Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple dllhost.exe's running at once, eating 100% CPU.


  • This topic is locked This topic is locked
11 replies to this topic

#1 TinaTunalu

TinaTunalu

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 05 October 2014 - 06:17 PM

Hi guys. Since yesterday, I've noticed 20-30 instances of dllhost.exe *32 running at once on my computer. The dllhost.exe will multiply at random intervals throughout the day. I can go through my Task Manager, and manually end process them... but they will pop up and multiply again and again. Sometimes, if I end process the "right" one, all of the rest of them will vanish. I can end process all of the dllhost.exe but one from the Task Manager.

 

I've also just found this website in my history, which I never went to: "[lots of numbers].optimize.clickshieldfilter.com/click.php." That sounds like a keylogger virus to me.

 

Please help!


Edited by TinaTunalu, 05 October 2014 - 07:44 PM.


BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:05 AM

Posted 09 October 2014 - 05:43 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

I need fresh logs so please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi


cXfZ4wS.png


#3 TinaTunalu

TinaTunalu
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 09 October 2014 - 10:13 PM

Hello! Thanks for your help. I have copy-pasted the FRST.txt below... and attached the Addition.txt to this post... as requested.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-10-2014 01
Ran by Mom (administrator) on MOM-PC on 09-10-2014 20:03:23
Running from C:\Users\Mom.Mom-PC\Desktop
Loaded Profile: Mom (Available profiles: Mom)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfevtps.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\WINDOWS\System32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DellDock.exe
() C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(McAfee, Inc.) C:\Program Files\mcafee\msm\McSmtFwk.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(McAfee, Inc.) C:\Program Files\mcafee.com\agent\mcupdate.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe
(Microsoft Corporation) C:\WINDOWS\System32\taskmgr.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe [1807680 2010-02-09] ()
HKLM-x32\...\Run: [Desktop Disc Tool] => c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-10-15] ()
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [DellComms] => C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe [206064 2009-05-05] (SupportSoft, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-11] (Oracle Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-2488620431-2452570745-4068918182-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-02-09] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mom.Mom-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mom.Mom-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {C5C1FA0C-A509-4B3D-B3CF-32C7C0AF7AFF} URL =
SearchScopes: HKCU - {8DE8B3A3-C6F5-4291-9924-7E62E2DCE8EA} URL =
SearchScopes: HKCU - {C5C1FA0C-A509-4B3D-B3CF-32C7C0AF7AFF} URL =
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: ArcPluginIEBHO Class -> {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} -> C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\ArcPluginIE.dll (Perfect World Entertainment Inc)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
DPF: HKLM-x32 {444785F1-DE89-4295-863A-D46C3A781394} http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
DPF: HKLM-x32 {A17BFC9F-18A7-4BE7-915A-C106624AC802} http://d-fighter.nefficient.co.kr/samsungdnf/neople/dnf_hg/installer/dnf_real.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com/bin/srldetect_intel_4.5.24.0.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_125.dll ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_125.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin-x32: @perfectworld.com/npArcPlayNowPlugin -> C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\npArcPluginFF.dll (Perfect World Entertainment Inc)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Mom.Mom-PC\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2014-02-11]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 ArcService; C:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe [88400 2014-08-12] (Perfect World Entertainment Inc)
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation) [File not signed]
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9216 2014-08-22] (Hi-Rez Studios) [File not signed]
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [603424 2014-06-12] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [355440 2010-03-10] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [200056 2011-04-14] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-07-24] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
R2 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 hxsyol; C:\AeriaGames\AuraKingdom\avital\hxsy64.sys [86352 2013-11-26] ()
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
U3 mfeapfk01; No ImagePath
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
U3 mfeavfk01; No ImagePath
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [444720 2014-07-24] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-07-24] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [94992 2011-04-14] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
R3 Sftfs; C:\Windows\System32\DRIVERS\Sftfswin7.sys [768680 2013-06-26] (Microsoft Corporation)
R3 Sftplay; C:\Windows\System32\DRIVERS\Sftplaywin7.sys [273576 2013-06-26] (Microsoft Corporation)
R3 Sftredir; C:\Windows\System32\DRIVERS\Sftredirwin7.sys [29352 2013-06-26] (Microsoft Corporation)
R3 Sftvol; C:\Windows\System32\DRIVERS\Sftvolwin7.sys [23208 2013-06-26] (Microsoft Corporation)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-09 20:03 - 2014-10-09 20:05 - 00017649 _____ () C:\Users\Mom.Mom-PC\Desktop\FRST.txt
2014-10-09 20:03 - 2014-10-09 20:03 - 02109952 _____ (Farbar) C:\Users\Mom.Mom-PC\Desktop\FRST64.exe
2014-10-09 20:02 - 2014-10-09 20:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-10-09 19:33 - 2014-10-09 19:33 - 00000000 ____D () C:\Windows\Sun
2014-10-09 19:31 - 2014-10-09 19:31 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-10-09 19:30 - 2014-10-09 19:30 - 00081408 _____ () C:\Windows\system32\seuigb.dll
2014-10-09 19:30 - 2014-10-09 19:30 - 00003858 _____ () C:\Windows\System32\Tasks\{3DDFB9DB-4A3E-651D-1548-D4F420B45CE7}
2014-10-09 19:30 - 2014-10-09 19:30 - 00000000 _____ () C:\Windows\system32\fmfxg.dll
2014-10-09 19:29 - 2014-10-09 19:30 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-08 21:54 - 2014-10-08 21:54 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\Trove
2014-10-08 20:56 - 2014-10-08 21:57 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Local\Glyph
2014-10-08 20:56 - 2014-10-08 20:56 - 00000000 ____D () C:\ProgramData\Glyph
2014-10-08 20:55 - 2014-10-08 20:56 - 32084080 _____ (Trion Worlds Inc.) C:\Users\Mom.Mom-PC\Downloads\GlyphInstall.exe
2014-10-05 15:43 - 2014-10-05 15:52 - 303878144 _____ () C:\Users\Mom.Mom-PC\Downloads\kav_rescue_10.iso
2014-10-04 17:02 - 2014-10-09 20:03 - 00000000 ____D () C:\FRST
2014-10-01 11:04 - 2014-09-24 19:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-01 11:04 - 2014-09-24 18:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-09-27 20:03 - 2014-09-27 20:03 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\vlc
2014-09-27 15:58 - 2014-09-27 15:58 - 00118824 _____ (Microsoft Corporation) C:\ProgramData\49D9B1C.cpp
2014-09-26 21:16 - 2014-09-26 21:16 - 00000289 _____ () C:\Windows\SysWOW64\msexcr.ini
2014-09-26 21:15 - 2014-09-26 21:15 - 00003812 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1394227861
2014-09-23 13:42 - 2014-09-09 15:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-23 13:42 - 2014-09-09 14:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-09-23 08:59 - 2014-09-23 08:59 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Local\Macromedia
2014-09-12 00:03 - 2014-08-19 11:05 - 00374968 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-12 00:03 - 2014-08-19 10:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-09-12 00:03 - 2014-08-18 16:01 - 23591424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-12 00:03 - 2014-08-18 15:29 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-12 00:03 - 2014-08-18 15:29 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-09-12 00:03 - 2014-08-18 15:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-09-12 00:03 - 2014-08-18 15:20 - 02793984 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-12 00:03 - 2014-08-18 15:19 - 05833728 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-12 00:03 - 2014-08-18 15:15 - 00547328 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-12 00:03 - 2014-08-18 15:15 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-12 00:03 - 2014-08-18 15:14 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-09-12 00:03 - 2014-08-18 15:14 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-09-12 00:03 - 2014-08-18 15:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-09-12 00:03 - 2014-08-18 15:08 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-12 00:03 - 2014-08-18 15:08 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-12 00:03 - 2014-08-18 15:05 - 00596480 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-12 00:03 - 2014-08-18 15:03 - 00758272 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-09-12 00:03 - 2014-08-18 15:03 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-12 00:03 - 2014-08-18 15:03 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-09-12 00:03 - 2014-08-18 14:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-09-12 00:03 - 2014-08-18 14:56 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-09-12 00:03 - 2014-08-18 14:51 - 00446464 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-12 00:03 - 2014-08-18 14:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-09-12 00:03 - 2014-08-18 14:45 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-09-12 00:03 - 2014-08-18 14:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-09-12 00:03 - 2014-08-18 14:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-09-12 00:03 - 2014-08-18 14:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-09-12 00:03 - 2014-08-18 14:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-09-12 00:03 - 2014-08-18 14:40 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-12 00:03 - 2014-08-18 14:39 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-12 00:03 - 2014-08-18 14:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-09-12 00:03 - 2014-08-18 14:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-09-12 00:03 - 2014-08-18 14:38 - 00289280 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-12 00:03 - 2014-08-18 14:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-09-12 00:03 - 2014-08-18 14:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-09-12 00:03 - 2014-08-18 14:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-09-12 00:03 - 2014-08-18 14:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-09-12 00:03 - 2014-08-18 14:25 - 00727040 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-12 00:03 - 2014-08-18 14:25 - 00707072 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-12 00:03 - 2014-08-18 14:23 - 02104832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-12 00:03 - 2014-08-18 14:23 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-09-12 00:03 - 2014-08-18 14:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-09-12 00:03 - 2014-08-18 14:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-09-12 00:03 - 2014-08-18 14:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-09-12 00:03 - 2014-08-18 14:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-09-12 00:03 - 2014-08-18 14:16 - 13588480 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-12 00:03 - 2014-08-18 14:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-09-12 00:03 - 2014-08-18 14:15 - 02310656 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-12 00:03 - 2014-08-18 14:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-09-12 00:03 - 2014-08-18 14:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-09-12 00:03 - 2014-08-18 14:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-09-12 00:03 - 2014-08-18 13:55 - 01447424 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-12 00:03 - 2014-08-18 13:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-09-12 00:03 - 2014-08-18 13:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-09-12 00:03 - 2014-08-18 13:38 - 00775168 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-09-12 00:03 - 2014-08-18 13:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-09-11 23:58 - 2014-06-26 19:08 - 02777088 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-09-11 23:58 - 2014-06-26 18:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2014-09-11 17:26 - 2014-08-01 04:53 - 01031168 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2014-09-11 17:26 - 2014-08-01 04:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll
2014-09-11 17:26 - 2014-06-23 20:29 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-09-11 17:26 - 2014-06-23 19:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2014-09-11 17:25 - 2014-09-04 19:10 - 00578048 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-09-11 17:25 - 2014-09-04 19:05 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-09-11 17:25 - 2014-07-06 19:06 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-11 17:25 - 2014-07-06 19:06 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-09-11 17:25 - 2014-07-06 18:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-09-11 17:25 - 2014-07-06 18:40 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-09-11 17:25 - 2014-07-06 18:39 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-09 19:30 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-10-09 19:27 - 2009-07-13 22:10 - 01170205 _____ () C:\Windows\WindowsUpdate.log
2014-10-09 19:00 - 2010-10-28 20:00 - 00000000 ____D () C:\dell
2014-10-09 18:31 - 2009-07-13 21:45 - 00022464 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-09 18:31 - 2009-07-13 21:45 - 00022464 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-09 18:24 - 2010-10-28 17:33 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-10-09 18:23 - 2010-10-28 19:22 - 00916572 _____ () C:\Windows\PFRO.log
2014-10-09 18:23 - 2010-10-28 17:55 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-10-09 18:23 - 2010-10-28 17:55 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-10-09 18:23 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-09 18:23 - 2009-07-13 21:51 - 00056647 _____ () C:\Windows\setupact.log
2014-10-08 22:11 - 2014-02-27 23:57 - 00009592 _____ () C:\Users\Mom.Mom-PC\AppData\Localtransition_569b2c4b9bcb90cf036714add3a312f6.ini
2014-10-08 21:56 - 2014-06-08 20:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Snail Games USA
2014-10-08 21:56 - 2010-10-28 17:28 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-10-05 17:19 - 2014-06-08 16:52 - 00000000 ____D () C:\Users\Mom.Mom-PC\Desktop\New folder
2014-10-04 18:39 - 2014-02-28 00:14 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\Mozilla
2014-09-27 16:08 - 2014-06-07 13:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GBE Games
2014-09-27 16:08 - 2014-06-07 13:33 - 00000000 ____D () C:\Program Files (x86)\GBE Games
2014-09-27 16:04 - 2014-05-04 12:09 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\BitTorrent
2014-09-26 21:15 - 2014-03-07 14:31 - 00000000 ____D () C:\Program Files (x86)\Opera
2014-09-25 21:49 - 2014-02-09 22:42 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-09-24 14:30 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\rescache
2014-09-18 16:57 - 2009-07-13 22:08 - 00032586 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-09-12 00:02 - 2014-02-11 15:10 - 00775010 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-09-12 00:02 - 2009-07-13 22:13 - 00775010 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-12 00:01 - 2014-02-09 17:04 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-11 23:58 - 2014-05-07 02:01 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-09-11 23:58 - 2014-02-09 17:04 - 101694776 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-09-10 17:08 - 2014-02-18 14:41 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\HpUpdate
2014-09-09 10:25 - 2014-02-11 15:13 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\SoftGrid Client

Alureon:
C:\Users\Mom\AppData\Local\Temp\spqbvfe\sckooxx\wow.dll

Files to move or delete:
====================
C:\ProgramData\hash.dat

Some content of TEMP:
====================
C:\Users\Mom.Mom-PC\AppData\Local\Temp\dxwebsetup.exe
C:\Users\Mom.Mom-PC\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe
C:\Users\Mom.Mom-PC\AppData\Local\Temp\HiRezLauncherControls.dll
C:\Users\Mom.Mom-PC\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
C:\Users\Mom.Mom-PC\AppData\Local\Temp\NGMDll.dll
C:\Users\Mom.Mom-PC\AppData\Local\Temp\NGMResource.dll
C:\Users\Mom.Mom-PC\AppData\Local\Temp\SRLDetectionLibrary9064991856597482835.dll
C:\Users\Mom.Mom-PC\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Mom.Mom-PC\AppData\Local\Temp\unicows.dll
C:\Users\Mom.Mom-PC\AppData\Local\Temp\Uninstaller-8196.exe
C:\Users\Mom.Mom-PC\AppData\Local\Temp\UpdateFlashPlayer_60e49c5a.exe
C:\Users\Mom.Mom-PC\AppData\Local\Temp\UpdateFlashPlayer_e316d60e.exe
C:\Users\Mom.Mom-PC\AppData\Local\Temp\vcredist_x86.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-10-06 13:18

==================== End Of Log ============================

Attached Files



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:05 AM

Posted 11 October 2014 - 05:15 AM

Hello,

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

Also please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link => VirusTotal.com

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Windows\system32\seuigb.dll

Note, if VT says these files have already been analysed, make sure you click reanalyse file now.

Please post the link to the results page rather than the contents of the page itself (its a little easier for me to read).

 

Repeat the steps for the following files as well:

 

C:\Windows\system32\fmfxg.dll

C:\Users\Mom.Mom-PC\AppData\Roaming\tyllta.dll

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 11 October 2014 - 05:16 AM.

cXfZ4wS.png


#5 TinaTunalu

TinaTunalu
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 11 October 2014 - 08:27 PM

Hi Georgi,

 

I've downloaded the fixlist.txt, and clicked "fix" once. The Fixlog is ready to post.

 

I followed the instructions to see hidden files. I can find the seuigb.dll and fmfxg.dll files by manually searching my computer. I cannot find them using VirusTotal.com. I cannot find the tyllta.dll file by using manual serach or VirusTotal.com. What should I do?


Edited by TinaTunalu, 11 October 2014 - 08:52 PM.


#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:05 AM

Posted 12 October 2014 - 03:25 AM

Hello,

 

Please attach the fixlog.txt to your next reply or zip it and upload it at zippyshare.com and then post a link to the log in your next reply.

As for the files you can try the following:

 

Find seuigb.dll by searching the computer and open the VirusTotal website. Drag the file and put it in the VirusTotal search box and click on the Scan it button.

Do the same for the other one as well.

 

Thanks!

 

 

Regards,

Georgi


cXfZ4wS.png


#7 TinaTunalu

TinaTunalu
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 14 October 2014 - 08:13 PM

Hi Georgi,

 

Here is the fixlog. Also:  whenever I try to drag the seuigb.dll and fmfxg.dll files from my computer to the virus total website, it simply tries to open the whole file into a new web browser.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-10-2014 01
Ran by Mom at 2014-10-11 17:32:13 Run:1
Running from C:\Users\Mom.Mom-PC\Desktop
Loaded Profile: Mom (Available profiles: Mom)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2488620431-2452570745-4068918182-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Unlock: C:\Users\Mom\AppData\Local\Temp\spqbvfe
C:\Users\Mom\AppData\Local\Temp\spqbvfe
C:\ProgramData\49D9B1C.cpp
Reg: reg query "hklm\SYSTEM\CurrentControlSet\services\Winmgmt" /s
File: C:\Windows\system32\seuigb.dll
File: C:\Windows\system32\fmfxg.dll
File: C:\Users\Mom.Mom-PC\AppData\Roaming\tyllta.dll
emptytemp:
end
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKU\S-1-5-21-2488620431-2452570745-4068918182-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-2488620431-2452570745-4068918182-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value deleted successfully.
"HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}" => Key not found.
"C:\Users\Mom\AppData\Local\Temp\spqbvfe" => File/Directory unlocked successfully.
C:\Users\Mom\AppData\Local\Temp\spqbvfe => Moved successfully.
C:\ProgramData\49D9B1C.cpp => Moved successfully.

========= reg query "hklm\SYSTEM\CurrentControlSet\services\Winmgmt" /s =========

ERROR: The system was unable to find the specified registry key or value.

========= End of Reg: =========

========================= File: C:\Windows\system32\seuigb.dll ========================

MD5: 0A639FCF99A1FB9DFC4268572E17C305
Creation and modification date: 2014-10-09 19:30 - 2014-10-09 19:30
Size: 0081408
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product Name:
Description:
File Version:
Product Version:
Copyright:

====== End Of File: ======

========================= File: C:\Windows\system32\fmfxg.dll ========================

MD5:
Creation and modification date: 2014-10-09 19:30 - 2014-10-09 19:30
Size: 0000000
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product Name:
Description:
File Version:
Product Version:
Copyright:

====== End Of File: ======

========================= File: C:\Users\Mom.Mom-PC\AppData\Roaming\tyllta.dll ========================

"C:\Users\Mom.Mom-PC\AppData\Roaming\tyllta.dll" not found.
====== End Of File: ======

EmptyTemp: => Removed 15.7 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:05 AM

Posted 15 October 2014 - 12:34 PM

Hello,

 

Please re-run Farbar Recovery Scan Tool (FRST) and make sure that Addition.txt is ticked as well before you press the scan button. Next please post both logs FRST.txt and Addition.txt in your next reply.

 

Also please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

Regards,

Georgi


cXfZ4wS.png


#9 TinaTunalu

TinaTunalu
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:05 PM

Posted 15 October 2014 - 07:54 PM

Hello,

 

I have posted the FRST.txt below, and attached the Additions.txt and FSS.txt logs as attachments to this post.

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-10-2014 02
Ran by Mom (administrator) on MOM-PC on 15-10-2014 17:45:18
Running from C:\Users\Mom.Mom-PC\Desktop
Loaded Profile: Mom (Available profiles: Mom)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfevtps.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\WINDOWS\System32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DellDock.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
() C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Adobe Systems Incorporated) C:\WINDOWS\System32\Macromed\Flash\FlashUtil64_12_0_0_77_ActiveX.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\System32\taskmgr.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe
(McAfee, Inc.) C:\Program Files\mcafee\msm\McSmtFwk.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe [1807680 2010-02-09] ()
HKLM-x32\...\Run: [Desktop Disc Tool] => c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-10-15] ()
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [DellComms] => C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe [206064 2009-05-05] (SupportSoft, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-11] (Oracle Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-02-09] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mom.Mom-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Mom.Mom-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {C5C1FA0C-A509-4B3D-B3CF-32C7C0AF7AFF} URL =
SearchScopes: HKCU - {8DE8B3A3-C6F5-4291-9924-7E62E2DCE8EA} URL =
SearchScopes: HKCU - {C5C1FA0C-A509-4B3D-B3CF-32C7C0AF7AFF} URL =
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: ArcPluginIEBHO Class -> {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} -> C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\ArcPluginIE.dll (Perfect World Entertainment Inc)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
DPF: HKLM-x32 {444785F1-DE89-4295-863A-D46C3A781394} http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
DPF: HKLM-x32 {A17BFC9F-18A7-4BE7-915A-C106624AC802} http://d-fighter.nefficient.co.kr/samsungdnf/neople/dnf_hg/installer/dnf_real.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com/bin/srldetect_intel_4.5.24.0.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_125.dll ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_125.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin-x32: @perfectworld.com/npArcPlayNowPlugin -> C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\npArcPluginFF.dll (Perfect World Entertainment Inc)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Mom.Mom-PC\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2014-02-11]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 ArcService; C:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe [88400 2014-08-12] (Perfect World Entertainment Inc)
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation) [File not signed]
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9216 2014-08-22] (Hi-Rez Studios) [File not signed]
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [603424 2014-06-12] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [355440 2010-03-10] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [200056 2011-04-14] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-07-24] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
R2 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 hxsyol; C:\AeriaGames\AuraKingdom\avital\hxsy64.sys [86352 2013-11-26] ()
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
U3 mfeapfk01; No ImagePath
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
U3 mfeavfk01; No ImagePath
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [444720 2014-07-24] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-07-24] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [94992 2011-04-14] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
R3 Sftfs; C:\Windows\System32\DRIVERS\Sftfswin7.sys [768680 2013-06-26] (Microsoft Corporation)
R3 Sftplay; C:\Windows\System32\DRIVERS\Sftplaywin7.sys [273576 2013-06-26] (Microsoft Corporation)
R3 Sftredir; C:\Windows\System32\DRIVERS\Sftredirwin7.sys [29352 2013-06-26] (Microsoft Corporation)
R3 Sftvol; C:\Windows\System32\DRIVERS\Sftvolwin7.sys [23208 2013-06-26] (Microsoft Corporation)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-15 17:45 - 2014-10-15 17:47 - 00017477 _____ () C:\Users\Mom.Mom-PC\Desktop\FRST.txt
2014-10-15 17:40 - 2014-10-15 17:40 - 00415232 _____ (Farbar) C:\Users\Mom.Mom-PC\Desktop\FSS.exe
2014-10-15 17:40 - 2014-10-15 17:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-10-10 23:29 - 2014-10-10 23:29 - 00000000 __SHD () C:\found.000
2014-10-09 20:03 - 2014-10-15 17:44 - 02111488 _____ (Farbar) C:\Users\Mom.Mom-PC\Desktop\FRST64.exe
2014-10-09 19:33 - 2014-10-09 19:33 - 00000000 ____D () C:\Windows\Sun
2014-10-09 19:31 - 2014-10-09 19:31 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-10-09 19:30 - 2014-10-09 19:30 - 00081408 _____ () C:\Windows\system32\seuigb.dll
2014-10-09 19:30 - 2014-10-09 19:30 - 00003858 _____ () C:\Windows\System32\Tasks\{3DDFB9DB-4A3E-651D-1548-D4F420B45CE7}
2014-10-09 19:30 - 2014-10-09 19:30 - 00000000 _____ () C:\Windows\system32\fmfxg.dll
2014-10-09 19:29 - 2014-10-09 19:30 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-08 21:54 - 2014-10-08 21:54 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\Trove
2014-10-08 20:56 - 2014-10-08 21:57 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Local\Glyph
2014-10-08 20:56 - 2014-10-08 20:56 - 00000000 ____D () C:\ProgramData\Glyph
2014-10-08 20:55 - 2014-10-08 20:56 - 32084080 _____ (Trion Worlds Inc.) C:\Users\Mom.Mom-PC\Downloads\GlyphInstall.exe
2014-10-05 15:43 - 2014-10-05 15:52 - 303878144 _____ () C:\Users\Mom.Mom-PC\Downloads\kav_rescue_10.iso
2014-10-04 17:02 - 2014-10-15 17:45 - 00000000 ____D () C:\FRST
2014-10-01 11:04 - 2014-09-24 19:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-01 11:04 - 2014-09-24 18:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-09-27 20:03 - 2014-09-27 20:03 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\vlc
2014-09-26 21:16 - 2014-09-26 21:16 - 00000289 _____ () C:\Windows\SysWOW64\msexcr.ini
2014-09-26 21:15 - 2014-10-15 08:54 - 00003826 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1394227861
2014-09-23 13:42 - 2014-09-09 15:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-23 13:42 - 2014-09-09 14:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-09-23 08:59 - 2014-09-23 08:59 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Local\Macromedia

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-15 17:43 - 2009-07-13 22:10 - 01611885 _____ () C:\Windows\WindowsUpdate.log
2014-10-15 17:43 - 2009-07-13 21:45 - 00022464 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-15 17:43 - 2009-07-13 21:45 - 00022464 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-15 17:36 - 2010-10-28 20:00 - 00000000 ____D () C:\dell
2014-10-15 17:36 - 2010-10-28 19:22 - 01143058 _____ () C:\Windows\PFRO.log
2014-10-15 17:36 - 2010-10-28 17:33 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-10-15 17:36 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-15 17:36 - 2009-07-13 21:51 - 00057431 _____ () C:\Windows\setupact.log
2014-10-15 08:54 - 2014-03-07 14:31 - 00000000 ____D () C:\Program Files (x86)\Opera
2014-10-15 08:24 - 2010-10-28 17:55 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-10-15 08:24 - 2010-10-28 17:55 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-10-14 18:05 - 2014-02-27 23:57 - 00009593 _____ () C:\Users\Mom.Mom-PC\AppData\Localtransition_569b2c4b9bcb90cf036714add3a312f6.ini
2014-10-11 20:56 - 2014-02-09 22:42 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-10-10 23:35 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-09 19:30 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-10-08 21:56 - 2014-06-08 20:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Snail Games USA
2014-10-08 21:56 - 2010-10-28 17:28 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-10-05 17:19 - 2014-06-08 16:52 - 00000000 ____D () C:\Users\Mom.Mom-PC\Desktop\New folder
2014-10-04 18:39 - 2014-02-28 00:14 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\Mozilla
2014-09-27 16:08 - 2014-06-07 13:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GBE Games
2014-09-27 16:08 - 2014-06-07 13:33 - 00000000 ____D () C:\Program Files (x86)\GBE Games
2014-09-27 16:04 - 2014-05-04 12:09 - 00000000 ____D () C:\Users\Mom.Mom-PC\AppData\Roaming\BitTorrent
2014-09-24 14:30 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\rescache
2014-09-18 16:57 - 2009-07-13 22:08 - 00032586 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

Files to move or delete:
====================
C:\ProgramData\hash.dat

Some content of TEMP:
====================
C:\Users\Mom.Mom-PC\AppData\Local\Temp\obupdat.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-10-06 13:18

==================== End Of Log ============================

Attached Files



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:05 AM

Posted 18 October 2014 - 11:16 AM

Hi,

 

I am sorry about the delay. I was out of town for a couple of days so I couldn't reply earlier.

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Also can you please temporary disable McAfee real-time protection. Check here how:

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Then go to C:\FRST\Quarantine and right click on the folder, select send to compressed(zip) folder that will make a zipped copy of this folder.

Then please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so we can examine the files and submit to antivirus companies if needed.
After that please delete the zip file you just created and re-enable McAfee.

 

 

Next let's try to fix the broken services.


Backup Your Registry

 

 

Now download the following files and save them to your desktop:

 

Winmgmt.reg

 

wscsvc.reg

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

 

  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility.
  • If you are using User Access Control, click Run when prompted and then click Yes when asked to allow changes.
  • Reboot the computer and then please attach fresh logs from Farbar Service Scanner.

 

 

Regards,

Georgi


cXfZ4wS.png


#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:05 AM

Posted 25 October 2014 - 04:04 AM

Hi,

 

Do you still need assistance?

 

 

Regards,

Georgi


cXfZ4wS.png


#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:05 AM

Posted 19 November 2014 - 03:43 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

cXfZ4wS.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users