
dllhost.exe COM SURROGATE too many processes slowing computer


This topic is locked. 39 replies to this topic.

#1 DeePe


  • Members
  • 27 posts
  • Gender:Female

Posted 15 April 2014 - 01:01 AM

Hello,

I am new to this site, and new to forums as well. I have joined because I found another topic/thread with this same problem (Nov. 2013, diamondqueen) which seemed to be resolved by running OTL. I wasn't sure if I could copy all the steps from the other topic, or if they were computer-specific in some way. Basically, the dllhost.exe file keeps running many instances and consuming memory. Also, my internet security settings change and my active window keeps switching momentarily.

I have been trying to resolve this problem by running clnmgr, which helped for a while, but now the problem is just getting worse.

Please help, and thank you in advance.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483
Run by Owner at 22:43:41 on 2014-04-14
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.2.1033.18.3895.2439 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k HPService
C:\windows\System32\alg.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\prevhost.exe
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\windows\system32\sppsvc.exe
C:\windows\splwow64.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://webmail.uniserve.com/horde/imp/login.php
mStart Page = hxxp://lenovo.msn.com
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
mRun: [MSConfig] E:\GRTUtility\msconfig.exe /auto
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 64.59.144.92 64.59.150.138 192.168.1.1
TCP: Interfaces\{22A6C43A-18F0-4ABE-B870-C3FCA1765953} : DHCPNameServer = 64.59.144.92 64.59.150.138 192.168.1.1
TCP: Interfaces\{22A6C43A-18F0-4ABE-B870-C3FCA1765953}\2656C6B696E6534376 : DHCPNameServer = 192.168.2.1 75.154.133.100 75.154.133.68
TCP: Interfaces\{22A6C43A-18F0-4ABE-B870-C3FCA1765953}\348616274727565737560274575637470223E243 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{22A6C43A-18F0-4ABE-B870-C3FCA1765953}\463707E4544513 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{22A6C43A-18F0-4ABE-B870-C3FCA1765953}\E4567775F627C64623 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{22A6C43A-18F0-4ABE-B870-C3FCA1765953}\F425C4 : DHCPNameServer = 10.100.130.14
TCP: Interfaces\{22A6C43A-18F0-4ABE-B870-C3FCA1765953}\F6E65616E6F647865627E45647 : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: Neat ADF Scanner 2008 - reg copy "HKLM\Software\Wow6432Node\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://lenovo.msn.com
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-mASetup: Send To Neat - reg copy "HKLM\Software\The Neat Company\Send To Neat" "HKCU\Software\The Neat Company\Send To Neat" /s /f
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yj32x4pj.default\
FF - prefs.js: browser.startup.homepage - hxxps://webmail.uniserve.com/horde/imp/login.php
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\PROGRA~2\Palm\PACKAG~1\NPInstal.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_70.dll
FF - plugin: C:\windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2012-06-21 13:59; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2014-1-25 268512]
R2 NisDrv;Microsoft Network Inspection System;C:\windows\System32\drivers\NisDrvWFP.sys [2013-9-27 133928]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\windows\System32\drivers\AcpiVpc.sys [2011-3-2 28176]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\System32\drivers\HECIx64.sys [2011-3-2 56344]
R3 Impcd;Impcd;C:\windows\System32\drivers\Impcd.sys [2011-3-2 158976]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2011-3-2 271872]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-3-11 347872]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2011-1-21 413800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 AceecaUSBDx64;AceecaUSBDx64;C:\windows\System32\drivers\AceecaUSBDx64.sys [2011-4-5 66552]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\windows\System32\drivers\k57nd60a.sys [2009-6-10 270848]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2011-3-2 242720]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-3-29 1255736]
S3 wsvd;wsvd;C:\windows\System32\drivers\wsvd.sys [2009-7-21 121840]
S4 Agent;Agent;C:\Windows\agent_x64.exe [2012-2-18 102912]
S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-3-2 13336]
S4 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-3-2 2320920]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-04-15 04:40:57    --------    d-----w-    C:\Users\Owner\AppData\Local\CrashDumps
2014-04-14 21:26:48    10521840    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2BF29BAF-76F0-4D79-BEEC-CC425AB62240}\mpengine.dll
2014-04-14 21:13:26    --------    d-----w-    C:\windows\System32\MRT
2014-04-13 03:25:53    10521840    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-04-07 16:04:48    --------    d-----w-    C:\Users\Owner\AppData\Local\Skype
2014-04-04 16:51:59    1031560    ------w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{62CDDB5D-11D6-4F73-B842-6694ACAF8A8E}\gapaengine.dll
2014-03-26 02:03:14    --------    d-----w-    C:\Program Files\CCleaner
.
==================== Find3M  ====================
.
2014-03-11 16:52:30    133928    ----a-w-    C:\windows\System32\drivers\NisDrvWFP.sys
2014-03-05 20:05:02    71048    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-05 20:05:02    692616    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2014-01-25 08:19:42    268512    ----a-w-    C:\windows\System32\drivers\MpFilter.sys
2014-01-16 17:59:44    270496    ------w-    C:\windows\System32\MpSigStub.exe
.
============= FINISH: 22:45:03.66 ===============




#2 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,309 posts
  • Gender:Male
  • Location:Bulgaria

Posted 18 April 2014 - 12:15 PM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer. Make sure that Addition.txt is ticked as well.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
  • Next, please run FRST again and type the following in the edit box after Search: rpcss.dll
  • Click the Search button.
  • It will make a log (Search.txt) - please post the log in your reply to me (you can use pastebin as well).

 

 

Regards,

Georgi


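Georgi's request for the FRST log is about what such a log can reveal. As an added example, not part of this thread and not FRST's own code, here is a small Python checker over FRST-style Registry lines that applies the tests a responder runs on a COM InprocServer32 entry: a per-user (HKU/HKCU) CLSID registration that shadows the machine-wide one, a `\\?\globalroot` device path, a DLL in a user-writable folder, and no recorded publisher. The sample input is constructed in FRST's line format; the flagged line is the one the FRST log posted later in this thread marks "ATTENTION!", and the HKLM CLSID line uses a placeholder GUID.

```python
"""Flag suspicious COM InprocServer32 registrations in FRST-style log lines.

Added example (not FRST's code): a defender-side checker for the kind of
entry a responder looks for when dllhost.exe (COM Surrogate) keeps spawning.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in FRST's "Registry (Whitelisted)" line format. Line 3 is the
# entry the FRST log in this thread marks "ATTENTION!"; the others are benign
# controls of the same shape (the HKLM CLSID GUID is a placeholder, not a real one).
SAMPLE_LINES = r"""
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-321670176-3009742007-1074369548-1000\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\Owner\AppData\Local\Temp\sixfynp\ssbpymp\wow.dll ATTENTION! ====> ZeroAccess?
HKLM\...\CLSID\{PLACEHOLDER-GUID}\InprocServer32: [Default] C:\windows\system32\shell32.dll (Microsoft Corporation)
""".strip().splitlines()

# key\InprocServer32: [value-name] <path> [optional "(Publisher)"] [optional FRST annotation]
INPROC_RE = re.compile(r"^(?P<key>\S+?)\\InprocServer32:\s*\[(?P<value>[^\]]*)\]\s*(?P<rest>.*)$")
# \\?\globalroot\Device\... names the volume by device object instead of drive letter,
# a form legitimate COM registrations almost never use.
DEVICE_PATH_RE = re.compile(r"^\\\\\?\\globalroot\\Device\\", re.IGNORECASE)
# Locations an ordinary user can write to; a COM server DLL does not normally live there.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)


@dataclass
class Finding:
    key: str
    path: str
    reasons: List[str] = field(default_factory=list)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious InprocServer32 line, else None."""
    m = INPROC_RE.match(line.strip())
    if not m:
        return None  # not a COM in-process server registration
    key, rest = m.group("key"), m.group("rest")
    # Drop FRST's own trailing annotation, then split off a "(Publisher)" suffix if present.
    body = re.split(r"\s+ATTENTION!", rest, maxsplit=1)[0].strip()
    signer = re.search(r"\(([^)]*)\)\s*$", body)
    path = body[: signer.start()].strip() if signer else body
    finding = Finding(key=key, path=path)
    if key.upper().startswith(("HKU\\", "HKCU\\")):
        # Per-user CLSID entries take precedence over HKLM ones for that user (the classic
        # COM hijack): every process that instantiates the CLSID then loads this DLL.
        finding.reasons.append("per-user CLSID registration shadows the machine-wide one")
    if DEVICE_PATH_RE.match(path):
        finding.reasons.append("server path given as a \\\\?\\globalroot device path")
    if USER_WRITABLE_RE.search(path):
        finding.reasons.append("server DLL lives in a user-writable location")
    if not signer or not signer.group(1).strip():
        finding.reasons.append("no publisher recorded for the DLL")
    return finding if finding.reasons else None


def scan(lines: List[str]) -> List[Finding]:
    """Run check_line over a whole log excerpt and keep only the hits."""
    return [f for f in (check_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit.key)
        print("  ->", hit.path)
        for reason in hit.reasons:
            print("  *", reason)
```

Run over the sample, only the HKU line is reported, with all four reasons; the machine-wide CLSID entry with a signed system DLL passes.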


#3 DeePe

  • Topic Starter

  • Members
  • 27 posts
  • Gender:Female

Posted 20 April 2014 - 01:49 AM

Attached File: Addition.txt (42.26KB)

Hi Georgi,

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-04-2014
Ran by Owner (administrator) on DEMIANLAPTOP on 19-04-2014 23:35:49
Running from C:\Users\Owner\Desktop
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\windows\System32\alg.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Dropbox, Inc.) C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Adobe Systems Incorporated) C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_170_ActiveX.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Apple Inc.) C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [MSConfig] => E:\GRTUtility\msconfig.exe /auto
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-321670176-3009742007-1074369548-1000\...\RunOnce: [FlashPlayerUpdate] - C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_170_ActiveX.exe [839560 2013-12-10] (Adobe Systems Incorporated)
HKU\S-1-5-21-321670176-3009742007-1074369548-1000\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\Owner\AppData\Local\Temp\sixfynp\ssbpymp\wow.dll ATTENTION! ====> ZeroAccess?
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.uniserve.com/horde/imp/login.php
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - DefaultScope {AF071835-D8C4-4CB6-A211-CA8B24484E2B} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {AF071835-D8C4-4CB6-A211-CA8B24484E2B} URL = https://www.google.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} -  No File
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yj32x4pj.default
FF Homepage: https://webmail.uniserve.com/horde/imp/login.php
FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF64_12_0_0_70.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_70.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_37 - C:\windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @palmsource.com/installer,version=1.0 - C:\PROGRA~2\Palm\PACKAG~1\NPInstal.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: DAO.TableDef.120 - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yj32x4pj.default\Extensions\{3677AC1E-A5BC-280B-5FDB-E4EEA897C7CC} [2013-12-27]

Chrome:
=======
CHR StartupUrls: "hxxp://www.google.com"
CHR Extension: (Google Docs) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-03-25]
CHR Extension: (Google Drive) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-25]
CHR Extension: (YouTube) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-25]
CHR Extension: (Google Search) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-25]
CHR Extension: (Google Wallet) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-25]
CHR Extension: (Gmail) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-25]

==================== Services (Whitelisted) =================

S4 Agent; C:\windows\agent_x64.exe [102912 2011-08-24] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 AceecaUSBDx64; C:\Windows\System32\DRIVERS\AceecaUSBDx64.sys [66552 2011-07-14] (PalmSource, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
U3 BcmSqlStartupSvc;
U3 IGRS;
U2 IviRegMgr;
U2 ReadyComm.DirectRouter;
U2 RichVideo;
U3 SQLWriter;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-19 23:35 - 2014-04-19 23:36 - 00011310 _____ () C:\Users\Owner\Desktop\FRST.txt
2014-04-19 23:33 - 2014-04-19 23:35 - 00000000 ____D () C:\FRST
2014-04-19 23:33 - 2014-04-19 23:33 - 02055680 _____ (Farbar) C:\Users\Owner\Desktop\FRST64.exe
2014-04-19 23:31 - 2014-04-19 23:31 - 01043968 _____ (Farbar) C:\Users\Owner\Desktop\FRST.exe
2014-04-16 21:31 - 2014-04-16 21:32 - 00000000 ____D () C:\Users\Owner\Documents\Design Essentials
2014-04-16 11:41 - 2014-04-16 11:41 - 00001062 _____ () C:\windows\PFRO.log
2014-04-15 12:22 - 2014-04-15 12:22 - 00007660 _____ () C:\Users\Owner\Desktop\RKreport[0]_S_04152014_122224.txt
2014-04-14 22:45 - 2014-04-14 22:47 - 00017160 _____ () C:\Users\Owner\Desktop\attach.txt
2014-04-14 22:45 - 2014-04-14 22:46 - 00015593 _____ () C:\Users\Owner\Desktop\dds.txt
2014-04-14 22:42 - 2014-04-14 22:42 - 00688992 ____R (Swearware) C:\Users\Owner\Desktop\dds.com
2014-04-14 21:40 - 2014-04-14 21:40 - 00016546 _____ () C:\Users\Owner\Desktop\RKreport[0]_S_04142014_214039.txt
2014-04-14 21:40 - 2014-04-14 21:40 - 00000000 ____D () C:\Users\Owner\AppData\Local\CrashDumps
2014-04-14 15:26 - 2014-04-14 21:40 - 00000000 ____D () C:\Users\Owner\Desktop\RK_Quarantine
2014-04-14 15:20 - 2014-04-14 23:20 - 00000000 ____D () C:\Users\Owner\Documents\Computer
2014-04-14 15:18 - 2014-04-14 15:18 - 00122378 _____ () C:\Users\Owner\Desktop\OTL.Txt
2014-04-14 14:58 - 2014-04-14 14:58 - 00602112 _____ (OldTimer Tools) C:\Users\Owner\Desktop\OTL.exe
2014-04-14 14:54 - 2014-04-14 14:54 - 03972608 _____ () C:\Users\Owner\Desktop\RogueKiller.exe
2014-04-14 14:13 - 2014-04-14 14:21 - 00000000 ____D () C:\windows\system32\MRT
2014-04-14 10:51 - 2014-04-19 23:21 - 00000616 _____ () C:\windows\setupact.log
2014-04-14 10:51 - 2014-04-14 10:51 - 00000000 _____ () C:\windows\setuperr.log
2014-04-09 22:01 - 2014-04-09 22:01 - 00007211 _____ () C:\Users\Owner\Downloads\Spark, The - Kristine Barnett.opf
2014-04-09 22:00 - 2014-04-09 22:00 - 04019499 _____ () C:\Users\Owner\Downloads\Spark, The - Kristine Barnett(1).epub
2014-04-09 13:34 - 2014-04-09 13:34 - 04019499 _____ () C:\Users\Owner\Downloads\Spark, The - Kristine Barnett.epub
2014-04-07 09:04 - 2014-04-07 09:04 - 00000000 ____D () C:\Users\Owner\AppData\Local\Skype
2014-04-07 09:03 - 2014-04-07 09:03 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-03-25 19:09 - 2014-03-25 19:09 - 00000000 ____D () C:\Users\Owner\Documents\Backup files
2014-03-25 19:03 - 2014-04-11 15:45 - 00002229 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-03-25 19:03 - 2014-03-25 19:03 - 00002772 _____ () C:\windows\System32\Tasks\CCleanerSkipUAC
2014-03-25 19:03 - 2014-03-25 19:03 - 00000868 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-03-25 19:03 - 2014-03-25 19:03 - 00000000 ____D () C:\Program Files\CCleaner
2014-03-24 14:28 - 2014-03-24 14:29 - 10777510 _____ () C:\Users\Owner\Downloads\Jon and Roy - Free Tracks.zip

==================== One Month Modified Files and Folders =======

2014-04-19 23:36 - 2014-04-19 23:35 - 00011310 _____ () C:\Users\Owner\Desktop\FRST.txt
2014-04-19 23:35 - 2014-04-19 23:33 - 00000000 ____D () C:\FRST
2014-04-19 23:34 - 2011-03-02 07:13 - 01194119 _____ () C:\windows\WindowsUpdate.log
2014-04-19 23:33 - 2014-04-19 23:33 - 02055680 _____ (Farbar) C:\Users\Owner\Desktop\FRST64.exe
2014-04-19 23:31 - 2014-04-19 23:31 - 01043968 _____ (Farbar) C:\Users\Owner\Desktop\FRST.exe
2014-04-19 23:30 - 2009-07-13 21:45 - 00013632 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-19 23:30 - 2009-07-13 21:45 - 00013632 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-19 23:23 - 2012-01-05 14:35 - 00000000 ___RD () C:\Users\Owner\Dropbox
2014-04-19 23:23 - 2012-01-05 14:33 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Dropbox
2014-04-19 23:21 - 2014-04-14 10:51 - 00000616 _____ () C:\windows\setupact.log
2014-04-19 23:21 - 2014-01-01 14:28 - 00000804 _____ () C:\windows\Tasks\Security Center Update - 1540307783.job
2014-04-19 23:21 - 2014-01-01 14:27 - 00000800 _____ () C:\windows\Tasks\Security Center Update - 482683292.job
2014-04-19 23:21 - 2013-06-02 21:12 - 00000350 _____ () C:\windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2014-04-19 23:21 - 2013-01-21 21:04 - 00000354 _____ () C:\windows\Tasks\ROC_JAN2013_TB_rmv.job
2014-04-19 23:21 - 2012-07-03 11:40 - 00000892 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-19 23:21 - 2012-06-18 09:44 - 00000440 _____ () C:\windows\system32\Drivers\etc\hosts.ics
2014-04-19 23:21 - 2011-03-29 02:37 - 12031239 _____ () C:\FaceProv.log
2014-04-19 23:21 - 2009-07-13 22:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-04-18 07:00 - 2014-01-05 18:05 - 00000804 _____ () C:\windows\Tasks\Security Center Update - 4029151715.job
2014-04-18 07:00 - 2014-01-05 18:04 - 00000804 _____ () C:\windows\Tasks\Security Center Update - 673816392.job
2014-04-18 07:00 - 2014-01-05 18:03 - 00000806 _____ () C:\windows\Tasks\Security Center Update - 1969362649.job
2014-04-18 07:00 - 2014-01-05 18:02 - 00000802 _____ () C:\windows\Tasks\Security Center Update - 3590169447.job
2014-04-18 07:00 - 2014-01-05 18:01 - 00000802 _____ () C:\windows\Tasks\Security Center Update - 609236093.job
2014-04-18 07:00 - 2014-01-05 18:00 - 00000796 _____ () C:\windows\Tasks\Security Center Update - 3239141586.job
2014-04-18 07:00 - 2014-01-05 17:59 - 00000798 _____ () C:\windows\Tasks\Security Center Update - 3772493609.job
2014-04-18 07:00 - 2014-01-05 17:58 - 00000808 _____ () C:\windows\Tasks\Security Center Update - 1124036830.job
2014-04-18 07:00 - 2014-01-05 17:58 - 00000796 _____ () C:\windows\Tasks\Security Center Update - 4123562919.job
2014-04-18 07:00 - 2014-01-05 17:57 - 00000800 _____ () C:\windows\Tasks\Security Center Update - 3170205401.job
2014-04-18 07:00 - 2014-01-05 17:56 - 00000800 _____ () C:\windows\Tasks\Security Center Update - 1030026460.job
2014-04-18 07:00 - 2014-01-05 17:55 - 00000800 _____ () C:\windows\Tasks\Security Center Update - 3246005749.job
2014-04-18 07:00 - 2014-01-05 17:54 - 00000796 _____ () C:\windows\Tasks\Security Center Update - 4007631458.job
2014-04-18 07:00 - 2014-01-05 17:53 - 00000808 _____ () C:\windows\Tasks\Security Center Update - 3205184406.job
2014-04-18 07:00 - 2014-01-05 17:53 - 00000804 _____ () C:\windows\Tasks\Security Center Update - 693831817.job
2014-04-18 07:00 - 2014-01-05 17:52 - 00000800 _____ () C:\windows\Tasks\Security Center Update - 2285679923.job
2014-04-18 07:00 - 2014-01-05 17:51 - 00000804 _____ () C:\windows\Tasks\Security Center Update - 2434689295.job
2014-04-18 07:00 - 2014-01-05 17:51 - 00000800 _____ () C:\windows\Tasks\Security Center Update - 1747672967.job
2014-04-18 07:00 - 2014-01-05 17:50 - 00000802 _____ () C:\windows\Tasks\Security Center Update - 4206622712.job
2014-04-18 07:00 - 2014-01-05 17:49 - 00000802 _____ () C:\windows\Tasks\Security Center Update - 4176403256.job
2014-04-18 07:00 - 2014-01-05 17:49 - 00000800 _____ () C:\windows\Tasks\Security Center Update - 3151004476.job
2014-04-18 07:00 - 2014-01-01 14:29 - 00000800 _____ () C:\windows\Tasks\Security Center Update - 1095828331.job
2014-04-18 07:00 - 2014-01-01 14:28 - 00000796 _____ () C:\windows\Tasks\Security Center Update - 3794290681.job
2014-04-18 07:00 - 2014-01-01 14:26 - 00000798 _____ () C:\windows\Tasks\Security Center Update - 2886855803.job
2014-04-18 06:40 - 2012-07-03 11:40 - 00000896 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-18 06:12 - 2012-09-01 19:41 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-04-18 06:03 - 2009-07-13 22:13 - 00726444 _____ () C:\windows\system32\PerfStringBackup.INI
2014-04-16 21:53 - 2014-01-02 22:02 - 00000000 ____D () C:\Users\Owner\AppData\Local\CutePDF Writer
2014-04-16 21:32 - 2014-04-16 21:31 - 00000000 ____D () C:\Users\Owner\Documents\Design Essentials
2014-04-16 11:41 - 2014-04-16 11:41 - 00001062 _____ () C:\windows\PFRO.log
2014-04-16 11:40 - 2012-06-21 13:56 - 00000000 ____D () C:\Program Files (x86)\HP
2014-04-16 11:40 - 2012-06-21 13:54 - 00007230 _____ () C:\ProgramData\hpzinstall.log
2014-04-16 11:32 - 2014-02-02 22:05 - 00129536 _____ () C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2014-04-16 11:30 - 2009-07-13 21:45 - 00490528 _____ () C:\windows\system32\FNTCACHE.DAT
2014-04-16 11:29 - 2012-06-21 13:54 - 00000000 ____D () C:\ProgramData\HP
2014-04-15 22:17 - 2014-03-13 17:33 - 00000000 ____D () C:\Users\Owner\Documents\CWY Reunion
2014-04-15 14:06 - 2011-10-24 21:29 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Skype
2014-04-15 13:29 - 2009-07-13 20:20 - 00000000 ____D () C:\windows\system32\NDF
2014-04-15 12:22 - 2014-04-15 12:22 - 00007660 _____ () C:\Users\Owner\Desktop\RKreport[0]_S_04152014_122224.txt
2014-04-14 23:23 - 2013-10-20 19:14 - 00000000 ____D () C:\Users\Owner\Documents\EI 2013
2014-04-14 23:20 - 2014-04-14 15:20 - 00000000 ____D () C:\Users\Owner\Documents\Computer
2014-04-14 22:47 - 2014-04-14 22:45 - 00017160 _____ () C:\Users\Owner\Desktop\attach.txt
2014-04-14 22:46 - 2014-04-14 22:45 - 00015593 _____ () C:\Users\Owner\Desktop\dds.txt
2014-04-14 22:42 - 2014-04-14 22:42 - 00688992 ____R (Swearware) C:\Users\Owner\Desktop\dds.com
2014-04-14 21:40 - 2014-04-14 21:40 - 00016546 _____ () C:\Users\Owner\Desktop\RKreport[0]_S_04142014_214039.txt
2014-04-14 21:40 - 2014-04-14 21:40 - 00000000 ____D () C:\Users\Owner\AppData\Local\CrashDumps
2014-04-14 21:40 - 2014-04-14 15:26 - 00000000 ____D () C:\Users\Owner\Desktop\RK_Quarantine
2014-04-14 15:18 - 2014-04-14 15:18 - 00122378 _____ () C:\Users\Owner\Desktop\OTL.Txt
2014-04-14 14:58 - 2014-04-14 14:58 - 00602112 _____ (OldTimer Tools) C:\Users\Owner\Desktop\OTL.exe
2014-04-14 14:54 - 2014-04-14 14:54 - 03972608 _____ () C:\Users\Owner\Desktop\RogueKiller.exe
2014-04-14 14:21 - 2014-04-14 14:13 - 00000000 ____D () C:\windows\system32\MRT
2014-04-14 10:51 - 2014-04-14 10:51 - 00000000 _____ () C:\windows\setuperr.log
2014-04-11 15:45 - 2014-03-25 19:03 - 00002229 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-04-09 22:15 - 2011-12-06 12:28 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-09 22:01 - 2014-04-09 22:01 - 00007211 _____ () C:\Users\Owner\Downloads\Spark, The - Kristine Barnett.opf
2014-04-09 22:00 - 2014-04-09 22:00 - 04019499 _____ () C:\Users\Owner\Downloads\Spark, The - Kristine Barnett(1).epub
2014-04-09 14:27 - 2012-07-03 10:22 - 00000000 ____D () C:\Users\Owner\Documents\Outlook Files
2014-04-09 13:34 - 2014-04-09 13:34 - 04019499 _____ () C:\Users\Owner\Downloads\Spark, The - Kristine Barnett.epub
2014-04-07 09:04 - 2014-04-07 09:04 - 00000000 ____D () C:\Users\Owner\AppData\Local\Skype
2014-04-07 09:04 - 2011-10-24 21:28 - 00000000 ____D () C:\ProgramData\Skype
2014-04-07 09:03 - 2014-04-07 09:03 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-07 09:03 - 2011-10-24 21:28 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-04-04 09:40 - 2014-01-09 11:42 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-04-04 09:40 - 2013-11-19 16:38 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-04-03 09:09 - 2013-12-30 17:02 - 00001945 _____ () C:\windows\epplauncher.mif
2014-04-03 08:47 - 2014-02-03 17:49 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-04-03 08:47 - 2014-02-03 17:49 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-03-31 03:51 - 2011-03-29 02:58 - 90655440 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-03-30 12:35 - 2012-07-03 11:40 - 00003892 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-30 12:35 - 2012-07-03 11:40 - 00003640 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-25 19:09 - 2014-03-25 19:09 - 00000000 ____D () C:\Users\Owner\Documents\Backup files
2014-03-25 19:03 - 2014-03-25 19:03 - 00002772 _____ () C:\windows\System32\Tasks\CCleanerSkipUAC
2014-03-25 19:03 - 2014-03-25 19:03 - 00000868 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-03-25 19:03 - 2014-03-25 19:03 - 00000000 ____D () C:\Program Files\CCleaner
2014-03-25 19:03 - 2012-07-03 11:40 - 00000000 ____D () C:\Users\Owner\AppData\Local\Google
2014-03-25 19:03 - 2012-07-03 11:40 - 00000000 ____D () C:\Program Files (x86)\Google
2014-03-24 14:39 - 2011-12-16 11:47 - 00000000 ____D () C:\Users\Owner\Documents\PERSONAL
2014-03-24 14:29 - 2014-03-24 14:28 - 10777510 _____ () C:\Users\Owner\Downloads\Jon and Roy - Free Tracks.zip

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-04-14 11:15

==================== End Of Log ============================

 

Farbar Recovery Scan Tool (x64) Version: 19-04-2014
Ran by Owner at 2014-04-19 23:47:18
Running from C:\Users\Owner\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 17:00] - [2009-07-13 18:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2009-07-13 17:00] - [2009-07-13 18:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

====== End Of Search ======
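The search output above compares the MD5 of the live C:\Windows\System32\rpcss.dll with the copy held in the WinSxS component store, and the "Bamital & volsnap Check" earlier in the same log applies the same idea to a fixed list of core binaries. The PowerShell below is an added example, not part of the thread and not FRST's own code, that performs that comparison by hand for the same file list. It assumes PowerShell 2.0 on Windows 7 (hence the .NET MD5 provider rather than Get-FileHash), an elevated prompt and %SystemRoot% at its usual location; the file list, function names and verdict strings are the example's own.

```powershell
# Added example (not from the BleepingComputer thread, and not FRST's own code):
# redo the "MD5 is legit" style check by hand. For each core binary, hash the live
# copy under %SystemRoot%, hash every file of the same name in the WinSxS component
# store, and report whether the live file matches at least one store copy.
# Written against PowerShell 2.0 (the version Windows 7 ships with), so it uses the
# .NET MD5 provider instead of Get-FileHash. Assumes it is run as Administrator.

# Same file list FRST's "Bamital & volsnap Check" walks, relative to %SystemRoot%.
$targets = @(
    'System32\winlogon.exe', 'System32\wininit.exe',  'SysWOW64\wininit.exe',
    'explorer.exe',          'SysWOW64\explorer.exe',
    'System32\svchost.exe',  'SysWOW64\svchost.exe',  'System32\services.exe',
    'System32\User32.dll',   'SysWOW64\User32.dll',
    'System32\userinit.exe', 'SysWOW64\userinit.exe',
    'System32\rpcss.dll',    'System32\Drivers\volsnap.sys'
)

function Get-Md5Hex([string]$Path) {
    # Uppercase hex MD5 of the file contents, the same form FRST prints.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-AgainstWinSxS([string]$RelativePath) {
    # Returns one object per file: live path, live hash and a verdict string.
    $live = Join-Path $env:SystemRoot $RelativePath
    if (-not (Test-Path $live)) {
        return New-Object PSObject -Property @{ Path = $live; Hash = ''; Verdict = 'MISSING' }
    }
    $liveHash = Get-Md5Hex $live
    $name     = [System.IO.Path]::GetFileName($live)
    $winsxs   = Join-Path $env:SystemRoot 'winsxs'

    # Hash every copy of the same file name kept in the component store.
    $storeHashes = @(Get-ChildItem -Path $winsxs -Recurse -Filter $name -ErrorAction SilentlyContinue |
                     ForEach-Object { Get-Md5Hex $_.FullName })

    if ($storeHashes -contains $liveHash) { $verdict = 'MD5 matches a WinSxS copy' }
    elseif ($storeHashes.Count -eq 0)     { $verdict = 'no WinSxS copy to compare against' }
    else                                  { $verdict = 'MD5 MATCHES NO WinSxS COPY - inspect this file' }

    return New-Object PSObject -Property @{ Path = $live; Hash = $liveHash; Verdict = $verdict }
}

foreach ($rel in $targets) {
    $r = Test-AgainstWinSxS $rel
    Write-Output ("{0} => {1} {2}" -f $r.Path, $r.Hash, $r.Verdict)
}
```

On a healthy Windows 7 install the System32 file is normally a hard link into the component store, so a mismatch means the file was changed outside Windows servicing; treat it as a lead to investigate rather than a verdict, and remember the store is only as trustworthy as the rest of the system. The script deliberately does not call Get-AuthenticodeSignature: most Windows 7 system binaries are catalog-signed rather than embedded-signed, and PowerShell 2.0 reports those as NotSigned, which would be misleading.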



#4 B-boy/StyLe/ (Malware Response Team)

Posted 20 April 2014 - 03:37 AM

Hi,

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi


#5 DeePe (Topic Starter)

Posted 20 April 2014 - 07:41 PM

Hello,

I ran the fix this morning, but I am having difficulty sending the Fixlog.txt... it seems to be too big (3861KB). I can't attach it or post it.

I have opened Task Manager, and no more dllhost.exe processes are running. There are ~13 svchost.exe (by users: System, Local and Network)... is this normal?

Also, all these issues with my computer seemed to start when I uninstalled AVG; I wonder if there is any connection.

Thank you for your help so far :-)

#6 B-boy/StyLe/ (Malware Response Team)

Posted 21 April 2014 - 04:29 AM

Hello,

> I ran the fix this morning, but I am having difficulty sending the Fixlog.txt... it seems to be too big (3861KB). I can't attach it or post it.

Can you upload the log here => http://www.filedropper.com/ and then post the link in your next reply?

> There are ~13 svchost.exe (by users: System, Local and Network)... is this normal?

Yes. Most Windows services are started through svchost.exe. You can read more information here:

http://windows.microsoft.com/en-us/windows/what-is-svchost-exe#1TC=windows-7

http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchostexe-process/

so I would recommend not messing with them. :)

> Also, all these issues with my computer seemed to start when I uninstalled AVG; I wonder if there is any connection.

Maybe... I see that you have MSE at the moment, but keep in mind that there is no antivirus software which can give you 100% lifetime protection... :)

I'll give you some advice on how to avoid reinfection at the end of the cleaning process...

Regards,

Georgi

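Georgi's reply above explains the dozen or so svchost.exe instances, and the thread's original complaint was a pile of dllhost.exe (COM Surrogate) processes. The following PowerShell is an added example, not part of the thread and not from FRST, OTL or any other tool named in it, that attributes both kinds of process: it maps every svchost.exe to the services it hosts via WMI, and every dllhost.exe to the COM AppID in its /Processid: argument and on to the CLSIDs and DLL registered under that AppID. It assumes PowerShell 2.0 on 64-bit Windows 7, an elevated prompt and the HKCR: drive it creates; the output wording and variable names are the example's own.

```powershell
# Added example (not from the thread): explain each svchost.exe and dllhost.exe
# instance in Task Manager instead of guessing. svchost.exe instances are mapped to
# the services they host via WMI; dllhost.exe (COM Surrogate) instances are mapped
# from their /Processid:{AppID} argument to the COM classes and DLL they load.
# PowerShell 2.0 compatible (Windows 7). Run elevated so WMI can read every
# process's command line.

# ---- svchost.exe -> hosted services ------------------------------------------
$servicesByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    if (-not $servicesByPid.ContainsKey($_.ProcessId)) { $servicesByPid[$_.ProcessId] = @() }
    $servicesByPid[$_.ProcessId] += $_.Name
}

Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $hosted = $servicesByPid[$_.ProcessId]
    if (-not $hosted) { $hosted = @('(no service maps to this PID - inspect)') }
    Write-Output ("svchost PID {0,-6} {1}" -f $_.ProcessId, $_.CommandLine)
    Write-Output ("       services: {0}" -f ($hosted -join ', '))
}

# ---- dllhost.exe -> COM AppID -> CLSIDs -> DLL --------------------------------
# The COM runtime starts a surrogate as "dllhost.exe /Processid:{AppID}".
# HKCR\AppID\{AppID} (value DllSurrogate) declares the surrogate; every
# HKCR\CLSID\{clsid} whose AppID value equals that GUID is a class it serves,
# and that CLSID's InprocServer32 default value is the DLL that runs inside dllhost.
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# One pass over HKCR\CLSID builds an AppID -> CLSID[] index (the 64-bit view;
# 32-bit surrogates from SysWOW64 would need HKCR\Wow6432Node\CLSID as well).
$clsidsByAppId = @{}
Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $appId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).AppID
    if ($appId) {
        $k = $appId.ToUpper()
        if (-not $clsidsByAppId.ContainsKey($k)) { $clsidsByAppId[$k] = @() }
        $clsidsByAppId[$k] += $_.PSChildName
    }
}

Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'" | ForEach-Object {
    $proc = $_
    if ($proc.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]+\})') {
        $appId = $Matches[1].ToUpper()
        $app   = Get-ItemProperty -Path "HKCR:\AppID\$appId" -ErrorAction SilentlyContinue
        Write-Output ("dllhost PID {0,-6} AppID {1}  DllSurrogate='{2}'" -f $proc.ProcessId, $appId, $app.DllSurrogate)
        $clsids = $clsidsByAppId[$appId]
        if (-not $clsids) { Write-Output "       no CLSID references this AppID - inspect"; return }
        foreach ($clsid in $clsids) {
            $desc = (Get-ItemProperty -Path "HKCR:\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "HKCR:\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            Write-Output ("       CLSID {0} {1}" -f $clsid, $desc)
            Write-Output ("          DLL: {0}" -f $dll)
        }
    } else {
        Write-Output ("dllhost PID {0,-6} started without /Processid: {1}" -f $proc.ProcessId, $proc.CommandLine)
    }
}
```

Run it while the extra dllhost instances are present. A normal system shows a handful of surrogates, each resolving to a Microsoft DLL under C:\Windows; many instances sharing one AppID whose InprocServer32 points outside the Windows directory, or to a DLL with no description, is the thing to put in a log for whoever is helping. The index is built from the 64-bit HKCR\CLSID view only; a 32-bit dllhost.exe launched from SysWOW64 resolves through HKCR\Wow6432Node\CLSID instead, so extend the index if Task Manager shows dllhost.exe *32.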

#7 DeePe (Topic Starter)

Posted 21 April 2014 - 09:28 AM

Does this work?

<iframe src="https://onedrive.live.com/embed?cid=1D8C38B4FA6B4C55&resid=1D8C38B4FA6B4C55%21172&authkey=ANrV0RafX4YQByA" width="98" height="120" frameborder="0" scrolling="no"></iframe>



#8 DeePe (Topic Starter)

Posted 21 April 2014 - 09:30 AM

https://onedrive.live.com/?cid=1d8c38b4fa6b4c55&id=1D8C38B4FA6B4C55%21172&Bsrc=Share&Bpub=SDX.SkyDrive&authkey=!AuG61YPauKA-3kE



#9 B-boy/StyLe/ (Malware Response Team)

Posted 21 April 2014 - 05:13 PM

Hello,

Although we managed to clean the infection, I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

STEP 1

  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and paste the following code into the Custom Scans/Fixes textbox.
  • Don't copy the word "quote"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %SYSTEMDRIVE%\*.
    %USERPROFILE%\*.*
    %USERPROFILE%\*.
    %USERPROFILE%\*.exe /s
    %USERPROFILE%\Documents\*.*
    %USERPROFILE%\Downloads\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\*.*
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Local\temp\*.dll
    %USERPROFILE%\AppData\Local\temp\*.tlb
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %ProgramData%\*.*
    %ProgramData%\*.
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %programdata%\Microsoft\DRM\*.tmp
    %programdata%\temp\*.exe
    %programdata%\temp\*.dll
    %programdata%\temp\*.tlb
    C:\Users\All Users\*.exe /s
    C:\Users\Default\*.exe /s
    C:\Users\Public\*.exe /s
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\*.
    %CommonProgramFiles%\ComObjects\*.*
    %ProgramFiles%\*.*
    %ProgramFiles%\*.
    %Public%\Documents\*.*
    %Public%\Documents\*.
    %systemroot%\System32\config\systemprofile\*.exe /s
    %systemroot%\System32\config\systemprofile\*.*
    %systemroot%\System32\config\systemprofile\*.
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Local\*.
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.
    %systemroot%\SysWow64\config\systemprofile\*.exe /s
    %systemroot%\SysWow64\config\systemprofile\*.*
    %systemroot%\SysWow64\config\systemprofile\*.
    %systemroot%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %systemroot%\SysWOW64\config\systemprofile\AppData\Local\*.
    %systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\*.
    %systemroot%\ServiceProfiles\*.exe /s
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\*.*
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\*.
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.exe
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.dll
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %systemroot%\ServiceProfiles\LocalService\AppData\Roaming\*.*
    %systemroot%\ServiceProfiles\LocalService\AppData\Roaming\*.
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\*.*
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\*.
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.exe
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.dll
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %systemroot%\ServiceProfiles\NetworkService\AppData\Roaming\*.*
    %systemroot%\ServiceProfiles\NetworkService\AppData\Roaming\*.
    %windir%\temp\*.exe /s
    %windir%\temp\*.*
    %windir%\temp\*.
    %windir%\*.
    %windir%\AppPatch\*.exe /s
    %windir%\ShellNew\*.*
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %SYSTEMDRIVE%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor /s
    HKCU\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32 /s
    HKLM\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32 /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsimap /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s
    HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
    HKEY_CLASSES_ROOT\Directory\Shellex\CopyHookHandlers\MSCopy /s
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    type C:\WINDOWS\system.ini >> test.txt /c
    bcdedit /enum all /v >C:\boot.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    smss.exe
    fastfat.sys
    atapi.sys
    serial.sys
    volsnap.sys
    disk.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    kbdclass.sys
    kbdhid.sys
    mouclass.sys
    mouhid.sys
    spldr.sys
    dfsc.sys
    hlp.dat
    str.sys
    cerxvx.ocx
    crexv.ocx
    msseedir.dll
    msdr.dll
    lmbd.dll
    wsse.dll
    intel.exe
    WService.dll
    /md5stop

  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

STEP 2

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

STEP 3

  • Please download RogueKillerX64.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the Scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 4

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 5

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box:
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the date and time of the scan just performed.
  • Click 'Copy to Clipboard'.
  • Paste the contents of the clipboard into your reply.

STEP 6

1. Please download HitmanPro.

  • For 32-bit Operating System
  • This is the mirror
  • For 64-bit Operating System
  • This is the mirror

2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it into your next reply.

STEP 7

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

And then, if there aren't any issues left, I'll give you my final recommendations. :)

Regards,

Georgi


#10 DeePe (Topic Starter)

Posted 21 April 2014 - 06:20 PM

There was no Extra.txt file created... I used the search function too and couldn't find it.

OTL.txt:

https://onedrive.live.com/?cid=1d8c38b4fa6b4c55&id=1D8C38B4FA6B4C55%21177&Bsrc=Share&Bpub=SDX.SkyDrive&authkey=!AifhsSiORIJ4sG0



#11 DeePe (Topic Starter)

Posted 21 April 2014 - 06:26 PM

Step 2: RKill

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/21/2014 04:24:40 PM in x64 mode.
Windows Version: Windows 7 Home Premium

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 04/21/2014 04:25:11 PM
Execution time: 0 hours(s), 0 minute(s), and 31 seconds(s)



#12 DeePe (Topic Starter)

Posted 21 April 2014 - 06:48 PM

step 3:

https://onedrive.live.com/?cid=1d8c38b4fa6b4c55&id=1D8C38B4FA6B4C55%21178&Bsrc=Share&Bpub=SDX.SkyDrive&authkey=!AriRnrkxHGNmGqY

Roguekiller suggested I delete 4 registry items and something under the mbr tab. Not sure what to do here. I think I'll stop til I hear back from you.



#13 DeePe
  • Topic Starter

Posted 22 April 2014 - 12:45 PM

Hi there, continuing on

Step 4 (first of 2 files that were created):

10:29:31.0971 0x13f4  TDSS rootkit removing tool 3.0.0.32 Apr 21 2014 18:31:25
10:30:36.0824 0x13f4  ============================================================
10:30:36.0824 0x13f4  Current date / time: 2014/04/22 10:30:36.0824
10:30:36.0824 0x13f4  SystemInfo:
10:30:36.0824 0x13f4  
10:30:36.0824 0x13f4  OS Version: 6.1.7600 ServicePack: 0.0
10:30:36.0824 0x13f4  Product type: Workstation
10:30:36.0824 0x13f4  ComputerName: DEMIANLAPTOP
10:30:36.0824 0x13f4  UserName: Owner
10:30:36.0824 0x13f4  Windows directory: C:\windows
10:30:36.0824 0x13f4  System windows directory: C:\windows
10:30:36.0824 0x13f4  Running under WOW64
10:30:36.0824 0x13f4  Processor architecture: Intel x64
10:30:36.0824 0x13f4  Number of processors: 2
10:30:36.0824 0x13f4  Page size: 0x1000
10:30:36.0824 0x13f4  Boot type: Normal boot
10:30:36.0824 0x13f4  ============================================================
10:30:36.0984 0x13f4  KLMD registered as C:\windows\system32\drivers\65051015.sys
10:30:37.0208 0x13f4  System UUID: {2768088D-1E26-95D9-4364-44D61B51BBAA}
10:30:37.0953 0x13f4  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
10:30:37.0991 0x13f4  ============================================================
10:30:37.0991 0x13f4  \Device\Harddisk0\DR0:
10:30:37.0991 0x13f4  MBR partitions:
10:30:37.0991 0x13f4  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x64000
10:30:37.0991 0x13f4  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x64800, BlocksNum 0x1FC49800
10:30:38.0014 0x13f4  \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x1FCAE800, BlocksNum 0x39FD800
10:30:38.0014 0x13f4  ============================================================
10:30:38.0071 0x13f4  C: <-> \Device\Harddisk0\DR0\Partition2
10:30:38.0146 0x13f4  D: <-> \Device\Harddisk0\DR0\Partition3
10:30:38.0146 0x13f4  ============================================================
10:30:38.0146 0x13f4  Initialize success
10:30:38.0146 0x13f4  ============================================================
10:32:33.0438 0x0d48  KLMD registered as C:\windows\system32\drivers\93014884.sys
10:32:34.0100 0x0d48  Deinitialize success
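Added example, not part of DeePe's post and not code from TDSSKiller: a small Python parser for the "Drive" and "Partition" lines of the TDSSKiller log above. It rebuilds the MBR layout in sectors from the hex StartLBA/BlocksNum values and reports unallocated gaps, overlapping entries and partitions that run past the end of the disk. The log lines are embedded as constructed sample input; the regular expressions, class and function names are my own and assume the line format shown here. On this log the 2048-sector gaps at the start of the disk and between Partition2 and Partition3 are ordinary 1 MiB alignment padding; the larger unallocated region after Partition3 is simply what the partition table leaves unaccounted for, and the useful follow-up is to compare it with the layout Disk Management shows rather than to draw a conclusion from the log alone.

```python
"""Reconstruct the MBR layout from TDSSKiller 'Drive' / 'Partition' log lines.

Added example; not part of the forum post or of TDSSKiller. The line format
is assumed from the log pasted above.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the disk and partition lines copied from the
# TDSSKiller log in the post above.
SAMPLE_LOG = [
    r"10:30:37.0953 0x13f4  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040",
    r"10:30:37.0991 0x13f4  \Device\Harddisk0\DR0:",
    r"10:30:37.0991 0x13f4  MBR partitions:",
    r"10:30:37.0991 0x13f4  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x64000",
    r"10:30:37.0991 0x13f4  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x64800, BlocksNum 0x1FC49800",
    r"10:30:38.0014 0x13f4  \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x1FCAE800, BlocksNum 0x39FD800",
]

HEX = r"0x[0-9A-Fa-f]+"
# Assumed line shapes (from the sample above); adjust if your TDSSKiller build differs.
DRIVE_RE = re.compile(rf"Drive \S+ - Size: (?P<size>{HEX}) \([^)]*\), SectorSize: (?P<ss>{HEX})")
PART_RE = re.compile(
    rf"\\Partition(?P<n>\d+): (?P<scheme>\w+), Type (?P<type>{HEX}), "
    rf"StartLBA (?P<start>{HEX}), BlocksNum (?P<len>{HEX})"
)

Finding = Tuple[str, int, int]  # (kind, first sector, exclusive last sector)


@dataclass(frozen=True)
class Partition:
    number: int
    ptype: int
    start: int   # first LBA (sector)
    length: int  # size in sectors

    @property
    def end(self) -> int:
        """First sector after the partition (exclusive end)."""
        return self.start + self.length


@dataclass
class DiskLayout:
    total_sectors: int
    sector_size: int
    partitions: List[Partition]  # sorted by start LBA


def parse_tdsskiller(lines: List[str]) -> DiskLayout:
    """Pull disk size, sector size and partition entries out of the log lines."""
    total_sectors = sector_size = None
    parts: List[Partition] = []
    for line in lines:
        m = DRIVE_RE.search(line)
        if m:
            sector_size = int(m.group("ss"), 16)
            total_sectors = int(m.group("size"), 16) // sector_size
            continue
        m = PART_RE.search(line)
        if m:
            parts.append(Partition(int(m.group("n")), int(m.group("type"), 16),
                                   int(m.group("start"), 16), int(m.group("len"), 16)))
    if total_sectors is None:
        raise ValueError("no 'Drive ... Size:' line found in log")
    return DiskLayout(total_sectors, sector_size, sorted(parts, key=lambda p: p.start))


def check_layout(layout: DiskLayout) -> List[Finding]:
    """Walk partitions in LBA order; report gaps, overlaps and overruns in sectors."""
    findings: List[Finding] = []
    cursor = 0  # first sector not yet covered by a partition
    for p in layout.partitions:
        if p.start > cursor:
            findings.append(("gap", cursor, p.start))
        elif p.start < cursor:
            findings.append(("overlap", p.start, min(cursor, p.end)))
        if p.end > layout.total_sectors:
            findings.append(("beyond_disk", layout.total_sectors, p.end))
        cursor = max(cursor, p.end)
    if cursor < layout.total_sectors:
        findings.append(("gap", cursor, layout.total_sectors))
    return findings


def describe(findings: List[Finding], sector_size: int) -> List[str]:
    """Human-readable lines with the size of each region in GiB."""
    return [f"{kind}: sectors {a}-{b} ({(b - a) * sector_size / 2**30:.2f} GiB)"
            for kind, a, b in findings]


if __name__ == "__main__":
    layout = parse_tdsskiller(SAMPLE_LOG)
    for line in describe(check_layout(layout), layout.sector_size):
        print(line)
```

Running it prints three "gap" regions for the sample: the 2048 sectors before Partition1, the 2048 sectors between Partition2 and Partition3, and the unallocated tail after Partition3. The check is deliberately table-only: it never reads the disk, so it is safe to run against any pasted log.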

#14 DeePe
  • Topic Starter

Posted 22 April 2014 - 01:04 PM

second file:

http://pastebin.com/YJzwspXM

#15 DeePe
  • Topic Starter

Posted 22 April 2014 - 01:13 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 22/04/2014
Scan Time: 11:11:12 AM
Logfile:
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.22.05
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 298
Time Elapsed: 3 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)





