Jump to content

Infected with Bitcoin mining software


Guest techhead287
 Share

Recommended Posts

Guest techhead287

Hey,

 

I was on my dad's laptop and I noticed that every time I logged on, I saw this command prompt window pop up that would stick around for a while and then disappear. It seemed to be running a process called 'jsheded.exe' located in the Java update folder. I looked up this process and saw it was malicious (the normal Java update process is called 'jusched.exe'). I disabled it in msconfig and it kept re-enabling itself, and then stopped after a few days (whew). I decided to look in the Java update folder and I saw an executable called 'csrss.exe', a batch file and a bunch of DLLs. I looked at the 'csrss.exe' file and it had no description (which should be 'Client Server Runtime Process'), it did not have the Microsoft copyrights, and it was not owned by TrustedInstaller. This was suspicious. I took a look at the batch file, and it had instructions to run the executable and it had a few tags talking about a Russian Bitcoin email address and a Russian Bitcoin site. It immediately came to me that this was a virus that mined Bitcoins for an attacker (in Russia, obviously) using MY computer and MY resources. And it had overtaken Java.

 

Now, the real reason I posted this was because Malwarebytes (with the latest updates and everything) does NOT detect it. Do you really think this is a virus? If so, how do I remove it?

 

Thanks,

techhead287

Link to post
Share on other sites

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Guest techhead287

attach.txt below...

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional 
Boot Device: \Device\HarddiskVolume1
Install Date: 24/11/2010 9:38:24 AM
System Uptime: 6/11/2013 5:25:12 PM (0 hours ago)
.
Motherboard: TOSHIBA |  | NSWAA
Processor: Intel® Core i3 CPU       M 330  @ 2.13GHz | CPU | 2133/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 454 GiB total, 329.423 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart B110 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart B110 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service: 
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart B110 series
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: HP
Name: Photosmart B110 series
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service: 
.
==== System Restore Points ===================
.
RP393: 9/10/2013 5:18:30 PM - Windows Update
RP394: 10/10/2013 7:22:05 AM - Windows Update
RP395: 17/10/2013 9:17:53 PM - Scheduled Checkpoint
RP396: 25/10/2013 7:53:57 PM - Scheduled Checkpoint
RP397: 31/10/2013 5:49:42 PM - Installed iTunes
RP398: 31/10/2013 6:01:49 PM - Installed iTunes
RP399: 6/11/2013 5:31:50 PM - Malware Removal
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.1
Amazon Send to Kindle
Anti-Spyware (Sunbelt4)
Apple Application Support
Apple Mobile Device Support
B110
Bejeweled 2 Deluxe
BigPond (BIUS)
Bigpond Desktop
BigPond Security
Bing Bar
Bluetooth Stack for Windows by Toshiba
Bonjour
BufferChm
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
Citrix Online Launcher
Coupon Printer for Windows
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Destinations
DeviceDiscovery
Direct DiscRecorder
DVD MovieFactory for TOSHIBA
ESP
FATE
ffdshow [rev 2527] [2008-12-19]
Firewall (User)
GameXN GO
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 5.9.0.1216
GPBaseService2
Haali Media Splitter
HDAUDIO Soft Data Fax Modem with SmartCP
HP Customer Participation Program 14.0
HP Imaging Device Functions 14.0
HP Photo Creations
HP Photosmart Wireless B110 All-In-One Driver Software 14.0 Rel. 7
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPAppStudio
HPPhotoGadget
HPProductAssistant
HPSSupply
HyperCam 2
ImgBurn
Intel® Control Center
Intel® Management Engine Components
Intel® Rapid Storage Technology
iTunes
Java 6 Update 14
Junk Mail filter update
Magic Match - The Genie's Journey
Malwarebytes Anti-Malware version 1.75.0.1300
MarketResearch
Messenger Companion
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
Microsoft Corporation
Microsoft IntelliPoint 8.0
Microsoft LifeCam
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Monopoly
Mozilla Firefox 24.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MYOB AccountRight Plus v19.6
MYOB ODBC Direct v10 AUS
Netsweeper Parental Controls
Network
Norton Internet Security
Oracle VM VirtualBox 4.2.0
Peggle
Pivot Stickfigure Animator version 2.2.6
PlayReady PC Runtime x86
Polar Bowler
Polar Golfer
Primo
Project ROME
PS_AIO_07_B110_SW_Min
QuickTime
QuickTransfer
Realtek Ethernet Controller Driver For Windows Vista and Later
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
RealWorld Cursor Editor
Runtime
SafeCentral Security Suite Web Install Helper
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687422) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2760406) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687276) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2794707) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition
Security Update for Microsoft Visio 2010 (KB2810068) 32-Bit Edition
Shop for HP Supplies
Skype Click to Call
Skype™ 6.10
SmartWebPrinting
SolutionCenter
Sony Picture Utility
Sophos Anti-Virus
Sophos AutoUpdate
Sophos Remote Management System
Status
Synaptics Pointing Device Driver
Task Coach 1.3.33
TeamViewer 8
Third Party Prerequisites
Toolbox
TOSHIBA Assist
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA eco Utility
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Flash Cards Support Utility
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA Internal Modem Region Select Utility
TOSHIBA PC Health Monitor
TOSHIBA Recovery Media Creator
TOSHIBA Service Station
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
TrayApp
TrueCrypt
TweetDeck
Uninstall Dual Mode Camera (V25)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2827323) 32-Bit Edition
Utility Common Driver
Vivitar Experience Image Manager
Web Filtering (Netsweeper)
WebReg
WildTangent Games
WildTangent ORB Game Console
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
removed to shorten post
==== End Of File ===========================
Link to post
Share on other sites

Guest techhead287
DDS.txt below...

 

DDS (Ver_2012-11-20.01) - NTFS_x86 

Internet Explorer: 10.0.9200.16720

Run by steveni at 17:33:54 on 2013-11-06

Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.3062.1526 [GMT 8:00]

.

AV: BP Security AntiMalware *Enabled/Outdated* {BE5DD172-7F42-7948-1A60-E6A720288F81}

AV: Sophos Anti-Virus *Enabled/Outdated* {479CCF92-4960-B3E0-7373-BF453B467D2C}

SP: Sophos Anti-Virus *Enabled/Outdated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: BP Security AntiMalware *Enabled/Outdated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}

.

============== Running Processes ================

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\atiesrxx.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

C:\windows\System32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\Program Files\Bigpond\ESP Elements\AuthElementsSvc.exe

c:\Program Files\bigpond\security\App\syssvcnt.exe

C:\Program Files\Microsoft\BingBar\7.2.241.0\BBSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

c:\Program Files\Netsweeper Parental Controls\nsfxsrv.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe

C:\windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\TECO\TecoService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\Program Files\Common Files\Sunbelt\SBAMSvc.exe

C:\windows\system32\atieclxx.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\TOSHIBA\Utilities\KeNotify.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Netsweeper Parental Controls\nsfx.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\HP Software Update\hpwuschd2.exe

C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\bigpond\security\App\Console.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\TOSHIBA\TPHM\TPCHViewer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe

C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\windows\System32\mobsync.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe

C:\windows\system32\sppsvc.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe

c:\Program Files\Bigpond\ESP Elements\bigpond.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\vssvc.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

\\?\C:\windows\system32\wbem\WMIADAP.EXE

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\taskeng.exe

C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\windows\system32\svchost.exe -k hpdevmgmt

C:\windows\system32\svchost.exe -k HsfXAudioService

C:\windows\System32\svchost.exe -k HPZ12

C:\windows\System32\svchost.exe -k HPZ12

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\svchost.exe -k HPService

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\windows\System32\svchost.exe -k swprv

.

============== Pseudo HJT Report ===============

.

 

 

uURLSearchHooks: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - <orphaned>

BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dll

BHO: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dll

EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"

uRun: [Google Update] "c:\users\steveni\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

uRun: [sophos] c:\users\steveni\appdata\roaming\eeuhrrsj\tvjbwcca.exe

mRun: [iAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [sVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL

mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP

mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe

mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE

mRun: [HSON] c:\program files\toshiba\tbs\HSON.exe

mRun: [smoothView] c:\program files\toshiba\smoothview\SmoothView.exe

mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [iTSecMng] c:\program files\toshiba\bluetooth toshiba stack\ItSecMng.exe /START

mRun: [smartFaceVWatcher] c:\program files\toshiba\smartfacev\SmartFaceVWatcher.exe

mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe

mRun: [TosWaitSrv] c:\program files\toshiba\tphm\TosWaitSrv.exe

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [ESP] "c:\program files\bigpond\security\app\start.exe"

mRun: [NetSweeperAgent] c:\program files\netsweeper parental controls\nsfx.exe

mRun: [NetSweeperLSPReset] "c:\program files\netsweeper parental controls\instlsp.exe" -a -z "msafd tcpip" -n "liger" -d "c:\windows\system32\liger.dll"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

dRunOnce: [sPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601

StartupFolder: c:\users\steveni\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: RunStartupScriptSync = dword:1

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

LSP: c:\windows\system32\liger.dll

 

 

 

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{6C9F5191-26A8-4188-9605-1883AFFC6A20} : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472} : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472}\2456C6B696E6F5E4F575962756C6563737F5235343544344 : DHCPNameServer = 192.168.2.1

TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472}\24967605F6E64663938333 : DHCPNameServer = 10.0.0.138

TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472}\45548435F5234433341393 : DHCPNameServer = 192.168.0.1

TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472}\945627163696 : DHCPNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

AppInit_DLLs= c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\steveni\appdata\roaming\mozilla\firefox\profiles\2mjd049g.default\

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\google\update\1.3.21.165\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\steveni\appdata\local\citrix\plugins\104\npappdetector.dll

FF - plugin: c:\users\steveni\appdata\local\google\update\1.3.21.165\npGoogleUpdate3.dll

FF - plugin: c:\users\steveni\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\users\steveni\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\users\steveni\appdata\roaming\mozilla\plugins\npo1d.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll

FF - ExtSQL: !HIDDEN! 2011-08-13 16:20; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3

.

============= SERVICES / DRIVERS ===============

.

R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2010-11-26 122360]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-21 172032]

R2 AuthElementsSvc;AuthElementsSvc;c:\program files\bigpond\esp elements\AuthElementsSvc.exe [2013-3-12 244008]

R2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.2.241.0\BBSvc.EXE [2013-7-23 193696]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-6-14 69976]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-20 12920]

R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-13 30576]

R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2010-11-24 24064]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-5-21 230912]

R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-5-21 862208]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.2.241.0\SeaPort.EXE [2013-7-23 240288]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-5-21 174592]

S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2010-11-24 23928]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-21 52224]

S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2012-9-13 84312]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-11-24 22536]

.

=============== Created Last 30 ================

.

2013-10-31 10:04:43 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2013-10-31 10:03:55 -------- d-----w- c:\program files\iPod

2013-10-31 10:03:54 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1

2013-10-31 10:03:54 -------- d-----w- c:\program files\iTunes

2013-10-31 01:31:39 -------- d-----w- c:\windows\pss

2013-10-30 08:17:27 -------- d-----w- c:\program files\TaskCoach

2013-10-26 02:47:41 -------- d-----w- c:\users\steveni\appdata\roaming\TrueCrypt

2013-10-26 02:47:25 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys

2013-10-26 02:47:24 -------- d-----w- c:\program files\TrueCrypt

2013-10-18 22:05:09 -------- d-----w- c:\users\steveni\appdata\local\Citrix

2013-10-09 09:31:49 -------- d-----w- C:\0278119867465c0d7bc20d

2013-10-09 09:29:05 2706432 ----a-w- c:\windows\system32\mshtml.tlb

2013-10-09 09:29:03 2876928 ----a-w- c:\windows\system32\jscript9.dll

2013-10-09 09:29:02 217600 ----a-w- c:\program files\internet explorer\sqmapi.dll

2013-10-09 09:29:02 108032 ----a-w- c:\program files\internet explorer\jsdebuggeride.dll

2013-10-09 09:29:01 61440 ----a-w- c:\windows\system32\iesetup.dll

2013-10-09 04:09:31 530432 ----a-w- c:\windows\system32\comctl32.dll

2013-10-09 04:08:59 434688 ----a-w- c:\windows\system32\scavengeui.dll

2013-10-09 04:08:55 2348544 ----a-w- c:\windows\system32\win32k.sys

2013-10-09 04:08:50 146816 ----a-w- c:\windows\system32\drivers\usbvideo.sys

2013-10-09 04:08:49 80896 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2013-10-09 04:08:48 86016 ----a-w- c:\windows\system32\drivers\usbcir.sys

2013-10-09 04:08:43 205824 ----a-w- c:\windows\system32\WebClnt.dll

2013-10-09 04:08:42 81920 ----a-w- c:\windows\system32\davclnt.dll

2013-10-09 04:08:41 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2013-10-09 04:08:41 115712 ----a-w- c:\windows\system32\drivers\mrxdav.sys

2013-10-09 02:58:02 4879744 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll

2013-10-09 02:58:02 4879744 ----a-w- c:\program files\mozilla firefox\browser\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll

2013-10-07 10:51:43 -------- d-----w- C:\31070c33d333f0edd6a5

.

==================== Find3M  ====================

.

2013-10-09 08:50:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-10-09 08:50:51 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-10-09 08:50:46 17813896 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2013-10-05 23:19:44 155 ----a-w- C:\SAPI_TTS.vbs

2013-09-22 23:28:06 1767936 ----a-w- c:\windows\system32\wininet.dll

2013-09-22 23:27:48 109056 ----a-w- c:\windows\system32\iesysprep.dll

2013-09-21 02:39:47 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2013-09-14 00:48:58 338944 ----a-w- c:\windows\system32\drivers\afd.sys

2013-09-08 02:07:12 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-09-08 02:03:58 231424 ----a-w- c:\windows\system32\mswsock.dll

2013-09-04 01:15:32 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2013-09-04 01:14:52 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2013-09-04 01:14:52 284672 ----a-w- c:\windows\system32\drivers\usbport.sys

2013-09-04 01:14:45 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2013-09-04 01:14:45 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2013-09-04 01:14:43 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2013-09-04 01:14:40 6016 ----a-w- c:\windows\system32\drivers\usbd.sys

2013-08-29 01:51:45 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-08-29 01:51:45 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-08-29 01:50:30 1289096 ----a-w- c:\windows\system32\ntdll.dll

2013-08-29 01:50:16 619520 ----a-w- c:\windows\system32\tdh.dll

2013-08-29 01:48:17 640512 ----a-w- c:\windows\system32\advapi32.dll

.

============= FINISH: 17:36:22.22 ===============

 

Link to post
Share on other sites

Guest techhead287

Finished RougeKiller scan...forgot to quit Skype but that doesn't matter because the scan completed successfully.

 

RKreport[0]_S_11062013_193926.txt below...

 

RogueKiller V8.7.6 [Oct 28 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : steveni [Admin rights]
Mode : Scan -- Date : 11/06/2013 19:39:26
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : Sophos (C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe [x]) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-4063401489-1788381713-3267365910-1141\[...]\Run : Sophos (C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe [x]) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[inline] IAT @explorer.exe (CoCreateInstance) : ole32.dll -> HOOKED (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL @ 0x751A7860)
[inline] EAT @explorer.exe (CopyFileExW) : kernel32.dll -> HOOKED (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL @ 0x751A75A0)
[inline] EAT @explorer.exe (MoveFileWithProgressW) : kernel32.dll -> HOOKED (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL @ 0x751A7460)
[inline] EAT @explorer.exe (CoCreateInstance) : ole32.dll -> HOOKED (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL @ 0x751A7860)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) TOSHIBA MK5055GSXN +++++
--- User ---
[MBR] e8408abdac884cffe85743a8de14514e
[bSP] 22463b1a9687f188739ad02a5aed0a02 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464406 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 954177536 | Size: 11033 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_11062013_193926.txt >>
 
 
 
 
Will continue with your next set of instructions tomorrow.
Link to post
Share on other sites

Guest techhead287

Just wanted to ask something... in the log I see a found registry key with the name Sophos pointing to C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe, is that a malicious program pretending to be Sophos? I know that viruses like to hide an AppData...

Link to post
Share on other sites

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
 

[RUN][sUSP PATH] HKCU\[...]\Run : Sophos (C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe [x]) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-4063401489-1788381713-3267365910-1141\[...]\Run : Sophos (C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe [x]) -> FOUND


Now click Delete on the right hand column under Options

-------------

Delete this folder if found: (enable hidden files to see it)

C:\Users\steveni\AppData\Roaming\eeuhrrsj

Then we have to run this scan to delete the malware:

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

Link to post
Share on other sites

Guest techhead287

FRST.txt below...

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
Ran by steveni (administrator) on AUSNB015 on 08-11-2013 15:52:11
Running from C:\Users\steveni\Desktop\Malware Removal\FRST
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(AMD) C:\windows\system32\atiesrxx.exe
(Sophos Plc) C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Wontok, Inc.) c:\Program Files\Bigpond\ESP Elements\AuthElementsSvc.exe
(Authentium, Inc.) c:\Program Files\bigpond\security\App\syssvcnt.exe
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.2.241.0\BBSvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS32.exe
(wontok) c:\Program Files\Netsweeper Parental Controls\nsfxsrv.exe
(Sophos Plc) C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Sophos Plc) C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
(Sophos Plc) C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
(Sophos Plc) C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
(TOSHIBA Corporation) C:\windows\system32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Sunbelt Software) c:\Program Files\Common Files\Sunbelt\SBAMSvc.exe
(AMD) C:\windows\system32\atieclxx.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(wontok) C:\Program Files\Netsweeper Parental Controls\nsfx.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHViewer.exe
(Wontok, Inc.) C:\Program Files\bigpond\security\App\Console.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Microsoft Corporation) C:\windows\System32\mobsync.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
(Wontok, Inc.) c:\Program Files\Bigpond\ESP Elements\bigpond.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
(Skype Technologies) C:\Program Files\Skype\Updater\Updater.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [iAStorIcon] - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-10-03] (Intel Corporation)
HKLM\...\Run: [startCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-09-09] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7858720 2009-10-22] (Realtek Semiconductor)
HKLM\...\Run: [sVPWUTIL] - C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe [352256 2009-08-13] (TOSHIBA CORPORATION)
HKLM\...\Run: [HWSetup] - C:\Program Files\TOSHIBA\Utilities\HWSetup.exe [425984 2009-06-03] (TOSHIBA Electronics, Inc.)
HKLM\...\Run: [KeNotify] - C:\Program Files\TOSHIBA\Utilities\KeNotify.exe [34088 2009-01-14] (TOSHIBA CORPORATION)
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe [480608 2009-10-30] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] - C:\Program Files\TOSHIBA\TBS\HSON.exe [55160 2009-03-10] (TOSHIBA Corporation)
HKLM\...\Run: [smoothView] - C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe [460088 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [742712 2009-10-27] (TOSHIBA Corporation)
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1586472 2009-10-16] (Synaptics Incorporated)
HKLM\...\Run: [iTSecMng] - C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [83336 2009-07-23] (TOSHIBA CORPORATION)
HKLM\...\Run: [smartFaceVWatcher] - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe [163840 2009-10-20] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [611672 2009-11-06] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [611672 2009-10-31] (TOSHIBA Corporation)
HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [intelliPoint] - C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1797008 2010-07-21] (Microsoft Corporation)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [LifeCam] - C:\Program Files\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation)
HKLM\...\Run: [ESP] - C:\Program Files\bigpond\security\App\start.exe [62952 2012-10-01] (Authentium, Inc.)
HKLM\...\Run: [NetSweeperAgent] - C:\Program Files\Netsweeper Parental Controls\nsfx.exe [333744 2012-08-31] (wontok)
HKLM\...\Run: [NetSweeperLSPReset] - C:\Program Files\Netsweeper Parental Controls\instlsp.exe [106416 2012-08-31] (wontok)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-10-23] (Apple Inc.)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\hpwuschd2.exe [54576 2009-11-18] (Hewlett-Packard)
HKCU\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKCU\...\Run: [Google Update] - C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-10-19] (Google Inc.)
HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [20549280 2013-10-21] (Skype Technologies S.A.)
HKU\gracei\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [ 2012-03-08] (Microsoft Corporation)
HKU\joshuai\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-10-21] (Skype Technologies S.A.)
HKU\joshuai\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [ 2013-04-22] (Microsoft Corporation)
HKU\princi\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [ 2012-03-08] (Microsoft Corporation)
HKU\remote\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-10-21] (Skype Technologies S.A.)
AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL [ 2012-11-12] (Sophos Plc)
Startup: C:\Users\steveni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
URLSearchHook: HKCU - (No Name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} -  No File
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Bing Bar Helper - {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)
BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Plc)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 c:\windows\system32\liger.dll [238000] (wontok)
Winsock: Catalog9 02 c:\windows\system32\liger.dll [238000] (wontok)
Winsock: Catalog9 03 c:\windows\system32\liger.dll [238000] (wontok)
Winsock: Catalog9 04 c:\windows\system32\liger.dll [238000] (wontok)
Winsock: Catalog9 05 c:\windows\system32\liger.dll [238000] (wontok)
Winsock: Catalog9 06 c:\windows\system32\liger.dll [238000] (wontok)
Winsock: Catalog9 17 c:\windows\system32\liger.dll [238000] (wontok)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\steveni\AppData\Roaming\Mozilla\Firefox\Profiles\2mjd049g.default
FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\steveni\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\steveni\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\steveni\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\steveni\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\steveni\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\steveni\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

========================== Services (Whitelisted) =================

R2 AuthElementsSvc; c:\Program Files\Bigpond\ESP Elements\AuthElementsSvc.exe [244008 2013-03-12] (Wontok, Inc.)
R2 AuthSysSvc; c:\Program Files\bigpond\security\App\syssvcnt.exe [112160 2012-10-01] (Authentium, Inc.)
S3 GameConsoleService; C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe [238328 2009-08-28] (WildTangent, Inc.)
R2 NSFXSrv; c:\Program Files\Netsweeper Parental Controls\nsfxsrv.exe [59824 2012-08-31] (wontok)
R2 RSELSVC; C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe [62832 2009-07-08] (TOSHIBA Corporation)
R2 SAVAdminService; C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [163056 2010-11-26] (Sophos Plc)
R2 SAVService; C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe [97520 2010-11-26] (Sophos Plc)
R2 SBAMSvc; c:\Program Files\Common Files\Sunbelt\SBAMSvc.exe [2763080 2010-08-20] (Sunbelt Software)
R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
R2 Sophos Agent; C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe [282624 2010-11-26] (Sophos Plc)
R2 Sophos AutoUpdate Service; C:\Program Files\Sophos\AutoUpdate\ALsvc.exe [232472 2012-04-11] (Sophos Plc)
S2 Sophos Message Router; C:\Program Files\Sophos\Remote Management System\RouterNT.exe [806912 2010-11-26] (Sophos Plc)
R2 swi_service; C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [1543704 2012-02-21] (Sophos Plc)
S3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [51512 2009-10-07] (TOSHIBA Corporation)
R2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\TECO\TecoService.exe [185712 2009-09-29] (TOSHIBA Corporation)
R3 TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [111960 2009-11-06] (TOSHIBA Corporation)
R3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [677232 2009-10-31] (TOSHIBA Corporation)
S4 aspnet_state; %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [x]

==================== Drivers (Whitelisted) ====================

S3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [25112 2010-07-29] (Initio Corporation)
S3 JL2005C; C:\Windows\System32\Drivers\jl2005c.sys [69098 2009-05-25] (Windows ® 2000 DDK provider)
R0 LPCFilter; C:\Windows\System32\DRIVERS\LPCFilter.sys [36208 2009-07-31] (COMPAL ELECTRONIC INC.)
R3 PGEffect; C:\Windows\System32\DRIVERS\pgeffect.sys [24064 2009-06-22] (TOSHIBA Corporation)
R3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [157536 2009-05-21] (Realtek Semiconductor Corp.)
R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [122360 2010-11-26] (Sophos Plc)
R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [69976 2010-06-14] (Sunbelt Software)
S3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [23928 2010-11-24] (Sophos Plc)
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [22536 2010-11-24] (Sophos Plc)
R2 TVALZFL; C:\Windows\System32\DRIVERS\TVALZFL.sys [12920 2009-06-20] (TOSHIBA Corporation)
S1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-08 15:52 - 2013-11-08 15:52 - 00000000 ____D C:\FRST
2013-11-06 19:35 - 2013-11-07 17:31 - 00000000 ____D C:\Users\steveni\Desktop\RK_Quarantine
2013-11-06 17:32 - 2013-11-07 17:27 - 00000000 ____D C:\Users\steveni\Desktop\Malware Removal
2013-11-02 11:16 - 2013-11-02 11:16 - 00000000 ____D C:\Users\steveni\Downloads\AssaultCubePortable
2013-11-02 11:13 - 2013-11-02 11:14 - 47303240 _____ (PortableApps.com) C:\Users\steveni\Downloads\AssaultCubePortable_1.2.0.0_English.paf.exe
2013-11-02 10:42 - 2013-11-02 10:42 - 00000000 ____D C:\Users\gracei\AppData\Local\{4711F54F-56C9-45D5-AECE-D0F4717F5FD1}
2013-10-31 18:04 - 2013-10-31 18:04 - 00001724 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-10-31 18:04 - 2012-08-21 13:01 - 00026840 _____ (GEAR Software Inc.) C:\windows\system32\Drivers\GEARAspiWDM.sys
2013-10-31 18:03 - 2013-10-31 18:04 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-31 18:03 - 2013-10-31 18:04 - 00000000 ____D C:\Program Files\iTunes
2013-10-31 18:03 - 2013-10-31 18:03 - 00000000 ____D C:\Program Files\iPod
2013-10-31 17:39 - 2013-10-31 17:41 - 98660176 _____ (Apple Inc.) C:\Users\steveni\Downloads\iTunesSetup.exe
2013-10-31 09:31 - 2013-10-31 19:19 - 00000000 ____D C:\windows\pss
2013-10-30 16:17 - 2013-10-30 16:17 - 00000952 _____ C:\Users\steveni\Desktop\Task Coach.lnk
2013-10-30 16:17 - 2013-10-30 16:17 - 00000000 ____D C:\Program Files\TaskCoach
2013-10-26 10:49 - 2013-10-26 10:49 - 1073741824 _____ C:\Users\steveni\Desktop\Encrypted Files
2013-10-26 10:47 - 2013-10-26 10:48 - 00000000 ____D C:\Users\steveni\AppData\Roaming\TrueCrypt
2013-10-26 10:47 - 2013-10-26 10:47 - 00231760 _____ (TrueCrypt Foundation) C:\windows\system32\Drivers\truecrypt.sys
2013-10-26 10:47 - 2013-10-26 10:47 - 00001003 _____ C:\Users\Public\Desktop\TrueCrypt.lnk
2013-10-26 10:47 - 2013-10-26 10:47 - 00000000 ____D C:\Program Files\TrueCrypt
2013-10-26 10:46 - 2013-10-26 10:46 - 03466248 _____ (TrueCrypt Foundation) C:\Users\steveni\Downloads\TrueCrypt Setup 7.1a.exe
2013-10-19 06:05 - 2013-11-08 07:46 - 00000000 ____D C:\Users\steveni\AppData\Local\Citrix
2013-10-16 17:34 - 2013-10-16 17:36 - 00000000 ____D C:\Users\steveni\Desktop\TweetAside
2013-10-16 17:03 - 2013-10-16 17:20 - 00481230 _____ C:\Users\steveni\Desktop\PRESENTATION FRIENDSHIP.pptx
2013-10-13 12:59 - 2013-10-13 13:21 - 00064478 _____ C:\Users\steveni\Downloads\linksel.ani
2013-10-13 12:50 - 2013-10-13 13:21 - 00004286 _____ C:\Users\steveni\Downloads\normal.cur
2013-10-13 12:49 - 2013-10-13 13:21 - 00206180 _____ C:\Users\steveni\Downloads\working in background.ani
2013-10-13 12:46 - 2013-10-13 13:21 - 00206180 _____ C:\Users\steveni\Downloads\busy.ani
2013-10-09 17:31 - 2013-10-09 17:31 - 00000000 ____D C:\0278119867465c0d7bc20d
2013-10-09 17:29 - 2013-09-23 07:27 - 02876928 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2013-10-09 17:29 - 2013-09-23 07:27 - 00690688 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2013-10-09 17:29 - 2013-09-23 07:27 - 00391168 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2013-10-09 17:29 - 2013-09-23 07:27 - 00061440 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2013-10-09 17:29 - 2013-09-23 07:27 - 00039424 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2013-10-09 17:29 - 2013-09-21 11:30 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2013-10-09 17:28 - 2013-09-23 07:28 - 01767936 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2013-10-09 17:28 - 2013-09-23 07:28 - 01141248 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2013-10-09 17:28 - 2013-09-23 07:28 - 00042496 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2013-10-09 17:28 - 2013-09-23 07:27 - 14335488 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2013-10-09 17:28 - 2013-09-23 07:27 - 13761024 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2013-10-09 17:28 - 2013-09-23 07:27 - 02048512 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2013-10-09 17:28 - 2013-09-23 07:27 - 00493056 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2013-10-09 17:28 - 2013-09-23 07:27 - 00109056 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll
2013-10-09 17:28 - 2013-09-23 07:27 - 00033280 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2013-10-09 17:28 - 2013-09-21 10:39 - 00071680 _____ (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe
2013-10-09 12:09 - 2013-09-14 08:48 - 00338944 _____ (Microsoft Corporation) C:\windows\system32\Drivers\afd.sys
2013-10-09 12:09 - 2013-09-08 10:07 - 01294272 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
2013-10-09 12:09 - 2013-09-08 10:03 - 00231424 _____ (Microsoft Corporation) C:\windows\system32\mswsock.dll
2013-10-09 12:09 - 2013-09-04 09:15 - 00258560 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbhub.sys
2013-10-09 12:09 - 2013-09-04 09:14 - 00284672 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbport.sys
2013-10-09 12:09 - 2013-09-04 09:14 - 00076288 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbccgp.sys
2013-10-09 12:09 - 2013-09-04 09:14 - 00043008 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbehci.sys
2013-10-09 12:09 - 2013-09-04 09:14 - 00024064 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbuhci.sys
2013-10-09 12:09 - 2013-09-04 09:14 - 00020480 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbohci.sys
2013-10-09 12:09 - 2013-09-04 09:14 - 00006016 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbd.sys
2013-10-09 12:09 - 2013-08-29 09:51 - 03969472 _____ (Microsoft Corporation) C:\windows\system32\ntkrnlpa.exe
2013-10-09 12:09 - 2013-08-29 09:51 - 03914176 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2013-10-09 12:09 - 2013-08-29 09:50 - 01289096 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2013-10-09 12:09 - 2013-08-29 09:50 - 00619520 _____ (Microsoft Corporation) C:\windows\system32\tdh.dll
2013-10-09 12:09 - 2013-08-29 09:48 - 00640512 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll
2013-10-09 12:09 - 2013-08-01 19:03 - 00729024 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2013-10-09 12:09 - 2013-07-20 18:33 - 00102608 _____ (Microsoft Corporation) C:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-10-09 12:09 - 2013-07-04 19:50 - 00530432 _____ (Microsoft Corporation) C:\windows\system32\comctl32.dll
2013-10-09 12:09 - 2013-07-03 11:36 - 00055808 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidclass.sys
2013-10-09 12:09 - 2013-07-03 11:36 - 00025728 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidparse.sys
2013-10-09 12:09 - 2013-06-06 12:52 - 00026112 _____ (Microsoft Corporation) C:\windows\system32\lpk.dll
2013-10-09 12:09 - 2013-06-06 12:51 - 00070656 _____ (Microsoft Corporation) C:\windows\system32\fontsub.dll
2013-10-09 12:09 - 2013-06-06 12:50 - 00010240 _____ (Microsoft Corporation) C:\windows\system32\dciman32.dll
2013-10-09 12:09 - 2013-06-06 11:01 - 00295424 _____ (Adobe Systems Incorporated) C:\windows\system32\atmfd.dll
2013-10-09 12:09 - 2013-06-06 11:01 - 00034304 _____ (Adobe Systems) C:\windows\system32\atmlib.dll
2013-10-09 12:08 - 2013-08-28 09:04 - 02348544 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2013-10-09 12:08 - 2013-08-28 08:57 - 00434688 _____ (Microsoft Corporation) C:\windows\system32\scavengeui.dll
2013-10-09 12:08 - 2013-07-12 18:08 - 00146816 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbvideo.sys
2013-10-09 12:08 - 2013-07-12 18:07 - 00086016 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbcir.sys
2013-10-09 12:08 - 2013-07-12 18:07 - 00080896 _____ (Microsoft Corporation) C:\windows\system32\Drivers\USBAUDIO.sys
2013-10-09 12:08 - 2013-07-04 19:57 - 00205824 _____ (Microsoft Corporation) C:\windows\system32\WebClnt.dll
2013-10-09 12:08 - 2013-07-04 19:51 - 00081920 _____ (Microsoft Corporation) C:\windows\system32\davclnt.dll
2013-10-09 12:08 - 2013-07-04 17:48 - 00115712 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2013-10-09 12:08 - 2013-06-26 06:56 - 00527064 _____ (Microsoft Corporation) C:\windows\system32\Drivers\Wdf01000.sys

==================== One Month Modified Files and Folders =======

2013-11-08 15:53 - 2010-05-21 14:03 - 02027623 _____ C:\windows\WindowsUpdate.log
2013-11-08 15:52 - 2013-11-08 15:52 - 00000000 ____D C:\FRST
2013-11-08 15:50 - 2013-02-03 11:28 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2013-11-08 15:50 - 2011-05-19 18:32 - 00000884 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-08 15:49 - 2009-07-14 12:53 - 00000006 ____H C:\windows\Tasks\SA.DAT
2013-11-08 15:48 - 2009-07-14 12:39 - 00182167 _____ C:\windows\setupact.log
2013-11-08 07:53 - 2011-05-19 18:31 - 00000000 ____D C:\Users\steveni\AppData\Roaming\Skype
2013-11-08 07:46 - 2013-10-19 06:05 - 00000000 ____D C:\Users\steveni\AppData\Local\Citrix
2013-11-08 07:36 - 2011-05-19 18:32 - 00000888 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-08 07:35 - 2011-12-20 16:22 - 00000916 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141UA.job
2013-11-08 06:54 - 2013-07-18 20:02 - 00000000 ____D C:\Program Files\Common Files\Authentium Shared
2013-11-08 06:44 - 2009-07-14 12:34 - 00017504 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-08 06:44 - 2009-07-14 12:34 - 00017504 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-07 19:47 - 2012-08-24 11:01 - 00000000 ____D C:\Users\steveni\Desktop\G&J Best Stuff
2013-11-07 17:31 - 2013-11-06 19:35 - 00000000 ____D C:\Users\steveni\Desktop\RK_Quarantine
2013-11-07 17:27 - 2013-11-06 17:32 - 00000000 ____D C:\Users\steveni\Desktop\Malware Removal
2013-11-07 06:34 - 2011-12-20 16:22 - 00000864 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141Core.job
2013-11-07 06:24 - 2012-05-30 07:28 - 00000204 _____ C:\windows\MYOBP.INI
2013-11-07 06:23 - 2012-05-30 07:28 - 00000039 _____ C:\windows\MYOB.INI
2013-11-06 19:48 - 2009-11-10 19:51 - 00786054 _____ C:\windows\system32\PerfStringBackup.INI
2013-11-06 06:34 - 2011-05-19 18:31 - 00000000 ___RD C:\Program Files\Skype
2013-11-06 06:34 - 2011-05-19 18:30 - 00000000 ____D C:\ProgramData\Skype
2013-11-05 18:58 - 2012-08-09 07:45 - 00000000 ____D C:\Users\steveni\AppData\Local\CrashDumps
2013-11-02 11:16 - 2013-11-02 11:16 - 00000000 ____D C:\Users\steveni\Downloads\AssaultCubePortable
2013-11-02 11:14 - 2013-11-02 11:13 - 47303240 _____ (PortableApps.com) C:\Users\steveni\Downloads\AssaultCubePortable_1.2.0.0_English.paf.exe
2013-11-02 10:52 - 2013-04-23 09:42 - 00000000 ____D C:\Users\gracei\Desktop\3D Items
2013-11-02 10:42 - 2013-11-02 10:42 - 00000000 ____D C:\Users\gracei\AppData\Local\{4711F54F-56C9-45D5-AECE-D0F4717F5FD1}
2013-11-02 10:42 - 2012-04-03 19:35 - 00000000 ____D C:\Users\gracei\Tracing
2013-11-01 19:16 - 2009-07-14 12:53 - 00032560 _____ C:\windows\Tasks\SCHEDLGU.TXT
2013-10-31 19:19 - 2013-10-31 09:31 - 00000000 ____D C:\windows\pss
2013-10-31 18:05 - 2010-11-24 14:55 - 00000000 ____D C:\Users\steveni\AppData\Roaming\Apple Computer
2013-10-31 18:04 - 2013-10-31 18:04 - 00001724 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-10-31 18:04 - 2013-10-31 18:03 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-31 18:04 - 2013-10-31 18:03 - 00000000 ____D C:\Program Files\iTunes
2013-10-31 18:03 - 2013-10-31 18:03 - 00000000 ____D C:\Program Files\iPod
2013-10-31 18:03 - 2010-11-24 13:27 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-10-31 17:51 - 2009-07-14 12:52 - 00000000 ____D C:\windows\system32\FxsTmp
2013-10-31 17:41 - 2013-10-31 17:39 - 98660176 _____ (Apple Inc.) C:\Users\steveni\Downloads\iTunesSetup.exe
2013-10-31 09:28 - 2013-09-26 17:30 - 00000000 ____D C:\Users\steveni\AppData\Roaming\Task Coach
2013-10-30 16:17 - 2013-10-30 16:17 - 00000952 _____ C:\Users\steveni\Desktop\Task Coach.lnk
2013-10-30 16:17 - 2013-10-30 16:17 - 00000000 ____D C:\Program Files\TaskCoach
2013-10-29 06:14 - 2010-11-24 11:18 - 00000530 _____ C:\windows\Tasks\Default Scheduled SCAN.job
2013-10-26 10:49 - 2013-10-26 10:49 - 1073741824 _____ C:\Users\steveni\Desktop\Encrypted Files
2013-10-26 10:48 - 2013-10-26 10:47 - 00000000 ____D C:\Users\steveni\AppData\Roaming\TrueCrypt
2013-10-26 10:47 - 2013-10-26 10:47 - 00231760 _____ (TrueCrypt Foundation) C:\windows\system32\Drivers\truecrypt.sys
2013-10-26 10:47 - 2013-10-26 10:47 - 00001003 _____ C:\Users\Public\Desktop\TrueCrypt.lnk
2013-10-26 10:47 - 2013-10-26 10:47 - 00000000 ____D C:\Program Files\TrueCrypt
2013-10-26 10:46 - 2013-10-26 10:46 - 03466248 _____ (TrueCrypt Foundation) C:\Users\steveni\Downloads\TrueCrypt Setup 7.1a.exe
2013-10-24 20:31 - 2013-05-11 11:58 - 00000000 ___RD C:\Users\steveni\Desktop\Share
2013-10-24 19:35 - 2012-10-11 06:54 - 00000000 ____D C:\Users\steveni\AppData\Roaming\Mozilla
2013-10-21 09:39 - 2013-09-04 22:46 - 00000000 ____D C:\Users\steveni\Desktop\Payslips 5 Sep
2013-10-16 17:36 - 2013-10-16 17:34 - 00000000 ____D C:\Users\steveni\Desktop\TweetAside
2013-10-16 17:20 - 2013-10-16 17:03 - 00481230 _____ C:\Users\steveni\Desktop\PRESENTATION FRIENDSHIP.pptx
2013-10-13 13:29 - 2012-04-10 20:44 - 00000000 ____D C:\Users\steveni\AppData\Local\Windows Live
2013-10-13 13:21 - 2013-10-13 12:59 - 00064478 _____ C:\Users\steveni\Downloads\linksel.ani
2013-10-13 13:21 - 2013-10-13 12:50 - 00004286 _____ C:\Users\steveni\Downloads\normal.cur
2013-10-13 13:21 - 2013-10-13 12:49 - 00206180 _____ C:\Users\steveni\Downloads\working in background.ani
2013-10-13 13:21 - 2013-10-13 12:46 - 00206180 _____ C:\Users\steveni\Downloads\busy.ani
2013-10-11 08:40 - 2010-11-24 12:01 - 00000000 ____D C:\Users\steveni
2013-10-10 20:57 - 2009-07-14 10:37 - 00000000 ____D C:\windows\rescache
2013-10-10 09:05 - 2009-07-14 12:33 - 00446144 _____ C:\windows\system32\FNTCACHE.DAT
2013-10-10 07:27 - 2010-05-21 14:45 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-09 22:46 - 2009-07-14 10:37 - 00000000 ____D C:\windows\Microsoft.NET
2013-10-09 17:31 - 2013-10-09 17:31 - 00000000 ____D C:\0278119867465c0d7bc20d
2013-10-09 17:31 - 2013-07-15 05:50 - 00000000 ____D C:\windows\system32\MRT
2013-10-09 17:31 - 2010-11-24 15:49 - 78106760 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2013-10-09 17:31 - 2010-05-21 14:39 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-09 16:50 - 2013-08-22 06:50 - 17813896 _____ (Adobe Systems Incorporated) C:\windows\system32\FlashPlayerInstaller.exe
2013-10-09 16:50 - 2012-05-01 16:35 - 00692616 _____ (Adobe Systems Incorporated) C:\windows\system32\FlashPlayerApp.exe
2013-10-09 16:50 - 2012-05-01 16:35 - 00071048 _____ (Adobe Systems Incorporated) C:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-09 13:07 - 2013-07-16 07:58 - 00000000 ____D C:\Users\steveni\AppData\Roaming\TeamViewer

Files to move or delete:
====================
C:\Users\joshuai\simple.bat
C:\Users\steveni\simple.bat

Some content of TEMP:
====================
C:\Users\administrator\AppData\Local\Temp\lockdll.dll
C:\Users\administrator\AppData\Local\Temp\regrepair.exe
C:\Users\gracei\AppData\Local\Temp\SkypeSetup.exe
C:\Users\joshuai\AppData\Local\Temp\bbcap.dll
C:\Users\joshuai\AppData\Local\Temp\bbchlp.dll
C:\Users\joshuai\AppData\Local\Temp\FlashBackDriverInstaller.exe
C:\Users\joshuai\AppData\Local\Temp\MemorexLOCK v2.30.exe
C:\Users\joshuai\AppData\Local\Temp\msgE59F.exe
C:\Users\joshuai\AppData\Local\Temp\OutlookConnector.exe
C:\Users\joshuai\AppData\Local\Temp\Pivot Stickfigure.exe
C:\Users\joshuai\AppData\Local\Temp\SkypeSetup.exe
C:\Users\joshuai\AppData\Local\Temp\somoto-master.exe
C:\Users\remote\AppData\Local\Temp\SkypeSetup.exe
C:\Users\steveni\AppData\Local\Temp\7-zip.dll
C:\Users\steveni\AppData\Local\Temp\7z.dll
C:\Users\steveni\AppData\Local\Temp\7z.exe
C:\Users\steveni\AppData\Local\Temp\7zFM.exe
C:\Users\steveni\AppData\Local\Temp\7zG.exe
C:\Users\steveni\AppData\Local\Temp\AskSLib.dll
C:\Users\steveni\AppData\Local\Temp\deletedr.exe
C:\Users\steveni\AppData\Local\Temp\FB6E.tmp.exe
C:\Users\steveni\AppData\Local\Temp\FlashBackDriverInstaller.exe
C:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-1.exe
C:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-2.exe
C:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-3.exe
C:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-4.exe
C:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-5.exe
C:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-6.exe
C:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\steveni\AppData\Local\Temp\GoogleToolbarInstaller.exe
C:\Users\steveni\AppData\Local\Temp\HC2SetupPvt.exe
C:\Users\steveni\AppData\Local\Temp\incredibar_installer.exe
C:\Users\steveni\AppData\Local\Temp\MemorexLOCK v2.30.exe
C:\Users\steveni\AppData\Local\Temp\Microsoft Office 2013 Setup.exe
C:\Users\steveni\AppData\Local\Temp\msg118F.exe
C:\Users\steveni\AppData\Local\Temp\msg205F.exe
C:\Users\steveni\AppData\Local\Temp\msg31FB.exe
C:\Users\steveni\AppData\Local\Temp\msg63E7.exe
C:\Users\steveni\AppData\Local\Temp\msg6734.exe
C:\Users\steveni\AppData\Local\Temp\ntdll_dump.dll
C:\Users\steveni\AppData\Local\Temp\OfficeSetup.exe
C:\Users\steveni\AppData\Local\Temp\PuTTY.exe
C:\Users\steveni\AppData\Local\Temp\Recuva.exe
C:\Users\steveni\AppData\Local\Temp\Refresh.exe
C:\Users\steveni\AppData\Local\Temp\sj44s0yd.dll
C:\Users\steveni\AppData\Local\Temp\SkypeSetup.exe
C:\Users\steveni\AppData\Local\Temp\TeamViewer.exe
C:\Users\steveni\AppData\Local\Temp\TeamViewer_Resource_en.dll
C:\Users\steveni\AppData\Local\Temp\TV.dll
C:\Users\steveni\AppData\Local\Temp\Unlocker.exe
C:\Users\steveni\AppData\Local\Temp\UnlockerAssistant.exe
C:\Users\steveni\AppData\Local\Temp\UnlockerHook.dll
C:\Users\steveni\AppData\Local\Temp\vfd.dll
C:\Users\steveni\AppData\Local\Temp\vfd.exe
C:\Users\steveni\AppData\Local\Temp\vfdwin.exe
C:\Users\steveni\AppData\Local\Temp\_is23C7.exe
C:\Users\steveni\AppData\Local\Temp\_is3FDE.exe
C:\Users\steveni\AppData\Local\Temp\_is4FA7.exe
C:\Users\steveni\AppData\Local\Temp\_is8556.exe
C:\Users\steveni\AppData\Local\Temp\_isAEC6.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-10-31 00:15

==================== End Of Log ============================

Link to post
Share on other sites

Guest techhead287

Addition.txt below...

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 31-10-2013
Ran by steveni at 2013-11-08 16:00:15
Running from C:\Users\steveni\Desktop\Malware Removal\FRST
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: BP Security AntiMalware (Enabled - Up to date) {BE5DD172-7F42-7948-1A60-E6A720288F81}
AV: Sophos Anti-Virus (Enabled - Out of date) {479CCF92-4960-B3E0-7373-BF453B467D2C}
AS: Sophos Anti-Virus (Enabled - Out of date) {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: BP Security AntiMalware (Enabled - Up to date) {053C3096-5978-76C6-20D0-DDD55BAFC53C}

==================== Installed Programs ======================

32 Bit HP CIO Components Installer (Version: 7.1.4)
Adobe AIR (Version: 2.7.1.19610)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (Version: 11.9.900.117)
Adobe Reader 9.1 (Version: 9.1.0)
Amazon Send to Kindle (Version: 1.0.0.192)
Anti-Spyware (Sunbelt4) (Version: 3.003.0002)
Apple Application Support (Version: 2.3.6)
Apple Mobile Device Support (Version: 7.0.0.117)
B110 (Version: 140.0.283.000)
Bejeweled 2 Deluxe (Version: 2.2.0.82)
BigPond (BIUS) (Version: 3.000.0002)
Bigpond Desktop (Version: 4.000.0377)
BigPond Security (Version: 3.00.001.0412)
Bing Bar (Version: 7.2.241.0)
Bluetooth Stack for Windows by Toshiba (Version: v7.00.15(T))
Bonjour (Version: 3.0.0.10)
BufferChm (Version: 140.0.212.000)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2009.0908.2225.38429)
Catalyst Control Center Graphics Full Existing (Version: 2009.0908.2225.38429)
Catalyst Control Center Graphics Full New (Version: 2009.0908.2225.38429)
Catalyst Control Center Graphics Light (Version: 2009.0908.2225.38429)
Catalyst Control Center Graphics Previews Common (Version: 2009.0908.2225.38429)
Catalyst Control Center Graphics Previews Vista (Version: 2009.0908.2225.38429)
Catalyst Control Center InstallProxy (Version: 2009.0908.2225.38429)
Catalyst Control Center Localization All (Version: 2009.0908.2225.38429)
CCC Help Chinese Standard (Version: 2009.0908.2224.38429)
CCC Help Chinese Traditional (Version: 2009.0908.2224.38429)
CCC Help Czech (Version: 2009.0908.2224.38429)
CCC Help Danish (Version: 2009.0908.2224.38429)
CCC Help Dutch (Version: 2009.0908.2224.38429)
CCC Help English (Version: 2009.0908.2224.38429)
CCC Help Finnish (Version: 2009.0908.2224.38429)
CCC Help French (Version: 2009.0908.2224.38429)
CCC Help German (Version: 2009.0908.2224.38429)
CCC Help Greek (Version: 2009.0908.2224.38429)
CCC Help Hungarian (Version: 2009.0908.2224.38429)
CCC Help Italian (Version: 2009.0908.2224.38429)
CCC Help Japanese (Version: 2009.0908.2224.38429)
CCC Help Korean (Version: 2009.0908.2224.38429)
CCC Help Norwegian (Version: 2009.0908.2224.38429)
CCC Help Polish (Version: 2009.0908.2224.38429)
CCC Help Portuguese (Version: 2009.0908.2224.38429)
CCC Help Russian (Version: 2009.0908.2224.38429)
CCC Help Spanish (Version: 2009.0908.2224.38429)
CCC Help Swedish (Version: 2009.0908.2224.38429)
CCC Help Thai (Version: 2009.0908.2224.38429)
CCC Help Turkish (Version: 2009.0908.2224.38429)
ccc-core-static (Version: 2009.0908.2225.38429)
ccc-utility (Version: 2009.0908.2225.38429)
Chuzzle Deluxe (Version: 2.2.0.82)
Citrix Online Launcher (Version: 1.0.141)
Coupon Printer for Windows (Version: 5.0.0.0)
D3DX10 (Version: 15.4.2368.0902)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Destinations (Version: 140.0.77.000)
DeviceDiscovery (Version: 140.0.212.000)
Direct DiscRecorder (Version: 1.00.0000)
DVD MovieFactory for TOSHIBA (Version: 7.0.0)
ESP (Version: 3.001.0043)
FATE (Version: 2.2.0.82)
ffdshow [rev 2527] [2008-12-19] (Version: 1.0)
Firewall (User) (Version: 3.000.0007)
GameXN GO
Google Talk Plugin (Version: 4.8.2.15856)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.4.3607.2246)
Google Update Helper (Version: 1.3.21.165)
GoToMeeting 5.9.0.1216 (HKCU Version: 5.9.0.1216)
GPBaseService2 (Version: 140.0.211.000)
Haali Media Splitter
HDAUDIO Soft Data Fax Modem with SmartCP (Version: 7.80.4.50)
HP Customer Participation Program 14.0 (Version: 14.0)
HP Imaging Device Functions 14.0 (Version: 14.0)
HP Photo Creations (Version: 1.0.0.2024)
HP Photosmart Wireless B110 All-In-One Driver Software 14.0 Rel. 7 (Version: 14.0)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 14.0 (Version: 14.0)
HP Update (Version: 5.002.002.002)
HPAppStudio (Version: 140.0.95.000)
HPPhotoGadget (Version: 140.0.524.000)
HPProductAssistant (Version: 140.0.212.000)
HPSSupply (Version: 140.0.211.000)
HyperCam 2 (Version: 2.26.00)
ImgBurn (Version: 2.5.7.0)
Intel® Control Center (Version: 1.2.0.1006)
Intel® Management Engine Components (Version: 6.0.0.1179)
Intel® Rapid Storage Technology (Version: 9.5.0.1037)
iTunes (Version: 11.1.2.32)
Java 6 Update 14 (Version: 6.0.140)
Junk Mail filter update (Version: 15.4.3502.0922)
Magic Match - The Genie's Journey (Version: 2.2.0.82)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
MarketResearch (Version: 140.0.212.000)
Messenger Companion (Version: 15.4.3502.0922)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170) (Version: 3.5.30730.0)
Microsoft Corporation (Version: 9.1.0.0)
Microsoft IntelliPoint 8.0 (Version: 8.0.225.0)
Microsoft LifeCam (Version: 3.60.253.0)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook Connector (Version: 14.0.6123.5001)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Monopoly (Version: 2.2.0.82)
Mozilla Firefox 24.0 (x86 en-US) (Version: 24.0)
Mozilla Maintenance Service (Version: 24.0)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MYOB AccountRight Plus v19.6 (Version: 19.6.0)
MYOB ODBC Direct v10 AUS (Version: 10.0.0)
Netsweeper Parental Controls (Version: 3.20.6.1)
Network (Version: 140.0.215.000)
Norton Internet Security (Version: 19.0.0.128)
Oracle VM VirtualBox 4.2.0 (Version: 4.2.0)
Peggle (Version: 2.2.0.82)
Pivot Stickfigure Animator version 2.2.6 (Version: 2.2.6)
PlayReady PC Runtime x86 (Version: 1.3.0)
Polar Bowler (Version: 2.2.0.82)
Polar Golfer (Version: 2.2.0.82)
Primo (Version: 1.00.0000)
Project ROME (Version: 0.9.0 (157403))
Project ROME (Version: 0.9.0)
PS_AIO_07_B110_SW_Min (Version: 140.0.142.000)
QuickTime (Version: 7.68.75.0)
QuickTransfer (Version: 140.0.98.000)
Realtek Ethernet Controller Driver For Windows Vista and Later (Version: 1.00.0011)
Realtek High Definition Audio Driver (Version: 6.0.1.5964)
Realtek USB 2.0 Card Reader (Version: 6.1.7600.30105)
Realtek WLAN Driver (Version: 2.00.0006)
RealWorld Cursor Editor (Version: 12.1.0)
Runtime (Version: 1.00.0000)
SafeCentral Security Suite Web Install Helper
Scan (Version: 140.0.80.000)
Shop for HP Supplies (Version: 14.0)
Skype Click to Call (Version: 6.13.13771)
Skype™ 6.10 (Version: 6.10.104)
SmartWebPrinting (Version: 140.0.186.000)
SolutionCenter (Version: 140.0.214.000)
Sony Picture Utility (Version: 4.2.00.11130)
Sophos Anti-Virus (Version: 9.5.7)
Sophos AutoUpdate (Version: 2.5.13)
Sophos Remote Management System (Version: 3.2.0)
Status (Version: 140.0.256.000)
Synaptics Pointing Device Driver (Version: 14.0.11.0)
Task Coach 1.3.33
TeamViewer 8 (Version: 8.0.19617)
Third Party Prerequisites (Version: 3.0.0)
Toolbox (Version: 140.0.428.000)
TOSHIBA Assist (Version: 2.01.12)
TOSHIBA Disc Creator (Version: 2.1.0.2)
TOSHIBA DVD PLAYER (Version: 3.01.1.04-A)
TOSHIBA eco Utility (Version: 1.1.12.0)
TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)
TOSHIBA Face Recognition (Version: 3.1.3.32)
TOSHIBA Flash Cards Support Utility (Version: 1.63.0.4C)
TOSHIBA Hardware Setup (Version: 1.63.0.16C)
TOSHIBA HDD/SSD Alert (Version: 3.1.0.4)
TOSHIBA Internal Modem Region Select Utility (Version: 2.3.0.01)
TOSHIBA PC Health Monitor (Version: 1.5.0.0)
TOSHIBA Recovery Media Creator (Version: 2.1.0.4)
TOSHIBA Service Station (Version: 2.1.40)
TOSHIBA Speech System Applications (Version: 1.00.2518)
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password (Version: 1.63.0.7C)
TOSHIBA Value Added Package (Version: 1.2.32)
TOSHIBA Web Camera Application (Version: 1.1.1.9)
TrayApp (Version: 140.0.212.000)
TrueCrypt (Version: 7.1a)
TweetDeck (Version: 1.5.3)
Uninstall Dual Mode Camera (V25)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (Version: 3)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2827323) 32-Bit Edition
Utility Common Driver (Version: 1.0.50.27C)
Vivitar Experience Image Manager
Web Filtering (Netsweeper) (Version: 3.000.0005)
WebReg (Version: 140.0.212.017)
WildTangent Games (Version: 1.0.0.80)
WildTangent ORB Game Console
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live Messenger Companion Core (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Zuma Deluxe (Version: 2.2.0.82)

==================== Restore Points  =========================

09-10-2013 23:22:05 Windows Update
17-10-2013 13:17:53 Scheduled Checkpoint
25-10-2013 11:53:57 Scheduled Checkpoint
31-10-2013 09:49:42 Installed iTunes
31-10-2013 10:01:49 Installed iTunes
06-11-2013 09:31:50 Malware Removal

==================== Hosts content: ==========================

2009-07-14 10:04 - 2009-06-11 05:39 - 00000824 ____N C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {031C97D2-A37B-4970-8F0E-B4C01FC17CF3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141UA => C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-19] (Google Inc.)
Task: {2C95144E-45E7-4C0D-BFDB-C837BA4438E3} - System32\Tasks\{0F450414-97A1-41A6-BCE7-8F56F4290202} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)
Task: {4C3EB34A-8AD8-471E-BD0B-93E99948CAFA} - System32\Tasks\{97236862-2F32-426D-ADF9-2779BE771B36} => C:\Program Files\Skype\\Phone\Skype.exe [2013-10-21] (Skype Technologies S.A.)
Task: {5F68A461-4DE5-4BA7-A0CD-A7043AAC0C75} - System32\Tasks\{B9E2BE5B-9BDA-47ED-B2B4-9E65A862E510} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)
Task: {73CBADB1-4F69-4CBD-992B-E779A924E8F9} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2010-07-21] (Microsoft Corporation)
Task: {78CD1645-7252-4589-91AB-D8493FC423F8} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {834AEC84-53FA-4372-982C-6CF8918AD873} - System32\Tasks\{3FD2BC05-0263-4C57-A031-F30A1BE251C3} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)
Task: {93D04A05-F994-4B52-8500-1ED912C447AE} - System32\Tasks\Default Scheduled SCAN => C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2010-11-26] (Sophos Plc)
Task: {B7EA961C-FAD3-44E6-A2F5-EEAD095F907C} - System32\Tasks\{F138DF46-F2EB-44B7-AF33-2FED03BE1094} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)
Task: {D9C76A3A-59A0-48E3-AF63-03339233A4DE} - System32\Tasks\{3C5807ED-88DE-4091-B44B-EE0E6D5A37E0} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)
Task: {DA3D196B-029C-4141-8337-147F85EE1597} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-09] (Adobe Systems Incorporated)
Task: {E6F58A96-56B2-4DF0-809E-DDFC21395CE7} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141Core => C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-19] (Google Inc.)
Task: {F67F6425-EFD8-4D22-AAC2-AA447D95A40B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-19] (Google Inc.)
Task: {F92B9274-7FBB-4C5A-A9DA-2A2FA666B59F} - System32\Tasks\{525D4BCE-491D-4519-9377-84AAC9FD0267} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)
Task: {FBDC6839-91A5-4364-9BA9-C9FF3170F45D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-19] (Google Inc.)
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\Default Scheduled SCAN.job => C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141Core.job => C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141UA.job => C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2011-03-17 00:11 - 2011-03-17 00:11 - 04297568 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2009-10-19 06:20 - 2009-10-19 06:20 - 07980344 _____ () C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll
2009-11-04 04:26 - 2009-11-04 04:26 - 00058680 _____ () C:\Program Files\TOSHIBA\FlashCards\Hotkey\FnZ.dll
2009-11-10 19:16 - 2009-06-23 07:38 - 00015160 _____ () C:\Program Files\TOSHIBA\TOSHIBA Assist\NotifyX.dll
2009-03-13 10:08 - 2009-03-13 10:08 - 00049152 _____ () C:\Program Files\Toshiba\PCDiag\NotifyPCD.dll
2009-07-26 02:07 - 2009-07-26 02:07 - 00058704 _____ () C:\Program Files\TOSHIBA\TOSHIBA Disc Creator\NotifyTDC.dll
2009-07-30 06:35 - 2009-07-30 06:35 - 00014648 _____ () C:\Program Files\Toshiba\TBS\NotifyTBS.dll
2012-02-20 21:29 - 2012-02-20 21:29 - 00087912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2012-02-20 21:28 - 2012-02-20 21:28 - 01242472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2009-05-05 01:45 - 2009-05-05 01:45 - 00016384 ____R () C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
2010-05-21 14:05 - 2010-05-21 14:05 - 00270336 _____ () C:\windows\assembly\GAC_MSIL\CLI.Aspect.CrossDisplay.Graphics.Dashboard\1.0.0.0__90ba9c70f846762e\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"

==================== Faulty Device Manager Devices =============

Name: Photosmart B110 series
Description: Photosmart B110 series
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Photosmart B110 series
Description: Photosmart B110 series
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/07/2013 05:23:30 PM) (Source: Sophos Message Router) (User: NT AUTHORITY)
Description: The network identity (also known as the Interoperable Object Reference or IOR) of the local computer is invalid.%%3

Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 33712518

Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 33712518

Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 33711317

Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 33711317

Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 33710178

Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 33710178

Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

System errors:
=============
Error: (11/08/2013 04:00:41 PM) (Source: Service Control Manager) (User: )
Description: The Sophos Message Router service terminated unexpectedly.  It has done this 12 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (11/08/2013 03:59:40 PM) (Source: Service Control Manager) (User: )
Description: The Sophos Message Router service terminated unexpectedly.  It has done this 11 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (11/08/2013 03:58:40 PM) (Source: Service Control Manager) (User: )
Description: The Sophos Message Router service terminated unexpectedly.  It has done this 10 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (11/08/2013 03:57:39 PM) (Source: Service Control Manager) (User: )
Description: The Sophos Message Router service terminated unexpectedly.  It has done this 9 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (11/08/2013 03:56:39 PM) (Source: Service Control Manager) (User: )
Description: The Sophos Message Router service terminated unexpectedly.  It has done this 8 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (11/08/2013 03:55:36 PM) (Source: Service Control Manager) (User: )
Description: The Sophos Message Router service terminated unexpectedly.  It has done this 7 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (11/08/2013 03:54:36 PM) (Source: Service Control Manager) (User: )
Description: The Sophos Message Router service terminated unexpectedly.  It has done this 6 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (11/08/2013 03:54:22 PM) (Source: TermService) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Error: (11/08/2013 03:53:34 PM) (Source: Service Control Manager) (User: )
Description: The Sophos Message Router service terminated unexpectedly.  It has done this 5 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (11/08/2013 03:52:32 PM) (Source: Service Control Manager) (User: )
Description: The Sophos Message Router service terminated unexpectedly.  It has done this 4 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Microsoft Office Sessions:
=========================
Error: (11/07/2013 05:23:30 PM) (Source: Sophos Message Router)(User: NT AUTHORITY)
Description:

Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 33712518

Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 33712518

Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 33711317

Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 33711317

Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 33710178

Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 33710178

Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

CodeIntegrity Errors:
===================================
  Date: 2013-10-31 17:38:18.240
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\PROGRA~1\COMMON~1\ULEADS~1\vio\DVACM.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-31 17:38:18.059
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-31 17:38:17.875
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sirenacm.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-31 17:31:55.833
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\PROGRA~1\COMMON~1\ULEADS~1\vio\DVACM.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-31 17:31:55.557
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-31 17:31:55.286
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sirenacm.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-21 18:16:05.539
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\PROGRA~1\COMMON~1\ULEADS~1\vio\DVACM.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-21 18:16:05.271
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-21 18:16:04.981
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sirenacm.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-14 15:37:54.042
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\PROGRA~1\COMMON~1\ULEADS~1\vio\DVACM.acm because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 44%
Total physical RAM: 3061.61 MB
Available physical RAM: 1704.9 MB
Total Pagefile: 6121.5 MB
Available Pagefile: 4384.52 MB
Total Virtual: 2047.88 MB
Available Virtual: 1833.31 MB

==================== Drives ================================

Drive c: (S3A8425D005) (Fixed) (Total:453.52 GB) (Free:330.12 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: D934D6EE)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=17)

==================== End Of Log ============================

Link to post
Share on other sites

Download the attached fixlist.txt to the same folder as FRST.
Run FRST.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Uninstall Java™ 6 Update 14 from your add/remove programs.

Download and install the latest version (Java™ 7 Update 45) from Here. Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

Go here and follow the instructions to clear your Java Cache

 

Last.....

 

Please download and run ComboFix.
 

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found [url=http://www.bleepingcomputer.com/forums/topic114351.html]Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.
 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Guest techhead287

OK before I apply this fixlist, I just wanted to ask a question...

 

I was looking at the fixlist.txt you made, and I saw there was a line pointing to C:\Users\steveni\simple.bat and C:\Users\joshuai\simple.bat. I assume these are to be deleted. Could you please remove these from the fixlist, as these are batch files that I made, and they are not malicious.

 

Thanks.

Link to post
Share on other sites

Guest techhead287

Hey,

 

Sorry for the wait.

 

I have run the Farbar fix, and I still have to run ComboFix. I will do so this afternoon.

 

Here is the status:
C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe is gone

C:\Users\steveni\AppData\Roaming\Java\Update\Download\Cache\csrss.exe is still there

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.