Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Malware blocking most internet access, possibly patched system files

  • This topic is locked This topic is locked
5 replies to this topic

#1 jack crow

jack crow

  • Members
  • 10 posts
  • Local time:05:58 PM

Posted 18 December 2014 - 07:34 PM

Hi folks,


Broni had been helping me in this thread and he suggested that I run DDS and start a new thread here. Here's what I'd posted earlier:


I think I've got some malware on a Win 7 laptop that's blocking Internet access. Here's why I believe that.


  • Non-web browsers (like Steam) seem to be able to access the internet, albeit slowly. 
  • Web browsers like Firefox and Chrome can't access the internet ("Server not found") for sites like Google, but sites like Bing come up (sometimes) with broken frames.
  • I recently had a Lasoren infection that I thought I'd removed with Malware Bytes.


  • I have a clean Mac that I'm using to transfer files to the infected Windows machine via USB drive.

I've run DDS -- the logs are attached/pasted as requested. Thanks to whoever picks up the ball from here -- it's amazing that so many of you are so willing to volunteer your time like this. Standing by for instructions!






DDS (Ver_2012-11-20.01) - NTFS_AMD64 

Internet Explorer: 11.0.9600.17496  BrowserJavaVersion: 10.67.2
Run by Rizo at 0:25:32 on 2014-12-19
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.4002.2149 [GMT 0:00]
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\Spotflux\services\SpotfluxUpdateService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://Lasaoren.com/?f=1&a=lrn_frg01_14_38_ch&cd=2XzuyEtN2Y1L1QzuyE0CzztDzytAzytDtD0B0AyEzzyC0DyEtN0D0Tzu0SzyzytBtN1L2XzutAtFtBtFyEtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StDyEzzyEzyyE0EtCtGyE0C0C0EtGyE0EyCtBtG0AyE0B0FtGyE0AyByCyD0E0DyCyD0F0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzy0BtCtCyD0BtBtGtDyEtAyCtGyE0D0DyEtGzyyCyCyEtG0F0EzytCtAzytC0AtB0D0ByC2Q&cr=518267123&ir=
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\mcafee\msk\mskapbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRunOnce: [DSUpdateLauncher] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe"
mRunOnce: [STToasterLauncher] C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: NameServer =
TCP: Interfaces\{3883EBF5-4B88-4AB9-B2EB-48B43421695A} : DHCPNameServer =
TCP: Interfaces\{DFC67C24-2408-400D-A130-615837D96D82} : DHCPNameServer =
TCP: Interfaces\{EEE3263A-92C0-4DF9-BAD3-D24EBF953E6E} : NameServer =,
TCP: Interfaces\{EEE3263A-92C0-4DF9-BAD3-D24EBF953E6E} : DHCPNameServer =
TCP: Interfaces\{EEE3263A-92C0-4DF9-BAD3-D24EBF953E6E}\6796277696E6D65646961633836383131303 : DHCPNameServer =
TCP: Interfaces\{EEE3263A-92C0-4DF9-BAD3-D24EBF953E6E}\8616E6E61686030313 : DHCPNameServer =
TCP: Interfaces\{EEE3263A-92C0-4DF9-BAD3-D24EBF953E6E}\F4C646F5A457963656 : DHCPNameServer =
SSODL: WebCheck - <orphaned>
x64-BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - 
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Rizo\AppData\Roaming\Mozilla\Firefox\Profiles\wzidcbov.default\
FF - prefs.js: browser.search.selectedEngine - Lasaoren
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Users\Rizo\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_206.dll
FF - user.js: extensions.srchlsrn.aflt - lrn_frg01_14_38_ch
FF - user.js: extensions.srchlsrn.instlRef - 142905_b
FF - user.js: extensions.srchlsrn.cr - 518267123
FF - user.js: extensions.srchlsrn.cd - 2XzuyEtN2Y1L1QzuyE0CzztDzytAzytDtD0B0AyEzzyC0DyEtN0D0Tzu0SzyzytBtN1L2XzutAtFtBtFyEtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StDyEzzyEzyyE0EtCtGyE0C0C0EtGyE0EyCtBtG0AyE0B0FtGyE0AyByCyD0E0DyCyD0F0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzy0BtCtCyD0BtBtGtDyEtAyCtGyE0D0DyEtGzyyCyCyEtG0F0EzytCtAzytC0AtB0D0ByC2Q
============= SERVICES / DRIVERS ===============
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-9-11 8704]
R0 nvpciflt;nvpciflt;C:\Windows\System32\drivers\nvpciflt.sys [2014-12-6 31560]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-6-15 55856]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-8-21 283200]
R1 nvkflt;nvkflt;C:\Windows\System32\drivers\nvkflt.sys [2014-12-6 300352]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-6-15 89600]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2010-11-3 897088]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2010-11-3 983104]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 Dokan;Dokan;C:\Windows\System32\drivers\dokan.sys [2011-1-10 120408]
R2 DokanMounter;DokanMounter;C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe [2011-1-10 14848]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-6-15 13336]
R2 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2014-9-17 1720608]
R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [2014-9-17 18956064]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-6-15 689472]
R2 SpotfluxUpdateService;Spotflux Update Service;C:\Program Files (x86)\Spotflux\services\SpotfluxUpdateService.exe [2013-11-25 28160]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2014-12-6 409800]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-6-15 2655768]
R3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2010-11-3 1298496]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2010-11-4 58128]
R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2010-10-19 274432]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2012-6-15 175168]
R3 iBtFltCoex;iBtFltCoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2010-11-4 59904]
R3 NvStreamKms;NvStreamKms;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [2014-9-17 20256]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2014-9-17 40392]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
R3 tapSF0901;Spotflux Virtual Network Device Driver;C:\Windows\System32\drivers\tapSF0901.sys [2013-7-8 39104]
R3 tihub3;TI USB3 Hub Service;C:\Windows\System32\drivers\tihub3.sys [2010-10-28 124080]
R3 tixhci;TI XHCI Service;C:\Windows\System32\drivers\tixhci.sys [2010-10-28 359088]
R3 wdkmd;Intel WiDi KMD;C:\Windows\System32\drivers\WDKMD.sys [2010-12-1 42392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 Desura Install Service;Desura Install Service;C:\Program Files (x86)\Common Files\Desura\desura_service.exe [2012-7-2 131912]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-12-10 114688]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-12-17 340240]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2010-7-30 25072]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2012-6-15 250984]
S3 tapoas;TAP-Win32 Adapter OAS;C:\Windows\System32\drivers\tapoas.sys [2012-7-15 30720]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-3 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2014-8-15 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-1-3 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S4 0148491341227297mcinstcleanup;McAfee Application Installer Cleanup (0148491341227297);C:\windows\TEMP\014849~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> C:\windows\TEMP\014849~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
=============== Created Last 30 ================
2014-12-18 01:09:34 -------- d-sh--w- C:\Users\Rizo\AppData\Local\EmieBrowserModeList
2014-12-16 00:51:00 -------- d-----w- C:\Users\Rizo\AppData\Roaming\Goldhawk Interactive
2014-12-16 00:51:00 -------- d-----w- C:\ProgramData\Goldhawk Interactive
2014-12-10 03:02:43 24576 ----a-w- C:\Windows\System32\mfpmp.exe
2014-12-10 03:02:43 2048 ----a-w- C:\Windows\SysWow64\mferror.dll
2014-12-10 03:02:43 2048 ----a-w- C:\Windows\System32\mferror.dll
2014-12-10 03:02:42 55808 ----a-w- C:\Windows\System32\rrinstaller.exe
2014-12-10 03:02:42 50176 ----a-w- C:\Windows\SysWow64\rrinstaller.exe
2014-12-10 03:02:42 4121600 ----a-w- C:\Windows\System32\mf.dll
2014-12-10 03:02:42 3209728 ----a-w- C:\Windows\SysWow64\mf.dll
2014-12-10 03:02:42 23040 ----a-w- C:\Windows\SysWow64\mfpmp.exe
2014-12-10 03:02:42 206848 ----a-w- C:\Windows\System32\mfps.dll
2014-12-10 03:02:42 103424 ----a-w- C:\Windows\SysWow64\mfps.dll
2014-12-10 01:21:48 11632448 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B8D714B3-DA80-407D-BCA9-A3923D4ED919}\mpengine.dll
2014-12-07 22:48:32 -------- d-----w- C:\Users\Rizo\AppData\Roaming\MMFApplications
2014-12-06 16:38:59 -------- d-----w- C:\Windows\SysWow64\NV
2014-12-06 16:38:59 -------- d-----w- C:\Windows\System32\NV
2014-12-06 16:36:51 615624 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2014-12-06 16:34:04 683520 ----a-w- C:\Windows\System32\termsrv.dll
2014-12-06 16:34:03 681984 ----a-w- C:\Windows\SysWow64\adtschema.dll
2014-12-06 16:34:03 681984 ----a-w- C:\Windows\System32\adtschema.dll
2014-12-06 16:34:02 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2014-12-06 16:34:02 146432 ----a-w- C:\Windows\System32\msaudite.dll
2014-12-06 16:32:59 500224 ----a-w- C:\Windows\System32\AUDIOKSE.dll
2014-12-06 16:26:57 3198976 ----a-w- C:\Windows\System32\win32k.sys
2014-12-06 16:25:17 77824 ----a-w- C:\Windows\System32\packager.dll
2014-12-06 16:25:17 67584 ----a-w- C:\Windows\SysWow64\packager.dll
2014-12-06 16:23:25 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2014-12-06 16:23:25 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
==================== Find3M  ====================
2014-12-18 11:13:50 96472 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-12-18 10:51:34 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-11-24 14:04:56 275080 ------w- C:\Windows\System32\MpSigStub.exe
2014-11-22 03:06:23 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-11-22 03:06:11 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39 66560 ----a-w- C:\Windows\System32\iesetup.dll
2014-11-22 02:50:10 580096 ----a-w- C:\Windows\System32\vbscript.dll
2014-11-22 02:49:54 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2014-11-22 02:35:43 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-11-22 02:35:29 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-11-22 02:34:51 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-11-22 02:34:07 6039552 ----a-w- C:\Windows\System32\jscript9.dll
2014-11-22 02:26:31 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43 501248 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-11-22 02:07:17 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-11-22 02:06:32 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2014-11-22 01:55:16 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-11-22 01:54:30 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58 2125312 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-11-22 01:40:04 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26 4299264 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-11-22 01:28:21 2358272 ----a-w- C:\Windows\System32\wininet.dll
2014-11-22 01:22:49 2052096 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20 1888256 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-11-12 21:56:45 6897352 ----a-w- C:\Windows\System32\nvcpl.dll
2014-11-12 21:56:45 3534152 ----a-w- C:\Windows\System32\nvsvc64.dll
2014-11-12 21:56:42 934032 ----a-w- C:\Windows\System32\nvvsvc.exe
2014-11-12 21:56:42 67072 ----a-w- C:\Windows\System32\nv3dappshextr.dll
2014-11-12 21:56:42 62608 ----a-w- C:\Windows\System32\nvshext.dll
2014-11-12 21:56:42 386368 ----a-w- C:\Windows\System32\nvmctray.dll
2014-11-12 21:56:42 2559808 ----a-w- C:\Windows\System32\nvsvcr.dll
2014-11-12 21:56:42 1092752 ----a-w- C:\Windows\System32\nv3dappshext.dll
2014-11-11 10:29:54 4100776 ----a-w- C:\Windows\System32\nvcoproc.bin
2014-11-11 03:09:06 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-11-11 03:08:52 241152 ----a-w- C:\Windows\System32\pku2u.dll
2014-11-11 03:08:48 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-11-11 02:44:45 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-11-11 02:44:32 186880 ----a-w- C:\Windows\SysWow64\pku2u.dll
2014-11-11 02:44:25 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-11-11 01:46:26 119296 ----a-w- C:\Windows\System32\drivers\tdx.sys
2014-11-08 03:16:08 2048 ----a-w- C:\Windows\System32\tzres.dll
2014-11-08 02:45:09 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2014-10-30 02:04:21 1480192 ----a-w- C:\Windows\System32\crypt32.dll
2014-10-30 02:03:43 165888 ----a-w- C:\Windows\System32\charmap.exe
2014-10-30 01:46:24 1174528 ----a-w- C:\Windows\SysWow64\crypt32.dll
2014-10-30 01:45:43 155136 ----a-w- C:\Windows\SysWow64\charmap.exe
2014-10-16 16:54:03 1876296 ----a-w- C:\Windows\System32\nvdispco6434448.dll
2014-10-16 16:54:03 1539272 ----a-w- C:\Windows\System32\nvdispgenco6434448.dll
2014-10-14 02:16:37 155064 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:00 3241984 ----a-w- C:\Windows\System32\msi.dll
2014-10-14 02:12:57 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-10-14 01:50:47 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-10-14 01:50:41 2363904 ----a-w- C:\Windows\SysWow64\msi.dll
2014-10-14 01:49:38 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-10-03 02:12:23 310272 ----a-w- C:\Windows\System32\WsmWmiPl.dll
2014-10-03 02:12:23 2020352 ----a-w- C:\Windows\System32\WsmSvc.dll
2014-10-03 02:12:22 346624 ----a-w- C:\Windows\System32\WSManMigrationPlugin.dll
2014-10-03 02:12:22 181248 ----a-w- C:\Windows\System32\WsmAuto.dll
2014-10-03 02:11:54 284672 ----a-w- C:\Windows\System32\EncDump.dll
2014-10-03 02:11:51 680960 ----a-w- C:\Windows\System32\audiosrv.dll
2014-10-03 02:11:51 440832 ----a-w- C:\Windows\System32\AudioEng.dll
2014-10-03 02:11:51 296448 ----a-w- C:\Windows\System32\AudioSes.dll
2014-10-03 02:11:49 266240 ----a-w- C:\Windows\System32\WSManHTTPConfig.exe
2014-10-03 01:45:03 248832 ----a-w- C:\Windows\SysWow64\WSManMigrationPlugin.dll
2014-10-03 01:45:03 214016 ----a-w- C:\Windows\SysWow64\WsmWmiPl.dll
2014-10-03 01:45:03 145920 ----a-w- C:\Windows\SysWow64\WsmAuto.dll
2014-10-03 01:45:03 1177088 ----a-w- C:\Windows\SysWow64\WsmSvc.dll
2014-10-03 01:44:42 442880 ----a-w- C:\Windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44:26 374784 ----a-w- C:\Windows\SysWow64\AudioEng.dll
2014-10-03 01:44:26 195584 ----a-w- C:\Windows\SysWow64\AudioSes.dll
2014-10-03 01:44:25 198656 ----a-w- C:\Windows\SysWow64\WSManHTTPConfig.exe
2014-09-25 02:08:38 371712 ----a-w- C:\Windows\System32\qdvd.dll
2014-09-25 01:40:50 519680 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-10-15 20:21:40 0 ----a-w- C:\Program Files (x86)\FallenEnchantress.exe
============= FINISH:  0:25:49.12 ===============

Edited by jack crow, 18 December 2014 - 07:42 PM.

BC AdBot (Login to Remove)


#2 jack crow

jack crow
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:58 PM

Posted 18 December 2014 - 07:41 PM

The forum software didn't like my attachment last time so here's the attach.zip from the DDS logs.

Attached Files

Edited by jack crow, 18 December 2014 - 07:42 PM.

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,769 posts
  • Gender:Male
  • Local time:01:58 PM

Posted 23 December 2014 - 07:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/560319 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 jack crow

jack crow
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:58 PM

Posted 23 December 2014 - 08:21 PM

Hey there, I do still need help.


I don't have easy access to a Windows 7 disc. I've got one somewhere but it would be a bear to find.

#5 Machiavelli


    Agent 007

  • Malware Response Instructor
  • 4,133 posts
  • Gender:Male
  • Location:Germany
  • Local time:12:58 PM

Posted 24 December 2014 - 03:38 PM

Hello and Welcome on board ,

my Name is Machiavelli and I will assist you with your problem.
If you booted into safe mode on your computer then print my instructions!
I'm in the 'Malware Staff Team' and will provide you with advice:

To remove Malware on a computer can be very complicated. Malware (malicious software) is able to hide and so I may not be able to find it so easily. In order to remove Malware from you Computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do. just ask me! Please stay in contact with me until the problem is fixed.

Below are a few tips:
  • Removing Malware is usually very difficult.
    We need to search and analyse a lot of files. As this is done in our free time, please be patient especially if I don't answer every day!
  • Please follow these instructions
    If you don't follow the instructions your computer may crash. If you fix your PC by yourself, this can be very risky!
  • Please stay in contact with me until your problem is resolved
    As Malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.
  • Please don't run any other tools without consulting with me as this can complicate finding and removing all Malware
    Don't run any tools while I'm fixing your PC. That is counter productive and again, will only complicate finding and removing all Malware!
  • Read my post completely
    If you don't do so, you may make mistakes that could result in your System crashing by your own actions!

Please download FRST (by Farbar) from the link below and save it to your Desktop.

Download Mirror #1

If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
  • Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.


If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.


#6 Machiavelli


    Agent 007

  • Malware Response Instructor
  • 4,133 posts
  • Gender:Male
  • Location:Germany
  • Local time:12:58 PM

Posted 28 December 2014 - 07:33 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.


If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users