dllhost.exe COM Surrogate replicating and killing memory


  • This topic is locked
4 replies to this topic

#1 ctdeanks

  • Members
  • 3 posts
  • OFFLINE

Posted 26 October 2014 - 03:13 PM

One of my client's WIN7 PCs was reported as slow, with the task manager full of dllhost.exe COM Surrogates. I have tried Malwarebytes, Junkware Removal Tool, ComboFix (hung at stage 50 for 2 hours before I rebooted) and AdwCleaner without luck. After reading the forum I have downloaded FRST, and here are the logs (thanks in advance for assistance!):
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-10-2014
Ran by JLutz (administrator) on INSPIRION-531 on 26-10-2014 15:13:00
Running from C:\Users\jlutz\Desktop\tools
Loaded Profile: JLutz (Available profiles: JLutz & ctdean)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Andrea Electronics Corporation) C:\Windows\System32\AERTSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Dropbox, Inc.) C:\Users\jlutz\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4907008 2008-01-17] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [931200 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [440632 2014-08-29] (Malwarebytes Corporation)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
Startup: C:\Users\jlutz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\jlutz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blrieke.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xB6A440644639CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.10.10.100
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @nsroblox.roblox.com/launcher -> C:\Users\jlutz\AppData\Local\Roblox\Versions\version-e029025a3614426d\\NPRobloxProxy.dll ( Roblox Corporation)
 
Chrome: 
=======
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AERTFilters; C:\Windows\system32\AERTSrv.exe [77824 2007-12-05] (Andrea Electronics Corporation)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [441144 2014-08-29] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [11552 2012-03-26] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [214952 2012-03-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amacpi; C:\Windows\System32\DRIVERS\null.sys [4608 2009-07-13] (Microsoft Corporation)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47896 2014-08-30] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
S3 catchme; \??\C:\Users\jlutz\AppData\Local\Temp\catchme.sys [X]
S1 giqxgtsf; \??\C:\Windows\system32\drivers\giqxgtsf.sys [X]
S1 nieceujp; \??\C:\Windows\system32\drivers\nieceujp.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-26 14:38 - 2014-10-26 14:38 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-26 14:37 - 2014-05-14 11:23 - 01973728 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-10-26 14:37 - 2014-05-14 11:23 - 00054240 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-10-26 14:37 - 2014-05-14 11:23 - 00045536 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-10-26 14:37 - 2014-05-14 11:17 - 02425856 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-10-26 14:36 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-10-26 14:36 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-10-26 12:25 - 2014-10-26 13:28 - 00000000 ___SD () C:\ComboFix
2014-10-21 13:37 - 2014-10-21 13:37 - 00000000 ____D () C:\Program Files\ESET
2014-10-21 13:29 - 2014-10-26 15:13 - 00000000 ____D () C:\FRST
2014-10-21 13:24 - 2014-10-26 15:13 - 00000000 ____D () C:\Users\jlutz\Desktop\tools
2014-10-20 20:02 - 2014-10-26 14:58 - 00002338 _____ () C:\Users\jlutz\Desktop\Rkill.txt
2014-10-20 19:48 - 2014-10-20 19:48 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-20 19:47 - 2014-10-20 19:48 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-20 19:43 - 2014-10-20 19:43 - 00007607 _____ () C:\Users\jlutz\AppData\Local\Resmon.ResmonCfg
2014-10-12 16:48 - 2014-10-12 17:04 - 00001988 ____H () C:\Users\jlutz\Documents\Default.rdp
2014-10-12 16:37 - 2014-10-20 20:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2014-10-12 16:37 - 2014-10-20 20:04 - 00000000 ____D () C:\ProgramData\Malwarebytes Anti-Exploit
2014-10-12 16:36 - 2014-10-20 20:04 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Exploit
2014-10-12 16:36 - 2011-06-11 01:58 - 00773968 _____ (Microsoft Corporation) C:\Windows\system32\msvcr100.dll
2014-10-12 16:36 - 2011-06-11 01:58 - 00421200 _____ (Microsoft Corporation) C:\Windows\system32\msvcp100.dll
2014-10-12 16:22 - 2014-10-12 16:22 - 00000000 ____D () C:\Windows\ERUNT
2014-10-12 16:20 - 2014-10-12 16:20 - 00000000 ____D () C:\Malware tools 10-2014
2014-10-12 16:16 - 2014-10-13 13:02 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Afxeeg
2014-10-12 16:11 - 2014-10-13 13:02 - 00000000 ____D () C:\ProgramData\j9tbgsdger04r
2014-10-12 15:32 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-10-12 15:32 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-10-12 15:32 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-10-12 15:32 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-10-12 15:32 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-10-12 15:32 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2014-10-12 15:32 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2014-10-12 15:32 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2014-10-12 15:29 - 2014-10-12 15:32 - 00000000 ____D () C:\Qoobox
2014-10-12 15:29 - 2014-10-12 15:29 - 00000000 ____D () C:\Windows\erdnt
2014-10-12 15:24 - 2014-10-12 15:26 - 00000000 ____D () C:\AdwCleaner
2014-10-09 15:49 - 2014-10-10 15:19 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Uxzyky
2014-10-09 15:49 - 2014-10-10 15:19 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Iqislusu
2014-10-09 15:47 - 2014-10-09 15:47 - 00000000 _____ () C:\Users\jlutz\AppData\Roaming\qucxx.dll
2014-10-09 15:44 - 2014-10-09 15:44 - 00049152 _____ () C:\Users\jlutz\AppData\Roaming\pgppk.dll
2014-10-09 15:43 - 2014-10-09 15:44 - 00039424 _____ () C:\Users\jlutz\AppData\Roaming\xvadhmh.dll
2014-10-09 15:08 - 2014-10-10 15:19 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Gugaaxy
2014-10-09 14:02 - 2014-10-12 15:27 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Qisoduuq
2014-10-09 12:40 - 2014-10-12 15:27 - 00000000 __SHD () C:\Users\jlutz\AppData\Local\Fontcore
2014-10-09 12:40 - 2014-10-10 15:19 - 00000000 __SHD () C:\Users\jlutz\AppData\Roaming\MobileOptionPack
2014-10-08 16:05 - 2014-10-09 13:21 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Fyepadaz
2014-10-08 16:01 - 2014-10-09 13:24 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Ugdeezly
2014-10-08 15:54 - 2014-10-12 16:11 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-08 14:03 - 2014-10-09 13:21 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Uvkopoi
2014-10-08 11:46 - 2014-10-09 13:24 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Nowuabli
2014-10-02 11:10 - 2014-10-02 11:10 - 00011192 _____ () C:\Users\jlutz\Documents\Clark Retaining Walls.xlsx
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-26 14:48 - 2012-05-04 17:53 - 01944882 _____ () C:\Windows\WindowsUpdate.log
2014-10-26 14:42 - 2012-05-18 21:26 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-26 14:38 - 2014-07-22 07:30 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-26 14:38 - 2014-07-22 07:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-26 14:38 - 2014-07-22 07:29 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-26 14:38 - 2009-07-13 23:34 - 00013456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-26 14:38 - 2009-07-13 23:34 - 00013456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-26 14:36 - 2012-05-04 17:55 - 00729688 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-26 14:34 - 2013-01-07 09:37 - 00000000 ___RD () C:\Users\jlutz\Dropbox
2014-10-26 14:34 - 2013-01-07 09:34 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Dropbox
2014-10-26 14:31 - 2012-05-18 16:42 - 00025584 _____ () C:\Windows\PFRO.log
2014-10-26 14:31 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-26 14:31 - 2009-07-13 23:39 - 00031920 _____ () C:\Windows\setupact.log
2014-10-23 19:49 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-20 20:00 - 2012-05-23 19:39 - 00000128 _____ () C:\Windows\system32\config\netlogon.ftl
2014-10-12 15:27 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Branding
2014-10-09 13:24 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Registration
2014-10-06 16:35 - 2013-01-07 09:37 - 00000979 _____ () C:\Users\jlutz\Desktop\Dropbox.lnk
2014-10-06 16:35 - 2013-01-07 09:36 - 00000000 ____D () C:\Users\jlutz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-10-01 11:11 - 2014-07-22 07:29 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-01 11:11 - 2014-07-22 07:29 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-01 11:11 - 2012-05-23 19:47 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
 
Some content of TEMP:
====================
C:\Users\jlutz\AppData\Local\Temp\catchme.dll
C:\Users\jlutz\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpis8kzz.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-10-16 00:07
 
==================== End Of Log ===========================
 
 
 
Addition:
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 23-10-2014
Ran by JLutz at 2014-10-26 15:13:36
Running from C:\Users\jlutz\Desktop\tools
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Disabled - Up to date) {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Disabled - Up to date) {2C040BB5-2B06-7275-5A21-2B969A740B4B}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Reader X (10.1.3) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.3 - Adobe Systems Incorporated)
Constellation Crystal Report Viewer (HKLM\...\{2E8A4872-968B-4859-A2E2-04432ED9A4FB}) (Version: 1.00.0000 - Constellation HomeBuilder Systems)
Constellation Crystal Schedule Report Viewer (HKLM\...\{AFAB0D3A-20FB-4D05-B5FE-93E44F613D9A}) (Version: 1.00.0000 - Constellation HomeBuilder)
Crystal Reports Basic Runtime for Visual Studio 2008 (HKLM\...\{CE26F10F-C80F-4377-908B-1B7882AE2CE3}) (Version: 10.5.2.0 - Business Objects)
Dropbox (HKCU\...\Dropbox) (Version: 2.10.30 - Dropbox, Inc.)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
Kyocera Product Library (HKLM\...\Kyocera Product Library) (Version: 4.2.1909 - KYOCERA Document Solutions Inc.)
Malwarebytes Anti-Exploit version 1.04.1.1012 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.04.1.1012 - Malwarebytes)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUSR) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Project Professional 2010 (HKLM\...\Office14.PRJPROR) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.0.1526.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Newstar Enterprise Workstation Drivers 1.0 (HKLM\...\{258E5069-5D68-49CF-BA00-53674FE99BE8}) (Version: 1.0.0.0 - Constellation HomeBuilder Systems)
OpenEdge 10.2A Shared Network Installation (HKLM\...\{24A3AE14-3E31-4BAA-920E-4BB9DB8D229C}) (Version: 10.2A - PSC)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version:  - )
REMSDocView (HKLM\...\{FE84E494-4855-4809-BD73-57D16201D82A}) (Version: 1.00.0000 - Constellation Homebuilder Systems)
Roblox for jlutz (HKCU\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - ROBLOX Corporation)
RW-240 PLOTCLIENT (HKLM\...\{87E2A179-E36D-4B19-8CAF-EFD8D33DABD3}) (Version: 3.7.110 - RW-240)
XML 2 PDF (HKLM\...\{FFFCFFF3-425D-4C3D-A0B7-999F879152A4}) (Version: 1.00.0000 - Constellation HomeBuilder Systems)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{76D50904-6780-4c8b-8986-1A7EE0B1716D}\InprocServer32 -> C:\Users\jlutz\AppData\Local\Roblox\Versions\version-e029025a3614426d\RobloxProxy.dll (ROBLOX Corporation)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jlutz\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1426127766-2644728579-1882971675-1237_Classes\CLSID\{FE0D8F60-5A07-40a1-85EC-4FFB7E0F2306}\localserver32 -> C:\Users\jlutz\AppData\Local\Roblox\Versions\version-e029025a3614426d\RobloxApp.exe (ROBLOX Corporation)
 
==================== Restore Points  =========================
 
24-10-2014 01:11:37 Windows Update
26-10-2014 17:25:15 ComboFix created restore point
26-10-2014 19:36:26 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {2FAC5872-C0E3-4DE4-8158-379922406B36} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-23] (Adobe Systems Incorporated)
Task: {71F272A1-0269-4CD6-9AC5-87A108B31CA0} - System32\Tasks\{35F6FD2A-E346-2F72-AFFE-47A35EDB6C99} => C:\Users\jlutz\AppData\Roaming\pgppk.dll [2014-10-09] () <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Loaded Modules (whitelisted) =============
 
2014-10-26 14:32 - 2014-10-26 14:32 - 00043008 _____ () c:\users\jlutz\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpis8kzz.dll
2013-08-23 14:01 - 2013-08-23 14:01 - 25100288 _____ () C:\Users\jlutz\AppData\Roaming\Dropbox\bin\libcef.dll
2011-03-17 00:11 - 2011-03-17 00:11 - 04297568 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-1652041402-110610488-1201771938-500 - Administrator - Disabled)
ctdean (S-1-5-21-1652041402-110610488-1201771938-1000 - Administrator - Enabled) => C:\Users\ctdean
Guest (S-1-5-21-1652041402-110610488-1201771938-501 - Limited - Disabled)
 
==================== Faulty Device Manager Devices =============
 
Name: Null
Description: Null
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: Null
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/26/2014 02:38:19 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (10/23/2014 10:32:12 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (10/23/2014 10:32:12 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (10/23/2014 10:32:12 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (10/23/2014 10:32:09 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (10/23/2014 10:32:05 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (10/23/2014 10:32:05 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (10/23/2014 10:31:59 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (10/23/2014 10:31:55 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (10/23/2014 10:31:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
 
System errors:
=============
Error: (10/26/2014 02:48:10 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.187.361.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.0.1526.00
 
Source Path: 4.0.1526.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (10/26/2014 02:33:34 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.
 
Error: (10/26/2014 02:32:18 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: BLRIEKE)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (10/26/2014 02:31:38 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (10/26/2014 02:31:27 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
Null
 
Error: (10/26/2014 02:31:22 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain BLRIEKE due to the following: 
%%1311
 
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
 
 
 
ADDITIONAL INFO
 
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
 
Error: (10/26/2014 01:26:44 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (10/26/2014 00:32:55 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.187.361.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.0.1526.00
 
Source Path: 4.0.1526.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (10/26/2014 00:27:31 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (10/26/2014 00:23:51 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {005A3A96-BAC4-4B0A-94EA-C0CE100EA736}
 
 
Microsoft Office Sessions:
=========================
Error: (10/26/2014 02:38:19 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (10/23/2014 10:32:12 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (10/23/2014 10:32:12 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (10/23/2014 10:32:12 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (10/23/2014 10:32:09 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (10/23/2014 10:32:05 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (10/23/2014 10:32:05 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (10/23/2014 10:31:59 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (10/23/2014 10:31:55 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (10/23/2014 10:31:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
 
==================== Memory info =========================== 
 
Processor: AMD Athlon™ 64 X2 Dual Core Processor 5000+
Percentage of memory in use: 47%
Total physical RAM: 2046.49 MB
Available physical RAM: 1081.13 MB
Total Pagefile: 4092.98 MB
Available Pagefile: 2979.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1889.82 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:297.94 GB) (Free:205.37 GB) NTFS
Drive i: (CORSAIR) (Removable) (Total:15.11 GB) (Free:6.39 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 58000000)
Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=297.9 GB) - (Type=07 NTFS)
 
========================================================
Disk: 5 (MBR Code: Windows XP) (Size: 15.1 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=15.1 GB) - (Type=0C)
 
==================== End Of Log ============================
 



 


#2 ctdeanks

ctdeanks
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:08 PM

Posted 26 October 2014 - 04:42 PM

RogueKiller report:

 

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : JLutz [Administrator]
Mode : Scan -- Date : 10/26/2014  16:39:20
 
¤¤¤ Processes : 2 ¤¤¤
[Proc.Svchost] svchost.exe -- C:\Windows\system32\svchost.exe[7] -> Killed [TermProc]
[Proc.Svchost] svchost.exe -- C:\Windows\system32\svchost.exe[7] -> Killed [TermThr]
 
¤¤¤ Registry : 13 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\jlutz\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\jlutz\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\Users\jlutz\AppData\Local\Temp\catchme.sys) -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-1426127766-2644728579-1882971675-1237\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.blrieke.com/  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.10.10.100  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.10.10.100  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.10.10.100  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{690DD755-A271-40D9-B3E6-672CFF3C30FF} | DhcpNameServer : 10.10.10.100  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{690DD755-A271-40D9-B3E6-672CFF3C30FF} | DhcpNameServer : 10.10.10.100  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{690DD755-A271-40D9-B3E6-672CFF3C30FF} | DhcpNameServer : 10.10.10.100  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1426127766-2644728579-1882971675-1237\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
 
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \\{35F6FD2A-E346-2F72-AFFE-47A35EDB6C99} -- C:\Windows\system32\regsvr32.exe (/s "C:\Users\jlutz\AppData\Roaming\pgppk.dll") -> Found
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 3 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_DevNode_Status : C:\Windows\system32\CFGMGR32.dll @ 0x75ce7498
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_Device_IDW : C:\Windows\system32\CFGMGR32.dll @ 0x75ce86ef
[IAT:Addr] (explorer.exe @ acppage.dll) sfc.dll - SfcIsFileProtected : C:\Windows\system32\sfc_os.DLL @ 0x71bf1e56
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HDT725032VLA SCSI Disk Device +++++
--- User ---
[MBR] ba76c12c13198a3a923bb4197122cde6
[BSP] 03f896d43fd327991aba875e0b041025 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 112640 | Size: 100 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 317440 | Size: 305089 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
 
+++++ PhysicalDrive1: DELL USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive2: DELL USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive3: DELL USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive4: DELL USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
 
============================================
RKreport_DEL_10202014_195717.log - RKreport_SCN_10202014_195635.log


#3 ctdeanks

ctdeanks
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:08 PM

Posted 27 October 2014 - 04:37 AM

***FIXED***

My hat is off to the ESET online scanner; it found and quarantined the following (over a 6-hour scan) and the PC is now running normally with no more dllhosts popping up. Hope this will help someone out there.

 

C:\Users\jlutz\AppData\Local\Temp\1f5c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F28DMDY2\mc8xgcdunx[1].htm JS/Exploit.Agent.NHP trojan cleaned by deleting - quarantined
C:\Users\jlutz\AppData\Local\Temp\39e0\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2E0Y44YM\37_220_9_236[1].htm Win32/Wigon.OV trojan cleaned by deleting - quarantined
C:\Users\jlutz\AppData\Local\Temp\39e0\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\520X9O94\37_220_9_236[2].htm a variant of Win32/Kryptik.CNML trojan cleaned by deleting - quarantined
C:\Users\jlutz\AppData\Local\Temp\39e0\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\54DK8BH3\37_220_9_236[1].htm a variant of Win32/Injector.BNKW trojan cleaned by deleting - quarantined
C:\Users\jlutz\AppData\Local\Temp\39e0\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\54DK8BH3\37_220_9_236[2].htm a variant of Win32/Injector.BNKT trojan cleaned by deleting - quarantined
C:\Users\jlutz\AppData\Local\Temp\39e0\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5PU1TW8J\37_220_9_236[1].htm a variant of Win32/Injector.BNKT trojan cleaned by deleting - quarantined
C:\Users\jlutz\AppData\Local\Temp\94bc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\96XQLK83\r[1].htm JS/Tivso.Gen trojan cleaned by deleting - quarantined
C:\Users\jlutz\AppData\Roaming\pgppk.dll a variant of MSIL/Injector.FWI trojan cleaned by deleting - quarantined
C:\Users\jlutz\AppData\Roaming\xvadhmh.dll a variant of MSIL/Injector.FWI trojan cleaned by deleting - quarantined
Operating memory a variant of Win32/TrojanDownloader.Cerabit.A trojan 
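The actionable part of this thread is the RogueKiller "Tasks" entry in post #2 (a scheduled task named with a bare GUID that runs regsvr32.exe /s on a DLL under %AppData%\Roaming) together with the ESET findings in post #3 (that same pgppk.dll plus xvadhmh.dll, and the dllhost.exe flood from post #1 that went away once they were removed). What follows is an added, read-only triage script for that pattern; it is not from the thread, from RogueKiller or from ESET. It assumes Windows PowerShell 2.0 or later in an elevated prompt on an English-locale system (the schtasks column names it reads are the English ones), uses schtasks.exe and Get-WmiObject rather than Get-ScheduledTask/Get-CimInstance so it also runs on the Windows 7 SP1 host in the thread, and the list of "user-writable" path fragments is my own choice of places a COM server should not normally live. The two DLL paths in the last step are copied from the ESET log above.

```powershell
# Added example, not from the thread, RogueKiller or ESET: read-only triage for a
# scheduled task that runs regsvr32.exe /s on a DLL in a user-writable directory,
# for the dllhost.exe (COM Surrogate) instances such a DLL can leave behind, and for
# leftovers of the two files ESET quarantined.
# Assumptions: Windows PowerShell 2.0+, elevated prompt, English-locale schtasks
# column names. schtasks.exe and Get-WmiObject are used on purpose so the script
# also runs on the Windows 7 SP1 host in the thread. Nothing here changes the system.

# Directory fragments a COM server or task payload should not normally live under
# (my own list; extend it for your environment).
$userWritable = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\')

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($fragment in $userWritable) {
        if ($Path -like "*$fragment*") { return $true }
    }
    return $false
}

# 1. Scheduled tasks. Flag (a) regsvr32/rundll32 actions whose argument lives in a
#    user-writable directory and (b) tasks whose name is nothing but a GUID, the
#    shape of "\{35F6FD2A-E346-2F72-AFFE-47A35EDB6C99} -- regsvr32.exe /s ...pgppk.dll".
$guidName = '^\\?\{[0-9A-Fa-f-]{36}\}$'
$tasks = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
         Where-Object { $_.TaskName -ne 'TaskName' }   # schtasks repeats the header per folder
foreach ($t in $tasks) {
    $name   = [string]$t.TaskName
    $action = [string]$t.'Task To Run'
    $lolbin = $action -match '(?i)\b(regsvr32|rundll32)(\.exe)?\b'
    if (($lolbin -and (Test-UserWritablePath $action)) -or ($name -match $guidName)) {
        Write-Output ('[Task] {0}' -f $name)
        Write-Output ('       runs:   {0}' -f $action)
        Write-Output ('       status: {0}  last result: {1}' -f $t.Status, $t.'Last Result')
    }
}

# 2. dllhost.exe instances with their parent process and command line. A surrogate
#    started for a real COM server normally carries /Processid:{CLSID}; dozens of
#    instances, or instances with an unexpected parent, are the symptom to chase.
$procs = @(Get-WmiObject Win32_Process)
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in $procs) {
    if ($p.Name -ne 'dllhost.exe') { continue }
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    Write-Output ('[Proc] dllhost.exe pid={0} parent={1} (pid {2}) cmd={3}' -f `
        $p.ProcessId, $parentName, $p.ParentProcessId, $p.CommandLine)
}

# 3. COM servers registered from user-writable paths. "regsvr32 /s x.dll" calls the
#    DLL's DllRegisterServer, which typically writes CLSID\{...}\InProcServer32; a
#    server whose default value points into %AppData% deserves a look. HKCU classes
#    are included because writing them needs no admin rights. (On a 64-bit host add
#    HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID; the machine in this thread is 32-bit.)
$hives = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')
foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    foreach ($clsid in @(Get-ChildItem $hive -ErrorAction SilentlyContinue)) {
        $key = Join-Path $clsid.PSPath 'InProcServer32'
        if (-not (Test-Path $key)) { continue }
        $server = [string](Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($server -and (Test-UserWritablePath $server)) {
            Write-Output ('[COM] {0}\{1} -> {2}' -f $hive, $clsid.PSChildName, $server)
        }
    }
}

# 4. The two DLLs ESET quarantined (paths copied from the ESET log in this thread):
#    report whether anything by those names is still on disk after cleanup.
$quarantined = @('C:\Users\jlutz\AppData\Roaming\pgppk.dll',
                 'C:\Users\jlutz\AppData\Roaming\xvadhmh.dll')
foreach ($f in $quarantined) {
    $state = if (Test-Path -LiteralPath $f) { 'STILL PRESENT' } else { 'absent' }
    Write-Output ('[File] {0}: {1}' -f $f, $state)
}
```

Save it as triage.ps1 and run it with "powershell -ExecutionPolicy Bypass -File .\triage.ps1" from an elevated prompt. Treat each hit as a lead rather than a verdict: some legitimate installers do register COM servers under ProgramData, and a dllhost.exe with a /Processid:{CLSID} argument whose parent is the DcomLaunch svchost is ordinary. A GUID-named task that calls regsvr32 /s on a DLL in a profile directory, as in post #2, is the combination worth acting on, and removing only the task without the DLL (or the DLL's CLSID registration) is how this kind of cleanup usually fails.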



#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:08 PM

Posted 31 October 2014 - 03:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/553426 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:08 PM

Posted 05 November 2014 - 04:20 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!



