:\Users\Brian\AppData\Local\DayZ
2014-04-03 03:57 - 2009-07-14 05:45 - 00024608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-03 03:57 - 2009-07-14 05:45 - 00024608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-03 03:56 - 2009-07-14 06:13 - 00783360 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-03 03:50 - 2013-08-21 02:21 - 00000436 _____ () C:\Windows\System32\Drivers\etc\hosts.ics
2014-04-03 03:50 - 2009-07-14 05:51 - 00052817 _____ () C:\Windows\setupact.log
2014-04-03 03:37 - 2014-04-03 03:37 - 00000000 ____D () C:\Users\Brian\AppData\Local\{9F346398-99B6-4CA3-BE3A-54AF0A1E4F6E}
2014-04-03 03:36 - 2014-03-04 01:46 - 00000000 ____D () C:\Users\Brian\AppData\Local\Windows Live
2014-04-03 01:08 - 2012-12-08 15:24 - 00000000 ____D () C:\Users\Brian\AppData\Local\CutePDF Writer
2014-04-02 15:23 - 2014-04-02 15:22 - 00000000 ____D () C:\Users\Brian\AppData\Local\{B9C147DA-D452-4577-84FD-2640FA8821C5}
2014-04-02 15:12 - 2013-08-15 01:57 - 00000000 ____D () C:\Users\Brian\Desktop\Bonnie
2014-04-02 12:13 - 2013-11-01 03:57 - 00008887 _____ () C:\Users\Brian\Desktop\list.xlsx
2014-04-02 12:13 - 2012-11-03 22:21 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\SoftGrid Client
2014-03-21 23:05 - 2014-03-21 23:05 - 00000000 ____D () C:\Users\Brian\AppData\Local\{F5D1B586-1C29-466B-8FBD-A28DC59B379F}
2014-03-19 08:02 - 2013-08-15 08:01 - 00000000 ____D () C:\Windows\System32\MRT
2014-03-19 08:00 - 2013-06-01 23:06 - 90015360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-03-18 04:37 - 2014-03-18 04:37 - 00000000 ____D () C:\Users\Brian\AppData\Local\{4AEE25D3-2639-4A02-926E-AC9211C97FCF}
2014-03-16 19:47 - 2012-11-06 03:12 - 00000000 ___RD () C:\Users\Brian\Desktop\Brian

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4055714171-221256347-1479975053-1000\$f4e27e32d5b5bc8261cb000bef51340d

Some content of TEMP:
====================
C:\Users\Brian\AppData\Local\Temp\BackupSetup.exe
C:\Users\Brian\AppData\Local\Temp\converter.exe
C:\Users\Brian\AppData\Local\Temp\DefaultAssets.exe
C:\Users\Brian\AppData\Local\Temp\DefaultOfflineContent.exe
C:\Users\Brian\AppData\Local\Temp\HitmanPro.exe
C:\Users\Brian\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Brian\AppData\Local\Temp\javasysmo6179626430391889473.dll
C:\Users\Brian\AppData\Local\Temp\Kickstarter.exe
C:\Users\Brian\AppData\Local\Temp\NLStubInstallerResources.dll
C:\Users\Brian\AppData\Local\Temp\nsa7042.exe
C:\Users\Brian\AppData\Local\Temp\nsa739D.exe
C:\Users\Brian\AppData\Local\Temp\nsf3B0C.exe
C:\Users\Brian\AppData\Local\Temp\nsk6D25.exe
C:\Users\Brian\AppData\Local\Temp\nsp37A1.exe
C:\Users\Brian\AppData\Local\Temp\nsv3E29.exe
C:\Users\Brian\AppData\Local\Temp\nsv5E05.exe
C:\Users\Brian\AppData\Local\Temp\oi_{533B2C99-DFB2-476C-83CE-5C174B5C35FD}.exe
C:\Users\Brian\AppData\Local\Temp\PCCU_Installer.exe
C:\Users\Brian\AppData\Local\Temp\System.Data.SQLite.dll
C:\Users\Brian\AppData\Local\Temp\System.Data.SQLite60391.dll
C:\Users\Brian\AppData\Local\Temp\System.Data.SQLite63275.dll
C:\Users\Brian\AppData\Local\Temp\System.Data.SQLite63645.dll

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2012-03-22 22:15] - [2011-02-25 07:19] - 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3

C:\Windows\System32\winlogon.exe
[2010-11-21 04:24] - [2010-11-21 04:24] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Windows\System32\wininit.exe
[2009-07-14 00:52] - [2009-07-14 02:39] - 0129024 ____A (Microsoft Corporation) 94355C28C1970635A31B3FE52EB7CEBA

C:\Windows\System32\svchost.exe
[2012-03-22 22:14] - [2011-03-01 09:07] - 0027648 ____A (Microsoft Corporation) 6F68F63794097E54F36474ED4384B759

C:\Windows\System32\services.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\User32.dll
[2010-11-21 04:24] - [2010-11-21 04:24] - 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B

C:\Windows\System32\userinit.exe
[2010-11-21 04:24] - [2010-11-21 04:24] - 0030720 ____A (Microsoft Corporation) BAFE84E637BF7388C96EF48D4D3FDD53

C:\Windows\System32\rpcss.dll
[2010-11-21 04:24] - [2010-11-21 04:24] - 0513536 ____A () E83BD83574E41BF25AB85A04C16E555B

C:\Windows\System32\rpcss.dll No Company Name <===== ATTENTION!

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2012-03-22 22:13] - [2011-02-25 07:25] - 0296320 ____A (Microsoft Corporation) DF8126BD41180351A093A3AD2FC8903B

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-03-19 08:00:25
Restore point made on: 2014-03-22 08:34:02
Restore point made on: 2014-03-26 08:33:44
Restore point made on: 2014-03-29 08:35:07
Restore point made on: 2014-04-02 08:34:20
Restore point made on: 2014-04-03 08:00:33

==================== Memory info ===========================

Percentage of memory in use: 24%
Total physical RAM: 2750.8 MB
Available physical RAM: 2071.31 MB
Total Pagefile: 2749.08 MB
Available Pagefile: 2028.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.43 MB

==================== Drives ================================

Drive c: (TI106401W0D) (Fixed) (Total:581.42 GB) (Free:446.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (CD_ROM) (CDROM) (Total:3.71 GB) (Free:0 GB) CDFS
Drive f: (WIN7PE_X86) (Removable) (Total:14.52 GB) (Free:14.23 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 596 GB) (Disk ID: 4537E8B6)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=581 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=17)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 15 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

LastRegBack: 2014-03-30 05:07

==================== End Of Log ============================



#12 TB-Psychotic


Posted 16 April 2014 - 04:00 PM

You have a very nasty trojan called ZeroAccess on the system - fixing this may be really hard.

Let's try:


Search for files with FRST (Recovery Environment)


In Vista or Windows 7: Boot to System Recovery Options and run FRST.

In Windows XP: Please boot to BartPe and run FRST.



Type the following in the edit box after "Search:"

rpcss.dl

Click Search button and post the log (Search.txt) it makes to your reply.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 brbonn


Posted 16 April 2014 - 08:35 PM

A search for "rpcss.dl" didn't show any hits, so I assumed this was a typo and reran the search for "rpcss.dll". This is the result:


Farbar Recovery Scan Tool (x86) Version: 14-04-2014
Ran by Système at 2014-04-16 21:30:03
Running from F:\temp
Boot Mode: Recovery

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-21 04:24] - [2010-11-21 04:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\System32\rpcss.dll
[2010-11-21 04:24] - [2010-11-21 04:24] - 0513536 ____A () E83BD83574E41BF25AB85A04C16E555B

X:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-14 00:45] - [2009-07-14 02:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

X:\Windows\System32\rpcss.dll
[2009-07-14 00:45] - [2009-07-14 02:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

=== End Of Search ===



#14 TB-Psychotic


Posted 17 April 2014 - 08:29 AM

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
    
    C:\$Recycle.Bin\S-1-5-21-4055714171-221256347-1479975053-1000\$f4e27e32d5b5bc8261cb000bef51340d
    2014-04-06 04:34 - 2012-12-08 22:39 - 00000000 ____D () C:\ProgramData\WeCareReminder
    2014-04-06 04:34 - 2012-12-08 22:38 - 00000000 ____D () C:\Users\Brian\AppData\Local\TNT2

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

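The two FRST signals used above (rpcss.dll in System32 carrying no company name, and a size of 513536 bytes against 512000 for the copy in the WinSxS store) and the "Replace:" step in the fixlist can be reproduced by hand from the recovery environment. The script below is an added example written for this thread; it is not part of FRST and not something the helpers posted. It assumes it runs from WinPE / System Recovery with PowerShell available, that the victim's Windows directory is mounted at the path given in -OfflineRoot, and that the quarantine folder name is an arbitrary choice; every path and parameter is therefore an assumption, not something taken from the log.

```powershell
<#
  Added example (not from the thread, not part of FRST). Reproduces the checks the FRST log
  relies on for rpcss.dll - empty CompanyName, and size/hash matching no known-good copy -
  and then stages the same "Replace" from the offline WinSxS store.
  Assumptions (not from the original post): run from WinPE / System Recovery with PowerShell,
  the victim's Windows directory mounted at -OfflineRoot; file name and paths are parameters.
#>
param(
    [string]$OfflineRoot = 'C:\Windows',
    [string]$FileName    = 'rpcss.dll',
    [switch]$Restore                      # without -Restore the script only reports
)

$target   = Join-Path $OfflineRoot "System32\$FileName"
$baseName = [IO.Path]::GetFileNameWithoutExtension($FileName)
# Architecture of the offline install: a SysWOW64 directory means x64, so amd64 components.
$arch     = if (Test-Path -LiteralPath (Join-Path $OfflineRoot 'SysWOW64')) { 'amd64' } else { 'x86' }

function Get-DllFacts {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Company   = $item.VersionInfo.CompanyName      # empty "()" on the patched file in the log
        Version   = $item.VersionInfo.FileVersion
        MD5       = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash     # what FRST prints
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash  # what we compare on
        # Windows binaries are catalog-signed; on an offline volume this usually reads NotSigned
        # even for clean files, so it is reported for the record but not used as a verdict.
        SigStatus = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

$live = Get-DllFacts -Path $target

# Reference copies: every component directory for this file in the offline WinSxS store.
$refs = Get-ChildItem -LiteralPath (Join-Path $OfflineRoot 'winsxs') -Directory -Filter "$arch*$baseName*" |
    ForEach-Object { Join-Path $_.FullName $FileName } |
    Where-Object   { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-DllFacts -Path $_ }

if (-not $refs) { throw "No $arch copy of $FileName found in $OfflineRoot\winsxs" }

@($live) + @($refs) | Format-Table Path, Size, Version, Company, MD5, SigStatus -AutoSize

$verdict = @()
if ([string]::IsNullOrWhiteSpace($live.Company))                 { $verdict += 'no CompanyName in version resource' }
if (-not ($refs | Where-Object { $_.SHA256 -eq $live.SHA256 }))   { $verdict += 'hash matches no WinSxS copy' }
if (-not ($refs | Where-Object { $_.Size   -eq $live.Size }))     { $verdict += 'size matches no WinSxS copy' }

if (-not $verdict) { Write-Host "$target matches a store copy; nothing to do"; return }
Write-Warning ("{0} looks patched: {1}" -f $target, ($verdict -join '; '))

if (-not $Restore) { return }

# Pick the highest component version present. The store only holds versions that were actually
# installed, so the newest one is what the current servicing level expects to find in System32.
$good = $refs | Sort-Object { [version]($_.Version -split ' ')[0] } -Descending | Select-Object -First 1

# Quarantine rather than delete (what FRST reports as "Moved successfully") so the sample survives.
$quarantine = Join-Path (Split-Path $OfflineRoot -Parent) 'Quarantine_Example'   # hypothetical folder
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
Move-Item -LiteralPath $target -Destination (Join-Path $quarantine "$FileName.$($live.MD5)") -Force
# If Move-Item or Copy-Item is denied from WinPE, take ownership of the file first:
#   takeown /F $target ; icacls $target /grant Administrators:F
Copy-Item -LiteralPath $good.Path -Destination $target -Force

$after = Get-DllFacts -Path $target
if ($after.SHA256 -ne $good.SHA256) { throw "restore failed: $target does not match $($good.Path)" }
Write-Host "restored $target from $($good.Path) (version $($good.Version))"
```

Run it once without -Restore to see the table and the verdict, and only then with -Restore. Comparing on SHA-256 against the store copy is the point; the MD5 is kept only because that is the value FRST prints and the value one would look up, and an empty CompanyName on its own is a strong hint but not proof, which is why the script requires a size or hash mismatch as well before it calls the file patched.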

#15 brbonn


Posted 19 April 2014 - 08:01 PM

Ok, here are the contents of fixlog.txt:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-04-2014
Ran by Système at 2014-04-19 20:58:08 Run:3
Running from F:\temp
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll

C:\$Recycle.Bin\S-1-5-21-4055714171-221256347-1479975053-1000\$f4e27e32d5b5bc8261cb000bef51340d
2014-04-06 04:34 - 2012-12-08 22:39 - 00000000 ____D () C:\ProgramData\WeCareReminder
2014-04-06 04:34 - 2012-12-08 22:38 - 00000000 ____D () C:\Users\Brian\AppData\Local\TNT2
*****************

C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
C:\$Recycle.Bin\S-1-5-18\$f4e27e32d5b5bc8261cb000bef51340d => Deleted successfully.
C:\ProgramData\WeCareReminder => Moved successfully.
C:\Users\Brian\AppData\Local\TNT2 => Moved successfully.

==== End of Fixlog ====
