Win64/Patched Post-removal problems


This topic is locked
7 replies to this topic

#1 BlueKangaroo


  • Members
  • 2 posts

Posted 13 April 2014 - 04:56 PM

Hello, 

 

A friend of mine was having an issue with her AVG popping up a warning that there was a virus (Win64 Patched), but that it couldn't remove it. I looked on this site and followed the instructions I found to remove the virus. (She actually had Win64 Patched, two other trojans, and two other viruses whose names I don't remember.) Using Malwarebytes I was able to remove them all, and the warning sign never showed up again.

The next day her computer was working fine and then seemed to freeze. Ever since, it has had a blank black screen, no login, and Ctrl+Alt+Delete isn't pulling up Task Manager. I'm not sure what happened, but the only thing that had changed recently was that we removed the viruses the day before.

 

Any help you can offer would be greatly appreciated. Thank you for your time.   




#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 15 April 2014 - 08:26 AM


Hello BlueKangaroo

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
I want you to post the FRST.txt report into your reply to me

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 April 2014 - 07:33 AM


Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#4 BlueKangaroo

  • Topic Starter

  • Members
  • 2 posts

Posted 20 April 2014 - 09:03 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 20-04-2014 02
Ran by SYSTEM on MININT-1EKLT2U on 20-04-2014 21:57:52
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2097960 2011-03-22] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6489704 2011-03-22] (Realtek Semiconductor)
HKLM\...\Run: [RtkOSD] => C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe [995840 2010-07-24] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Creative SB Monitoring Utility] => C:\Windows\system32\sbavmon.dll [116224 2010-08-02] (Creative Technology Ltd.)
HKLM\...\Run: [EKIJ5000StatusMonitor] => C:\Windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe [2042368 2010-05-07] (Eastman Kodak Company)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\System32\LogiLDA.dll [1832760 2012-09-20] (Logitech, Inc.)
HKLM-x32\...\Run: [QlbCtrl.exe] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [323640 2010-02-25] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [WirelessAssistant] => C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [500792 2010-05-20] (Hewlett-Packard Company)
HKLM-x32\...\Run: [VolPanel] => C:\Program Files (x86)\Creative\Sound Blaster X-Fi Go Pro\Volume Panel\VolPanlu.exe [241789 2010-02-18] (Creative Technology Ltd)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [165208 2010-05-07] (Logitech Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Secure Search\vprot.exe [2539544 2014-03-03] ()
HKLM-x32\...\Run: [ApnUpdater] => C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1646216 2013-03-31] (Ask)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4971024 2014-03-19] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [707984 2013-10-10] (Cisco Systems, Inc.)
HKLM\...\RunOnce: [*WerKernelReporting] - %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [415232 2009-07-13] (Microsoft Corporation)
HKLM-x32\...\runonceex: [] -
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Lauren\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Lauren\...\Run: [googletalk] => C:\Users\Lauren\AppData\Roaming\Google\Google Talk\googletalk.exe [3739648 2007-01-01] (Google)
HKU\Lauren\...\Run: [Logitech Vid] => C:\Program Files (x86)\Logitech\Vid HD\Vid.exe [5915480 2010-10-29] (Logitech Inc.)
HKU\Lauren\...\Run: [Spotify Web Helper] => C:\Users\Lauren\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [932528 2012-06-19] ()
HKU\Lauren\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-07-23] (Google Inc.)
HKU\Lauren\...\Run: [ChromeFrameHelper] => C:\Users\Lauren\AppData\Local\Google\Chrome Frame\Application\32.0.1700.107\chrome_frame_helper.exe [83784 2014-02-01] (Google Inc.)
HKU\Lauren\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [21822128 2014-01-30] (Google)
HKU\Lauren\...\Run: [Google Update] => C:\Users\Lauren\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2010-08-20] (Google Inc.)
HKU\Lauren\...\RunOnce: [Application Restart #4] - C:\Users\Lauren\AppData\Local\Google\Chrome\Application\chrome.exe [859976 2014-03-14] (Google Inc.)
HKU\Lauren Hartzler\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
HKU\Lauren Hartzler\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Lauren Hartzler\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3883856 2009-07-26] (Microsoft Corporation)
HKU\Lauren Hartzler\...\Run: [googletalk] => C:\Users\Lauren Hartzler\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
HKU\Lauren Hartzler\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Lauren Hartzler\...\Run: [Google Update] => C:\Users\Lauren\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2010-08-20] (Google Inc.)
HKU\Lauren Hartzler\...\Run: [AVG-Secure-Search-Update_JUNE2013_TB] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_TB.exe"  /PROMPT /CMPID=JUNE2013_TB
HKU\Lauren Hartzler\...\RunOnce: [InetReg] - "C:\Program Files (x86)\Creative\Product Registration\English\InetReg.exe" /PreProcess=RegFlash.exe /Delay=6
HKU\Lauren Hartzler\...\RunOnce: [CTAutoUpdate] - C:\Program Files (x86)\Creative\Shared Files\Software Update\AutoUpdate.exe [623416 2009-06-19] (Creative Technology Ltd)
Startup: C:\Users\Lauren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)

==================== Services (Whitelisted) =================

S3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3782672 2014-02-23] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-23] (AVG Technologies CZ, s.r.o.)
S2 DcomLaunch; C:\Windows\system32\rpcss.dll [509440 2009-07-13] ()
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [288776 2013-09-06] (McAfee, Inc.)
S2 mozybackup; C:\Program Files\MozyHome\mozybackup.exe [55112 2013-01-09] (Mozy, Inc.)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
S2 RpcSs; C:\Windows\system32\rpcss.dll [509440 2009-07-13] ()
S2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [2102072 2013-12-18] (AVG)
S2 vToolbarUpdater18.0.5; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.5\ToolbarUpdater.exe [1771032 2014-03-21] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [150808 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [243480 2013-11-25] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [196376 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [212280 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123704 2013-09-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31544 2013-09-09] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [251192 2013-08-01] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [49952 2014-03-21] (AVG Technologies)
S3 ksaud; C:\Windows\System32\drivers\ksaud.sys [1587968 2010-08-11] (Creative Technology Ltd.)
S3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
S1 mozyFilter; C:\Windows\System32\DRIVERS\mozy.sys [67808 2013-05-21] (Mozy, Inc.)
S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-22] (Realtek Semiconductor Corp.)
S3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [14112 2013-12-16] (TuneUp Software)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52080 2013-10-10] (Cisco Systems, Inc.)
S3 CpqDfw; system32\drivers\CpqDfw.sys [X]
S4 eabfiltr;
S3 hwusbfake; system32\DRIVERS\ewusbfake.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-20 21:57 - 2014-04-20 21:57 - 00000000 ____D () C:\FRST
2014-04-12 15:26 - 2014-04-12 15:26 - 00484768 _____ () C:\Windows\Minidump\041214-38298-01.dmp
2014-04-12 13:49 - 2014-04-12 13:49 - 00459008 _____ () C:\Windows\Minidump\041214-20342-01.dmp
2014-04-12 05:04 - 2014-04-12 05:05 - 00459008 _____ () C:\Windows\Minidump\041214-72758-01.dmp
2014-04-11 18:52 - 2014-04-11 18:53 - 00484768 _____ () C:\Windows\Minidump\041114-40014-01.dmp
2014-04-11 13:16 - 2014-04-11 13:16 - 00459008 _____ () C:\Windows\Minidump\041114-34725-01.dmp
2014-04-10 05:53 - 2014-04-10 10:46 - 00000064 _____ () C:\Users\Lauren\Documents\Career Support.ldb
2014-04-10 02:21 - 2014-04-10 02:21 - 00278528 _____ () C:\Windows\Minidump\041014-36504-01.dmp
2014-04-09 17:02 - 2014-04-09 18:00 - 00000000 ____D () C:\Users\Lauren\Desktop\mbar
2014-04-09 17:02 - 2014-04-09 17:05 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Lauren\Downloads\mbar-1.07.0.1009 (1).exe
2014-04-09 17:02 - 2014-04-09 17:02 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-04-09 16:59 - 2014-04-09 17:02 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Lauren\Downloads\mbar-1.07.0.1009.exe
2014-03-21 04:14 - 2014-03-21 04:14 - 00000000 ____D () C:\ProgramData\AVG Secure Search

==================== One Month Modified Files and Folders =======

2014-04-20 21:57 - 2014-04-20 21:57 - 00000000 ____D () C:\FRST
2014-04-15 16:27 - 2011-07-13 08:09 - 00000000 ____D () C:\Windows\System32\logishrd
2014-04-15 16:27 - 2010-06-15 18:14 - 00000000 ____D () C:\ProgramData\Kodak
2014-04-12 18:49 - 2010-12-06 08:06 - 00000000 ____D () C:\ProgramData\MFAData
2014-04-12 15:26 - 2014-04-12 15:26 - 00484768 _____ () C:\Windows\Minidump\041214-38298-01.dmp
2014-04-12 15:26 - 2011-06-17 22:17 - 320310558 _____ () C:\Windows\MEMORY.DMP
2014-04-12 15:26 - 2010-08-22 04:58 - 00000000 ____D () C:\Windows\Minidump
2014-04-12 13:49 - 2014-04-12 13:49 - 00459008 _____ () C:\Windows\Minidump\041214-20342-01.dmp
2014-04-12 05:05 - 2014-04-12 05:04 - 00459008 _____ () C:\Windows\Minidump\041214-72758-01.dmp
2014-04-11 18:53 - 2014-04-11 18:52 - 00484768 _____ () C:\Windows\Minidump\041114-40014-01.dmp
2014-04-11 13:16 - 2014-04-11 13:16 - 00459008 _____ () C:\Windows\Minidump\041114-34725-01.dmp
2014-04-11 04:22 - 2012-03-15 12:15 - 00327680 _____ () C:\Windows\System32\Ikeext.etl
2014-04-11 04:22 - 2011-06-28 17:10 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3240361932-3662456968-3098582840-1000UA.job
2014-04-11 04:21 - 2010-08-20 14:23 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-11 04:21 - 2010-02-11 01:24 - 02024253 _____ () C:\Windows\WindowsUpdate.log
2014-04-11 01:27 - 2012-08-25 03:53 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-11 01:26 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\tracing
2014-04-10 18:33 - 2013-01-09 09:34 - 00006334 _____ () C:\Windows\mozy.flt
2014-04-10 18:33 - 2013-01-09 09:34 - 00005332 _____ () C:\Windows\mozy.blk
2014-04-10 18:28 - 2013-05-01 16:14 - 00000000 ____D () C:\Users\Lauren\AppData\Roaming\Dropbox
2014-04-10 12:16 - 2013-05-01 16:20 - 00000000 ___RD () C:\Users\Lauren\Dropbox
2014-04-10 12:05 - 2014-03-14 10:19 - 00000000 ___RD () C:\Users\Lauren\Google Drive
2014-04-10 10:54 - 2009-07-13 20:45 - 00023248 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-10 10:54 - 2009-07-13 20:45 - 00023248 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-10 10:50 - 2010-08-20 14:23 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-10 10:47 - 2011-07-13 08:09 - 00000000 ____D () C:\Windows\SysWOW64\logishrd
2014-04-10 10:47 - 2011-05-16 09:56 - 00061532 _____ () C:\Windows\setupact.log
2014-04-10 10:47 - 2010-06-03 21:30 - 00276252 _____ () C:\Windows\PFRO.log
2014-04-10 10:47 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-10 10:46 - 2014-04-10 05:53 - 00000064 _____ () C:\Users\Lauren\Documents\Career Support.ldb
2014-04-10 10:46 - 2011-06-28 17:10 - 00000860 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3240361932-3662456968-3098582840-1000Core.job
2014-04-10 06:26 - 2011-03-26 06:22 - 00003934 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{8437E7D1-AD5D-4798-A377-43E84DC814BA}
2014-04-10 05:55 - 2013-11-13 11:40 - 01806336 _____ () C:\Users\Lauren\Documents\Career Support.mpddb
2014-04-10 02:29 - 2009-07-13 18:34 - 00000499 _____ () C:\Windows\win.ini
2014-04-10 02:28 - 2010-01-20 10:54 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-10 02:21 - 2014-04-10 02:21 - 00278528 _____ () C:\Windows\Minidump\041014-36504-01.dmp
2014-04-09 18:00 - 2014-04-09 17:02 - 00000000 ____D () C:\Users\Lauren\Desktop\mbar
2014-04-09 17:43 - 2014-02-07 20:51 - 00000081 _____ () C:\Windows\System32\hail.oaq
2014-04-09 17:05 - 2014-04-09 17:02 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Lauren\Downloads\mbar-1.07.0.1009 (1).exe
2014-04-09 17:02 - 2014-04-09 17:02 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-04-09 17:02 - 2014-04-09 16:59 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Lauren\Downloads\mbar-1.07.0.1009.exe
2014-04-09 16:48 - 2011-06-28 17:20 - 00002374 _____ () C:\Users\Lauren\Desktop\Google Chrome.lnk
2014-04-09 09:01 - 2010-06-03 19:03 - 00036750 _____ () C:\Users\Lauren\AppData\Roaming\wklnhst.dat
2014-04-09 06:22 - 2010-08-09 04:59 - 00000000 ____D () C:\Users\Lauren\AppData\Local\CrashDumps
2014-04-09 05:23 - 2011-06-23 13:44 - 00000000 ____D () C:\users\Lauren Hartzler
2014-04-09 05:22 - 2014-03-03 16:54 - 00000336 _____ () C:\Windows\Tasks\HPCeeScheduleForLauren.job
2014-04-08 05:00 - 2011-09-06 05:23 - 00003220 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForLAUREN-PC$
2014-04-08 05:00 - 2011-09-06 05:23 - 00000344 _____ () C:\Windows\Tasks\HPCeeScheduleForLAUREN-PC$.job
2014-04-07 15:23 - 2014-03-03 16:55 - 00003192 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForLauren
2014-04-06 10:29 - 2013-07-15 12:42 - 00009728 _____ () C:\Users\Lauren\Documents\Letter to pastors.wps
2014-04-06 10:28 - 2009-07-13 21:32 - 00000000 ____D () C:\Windows\System32\FxsTmp
2014-04-02 04:53 - 2009-07-13 21:13 - 00005156 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-01 04:56 - 2010-08-20 14:23 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-04-01 04:56 - 2010-08-20 14:23 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-31 10:30 - 2009-07-13 21:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-03-31 10:16 - 2011-06-28 17:10 - 00003884 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3240361932-3662456968-3098582840-1000UA
2014-03-31 10:16 - 2011-06-28 17:10 - 00003488 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3240361932-3662456968-3098582840-1000Core
2014-03-31 06:56 - 2013-10-14 15:56 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-03-31 06:45 - 2009-07-13 21:08 - 00032550 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-21 09:36 - 2013-09-22 05:10 - 00000000 ____D () C:\Users\Lauren\AppData\Local\Avg2014
2014-03-21 04:14 - 2014-03-21 04:14 - 00000000 ____D () C:\ProgramData\AVG Secure Search
2014-03-21 04:12 - 2014-02-11 17:31 - 00000000 ____D () C:\Program Files (x86)\AVG Secure Search
2014-03-21 04:12 - 2012-09-03 04:10 - 00049952 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2014-03-21 04:11 - 2012-05-14 23:01 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-21 04:11 - 2012-05-14 23:01 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight

Some content of TEMP:
====================
C:\Users\Lauren\AppData\Local\Temp\224kkk290347.exe
C:\Users\Lauren\AppData\Local\Temp\ApnStub.exe
C:\Users\Lauren\AppData\Local\Temp\avguidx.dll
C:\Users\Lauren\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Lauren\AppData\Local\Temp\conduitinstaller.exe
C:\Users\Lauren\AppData\Local\Temp\contentDATs.exe
C:\Users\Lauren\AppData\Local\Temp\DataCard_Setup64.exe
C:\Users\Lauren\AppData\Local\Temp\GLFA533.tmp.ConduitEngineSetup.exe
C:\Users\Lauren\AppData\Local\Temp\iGearedHelper.dll
C:\Users\Lauren\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\Lauren\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Lauren\AppData\Local\Temp\jre-6u39-windows-i586-iftw.exe
C:\Users\Lauren\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Lauren\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Lauren\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Lauren\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Lauren\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Lauren\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Lauren\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Lauren\AppData\Local\Temp\mssinstaller.exe
C:\Users\Lauren\AppData\Local\Temp\oi_{0D1DDC46-2CA5-4D36-94A3-1B281A0D8618}.exe
C:\Users\Lauren\AppData\Local\Temp\prxGLFA533.tmp.tbHots.dll
C:\Users\Lauren\AppData\Local\Temp\ResetDevice.exe
C:\Users\Lauren\AppData\Local\Temp\Resource.exe
C:\Users\Lauren\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Lauren\AppData\Local\Temp\sp54373.exe
C:\Users\Lauren\AppData\Local\Temp\tbHots.dll
C:\Users\Lauren\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Lauren\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Lauren\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Lauren\AppData\Local\Temp\vcredist_x64.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A () 9F3012F22A927A9493804C9F1E2045B5

C:\Windows\System32\rpcss.dll No Company Name <===== ATTENTION!

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-03-13 10:48:31
Restore point made on: 2014-03-17 07:27:04
Restore point made on: 2014-03-21 04:18:26
Restore point made on: 2014-03-23 19:08:17
Restore point made on: 2014-03-31 13:42:05
Restore point made on: 2014-04-02 04:51:43
Restore point made on: 2014-04-04 05:17:27
Restore point made on: 2014-04-04 14:08:44
Restore point made on: 2014-04-08 05:01:31
Restore point made on: 2014-04-09 05:28:48
Restore point made on: 2014-04-09 17:58:38
Restore point made on: 2014-04-09 17:59:43
Restore point made on: 2014-04-10 02:26:26
Restore point made on: 2014-04-10 06:32:31
Restore point made on: 2014-04-10 18:33:01

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3893.86 MB
Available physical RAM: 3177.02 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3164.71 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:285.23 GB) (Free:191.5 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:12.56 GB) (Free:2.1 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
Drive h: () (Removable) (Total:7.49 GB) (Free:6.77 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 34A97794)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 8 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0C)

LastRegBack: 2014-04-10 02:51

==================== End Of Log ============================

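The log above flags rpcss.dll with no company name and tells the reader to look up its MD5. As an added example, not part of this thread and not FRST's own code, here is a small Python triage script for an FRST.txt of this shape: it walks the Registry, Services and Bamital sections and surfaces binaries that report no publisher, autostart entries pointing at missing files, and the ATTENTION lines together with the MD5 FRST printed for them. The embedded sample is an excerpt of the log posted above; the line formats it parses are inferred from that log and are an assumption, not an FRST specification.

```python
import re
from dataclasses import dataclass

# Excerpt of the FRST.txt posted above, trimmed to the lines this script looks at;
# the MD5 is the one FRST printed for rpcss.dll in that log.
SAMPLE_LOG = r"""==================== Registry (Whitelisted) ==================
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2097960 2011-03-22] (Synaptics Incorporated)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Secure Search\vprot.exe [2539544 2014-03-03] ()
HKLM-x32\...\Run: [] => [X]
HKU\Lauren\...\Run: [Spotify Web Helper] => C:\Users\Lauren\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [932528 2012-06-19] ()
==================== Services (Whitelisted) =================
S2 DcomLaunch; C:\Windows\system32\rpcss.dll [509440 2009-07-13] ()
S2 RpcSs; C:\Windows\system32\rpcss.dll [509440 2009-07-13] ()
S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-23] (AVG Technologies CZ, s.r.o.)
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A () 9F3012F22A927A9493804C9F1E2045B5

C:\Windows\System32\rpcss.dll No Company Name <===== ATTENTION!
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# Line shapes are inferred from the posted log (an assumption), not from an FRST specification.
SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
# "HKLM\...\Run: [Name] => <target>" where <target> may be just "[X]"
RUN_RE = re.compile(r"^HK.+?\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
# "S2 ServiceName; <target>"
SVC_RE = re.compile(r"^S\d (?P<name>[^;]+); (?P<rest>.*)$")
# "<path> [<size> <date>] (<company>)", the target form shared by Run and Service lines
TARGET_RE = re.compile(r"^(?P<path>.+?) \[\d+ \d{4}-\d\d-\d\d\] \((?P<company>[^)]*)\)$")
# Bamital detail line: "[created] - [modified] - <size> <attrs> (<company>) <MD5>"
DETAIL_RE = re.compile(r"^\[.+?\] - \[.+?\] - \d+ \S+ \([^)]*\) (?P<md5>[0-9A-Fa-f]{32})$")

@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    section: str
    item: str
    reason: str
    md5: str = ""  # only set for Bamital & volsnap findings

def _under_windows_dir(path: str) -> bool:
    return path.lower().startswith(("c:\\windows\\", "%systemroot%"))

def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = ""
    pending_md5 = ""  # MD5 from the last detail line, attached to the next ATTENTION line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title")
            continue
        if section.startswith(("Registry", "Services")):
            m = RUN_RE.match(line) or SVC_RE.match(line)
            if not m:
                continue
            name, rest = m.group("name"), m.group("rest")
            if rest == "[X]":  # FRST prints [X] when the referenced file does not exist
                findings.append(Finding("low", section, name or "<empty name>",
                                        "autostart entry points at a missing file"))
                continue
            t = TARGET_RE.match(rest)
            if t and t.group("company") == "":
                # "()" means no company name in the version info: common for third-party
                # tools, but a red flag for a binary under C:\Windows
                sev = "high" if _under_windows_dir(t.group("path")) else "medium"
                findings.append(Finding(sev, section, name,
                                        f"no publisher in version info: {t.group('path')}"))
        elif section.startswith("Bamital"):
            if line.endswith("=> MD5 is legit"):
                continue
            d = DETAIL_RE.match(line)
            if d:
                pending_md5 = d.group("md5")
            elif "<===== ATTENTION!" in line:
                path = line.split(" No Company Name")[0]
                findings.append(Finding("high", section, path, "system file failed FRST's "
                                        "integrity check; verify the MD5 against a known-good "
                                        "copy before replacing it", md5=pending_md5))
                pending_md5 = ""
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tail = f"  MD5={f.md5}" if f.md5 else ""
        print(f"[{f.severity:>6}] {f.section}: {f.item} -- {f.reason}{tail}")
```

On the excerpt this reports the two RpcSs/DcomLaunch service entries and the Bamital ATTENTION line as high, the two no-publisher user-space autostarts as medium, and the empty `[] => [X]` entry as low.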


#5 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 April 2014 - 09:23 PM


Hello BlueKangaroo

Ok, let's see if we can find a replacement for the infected file.

Boot back into the Recovery Environment and run FRST like you did before.

Type the following in the edit box after "Search:".

rpcss.dll

It then should look like:

Search: rpcss.dll

Click Search button and post the log (Search.txt) it makes to your reply.

Gringo

#6 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 April 2014 - 07:23 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#7 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 April 2014 - 06:17 AM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#8 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 April 2014 - 06:52 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
