MDYoung Posted July 27, 2013 (ID:707837)

Have a niggling feeling that something slipped past Webroot and Malwarebytes. The computer has been sluggish and I keep spotting DOS boxes pop up at odd times. Haven't been able to do a screen capture since the DOS box is there and gone, so I'm not sure if they're legitimate updates or what. Anyway, here are the results of dds.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537 BrowserJavaVersion: 10.25.2
Run by DandD at 10:20:40 on 2013-07-27
Microsoft Windows 8 6.2.9200.0.1252.1.1033.18.5580.4182 [GMT -5:00]
.
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
.
============== Running Processes ===============
.
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WRSA.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\dwm.exe
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE
C:\windows\system32\svchost.exe -k apphost
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\FUJIFILM\FUJIFILM PC AutoSave\PCAutoSaveSv.exe
C:\windows\system32\lxeccoms.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\dashost.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\taskhostex.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\Explorer.EXE
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Program Files\Webroot\WRSA.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR.exe
C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR_HIDList.exe
C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\CNYHKEY.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteUser.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Do Not Track Me: {6E45F3E8-2683-4824-A6BE-08108022FB36} - C:\Program Files (x86)\DoNotTrackPlus\IE\DNTPAddon.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Webroot Vault: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\PKG\LPBar.dll
BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\PKG\LPBar.dll
TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [Power2GoExpress8] NA
mRun: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [CLMLServer_For_P2G8] "c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe"
mRun: [CLVirtualDrive] "c:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" /R
mRun: [bATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR.exe
mRun: [bATINDICATORHL] C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR_HIDList.exe
mRun: [OSDTool] C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\CNYHKEY.exe
mRun: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\DandD\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\DandD\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\DandD\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RCADET~1.LNK - C:\Users\DandD\Documents\RCA Detective\RCADetective.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\INSTAL~2.LNK - C:\Program Files (x86)\Common Files\wruninstall.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\INSTAL~1.LNK - C:\Program Files (x86)\Common Files\wruninstall.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\SETFUJ~1.LNK - C:\Program Files (x86)\FUJIFILM\FUJIFILM PC AutoSave\Manager.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\PKG\LPBar.dll
IE: {6E45F3E8-2683-4824-A6BE-08108022FB36} - {23249465-AA46-4DED-BD4B-8EFB20F968FE} - C:\Program Files (x86)\DoNotTrackPlus\IE\DNTPAddon.dll
TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{9609E145-7AD3-499F-8E0A-51A197DBCDD7} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Webroot Vault: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\PKG\LPBar64.dll
x64-BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
x64-TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\PKG\LPBar64.dll
x64-TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\PKG\LPBar64.dll
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\DandD\AppData\Roaming\Mozilla\Firefox\Profiles\err6paj2.default-1368540370859\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.refdesk.com
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\windows\System32\Drivers\amd_sata.sys [2013-3-31 80552]
R0 amd_xata;amd_xata;C:\windows\System32\Drivers\amd_xata.sys [2013-3-31 26280]
R0 WRkrn;WRkrn;C:\windows\System32\Drivers\WRkrn.sys [2013-4-16 114120]
R1 CLVirtualDrive;CLVirtualDrive;C:\windows\System32\Drivers\CLVirtualDrive.sys [2013-2-19 92536]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-17 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2012-8-8 239616]
R2 FFPCAutoSave;FUJIFILM PC AutoSave;C:\Program Files (x86)\FUJIFILM\FUJIFILM PC AutoSave\PCAutoSaveSv.exe [2013-2-28 94208]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]
R2 HPConnectedRemote;HP Connected Remote Service;C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [2012-8-29 35232]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2013-2-19 2451456]
R2 lxec_device;lxec_device;C:\windows\System32\lxeccoms.exe -service --> C:\windows\System32\lxeccoms.exe -service [?]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-4-16 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-4-16 701512]
R2 WRSVC;WRSVC;C:\Program Files\Webroot\WRSA.exe [2013-4-16 742344]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\Drivers\mbam.sys [2013-4-16 25928]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\windows\System32\Drivers\netr28x.sys [2013-4-15 2482960]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\windows\System32\Drivers\RtsPStor.sys [2012-7-4 339600]
R3 RTL8168;Realtek 8168 NT Driver;C:\windows\System32\Drivers\Rt630x64.sys [2013-7-18 723088]
R3 usbfilter;AMD USB Filter Driver;C:\windows\System32\Drivers\usbfilter.sys [2012-3-31 56448]
S2 HPRegistrationSvc;HP Registration Service;C:\Program Files (x86)\Hewlett-Packard\HP Registration Service\HPRegistrationService.exe [2012-7-18 205216]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 RDID1061;UA-4FX;C:\windows\System32\Drivers\Rdwm1061.sys [2013-4-26 201728]
S3 WUDFWpdMtp;WUDFWpdMtp;C:\windows\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=C:\windows\System32\NOTEPAD.EXE %1 [userChoice]
.
=============== Created Last 30 ================
.
2013-07-21 22:38:52 -------- d-----w- C:\Users\DandD\AppData\Local\HP Quick Start
2013-07-20 23:16:19 -------- d-----w- C:\Users\DandD\AppData\Local\Temp
2013-07-18 18:49:02 -------- d-----w- C:\windows\System32\MRT
2013-07-18 16:11:18 -------- d-----w- C:\windows\LastGood.Tmp
2013-07-18 16:11:02 74344 ----a-w- C:\windows\System32\RtNicProp64.dll
2013-07-18 16:11:02 723088 ----a-w- C:\windows\System32\drivers\Rt630x64.sys
2013-07-18 16:10:46 -------- d-----w- C:\Users\DandD\AppData\Roaming\WinBatch
2013-07-18 16:04:58 -------- d-----w- C:\ProgramData\{9BF4D58B-C6D6-467B-BC5A-FD0C1278F4AF}
2013-07-11 12:34:04 2035200 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
2013-07-11 12:34:04 1617920 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2013-07-11 12:34:04 1413632 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkObj.dll
2013-07-11 12:34:04 1318912 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2013-07-11 12:34:04 1306112 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2013-07-11 12:34:04 1272320 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 12:34:04 1029632 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\journal.dll
2013-06-27 16:17:25 92056 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
.
==================== Find3M ====================
.
2013-06-27 22:04:51 78200 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-27 22:04:51 693112 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2013-06-20 13:11:42 151664 ----a-w- C:\windows\SysWow64\WRusr.dll
2013-06-20 13:11:42 114120 ----a-w- C:\windows\System32\drivers\WRkrn.sys
2013-06-20 13:11:42 104296 ----a-w- C:\windows\System32\WRusr.dll
2013-06-16 22:41:31 997632 ----a-w- C:\windows\System32\drivers\ndis.sys
2013-06-13 02:48:23 867240 ----a-w- C:\windows\SysWow64\npDeployJava1.dll
2013-06-13 02:48:17 789416 ----a-w- C:\windows\SysWow64\deployJava1.dll
2013-06-13 02:47:57 96168 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-11 23:43:37 1767936 ----a-w- C:\windows\SysWow64\wininet.dll
2013-06-11 23:43:00 2877440 ----a-w- C:\windows\SysWow64\jscript9.dll
2013-06-11 23:26:20 2241024 ----a-w- C:\windows\System32\wininet.dll
2013-06-11 23:25:16 3958784 ----a-w- C:\windows\System32\jscript9.dll
2013-06-01 11:54:16 194816 ----a-w- C:\windows\System32\drivers\sdbus.sys
2013-06-01 11:54:10 125184 ----a-w- C:\windows\System32\drivers\dumpsd.sys
2013-06-01 11:34:21 2391280 ----a-w- C:\windows\explorer.exe
2013-06-01 11:33:13 2233600 ----a-w- C:\windows\System32\drivers\tcpip.sys
2013-06-01 11:29:35 337152 ----a-w- C:\windows\System32\drivers\USBXHCI.SYS
2013-06-01 11:29:35 213248 ----a-w- C:\windows\System32\drivers\UCX01000.SYS
2013-06-01 11:26:33 327936 ----a-w- C:\windows\System32\drivers\volsnap.sys
2013-06-01 11:26:31 6987008 ----a-w- C:\windows\System32\ntoskrnl.exe
2013-06-01 10:24:46 2106176 ----a-w- C:\windows\SysWow64\explorer.exe
2013-06-01 09:25:52 364544 ----a-w- C:\windows\SysWow64\XpsGdiConverter.dll
2013-06-01 09:25:05 67584 ----a-w- C:\windows\SysWow64\samlib.dll
2013-06-01 09:25:03 496640 ----a-w- C:\windows\SysWow64\qedit.dll
2013-06-01 09:24:19 493056 ----a-w- C:\windows\SysWow64\mscms.dll
2013-06-01 09:24:09 850944 ----a-w- C:\windows\SysWow64\mfasfsrcsnk.dll
2013-06-01 09:24:09 1453568 ----a-w- C:\windows\SysWow64\mfcore.dll
2013-06-01 09:23:46 1842176 ----a-w- C:\windows\SysWow64\dwmcore.dll
2013-06-01 09:23:06 680960 ----a-w- C:\windows\System32\vds.exe
2013-06-01 09:22:47 80896 ----a-w- C:\windows\System32\MbaeParserTask.exe
2013-06-01 09:22:33 523264 ----a-w- C:\windows\System32\XpsGdiConverter.dll
2013-06-01 09:22:33 446976 ----a-w- C:\windows\System32\wwansvc.dll
2013-06-01 09:22:09 190976 ----a-w- C:\windows\System32\vdsutil.dll
2013-06-01 09:21:39 729600 ----a-w- C:\windows\System32\samsrv.dll
2013-06-01 09:21:39 106496 ----a-w- C:\windows\System32\samlib.dll
2013-06-01 09:21:34 595968 ----a-w- C:\windows\System32\qedit.dll
2013-06-01 09:20:45 583168 ----a-w- C:\windows\System32\mscms.dll
2013-06-01 09:20:34 1527808 ----a-w- C:\windows\System32\mfcore.dll
2013-06-01 09:20:34 1048576 ----a-w- C:\windows\System32\mfasfsrcsnk.dll
2013-06-01 09:20:04 2219520 ----a-w- C:\windows\System32\dwmcore.dll
2013-06-01 09:19:58 207872 ----a-w- C:\windows\System32\DeviceSetupManager.dll
2013-06-01 09:19:42 785408 ----a-w- C:\windows\System32\audiosrv.dll
2013-06-01 03:08:57 37632 ----a-w- C:\windows\System32\drivers\BthAvrcpTg.sys
2013-05-30 23:14:23 4036096 ----a-w- C:\windows\System32\win32k.sys
2013-05-24 22:09:20 1403296 ----a-w- C:\windows\System32\winload.efi
2013-05-24 22:09:20 1271584 ----a-w- C:\windows\System32\winload.exe
2013-05-24 22:09:20 1217352 ----a-w- C:\windows\System32\winresume.efi
2013-05-24 22:09:20 1093904 ----a-w- C:\windows\System32\winresume.exe
2013-05-23 23:01:46 1300992 ----a-w- C:\windows\System32\gdi32.dll
2013-05-23 22:27:05 1022464 ----a-w- C:\windows\SysWow64\gdi32.dll
2013-05-15 22:37:03 44032 ----a-w- C:\windows\SysWow64\UXInit.dll
2013-05-15 22:35:49 53760 ----a-w- C:\windows\System32\UXInit.dll
2013-05-15 22:35:47 144384 ----a-w- C:\windows\System32\tssdisai.dll
2013-05-15 02:25:59 888320 ----a-w- C:\windows\System32\autochk.exe
2013-05-15 02:25:44 542208 ----a-w- C:\windows\System32\untfs.dll
2013-05-15 02:24:10 793088 ----a-w- C:\windows\SysWow64\autochk.exe
2013-05-15 02:24:01 482816 ----a-w- C:\windows\SysWow64\untfs.dll
2013-05-14 13:14:01 2706432 ----a-w- C:\windows\System32\mshtml.tlb
2013-05-14 09:23:31 2706432 ----a-w- C:\windows\SysWow64\mshtml.tlb
2013-05-04 07:58:17 120736 ----a-w- C:\windows\System32\AuthHost.exe
2013-05-04 07:34:17 446720 ----a-w- C:\windows\System32\drivers\USBHUB3.SYS
2013-05-04 07:34:15 284416 ----a-w- C:\windows\System32\drivers\spaceport.sys
2013-05-04 06:59:56 39424 ----a-w- C:\windows\System32\wuapp.exe
2013-05-04 06:59:51 1483776 ----a-w- C:\windows\System32\VSSVC.exe
2013-05-04 06:59:36 812544 ----a-w- C:\windows\System32\Magnify.exe
2013-05-04 06:59:25 98304 ----a-w- C:\windows\System32\wudriver.dll
2013-05-04 06:59:25 251904 ----a-w- C:\windows\System32\WUSettingsProvider.dll
2013-05-04 06:59:25 141824 ----a-w- C:\windows\System32\wuwebv.dll
2013-05-04 06:59:24 1619968 ----a-w- C:\windows\System32\wucltux.dll
2013-05-04 06:59:21 2842112 ----a-w- C:\windows\System32\WMVDECOD.DLL
2013-05-04 06:59:08 13644288 ----a-w- C:\windows\System32\Windows.UI.Xaml.dll
2013-05-04 06:58:54 328192 ----a-w- C:\windows\System32\ubpm.dll
2013-05-04 06:58:54 10116096 ----a-w- C:\windows\System32\twinui.dll
2013-05-04 06:58:49 173568 ----a-w- C:\windows\System32\storewuauth.dll
2013-05-04 06:58:49 1332736 ----a-w- C:\windows\System32\sysmain.dll
2013-05-04 06:58:48 330240 ----a-w- C:\windows\System32\stobject.dll
2013-05-04 06:58:28 93696 ----a-w- C:\windows\System32\psmsrv.dll
2013-05-04 06:58:02 470528 ----a-w- C:\windows\System32\netprofmsvc.dll
2013-05-04 06:58:02 151552 ----a-w- C:\windows\System32\netprofm.dll
2013-05-04 06:58:01 169984 ----a-w- C:\windows\System32\netplwiz.dll
2013-05-04 06:57:59 17408 ----a-w- C:\windows\System32\muifontsetup.dll
2013-05-04 06:57:46 560640 ----a-w- C:\windows\System32\mfmp4srcsnk.dll
2013-05-04 06:57:15 501760 ----a-w- C:\windows\System32\DevicePairing.dll
2013-05-04 06:57:05 179712 ----a-w- C:\windows\System32\bisrv.dll
2013-05-04 06:57:05 122368 ----a-w- C:\windows\System32\biwinrt.dll
2013-05-04 06:57:04 389120 ----a-w- C:\windows\System32\BCP47Langs.dll
2013-05-04 06:57:04 2305024 ----a-w- C:\windows\System32\authui.dll
2013-05-04 06:57:00 708096 ----a-w- C:\windows\System32\AppXDeploymentExtensions.dll
2013-05-04 06:57:00 1131520 ----a-w- C:\windows\System32\AppXDeploymentServer.dll
2013-05-04 06:56:53 419840 ----a-w- C:\windows\System32\intl.cpl
2013-05-04 04:58:34 34304 ----a-w- C:\windows\SysWow64\wuapp.exe
2013-05-04 04:58:14 758784 ----a-w- C:\windows\SysWow64\Magnify.exe
2013-05-04 04:58:02 83968 ----a-w- C:\windows\SysWow64\wudriver.dll
2013-05-04 04:58:02 125952 ----a-w- C:\windows\SysWow64\wuwebv.dll
2013-05-04 04:57:58 2620928 ----a-w- C:\windows\SysWow64\WMVDECOD.DLL
2013-05-04 04:57:49 10788864 ----a-w- C:\windows\SysWow64\Windows.UI.Xaml.dll
2013-05-04 04:57:39 8857088 ----a-w- C:\windows\SysWow64\twinui.dll
2013-05-04 04:57:39 247296 ----a-w- C:\windows\SysWow64\ubpm.dll
2013-05-04 04:57:35 303616 ----a-w- C:\windows\SysWow64\stobject.dll
.
============= FINISH: 10:20:53.34 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 8
Boot Device: \Device\HarddiskVolume2
Install Date: 4/16/2013 10:13:28 AM
System Uptime: 7/27/2013 7:49:35 AM (3 hours ago)
.
Motherboard: PEGATRON CORPORATION | | 2AEE
Processor: AMD A6-5400K APU with Radeon HD Graphics | P0 | 3600/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 910 GiB total, 845.815 GiB free.
D: is FIXED (NTFS) - 20 GiB total, 2.535 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP19: 7/8/2013 4:06:05 PM - Installed LibreOffice 4.0.4.2
RP20: 7/13/2013 6:13:33 PM - Windows Update
RP21: 7/16/2013 12:15:12 PM - HPSF Restore Point
RP22: 7/18/2013 11:05:06 AM - Installed HP Support Assistant
RP23: 7/26/2013 12:59:52 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
4 Elements II
7-Zip 9.20 (x64 edition)
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03)
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD VISION Engine Control Center
Audacity 2.0.3
Bejeweled 3
Bonjour
Build-a-lot 4 - Power Source
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Chuzzle Deluxe
Content Manager
Cradle Of Egypt Collector's Edition
Cradle of Rome 2
CyberLink LabelPrint
CyberLink Media Suite 10
CyberLink PhotoDirector
CyberLink Power2Go 8
CyberLink PowerDirector 10
CyberLink PowerDVD
CyberLink YouCam
D3DX10
Defraggler
Do Not Track Me Add-on 2.2.8.122
Dropbox
Energy Star
Farm Frenzy
FATE: The Cursed King
Final Drive Fury
FlatOut 2
FUJIFILM MyFinePix Studio 4.2a
FUJIFILM PC AutoSave
Governor of Poker 2 Premium Edition
Hewlett-Packard ACLM.NET v1.2.1.1
Hoyle Card Games
HP Connected Music (Meridian - installer)
HP Connected Remote
HP Customer Experience Enhancements
HP Games
HP Keyboard
HP MyRoom
HP Postscript Converter
HP Quick Start
HP Registration Service
HP Support Assistant
HP Support Information
IrfanView (remove only)
Java 7 Update 25
Java Auto Updater
Jewel Match 3
John Deere Drive Green
LAME v3.99.3 (for Windows)
LibreOffice 4.0 Help Pack (English)
LibreOffice 4.0.4.2
Luxor Evolved
Magic Set Editor 2.0.0
Mahjongg Dimensions Deluxe: Tiles in Time
MailWasherPro
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Application Error Reporting
Microsoft Office
Microsoft Silverlight
Microsoft SkyDrive
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mortimer Beckett and the Crimson Thief Premium Edition
Movie Maker
Mozilla Firefox 22.0 (x86 en-US)
Mozilla Maintenance Service
Mozilla Thunderbird 17.0.7 (x86 en-US)
MSVCRT
MSVCRT110
MSVCRT110_amd64
Mystery P.I. - Curious Case of Counterfeit Cove
OpenOffice.org 3.4.1
Opera 12.15
PDF-Viewer
Peggle Nights
Penguins!
Photo Common
Photo Gallery
Polar Bowler
Polar Golfer
Ralink RT5390R 802.11bgn Wi-Fi Adapter
RCA Detective™ 3.0.4.0
RCA easyRip 2.6.1.0
RCA Updater 2.1.7.1
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek PCIE Card Reader
Recovery Manager
Recuva
Roads of Rome 3
Speccy
SUPERAntiSpyware
Tales of Lagoona
UA-4FX Driver
Update Installer for WildTangent Games App
Vacation Quest™ - Australia
Webroot SecureAnywhere
WildTangent Games
WildTangent Games App
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WOT for Internet Explorer
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
7/27/2013 8:30:53 AM, Error: Schannel [36870] - A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
7/27/2013 7:49:54 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Registration Service service to connect.
7/27/2013 7:49:54 AM, Error: Service Control Manager [7000] - The HP Registration Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

Hopefully it's just paranoia kicking in. Thanks for the help.
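The DDS log above is what a helper reads first, and the two questions a triager asks of it are "where does each running process live?" and "what starts automatically?". As an added example, not part of this thread, of DDS, or of any tool the helpers use, here is a small Python script that parses the Running Processes section and the Run-key lines of a DDS log and flags executables that run from temp or user-writable folders instead of Windows or Program Files. The sample log text embedded in it is constructed in the DDS layout (not the poster's full log), and the path heuristics are an assumption of this example: they mark entries for a human to look at, not verdicts.

```python
"""Triage helper for the Running Processes and *Run entries of a DDS log (added example)."""
import re

# Constructed sample in the DDS layout used in this thread; not the poster's full log.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WRSA.exe
C:\Users\DandD\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\DandD\AppData\Local\Temp\updater.exe
.
============== Pseudo HJT Report ===============
.
mRun: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [helper] C:\ProgramData\svc\helper.exe
.
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.*?)\s*=+$")
# A drive-letter path ending in .exe, optionally quoted, followed by its arguments.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
# DDS prefixes: uRun (HKCU), mRun (HKLM), x64-Run (64-bit hive view).
RUN_RE = re.compile(r"^(?P<key>(?:x64-)?[mu]?Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Assumed "expected" install roots; everything else gets a reason for review.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def classify_path(path):
    """Heuristic: where an executable lives says a lot about whether it belongs."""
    p = path.lower()
    if p.startswith(TRUSTED_ROOTS):
        return "expected"
    if "\\temp\\" in p:
        return "temp-dir"       # code running out of a temp folder is rarely legitimate
    if "\\appdata\\" in p or "\\programdata\\" in p or "\\users\\public\\" in p:
        return "user-writable"  # writable without admin rights; worth confirming by hand
    return "unusual"


def parse_dds(text):
    """Return one dict per executable found in Running Processes or on a *Run line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS separates sections with lone dots
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        run = RUN_RE.match(line)
        if run:                              # autostart entry: name plus command line
            exe = EXE_RE.match(run.group("cmd"))
            if exe:
                entries.append({"source": run.group("key"), "name": run.group("name"),
                                "path": exe.group("path"), "args": exe.group("args"),
                                "verdict": classify_path(exe.group("path"))})
            continue
        if section == "Running Processes":   # one process image per line
            exe = EXE_RE.match(line)
            if exe:
                entries.append({"source": "process",
                                "name": exe.group("path").rsplit("\\", 1)[-1],
                                "path": exe.group("path"), "args": exe.group("args"),
                                "verdict": classify_path(exe.group("path"))})
    return entries


def review_items(text):
    """Entries worth a human look: anything not running from an expected root."""
    return [e for e in parse_dds(text) if e["verdict"] != "expected"]


if __name__ == "__main__":
    for e in review_items(SAMPLE_DDS):
        print(f"{e['verdict']:13} {e['source']:8} {e['path']} {e['args']}".rstrip())
```

On the constructed sample this flags the Dropbox process (user-writable), the Temp-folder updater (temp-dir) and the ProgramData Run entry (user-writable), and passes the Windows and Program Files images. Run against a real DDS log, a hit is a prompt to check the publisher signature and the installer that put the file there, since legitimate software such as the Dropbox client in the poster's log also lives under AppData.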
MrCharlie Posted July 27, 2013 (ID:707861)

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.
RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.
For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!
Don't run any other options, they're not all bad!!!!!!!
Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)

P2P/Piracy Warning:
1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

MrC

Note: Please read all of my instructions completely including these.
Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly.
Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive.
<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
<+>The removal of malware isn't instantaneous, please be patient.
<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs.
<+>Please stick with me until I give you the "all clear" and please don't waste my time by leaving before that.
------->Your topic will be closed if you haven't replied within 3 days!<--------
(If I don't respond within 24 hours, please send me a PM)
MDYoung (Author) Posted July 27, 2013 (ID:707902)

Here's what came back.

RogueKiller V8.6.3 _x64_ [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : DandD [Admin rights]
Mode : Scan -- Date : 07/27/2013 13:39:30
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST1000DM 003-9YN162 SATA Disk Device +++++
--- User ---
[MBR] 1881c99c77804483d61d450d66cb9d13
[bSP] e3b874270256f5b61de19273c45b6b2c : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_07272013_133930.txt >>
MrCharlie Posted July 28, 2013 (ID:707961)

That looks OK, a lot of the tools we use won't run on W8 yet but we'll see what we can do.

Download Malwarebytes Anti-Rootkit from HERE
Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed: Bottom right corner of this page. New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note: If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder. Just run fixdamage.exe. Verify that they are now functioning normally.

MrC
MDYoung (Author) Posted July 28, 2013 (ID:708055)

OK, I ran MBAR last night and received a "clean" report. I did not shut down other process as I have with previous steps. If I need to rerun this, shutting other things down, let me know. I've attached the two files as indicated. Thanks for your help with this.

Attachments:
mbar-log-2013-07-27 (21-03-05).txt
system-log.txt
MrCharlie Posted July 28, 2013 (ID:708066)

OK...Next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------
If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC
MrCharlie Posted July 30, 2013 (ID:708886)

How are we doing?? Do you still need help or can I close this post??

MrC
MDYoung (Author) Posted July 30, 2013 (ID:708923)

My apologies. I'd meant to ask you to close the case. Problem seems to have been solved. Thank you very much for your help.
AdvancedSetup (Root Admin) Posted July 31, 2013 (ID:709057)

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!