Guest techhead287 Posted November 5, 2013 ID:750095 Share Posted November 5, 2013 Hey, I was on my dad's laptop and I noticed that every time I logged on, I saw this command prompt window pop up that would stick around for a while and then disappear. It seemed to be running a process called 'jsheded.exe' located in the Java update folder. I looked up this process and saw it was malicious (the normal Java update process is called 'jusched.exe'). I disabled it in msconfig and it kept re-enabling itself, and then stopped after a few days (whew). I decided to look in the Java update folder and I saw an executable called 'csrss.exe', a batch file and a bunch of DLLs. I looked at the 'csrss.exe' file and it had no description (which should be 'Client Server Runtime Process'), it did not have the Microsoft copyrights, and it was not owned by TrustedInstaller. This was suspicious. I took a look at the batch file, and it had instructions to run the executable and it had a few tags talking about a Russian Bitcoin email address and a Russian Bitcoin site. It immediately came to me that this was a virus that mined Bitcoins for an attacker (in Russia, obviously) using MY computer and MY resources. And it had overtaken Java. Now, the real reason I posted this was because Malwarebytes (with the latest updates and everything) does NOT detect it. Do you really think this is a virus? If so, how do I remove it? Thanks,techhead287 Link to post Share on other sites More sharing options...
MrCharlie Posted November 5, 2013 ID:750126 Share Posted November 5, 2013 Welcome to the forum, please start HERE Post back the 2 logs here.....DDS.txt and Attach.txt (please don't put logs in code or quotes and use the default font) General P2P/Piracy Warning: 1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. 2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy. Failure to remove such software will result in your topic being closed and no further assistance being provided. <====><====><====><====><====><====><====><====> Next................ Please download and run RogueKiller 32 bit to your desktop. RogueKiller<---use this one for 64 bit systems Which system am I using? Quit all running programs. For Windows XP, double-click to start. For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run. Click Scan to scan the system. When the scan completes > Close out the program > Don't Fix anything! Don't run any other options, they're not all bad!!!!!!! Post back the report which should be located on your desktop. (please don't put logs in code or quotes and use the default font) MrC Note: Please read all of my instructions completely including these. Make sure system restore is turned on and running Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive <+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you. <+>The removal of malware isn't instantaneous, please be patient. <+>When we are done, I'll give to instructions on how to cleanup all the tools and logs <+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. ------->Your topic will be closed if you haven't replied within 3 days!<-------- (If I don't respond within 24 hours, please send me a PM) Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 5, 2013 ID:750333 Share Posted November 5, 2013 HeyI don't have time to do anything right now...I will be able to do it at like 5pm west australian timeSee you then Link to post Share on other sites More sharing options...
MrCharlie Posted November 5, 2013 ID:750348 Share Posted November 5, 2013 OK.....MrC Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 6, 2013 ID:750483 Share Posted November 6, 2013 Running dds.com on the machine, waiting for it to finish. Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 6, 2013 ID:750487 Share Posted November 6, 2013 attach.txt below....UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2012-11-20.01).Microsoft Windows 7 Professional Boot Device: \Device\HarddiskVolume1Install Date: 24/11/2010 9:38:24 AMSystem Uptime: 6/11/2013 5:25:12 PM (0 hours ago).Motherboard: TOSHIBA | | NSWAAProcessor: Intel® Core i3 CPU M 330 @ 2.13GHz | CPU | 2133/133mhz.==== Disk Partitions =========================.C: is FIXED (NTFS) - 454 GiB total, 329.423 GiB free.D: is CDROM ().==== Disabled Device Manager Items =============.Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}Description: Photosmart B110 seriesDevice ID: ROOT\MULTIFUNCTION\0000Manufacturer: HPName: Photosmart B110 seriesPNP Device ID: ROOT\MULTIFUNCTION\0000Service: .Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}Description: Photosmart B110 seriesDevice ID: ROOT\MULTIFUNCTION\0001Manufacturer: HPName: Photosmart B110 seriesPNP Device ID: ROOT\MULTIFUNCTION\0001Service: .==== System Restore Points ===================.RP393: 9/10/2013 5:18:30 PM - Windows UpdateRP394: 10/10/2013 7:22:05 AM - Windows UpdateRP395: 17/10/2013 9:17:53 PM - Scheduled CheckpointRP396: 25/10/2013 7:53:57 PM - Scheduled CheckpointRP397: 31/10/2013 5:49:42 PM - Installed iTunesRP398: 31/10/2013 6:01:49 PM - Installed iTunesRP399: 6/11/2013 5:31:50 PM - Malware Removal.==== Installed Programs ======================.32 Bit HP CIO Components InstallerAdobe AIRAdobe Flash Player 11 ActiveXAdobe Flash Player 11 PluginAdobe Reader 9.1Amazon Send to KindleAnti-Spyware (Sunbelt4)Apple Application SupportApple Mobile Device SupportB110Bejeweled 2 DeluxeBigPond (BIUS)Bigpond DesktopBigPond SecurityBing BarBluetooth Stack for Windows by ToshibaBonjourBufferChmCatalyst Control Center - BrandingCatalyst Control Center Core ImplementationCatalyst Control Center Graphics Full ExistingCatalyst Control Center Graphics Full NewCatalyst Control Center Graphics LightCatalyst Control Center Graphics Previews CommonCatalyst Control Center Graphics Previews VistaCatalyst Control Center InstallProxyCatalyst Control Center Localization Allccc-core-staticccc-utilityCCC Help Chinese StandardCCC Help Chinese TraditionalCCC Help CzechCCC Help DanishCCC Help DutchCCC Help EnglishCCC Help FinnishCCC Help FrenchCCC Help GermanCCC Help GreekCCC Help HungarianCCC Help ItalianCCC Help JapaneseCCC Help KoreanCCC Help NorwegianCCC Help PolishCCC Help PortugueseCCC Help RussianCCC Help SpanishCCC Help SwedishCCC Help ThaiCCC Help TurkishChuzzle DeluxeCitrix Online LauncherCoupon Printer for WindowsD3DX10Definition Update for Microsoft Office 2010 (KB982726) 32-Bit EditionDestinationsDeviceDiscoveryDirect DiscRecorderDVD MovieFactory for TOSHIBAESPFATEffdshow [rev 2527] [2008-12-19]Firewall (User)GameXN GOGoogle Talk PluginGoogle Toolbar for Internet ExplorerGoogle Update HelperGoToMeeting 5.9.0.1216GPBaseService2Haali Media SplitterHDAUDIO Soft Data Fax Modem with SmartCPHP Customer Participation Program 14.0HP Imaging Device Functions 14.0HP Photo CreationsHP Photosmart Wireless B110 All-In-One Driver Software 14.0 Rel. 7HP Smart Web Printing 4.60HP Solution Center 14.0HP UpdateHPAppStudioHPPhotoGadgetHPProductAssistantHPSSupplyHyperCam 2ImgBurnIntel® Control CenterIntel® Management Engine ComponentsIntel® Rapid Storage TechnologyiTunesJava 6 Update 14Junk Mail filter updateMagic Match - The Genie's JourneyMalwarebytes Anti-Malware version 1.75.0.1300MarketResearchMessenger CompanionMicrosoft .NET Framework 4 Client ProfileMicrosoft Application Error ReportingMicrosoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)Microsoft CorporationMicrosoft IntelliPoint 8.0Microsoft LifeCamMicrosoft Office 2010 Service Pack 1 (SP1)Microsoft Office Access MUI (English) 2010Microsoft Office Access Setup Metadata MUI (English) 2010Microsoft Office Excel MUI (English) 2010Microsoft Office Groove MUI (English) 2010Microsoft Office InfoPath MUI (English) 2010Microsoft Office OneNote MUI (English) 2010Microsoft Office Outlook ConnectorMicrosoft Office Outlook MUI (English) 2010Microsoft Office PowerPoint MUI (English) 2010Microsoft Office Professional Plus 2010Microsoft Office Proof (English) 2010Microsoft Office Proof (French) 2010Microsoft Office Proof (Spanish) 2010Microsoft Office Proofing (English) 2010Microsoft Office Publisher MUI (English) 2010Microsoft Office Shared MUI (English) 2010Microsoft Office Shared Setup Metadata MUI (English) 2010Microsoft Office Word MUI (English) 2010Microsoft SilverlightMicrosoft SQL Server 2005 Compact Edition [ENU]Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053Microsoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2008 Redistributable - x86 9.0.21022Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161MonopolyMozilla Firefox 24.0 (x86 en-US)Mozilla Maintenance ServiceMSVCRTMSXML 4.0 SP2 (KB954430)MSXML 4.0 SP2 (KB973688)MYOB AccountRight Plus v19.6MYOB ODBC Direct v10 AUSNetsweeper Parental ControlsNetworkNorton Internet SecurityOracle VM VirtualBox 4.2.0PegglePivot Stickfigure Animator version 2.2.6PlayReady PC Runtime x86Polar BowlerPolar GolferPrimoProject ROMEPS_AIO_07_B110_SW_MinQuickTimeQuickTransferRealtek Ethernet Controller Driver For Windows Vista and LaterRealtek High Definition Audio DriverRealtek USB 2.0 Card ReaderRealtek WLAN DriverRealWorld Cursor EditorRuntimeSafeCentral Security Suite Web Install HelperScanSecurity Update for Microsoft .NET Framework 4 Client Profile (KB2446708)Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit EditionSecurity Update for Microsoft InfoPath 2010 (KB2687422) 32-Bit EditionSecurity Update for Microsoft InfoPath 2010 (KB2760406) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2553371) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2589320) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2598243) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2687276) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2687423) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2687510) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2826023) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2826035) 32-Bit EditionSecurity Update for Microsoft Outlook 2010 (KB2794707) 32-Bit EditionSecurity Update for Microsoft Publisher 2010 (KB2553147) 32-Bit EditionSecurity Update for Microsoft Visio 2010 (KB2810068) 32-Bit EditionShop for HP SuppliesSkype Click to CallSkype™ 6.10SmartWebPrintingSolutionCenterSony Picture UtilitySophos Anti-VirusSophos AutoUpdateSophos Remote Management SystemStatusSynaptics Pointing Device DriverTask Coach 1.3.33TeamViewer 8Third Party PrerequisitesToolboxTOSHIBA AssistTOSHIBA Disc CreatorTOSHIBA DVD PLAYERTOSHIBA eco UtilityTOSHIBA Extended Tiles for Windows Mobility CenterTOSHIBA Face RecognitionTOSHIBA Flash Cards Support UtilityTOSHIBA Hardware SetupTOSHIBA HDD/SSD AlertTOSHIBA Internal Modem Region Select UtilityTOSHIBA PC Health MonitorTOSHIBA Recovery Media CreatorTOSHIBA Service StationTOSHIBA Speech System ApplicationsTOSHIBA Speech System SR Engine(U.S.) Version1.0TOSHIBA Speech System TTS Engine(U.S.) Version1.0TOSHIBA Supervisor PasswordTOSHIBA Value Added PackageTOSHIBA Web Camera ApplicationTrayAppTrueCryptTweetDeckUninstall Dual Mode Camera (V25)Update for Microsoft .NET Framework 4 Client Profile (KB2468871)Update for Microsoft .NET Framework 4 Client Profile (KB2533523)Update for Microsoft .NET Framework 4 Client Profile (KB2600217)Update for Microsoft .NET Framework 4 Client Profile (KB2836939)Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)Update for Microsoft Access 2010 (KB2553446) 32-Bit EditionUpdate for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2494150)Update for Microsoft Office 2010 (KB2553065)Update for Microsoft Office 2010 (KB2553181) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553267) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553310) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2566458)Update for Microsoft Office 2010 (KB2589298) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2589375) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2596964) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2598242) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2687503) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2760598) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2760631) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2767886) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2794737) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2825640) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2826026) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2553290) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2810072) 32-Bit EditionUpdate for Microsoft Outlook 2010 (KB2687623) 32-Bit EditionUpdate for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit EditionUpdate for Microsoft PowerPoint 2010 (KB2553145) 32-Bit EditionUpdate for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit EditionUpdate for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit EditionUpdate for Microsoft Word 2010 (KB2827323) 32-Bit EditionUtility Common DriverVivitar Experience Image ManagerWeb Filtering (Netsweeper)WebRegWildTangent GamesWildTangent ORB Game ConsoleWindows Live Communications PlatformWindows Live EssentialsWindows Live ID Sign-in AssistantWindows Live InstallerWindows Live MailWindows Live MessengerWindows Live Messenger Companion CoreWindows Live MIME IFilterWindows Live Movie MakerWindows Live Photo CommonWindows Live Photo GalleryWindows Live PIMT PlatformWindows Live SOXEWindows Live SOXE DefinitionsWindows Live SyncWindows Live UX PlatformWindows Live UX Platform Language PackWindows Live WriterWindows Live Writer ResourcesZuma Deluxe.==== Event Viewer Messages From Past Week ========removed to shorten post==== End Of File =========================== Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 6, 2013 ID:750488 Share Posted November 6, 2013 DDS.txt below... DDS (Ver_2012-11-20.01) - NTFS_x86 Internet Explorer: 10.0.9200.16720Run by steveni at 17:33:54 on 2013-11-06Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.3062.1526 [GMT 8:00].AV: BP Security AntiMalware *Enabled/Outdated* {BE5DD172-7F42-7948-1A60-E6A720288F81}AV: Sophos Anti-Virus *Enabled/Outdated* {479CCF92-4960-B3E0-7373-BF453B467D2C}SP: Sophos Anti-Virus *Enabled/Outdated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: BP Security AntiMalware *Enabled/Outdated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}.============== Running Processes ================.C:\windows\system32\wininit.exeC:\windows\system32\lsm.exeC:\windows\system32\atiesrxx.exeC:\Program Files\Sophos\Sophos Anti-Virus\SavService.exeC:\windows\System32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exec:\Program Files\Bigpond\ESP Elements\AuthElementsSvc.exec:\Program Files\bigpond\security\App\syssvcnt.exeC:\Program Files\Microsoft\BingBar\7.2.241.0\BBSvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exeC:\Program Files\Microsoft LifeCam\MSCamS32.exec:\Program Files\Netsweeper Parental Controls\nsfxsrv.exeC:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exeC:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exeC:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exeC:\Program Files\Sophos\AutoUpdate\ALsvc.exeC:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exeC:\windows\system32\TODDSrv.exeC:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exeC:\Program Files\TOSHIBA\TECO\TecoService.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exec:\Program Files\Common Files\Sunbelt\SBAMSvc.exeC:\windows\system32\atieclxx.exeC:\windows\system32\taskhost.exeC:\windows\system32\Dwm.exeC:\windows\Explorer.EXEC:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exeC:\Program Files\TOSHIBA\Utilities\KeNotify.exeC:\Program Files\TOSHIBA\Power Saver\TPwrMain.exeC:\Program Files\TOSHIBA\SmoothView\SmoothView.exeC:\Program Files\TOSHIBA\FlashCards\TCrdMain.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Netsweeper Parental Controls\nsfx.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\HP\HP Software Update\hpwuschd2.exeC:\Program Files\Microsoft Office\Office14\MSOSYNC.EXEC:\Program Files\Synaptics\SynTP\SynTPHelper.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exeC:\windows\system32\SearchIndexer.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\bigpond\security\App\Console.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Microsoft Office\Office14\ONENOTEM.EXEC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exeC:\Program Files\TOSHIBA\TPHM\TPCHViewer.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exeC:\Program Files\TOSHIBA\RSelect\RSelSvc.exeC:\Program Files\TOSHIBA\TPHM\TPCHSrv.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exeC:\windows\System32\mobsync.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exeC:\windows\system32\sppsvc.exeC:\windows\system32\wbem\wmiprvse.exeC:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exeC:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exec:\Program Files\Bigpond\ESP Elements\bigpond.exeC:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exeC:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exeC:\windows\system32\SearchProtocolHost.exeC:\windows\system32\vssvc.exeC:\windows\system32\SearchProtocolHost.exeC:\windows\system32\SearchFilterHost.exe\\?\C:\windows\system32\wbem\WMIADAP.EXEC:\windows\system32\conhost.exeC:\windows\system32\wbem\wmiprvse.exeC:\windows\system32\taskeng.exeC:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exeC:\windows\system32\svchost.exe -k DcomLaunchC:\windows\system32\svchost.exe -k RPCSSC:\windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\windows\system32\svchost.exe -k LocalServiceC:\windows\system32\svchost.exe -k netsvcsC:\windows\system32\svchost.exe -k NetworkServiceC:\windows\system32\svchost.exe -k LocalServiceNoNetworkC:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\windows\system32\svchost.exe -k hpdevmgmtC:\windows\system32\svchost.exe -k HsfXAudioServiceC:\windows\System32\svchost.exe -k HPZ12C:\windows\System32\svchost.exe -k HPZ12C:\windows\system32\svchost.exe -k imgsvcC:\windows\system32\svchost.exe -k HPServiceC:\windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\windows\System32\svchost.exe -k swprv.============== Pseudo HJT Report ===============. uURLSearchHooks: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - <orphaned>BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dllBHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dllBHO: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dllBHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLLBHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dllBHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllBHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLLBHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dllTB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dllTB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dllTB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dllEB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dllEB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dlluRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"uRun: [Google Update] "c:\users\steveni\appdata\local\google\update\GoogleUpdate.exe" /cuRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrunuRun: [sophos] c:\users\steveni\appdata\roaming\eeuhrrsj\tvjbwcca.exemRun: [iAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exemRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRunmRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -smRun: [sVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTILmRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUPmRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exemRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXEmRun: [HSON] c:\program files\toshiba\tbs\HSON.exemRun: [smoothView] c:\program files\toshiba\smoothview\SmoothView.exemRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exemRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exemRun: [iTSecMng] c:\program files\toshiba\bluetooth toshiba stack\ItSecMng.exe /STARTmRun: [smartFaceVWatcher] c:\program files\toshiba\smartfacev\SmartFaceVWatcher.exemRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exemRun: [TosWaitSrv] c:\program files\toshiba\tphm\TosWaitSrv.exemRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServicesmRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"mRun: [ESP] "c:\program files\bigpond\security\app\start.exe"mRun: [NetSweeperAgent] c:\program files\netsweeper parental controls\nsfx.exemRun: [NetSweeperLSPReset] "c:\program files\netsweeper parental controls\instlsp.exe" -a -z "msafd tcpip" -n "liger" -d "c:\windows\system32\liger.dll"mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exedRunOnce: [sPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601StartupFolder: c:\users\steveni\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXEStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exeuPolicies-Explorer: NoDriveTypeAutoRun = dword:145mPolicies-System: ConsentPromptBehaviorUser = dword:3mPolicies-System: EnableUIADesktopToggle = dword:0mPolicies-System: RunStartupScriptSync = dword:1IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dllIE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dllIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dllIE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dllIE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllIE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dllLSP: c:\windows\system32\liger.dll TCP: NameServer = 192.168.1.1TCP: Interfaces\{6C9F5191-26A8-4188-9605-1883AFFC6A20} : DHCPNameServer = 192.168.1.1TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472} : DHCPNameServer = 192.168.1.1TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472}\2456C6B696E6F5E4F575962756C6563737F5235343544344 : DHCPNameServer = 192.168.2.1TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472}\24967605F6E64663938333 : DHCPNameServer = 10.0.0.138TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472}\45548435F5234433341393 : DHCPNameServer = 192.168.0.1TCP: Interfaces\{817060E5-D02D-4DB6-8227-F4CC15440472}\945627163696 : DHCPNameServer = 192.168.0.1Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLLHandler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dllHandler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dllAppInit_DLLs= c:\progra~1\sophos\sophos~1\SOPHOS~1.DLLSSODL: WebCheck - <orphaned>SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL.================= FIREFOX ===================.FF - ProfilePath - c:\users\steveni\appdata\roaming\mozilla\firefox\profiles\2mjd049g.default\FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLLFF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLLFF - plugin: c:\program files\google\update\1.3.21.165\npGoogleUpdate3.dllFF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dllFF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dllFF - plugin: c:\users\steveni\appdata\local\citrix\plugins\104\npappdetector.dllFF - plugin: c:\users\steveni\appdata\local\google\update\1.3.21.165\npGoogleUpdate3.dllFF - plugin: c:\users\steveni\appdata\roaming\mozilla\plugins\npgoogletalk.dllFF - plugin: c:\users\steveni\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dllFF - plugin: c:\users\steveni\appdata\roaming\mozilla\plugins\npo1d.dllFF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dllFF - ExtSQL: !HIDDEN! 2011-08-13 16:20; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3.============= SERVICES / DRIVERS ===============.R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2010-11-26 122360]R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-21 172032]R2 AuthElementsSvc;AuthElementsSvc;c:\program files\bigpond\esp elements\AuthElementsSvc.exe [2013-3-12 244008]R2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.2.241.0\BBSvc.EXE [2013-7-23 193696]R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-6-14 69976]R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-20 12920]R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-13 30576]R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2010-11-24 24064]R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-5-21 230912]R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-5-21 862208]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]S3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.2.241.0\SeaPort.EXE [2013-7-23 240288]S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-5-21 174592]S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2010-11-24 23928]S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-21 52224]S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2012-9-13 84312]S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-11-24 22536].=============== Created Last 30 ================.2013-10-31 10:04:43 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys2013-10-31 10:03:55 -------- d-----w- c:\program files\iPod2013-10-31 10:03:54 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E12013-10-31 10:03:54 -------- d-----w- c:\program files\iTunes2013-10-31 01:31:39 -------- d-----w- c:\windows\pss2013-10-30 08:17:27 -------- d-----w- c:\program files\TaskCoach2013-10-26 02:47:41 -------- d-----w- c:\users\steveni\appdata\roaming\TrueCrypt2013-10-26 02:47:25 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys2013-10-26 02:47:24 -------- d-----w- c:\program files\TrueCrypt2013-10-18 22:05:09 -------- d-----w- c:\users\steveni\appdata\local\Citrix2013-10-09 09:31:49 -------- d-----w- C:\0278119867465c0d7bc20d2013-10-09 09:29:05 2706432 ----a-w- c:\windows\system32\mshtml.tlb2013-10-09 09:29:03 2876928 ----a-w- c:\windows\system32\jscript9.dll2013-10-09 09:29:02 217600 ----a-w- c:\program files\internet explorer\sqmapi.dll2013-10-09 09:29:02 108032 ----a-w- c:\program files\internet explorer\jsdebuggeride.dll2013-10-09 09:29:01 61440 ----a-w- c:\windows\system32\iesetup.dll2013-10-09 04:09:31 530432 ----a-w- c:\windows\system32\comctl32.dll2013-10-09 04:08:59 434688 ----a-w- c:\windows\system32\scavengeui.dll2013-10-09 04:08:55 2348544 ----a-w- c:\windows\system32\win32k.sys2013-10-09 04:08:50 146816 ----a-w- c:\windows\system32\drivers\usbvideo.sys2013-10-09 04:08:49 80896 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys2013-10-09 04:08:48 86016 ----a-w- c:\windows\system32\drivers\usbcir.sys2013-10-09 04:08:43 205824 ----a-w- c:\windows\system32\WebClnt.dll2013-10-09 04:08:42 81920 ----a-w- c:\windows\system32\davclnt.dll2013-10-09 04:08:41 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys2013-10-09 04:08:41 115712 ----a-w- c:\windows\system32\drivers\mrxdav.sys2013-10-09 02:58:02 4879744 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll2013-10-09 02:58:02 4879744 ----a-w- c:\program files\mozilla firefox\browser\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll2013-10-07 10:51:43 -------- d-----w- C:\31070c33d333f0edd6a5.==================== Find3M ====================.2013-10-09 08:50:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-10-09 08:50:51 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-10-09 08:50:46 17813896 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe2013-10-05 23:19:44 155 ----a-w- C:\SAPI_TTS.vbs2013-09-22 23:28:06 1767936 ----a-w- c:\windows\system32\wininet.dll2013-09-22 23:27:48 109056 ----a-w- c:\windows\system32\iesysprep.dll2013-09-21 02:39:47 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe2013-09-14 00:48:58 338944 ----a-w- c:\windows\system32\drivers\afd.sys2013-09-08 02:07:12 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys2013-09-08 02:03:58 231424 ----a-w- c:\windows\system32\mswsock.dll2013-09-04 01:15:32 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys2013-09-04 01:14:52 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys2013-09-04 01:14:52 284672 ----a-w- c:\windows\system32\drivers\usbport.sys2013-09-04 01:14:45 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys2013-09-04 01:14:45 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys2013-09-04 01:14:43 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys2013-09-04 01:14:40 6016 ----a-w- c:\windows\system32\drivers\usbd.sys2013-08-29 01:51:45 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe2013-08-29 01:51:45 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe2013-08-29 01:50:30 1289096 ----a-w- c:\windows\system32\ntdll.dll2013-08-29 01:50:16 619520 ----a-w- c:\windows\system32\tdh.dll2013-08-29 01:48:17 640512 ----a-w- c:\windows\system32\advapi32.dll.============= FINISH: 17:36:22.22 =============== Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 6, 2013 ID:750491 Share Posted November 6, 2013 Have to go somewhere now...will run RougeKiller later. One question...would you like a screenshot of the folder containing the viruses I'm talking about? Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 6, 2013 ID:750526 Share Posted November 6, 2013 Finished RougeKiller scan...forgot to quit Skype but that doesn't matter because the scan completed successfully. RKreport[0]_S_11062013_193926.txt below... RogueKiller V8.7.6 [Oct 28 2013] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://www.adlice.com/forum/Website : http://www.adlice.com/softwares/roguekiller/Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits versionStarted in : Normal modeUser : steveni [Admin rights]Mode : Scan -- Date : 11/06/2013 19:39:26| ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 5 ¤¤¤[RUN][sUSP PATH] HKCU\[...]\Run : Sophos (C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe [x]) -> FOUND[RUN][sUSP PATH] HKUS\S-1-5-21-4063401489-1788381713-3267365910-1141\[...]\Run : Sophos (C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe [x]) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Scheduled tasks : 0 ¤¤¤ ¤¤¤ Startup Entries : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤[inline] IAT @explorer.exe (CoCreateInstance) : ole32.dll -> HOOKED (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL @ 0x751A7860)[inline] EAT @explorer.exe (CopyFileExW) : kernel32.dll -> HOOKED (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL @ 0x751A75A0)[inline] EAT @explorer.exe (MoveFileWithProgressW) : kernel32.dll -> HOOKED (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL @ 0x751A7460)[inline] EAT @explorer.exe (CoCreateInstance) : ole32.dll -> HOOKED (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL @ 0x751A7860) ¤¤¤ External Hives: ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) TOSHIBA MK5055GSXN +++++--- User ---[MBR] e8408abdac884cffe85743a8de14514e[bSP] 22463b1a9687f188739ad02a5aed0a02 : Windows Vista MBR CodePartition table:0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464406 Mo2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 954177536 | Size: 11033 MoUser = LL1 ... OK!User = LL2 ... OK! Finished : << RKreport[0]_S_11062013_193926.txt >> Will continue with your next set of instructions tomorrow. Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 6, 2013 ID:750527 Share Posted November 6, 2013 Just wanted to ask something... in the log I see a found registry key with the name Sophos pointing to C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe, is that a malicious program pretending to be Sophos? I know that viruses like to hide an AppData... Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 6, 2013 ID:750529 Share Posted November 6, 2013 Typo - at the end where I said I know that viruses like to hide an AppData...I meant IN AppData not an AppData Link to post Share on other sites More sharing options...
MrCharlie Posted November 6, 2013 ID:750571 Share Posted November 6, 2013 Run RogueKiller again and click ScanWhen the scan completes > click on the Registry tabPut a check next to all of these and uncheck the rest: (if found) [RUN][sUSP PATH] HKCU\[...]\Run : Sophos (C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe [x]) -> FOUND[RUN][sUSP PATH] HKUS\S-1-5-21-4063401489-1788381713-3267365910-1141\[...]\Run : Sophos (C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe [x]) -> FOUNDNow click Delete on the right hand column under Options-------------Delete this folder if found: (enable hidden files to see it)C:\Users\steveni\AppData\Roaming\eeuhrrsjThen we have to run this scan to delete the malware:Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)Please make sure you click download buttons that look like this, not "sponsored ad links":Double-click to run it. When the tool opens click Yes to disclaimer.Press Scan button.It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.MrC Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 8, 2013 ID:751357 Share Posted November 8, 2013 FRST.txt below... Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013Ran by steveni (administrator) on AUSNB015 on 08-11-2013 15:52:11Running from C:\Users\steveni\Desktop\Malware Removal\FRSTMicrosoft Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)Internet Explorer Version 10Boot Mode: Normal==================== Processes (Whitelisted) ===================(AMD) C:\windows\system32\atiesrxx.exe(Sophos Plc) C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe(Wontok, Inc.) c:\Program Files\Bigpond\ESP Elements\AuthElementsSvc.exe(Authentium, Inc.) c:\Program Files\bigpond\security\App\syssvcnt.exe(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.2.241.0\BBSvc.exe(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS32.exe(wontok) c:\Program Files\Netsweeper Parental Controls\nsfxsrv.exe(Sophos Plc) C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe(Sophos Plc) C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe(Sophos Plc) C:\Program Files\Sophos\AutoUpdate\ALsvc.exe(Sophos Plc) C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe(TOSHIBA Corporation) C:\windows\system32\TODDSrv.exe(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe(Sunbelt Software) c:\Program Files\Common Files\Sunbelt\SBAMSvc.exe(AMD) C:\windows\system32\atieclxx.exe(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\Utilities\KeNotify.exe(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe(wontok) C:\Program Files\Netsweeper Parental Controls\nsfx.exe(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHViewer.exe(Wontok, Inc.) C:\Program Files\bigpond\security\App\Console.exe(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe(Microsoft Corporation) C:\windows\System32\mobsync.exe(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE(TOSHIBA Corporation) C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe(Wontok, Inc.) c:\Program Files\Bigpond\ESP Elements\bigpond.exe(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe(TOSHIBA CORPORATION) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe(Skype Technologies) C:\Program Files\Skype\Updater\Updater.exe(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe==================== Registry (Whitelisted) ==================HKLM\...\Run: [iAStorIcon] - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-10-03] (Intel Corporation)HKLM\...\Run: [startCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-09-09] (Advanced Micro Devices, Inc.)HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7858720 2009-10-22] (Realtek Semiconductor)HKLM\...\Run: [sVPWUTIL] - C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe [352256 2009-08-13] (TOSHIBA CORPORATION)HKLM\...\Run: [HWSetup] - C:\Program Files\TOSHIBA\Utilities\HWSetup.exe [425984 2009-06-03] (TOSHIBA Electronics, Inc.)HKLM\...\Run: [KeNotify] - C:\Program Files\TOSHIBA\Utilities\KeNotify.exe [34088 2009-01-14] (TOSHIBA CORPORATION)HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe [480608 2009-10-30] (TOSHIBA Corporation)HKLM\...\Run: [HSON] - C:\Program Files\TOSHIBA\TBS\HSON.exe [55160 2009-03-10] (TOSHIBA Corporation)HKLM\...\Run: [smoothView] - C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe [460088 2009-07-29] (TOSHIBA Corporation)HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [742712 2009-10-27] (TOSHIBA Corporation)HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1586472 2009-10-16] (Synaptics Incorporated)HKLM\...\Run: [iTSecMng] - C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [83336 2009-07-23] (TOSHIBA CORPORATION)HKLM\...\Run: [smartFaceVWatcher] - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe [163840 2009-10-20] (TOSHIBA Corporation)HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [611672 2009-11-06] (TOSHIBA Corporation)HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [611672 2009-10-31] (TOSHIBA Corporation)HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)HKLM\...\Run: [intelliPoint] - C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1797008 2010-07-21] (Microsoft Corporation)HKLM\...\Run: [] - [x]HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)HKLM\...\Run: [LifeCam] - C:\Program Files\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation)HKLM\...\Run: [ESP] - C:\Program Files\bigpond\security\App\start.exe [62952 2012-10-01] (Authentium, Inc.)HKLM\...\Run: [NetSweeperAgent] - C:\Program Files\Netsweeper Parental Controls\nsfx.exe [333744 2012-08-31] (wontok)HKLM\...\Run: [NetSweeperLSPReset] - C:\Program Files\Netsweeper Parental Controls\instlsp.exe [106416 2012-08-31] (wontok)HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-10-23] (Apple Inc.)HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\hpwuschd2.exe [54576 2009-11-18] (Hewlett-Packard)HKCU\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)HKCU\...\Run: [Google Update] - C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-10-19] (Google Inc.)HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [20549280 2013-10-21] (Skype Technologies S.A.)HKU\gracei\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [ 2012-03-08] (Microsoft Corporation)HKU\joshuai\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-10-21] (Skype Technologies S.A.)HKU\joshuai\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [ 2013-04-22] (Microsoft Corporation)HKU\princi\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [ 2012-03-08] (Microsoft Corporation)HKU\remote\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-10-21] (Skype Technologies S.A.)AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL [ 2012-11-12] (Sophos Plc)Startup: C:\Users\steveni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnkShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)==================== Internet (Whitelisted) ====================HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAUURLSearchHook: HKCU - (No Name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - No FileBHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)BHO: Bing Bar Helper - {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Plc)BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)Toolbar: HKLM - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No FileDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cabHandler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)Winsock: Catalog9 01 c:\windows\system32\liger.dll [238000] (wontok)Winsock: Catalog9 02 c:\windows\system32\liger.dll [238000] (wontok)Winsock: Catalog9 03 c:\windows\system32\liger.dll [238000] (wontok)Winsock: Catalog9 04 c:\windows\system32\liger.dll [238000] (wontok)Winsock: Catalog9 05 c:\windows\system32\liger.dll [238000] (wontok)Winsock: Catalog9 06 c:\windows\system32\liger.dll [238000] (wontok)Winsock: Catalog9 17 c:\windows\system32\liger.dll [238000] (wontok)Tcpip\Parameters: [DhcpNameServer] 192.168.1.1FireFox:========FF ProfilePath: C:\Users\steveni\AppData\Roaming\Mozilla\Firefox\Profiles\2mjd049g.defaultFF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()FF Plugin: @microsoft.com/GENUINE - disabled No FileFF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\steveni\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\steveni\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\steveni\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\steveni\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\steveni\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\steveni\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3========================== Services (Whitelisted) =================R2 AuthElementsSvc; c:\Program Files\Bigpond\ESP Elements\AuthElementsSvc.exe [244008 2013-03-12] (Wontok, Inc.)R2 AuthSysSvc; c:\Program Files\bigpond\security\App\syssvcnt.exe [112160 2012-10-01] (Authentium, Inc.)S3 GameConsoleService; C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe [238328 2009-08-28] (WildTangent, Inc.)R2 NSFXSrv; c:\Program Files\Netsweeper Parental Controls\nsfxsrv.exe [59824 2012-08-31] (wontok)R2 RSELSVC; C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe [62832 2009-07-08] (TOSHIBA Corporation)R2 SAVAdminService; C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [163056 2010-11-26] (Sophos Plc)R2 SAVService; C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe [97520 2010-11-26] (Sophos Plc)R2 SBAMSvc; c:\Program Files\Common Files\Sunbelt\SBAMSvc.exe [2763080 2010-08-20] (Sunbelt Software)R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)R2 Sophos Agent; C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe [282624 2010-11-26] (Sophos Plc)R2 Sophos AutoUpdate Service; C:\Program Files\Sophos\AutoUpdate\ALsvc.exe [232472 2012-04-11] (Sophos Plc)S2 Sophos Message Router; C:\Program Files\Sophos\Remote Management System\RouterNT.exe [806912 2010-11-26] (Sophos Plc)R2 swi_service; C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [1543704 2012-02-21] (Sophos Plc)S3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [51512 2009-10-07] (TOSHIBA Corporation)R2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\TECO\TecoService.exe [185712 2009-09-29] (TOSHIBA Corporation)R3 TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [111960 2009-11-06] (TOSHIBA Corporation)R3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [677232 2009-10-31] (TOSHIBA Corporation)S4 aspnet_state; %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [x]==================== Drivers (Whitelisted) ====================S3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [25112 2010-07-29] (Initio Corporation)S3 JL2005C; C:\Windows\System32\Drivers\jl2005c.sys [69098 2009-05-25] (Windows ® 2000 DDK provider)R0 LPCFilter; C:\Windows\System32\DRIVERS\LPCFilter.sys [36208 2009-07-31] (COMPAL ELECTRONIC INC.)R3 PGEffect; C:\Windows\System32\DRIVERS\pgeffect.sys [24064 2009-06-22] (TOSHIBA Corporation)R3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [157536 2009-05-21] (Realtek Semiconductor Corp.)R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [122360 2010-11-26] (Sophos Plc)R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [69976 2010-06-14] (Sunbelt Software)S3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [23928 2010-11-24] (Sophos Plc)S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [22536 2010-11-24] (Sophos Plc)R2 TVALZFL; C:\Windows\System32\DRIVERS\TVALZFL.sys [12920 2009-06-20] (TOSHIBA Corporation)S1 SBRE; \??\C:\windows\system32\drivers\SBREdrv.sys [x]==================== NetSvcs (Whitelisted) ======================================= One Month Created Files and Folders ========2013-11-08 15:52 - 2013-11-08 15:52 - 00000000 ____D C:\FRST2013-11-06 19:35 - 2013-11-07 17:31 - 00000000 ____D C:\Users\steveni\Desktop\RK_Quarantine2013-11-06 17:32 - 2013-11-07 17:27 - 00000000 ____D C:\Users\steveni\Desktop\Malware Removal2013-11-02 11:16 - 2013-11-02 11:16 - 00000000 ____D C:\Users\steveni\Downloads\AssaultCubePortable2013-11-02 11:13 - 2013-11-02 11:14 - 47303240 _____ (PortableApps.com) C:\Users\steveni\Downloads\AssaultCubePortable_1.2.0.0_English.paf.exe2013-11-02 10:42 - 2013-11-02 10:42 - 00000000 ____D C:\Users\gracei\AppData\Local\{4711F54F-56C9-45D5-AECE-D0F4717F5FD1}2013-10-31 18:04 - 2013-10-31 18:04 - 00001724 _____ C:\Users\Public\Desktop\iTunes.lnk2013-10-31 18:04 - 2012-08-21 13:01 - 00026840 _____ (GEAR Software Inc.) C:\windows\system32\Drivers\GEARAspiWDM.sys2013-10-31 18:03 - 2013-10-31 18:04 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E12013-10-31 18:03 - 2013-10-31 18:04 - 00000000 ____D C:\Program Files\iTunes2013-10-31 18:03 - 2013-10-31 18:03 - 00000000 ____D C:\Program Files\iPod2013-10-31 17:39 - 2013-10-31 17:41 - 98660176 _____ (Apple Inc.) C:\Users\steveni\Downloads\iTunesSetup.exe2013-10-31 09:31 - 2013-10-31 19:19 - 00000000 ____D C:\windows\pss2013-10-30 16:17 - 2013-10-30 16:17 - 00000952 _____ C:\Users\steveni\Desktop\Task Coach.lnk2013-10-30 16:17 - 2013-10-30 16:17 - 00000000 ____D C:\Program Files\TaskCoach2013-10-26 10:49 - 2013-10-26 10:49 - 1073741824 _____ C:\Users\steveni\Desktop\Encrypted Files2013-10-26 10:47 - 2013-10-26 10:48 - 00000000 ____D C:\Users\steveni\AppData\Roaming\TrueCrypt2013-10-26 10:47 - 2013-10-26 10:47 - 00231760 _____ (TrueCrypt Foundation) C:\windows\system32\Drivers\truecrypt.sys2013-10-26 10:47 - 2013-10-26 10:47 - 00001003 _____ C:\Users\Public\Desktop\TrueCrypt.lnk2013-10-26 10:47 - 2013-10-26 10:47 - 00000000 ____D C:\Program Files\TrueCrypt2013-10-26 10:46 - 2013-10-26 10:46 - 03466248 _____ (TrueCrypt Foundation) C:\Users\steveni\Downloads\TrueCrypt Setup 7.1a.exe2013-10-19 06:05 - 2013-11-08 07:46 - 00000000 ____D C:\Users\steveni\AppData\Local\Citrix2013-10-16 17:34 - 2013-10-16 17:36 - 00000000 ____D C:\Users\steveni\Desktop\TweetAside2013-10-16 17:03 - 2013-10-16 17:20 - 00481230 _____ C:\Users\steveni\Desktop\PRESENTATION FRIENDSHIP.pptx2013-10-13 12:59 - 2013-10-13 13:21 - 00064478 _____ C:\Users\steveni\Downloads\linksel.ani2013-10-13 12:50 - 2013-10-13 13:21 - 00004286 _____ C:\Users\steveni\Downloads\normal.cur2013-10-13 12:49 - 2013-10-13 13:21 - 00206180 _____ C:\Users\steveni\Downloads\working in background.ani2013-10-13 12:46 - 2013-10-13 13:21 - 00206180 _____ C:\Users\steveni\Downloads\busy.ani2013-10-09 17:31 - 2013-10-09 17:31 - 00000000 ____D C:\0278119867465c0d7bc20d2013-10-09 17:29 - 2013-09-23 07:27 - 02876928 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll2013-10-09 17:29 - 2013-09-23 07:27 - 00690688 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll2013-10-09 17:29 - 2013-09-23 07:27 - 00391168 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll2013-10-09 17:29 - 2013-09-23 07:27 - 00061440 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll2013-10-09 17:29 - 2013-09-23 07:27 - 00039424 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll2013-10-09 17:29 - 2013-09-21 11:30 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb2013-10-09 17:28 - 2013-09-23 07:28 - 01767936 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll2013-10-09 17:28 - 2013-09-23 07:28 - 01141248 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll2013-10-09 17:28 - 2013-09-23 07:28 - 00042496 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe2013-10-09 17:28 - 2013-09-23 07:27 - 14335488 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll2013-10-09 17:28 - 2013-09-23 07:27 - 13761024 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll2013-10-09 17:28 - 2013-09-23 07:27 - 02048512 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll2013-10-09 17:28 - 2013-09-23 07:27 - 00493056 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll2013-10-09 17:28 - 2013-09-23 07:27 - 00109056 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll2013-10-09 17:28 - 2013-09-23 07:27 - 00033280 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll2013-10-09 17:28 - 2013-09-21 10:39 - 00071680 _____ (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe2013-10-09 12:09 - 2013-09-14 08:48 - 00338944 _____ (Microsoft Corporation) C:\windows\system32\Drivers\afd.sys2013-10-09 12:09 - 2013-09-08 10:07 - 01294272 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys2013-10-09 12:09 - 2013-09-08 10:03 - 00231424 _____ (Microsoft Corporation) C:\windows\system32\mswsock.dll2013-10-09 12:09 - 2013-09-04 09:15 - 00258560 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbhub.sys2013-10-09 12:09 - 2013-09-04 09:14 - 00284672 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbport.sys2013-10-09 12:09 - 2013-09-04 09:14 - 00076288 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbccgp.sys2013-10-09 12:09 - 2013-09-04 09:14 - 00043008 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbehci.sys2013-10-09 12:09 - 2013-09-04 09:14 - 00024064 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbuhci.sys2013-10-09 12:09 - 2013-09-04 09:14 - 00020480 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbohci.sys2013-10-09 12:09 - 2013-09-04 09:14 - 00006016 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbd.sys2013-10-09 12:09 - 2013-08-29 09:51 - 03969472 _____ (Microsoft Corporation) C:\windows\system32\ntkrnlpa.exe2013-10-09 12:09 - 2013-08-29 09:51 - 03914176 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe2013-10-09 12:09 - 2013-08-29 09:50 - 01289096 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll2013-10-09 12:09 - 2013-08-29 09:50 - 00619520 _____ (Microsoft Corporation) C:\windows\system32\tdh.dll2013-10-09 12:09 - 2013-08-29 09:48 - 00640512 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll2013-10-09 12:09 - 2013-08-01 19:03 - 00729024 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys2013-10-09 12:09 - 2013-07-20 18:33 - 00102608 _____ (Microsoft Corporation) C:\windows\system32\PresentationCFFRasterizerNative_v0300.dll2013-10-09 12:09 - 2013-07-04 19:50 - 00530432 _____ (Microsoft Corporation) C:\windows\system32\comctl32.dll2013-10-09 12:09 - 2013-07-03 11:36 - 00055808 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidclass.sys2013-10-09 12:09 - 2013-07-03 11:36 - 00025728 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hidparse.sys2013-10-09 12:09 - 2013-06-06 12:52 - 00026112 _____ (Microsoft Corporation) C:\windows\system32\lpk.dll2013-10-09 12:09 - 2013-06-06 12:51 - 00070656 _____ (Microsoft Corporation) C:\windows\system32\fontsub.dll2013-10-09 12:09 - 2013-06-06 12:50 - 00010240 _____ (Microsoft Corporation) C:\windows\system32\dciman32.dll2013-10-09 12:09 - 2013-06-06 11:01 - 00295424 _____ (Adobe Systems Incorporated) C:\windows\system32\atmfd.dll2013-10-09 12:09 - 2013-06-06 11:01 - 00034304 _____ (Adobe Systems) C:\windows\system32\atmlib.dll2013-10-09 12:08 - 2013-08-28 09:04 - 02348544 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys2013-10-09 12:08 - 2013-08-28 08:57 - 00434688 _____ (Microsoft Corporation) C:\windows\system32\scavengeui.dll2013-10-09 12:08 - 2013-07-12 18:08 - 00146816 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbvideo.sys2013-10-09 12:08 - 2013-07-12 18:07 - 00086016 _____ (Microsoft Corporation) C:\windows\system32\Drivers\usbcir.sys2013-10-09 12:08 - 2013-07-12 18:07 - 00080896 _____ (Microsoft Corporation) C:\windows\system32\Drivers\USBAUDIO.sys2013-10-09 12:08 - 2013-07-04 19:57 - 00205824 _____ (Microsoft Corporation) C:\windows\system32\WebClnt.dll2013-10-09 12:08 - 2013-07-04 19:51 - 00081920 _____ (Microsoft Corporation) C:\windows\system32\davclnt.dll2013-10-09 12:08 - 2013-07-04 17:48 - 00115712 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys2013-10-09 12:08 - 2013-06-26 06:56 - 00527064 _____ (Microsoft Corporation) C:\windows\system32\Drivers\Wdf01000.sys==================== One Month Modified Files and Folders =======2013-11-08 15:53 - 2010-05-21 14:03 - 02027623 _____ C:\windows\WindowsUpdate.log2013-11-08 15:52 - 2013-11-08 15:52 - 00000000 ____D C:\FRST2013-11-08 15:50 - 2013-02-03 11:28 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job2013-11-08 15:50 - 2011-05-19 18:32 - 00000884 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job2013-11-08 15:49 - 2009-07-14 12:53 - 00000006 ____H C:\windows\Tasks\SA.DAT2013-11-08 15:48 - 2009-07-14 12:39 - 00182167 _____ C:\windows\setupact.log2013-11-08 07:53 - 2011-05-19 18:31 - 00000000 ____D C:\Users\steveni\AppData\Roaming\Skype2013-11-08 07:46 - 2013-10-19 06:05 - 00000000 ____D C:\Users\steveni\AppData\Local\Citrix2013-11-08 07:36 - 2011-05-19 18:32 - 00000888 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job2013-11-08 07:35 - 2011-12-20 16:22 - 00000916 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141UA.job2013-11-08 06:54 - 2013-07-18 20:02 - 00000000 ____D C:\Program Files\Common Files\Authentium Shared2013-11-08 06:44 - 2009-07-14 12:34 - 00017504 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02013-11-08 06:44 - 2009-07-14 12:34 - 00017504 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02013-11-07 19:47 - 2012-08-24 11:01 - 00000000 ____D C:\Users\steveni\Desktop\G&J Best Stuff2013-11-07 17:31 - 2013-11-06 19:35 - 00000000 ____D C:\Users\steveni\Desktop\RK_Quarantine2013-11-07 17:27 - 2013-11-06 17:32 - 00000000 ____D C:\Users\steveni\Desktop\Malware Removal2013-11-07 06:34 - 2011-12-20 16:22 - 00000864 _____ C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141Core.job2013-11-07 06:24 - 2012-05-30 07:28 - 00000204 _____ C:\windows\MYOBP.INI2013-11-07 06:23 - 2012-05-30 07:28 - 00000039 _____ C:\windows\MYOB.INI2013-11-06 19:48 - 2009-11-10 19:51 - 00786054 _____ C:\windows\system32\PerfStringBackup.INI2013-11-06 06:34 - 2011-05-19 18:31 - 00000000 ___RD C:\Program Files\Skype2013-11-06 06:34 - 2011-05-19 18:30 - 00000000 ____D C:\ProgramData\Skype2013-11-05 18:58 - 2012-08-09 07:45 - 00000000 ____D C:\Users\steveni\AppData\Local\CrashDumps2013-11-02 11:16 - 2013-11-02 11:16 - 00000000 ____D C:\Users\steveni\Downloads\AssaultCubePortable2013-11-02 11:14 - 2013-11-02 11:13 - 47303240 _____ (PortableApps.com) C:\Users\steveni\Downloads\AssaultCubePortable_1.2.0.0_English.paf.exe2013-11-02 10:52 - 2013-04-23 09:42 - 00000000 ____D C:\Users\gracei\Desktop\3D Items2013-11-02 10:42 - 2013-11-02 10:42 - 00000000 ____D C:\Users\gracei\AppData\Local\{4711F54F-56C9-45D5-AECE-D0F4717F5FD1}2013-11-02 10:42 - 2012-04-03 19:35 - 00000000 ____D C:\Users\gracei\Tracing2013-11-01 19:16 - 2009-07-14 12:53 - 00032560 _____ C:\windows\Tasks\SCHEDLGU.TXT2013-10-31 19:19 - 2013-10-31 09:31 - 00000000 ____D C:\windows\pss2013-10-31 18:05 - 2010-11-24 14:55 - 00000000 ____D C:\Users\steveni\AppData\Roaming\Apple Computer2013-10-31 18:04 - 2013-10-31 18:04 - 00001724 _____ C:\Users\Public\Desktop\iTunes.lnk2013-10-31 18:04 - 2013-10-31 18:03 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E12013-10-31 18:04 - 2013-10-31 18:03 - 00000000 ____D C:\Program Files\iTunes2013-10-31 18:03 - 2013-10-31 18:03 - 00000000 ____D C:\Program Files\iPod2013-10-31 18:03 - 2010-11-24 13:27 - 00000000 ____D C:\Program Files\Common Files\Apple2013-10-31 17:51 - 2009-07-14 12:52 - 00000000 ____D C:\windows\system32\FxsTmp2013-10-31 17:41 - 2013-10-31 17:39 - 98660176 _____ (Apple Inc.) C:\Users\steveni\Downloads\iTunesSetup.exe2013-10-31 09:28 - 2013-09-26 17:30 - 00000000 ____D C:\Users\steveni\AppData\Roaming\Task Coach2013-10-30 16:17 - 2013-10-30 16:17 - 00000952 _____ C:\Users\steveni\Desktop\Task Coach.lnk2013-10-30 16:17 - 2013-10-30 16:17 - 00000000 ____D C:\Program Files\TaskCoach2013-10-29 06:14 - 2010-11-24 11:18 - 00000530 _____ C:\windows\Tasks\Default Scheduled SCAN.job2013-10-26 10:49 - 2013-10-26 10:49 - 1073741824 _____ C:\Users\steveni\Desktop\Encrypted Files2013-10-26 10:48 - 2013-10-26 10:47 - 00000000 ____D C:\Users\steveni\AppData\Roaming\TrueCrypt2013-10-26 10:47 - 2013-10-26 10:47 - 00231760 _____ (TrueCrypt Foundation) C:\windows\system32\Drivers\truecrypt.sys2013-10-26 10:47 - 2013-10-26 10:47 - 00001003 _____ C:\Users\Public\Desktop\TrueCrypt.lnk2013-10-26 10:47 - 2013-10-26 10:47 - 00000000 ____D C:\Program Files\TrueCrypt2013-10-26 10:46 - 2013-10-26 10:46 - 03466248 _____ (TrueCrypt Foundation) C:\Users\steveni\Downloads\TrueCrypt Setup 7.1a.exe2013-10-24 20:31 - 2013-05-11 11:58 - 00000000 ___RD C:\Users\steveni\Desktop\Share2013-10-24 19:35 - 2012-10-11 06:54 - 00000000 ____D C:\Users\steveni\AppData\Roaming\Mozilla2013-10-21 09:39 - 2013-09-04 22:46 - 00000000 ____D C:\Users\steveni\Desktop\Payslips 5 Sep2013-10-16 17:36 - 2013-10-16 17:34 - 00000000 ____D C:\Users\steveni\Desktop\TweetAside2013-10-16 17:20 - 2013-10-16 17:03 - 00481230 _____ C:\Users\steveni\Desktop\PRESENTATION FRIENDSHIP.pptx2013-10-13 13:29 - 2012-04-10 20:44 - 00000000 ____D C:\Users\steveni\AppData\Local\Windows Live2013-10-13 13:21 - 2013-10-13 12:59 - 00064478 _____ C:\Users\steveni\Downloads\linksel.ani2013-10-13 13:21 - 2013-10-13 12:50 - 00004286 _____ C:\Users\steveni\Downloads\normal.cur2013-10-13 13:21 - 2013-10-13 12:49 - 00206180 _____ C:\Users\steveni\Downloads\working in background.ani2013-10-13 13:21 - 2013-10-13 12:46 - 00206180 _____ C:\Users\steveni\Downloads\busy.ani2013-10-11 08:40 - 2010-11-24 12:01 - 00000000 ____D C:\Users\steveni2013-10-10 20:57 - 2009-07-14 10:37 - 00000000 ____D C:\windows\rescache2013-10-10 09:05 - 2009-07-14 12:33 - 00446144 _____ C:\windows\system32\FNTCACHE.DAT2013-10-10 07:27 - 2010-05-21 14:45 - 00000000 ____D C:\ProgramData\Microsoft Help2013-10-09 22:46 - 2009-07-14 10:37 - 00000000 ____D C:\windows\Microsoft.NET2013-10-09 17:31 - 2013-10-09 17:31 - 00000000 ____D C:\0278119867465c0d7bc20d2013-10-09 17:31 - 2013-07-15 05:50 - 00000000 ____D C:\windows\system32\MRT2013-10-09 17:31 - 2010-11-24 15:49 - 78106760 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe2013-10-09 17:31 - 2010-05-21 14:39 - 00000000 ____D C:\Program Files\Microsoft Silverlight2013-10-09 16:50 - 2013-08-22 06:50 - 17813896 _____ (Adobe Systems Incorporated) C:\windows\system32\FlashPlayerInstaller.exe2013-10-09 16:50 - 2012-05-01 16:35 - 00692616 _____ (Adobe Systems Incorporated) C:\windows\system32\FlashPlayerApp.exe2013-10-09 16:50 - 2012-05-01 16:35 - 00071048 _____ (Adobe Systems Incorporated) C:\windows\system32\FlashPlayerCPLApp.cpl2013-10-09 13:07 - 2013-07-16 07:58 - 00000000 ____D C:\Users\steveni\AppData\Roaming\TeamViewerFiles to move or delete:====================C:\Users\joshuai\simple.batC:\Users\steveni\simple.batSome content of TEMP:====================C:\Users\administrator\AppData\Local\Temp\lockdll.dllC:\Users\administrator\AppData\Local\Temp\regrepair.exeC:\Users\gracei\AppData\Local\Temp\SkypeSetup.exeC:\Users\joshuai\AppData\Local\Temp\bbcap.dllC:\Users\joshuai\AppData\Local\Temp\bbchlp.dllC:\Users\joshuai\AppData\Local\Temp\FlashBackDriverInstaller.exeC:\Users\joshuai\AppData\Local\Temp\MemorexLOCK v2.30.exeC:\Users\joshuai\AppData\Local\Temp\msgE59F.exeC:\Users\joshuai\AppData\Local\Temp\OutlookConnector.exeC:\Users\joshuai\AppData\Local\Temp\Pivot Stickfigure.exeC:\Users\joshuai\AppData\Local\Temp\SkypeSetup.exeC:\Users\joshuai\AppData\Local\Temp\somoto-master.exeC:\Users\remote\AppData\Local\Temp\SkypeSetup.exeC:\Users\steveni\AppData\Local\Temp\7-zip.dllC:\Users\steveni\AppData\Local\Temp\7z.dllC:\Users\steveni\AppData\Local\Temp\7z.exeC:\Users\steveni\AppData\Local\Temp\7zFM.exeC:\Users\steveni\AppData\Local\Temp\7zG.exeC:\Users\steveni\AppData\Local\Temp\AskSLib.dllC:\Users\steveni\AppData\Local\Temp\deletedr.exeC:\Users\steveni\AppData\Local\Temp\FB6E.tmp.exeC:\Users\steveni\AppData\Local\Temp\FlashBackDriverInstaller.exeC:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-1.exeC:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-2.exeC:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-3.exeC:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-4.exeC:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-5.exeC:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer-6.exeC:\Users\steveni\AppData\Local\Temp\fp_pl_pfs_installer.exeC:\Users\steveni\AppData\Local\Temp\GoogleToolbarInstaller.exeC:\Users\steveni\AppData\Local\Temp\HC2SetupPvt.exeC:\Users\steveni\AppData\Local\Temp\incredibar_installer.exeC:\Users\steveni\AppData\Local\Temp\MemorexLOCK v2.30.exeC:\Users\steveni\AppData\Local\Temp\Microsoft Office 2013 Setup.exeC:\Users\steveni\AppData\Local\Temp\msg118F.exeC:\Users\steveni\AppData\Local\Temp\msg205F.exeC:\Users\steveni\AppData\Local\Temp\msg31FB.exeC:\Users\steveni\AppData\Local\Temp\msg63E7.exeC:\Users\steveni\AppData\Local\Temp\msg6734.exeC:\Users\steveni\AppData\Local\Temp\ntdll_dump.dllC:\Users\steveni\AppData\Local\Temp\OfficeSetup.exeC:\Users\steveni\AppData\Local\Temp\PuTTY.exeC:\Users\steveni\AppData\Local\Temp\Recuva.exeC:\Users\steveni\AppData\Local\Temp\Refresh.exeC:\Users\steveni\AppData\Local\Temp\sj44s0yd.dllC:\Users\steveni\AppData\Local\Temp\SkypeSetup.exeC:\Users\steveni\AppData\Local\Temp\TeamViewer.exeC:\Users\steveni\AppData\Local\Temp\TeamViewer_Resource_en.dllC:\Users\steveni\AppData\Local\Temp\TV.dllC:\Users\steveni\AppData\Local\Temp\Unlocker.exeC:\Users\steveni\AppData\Local\Temp\UnlockerAssistant.exeC:\Users\steveni\AppData\Local\Temp\UnlockerHook.dllC:\Users\steveni\AppData\Local\Temp\vfd.dllC:\Users\steveni\AppData\Local\Temp\vfd.exeC:\Users\steveni\AppData\Local\Temp\vfdwin.exeC:\Users\steveni\AppData\Local\Temp\_is23C7.exeC:\Users\steveni\AppData\Local\Temp\_is3FDE.exeC:\Users\steveni\AppData\Local\Temp\_is4FA7.exeC:\Users\steveni\AppData\Local\Temp\_is8556.exeC:\Users\steveni\AppData\Local\Temp\_isAEC6.exe==================== Bamital & volsnap Check =================C:\Windows\explorer.exe => MD5 is legitC:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legitLastRegBack: 2013-10-31 00:15==================== End Of Log ============================ Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 8, 2013 ID:751358 Share Posted November 8, 2013 Addition.txt below... Additional scan result of Farbar Recovery Scan Tool (x86) Version: 31-10-2013Ran by steveni at 2013-11-08 16:00:15Running from C:\Users\steveni\Desktop\Malware Removal\FRSTBoot Mode: Normal============================================================================== Security Center ========================AV: BP Security AntiMalware (Enabled - Up to date) {BE5DD172-7F42-7948-1A60-E6A720288F81}AV: Sophos Anti-Virus (Enabled - Out of date) {479CCF92-4960-B3E0-7373-BF453B467D2C}AS: Sophos Anti-Virus (Enabled - Out of date) {FCFD2E76-6F5A-BC6E-49C3-843740C13791}AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}AS: BP Security AntiMalware (Enabled - Up to date) {053C3096-5978-76C6-20D0-DDD55BAFC53C}==================== Installed Programs ======================32 Bit HP CIO Components Installer (Version: 7.1.4)Adobe AIR (Version: 2.7.1.19610)Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)Adobe Flash Player 11 Plugin (Version: 11.9.900.117)Adobe Reader 9.1 (Version: 9.1.0)Amazon Send to Kindle (Version: 1.0.0.192)Anti-Spyware (Sunbelt4) (Version: 3.003.0002)Apple Application Support (Version: 2.3.6)Apple Mobile Device Support (Version: 7.0.0.117)B110 (Version: 140.0.283.000)Bejeweled 2 Deluxe (Version: 2.2.0.82)BigPond (BIUS) (Version: 3.000.0002)Bigpond Desktop (Version: 4.000.0377)BigPond Security (Version: 3.00.001.0412)Bing Bar (Version: 7.2.241.0)Bluetooth Stack for Windows by Toshiba (Version: v7.00.15(T))Bonjour (Version: 3.0.0.10)BufferChm (Version: 140.0.212.000)Catalyst Control Center - Branding (Version: 1.00.0000)Catalyst Control Center Core Implementation (Version: 2009.0908.2225.38429)Catalyst Control Center Graphics Full Existing (Version: 2009.0908.2225.38429)Catalyst Control Center Graphics Full New (Version: 2009.0908.2225.38429)Catalyst Control Center Graphics Light (Version: 2009.0908.2225.38429)Catalyst Control Center Graphics Previews Common (Version: 2009.0908.2225.38429)Catalyst Control Center Graphics Previews Vista (Version: 2009.0908.2225.38429)Catalyst Control Center InstallProxy (Version: 2009.0908.2225.38429)Catalyst Control Center Localization All (Version: 2009.0908.2225.38429)CCC Help Chinese Standard (Version: 2009.0908.2224.38429)CCC Help Chinese Traditional (Version: 2009.0908.2224.38429)CCC Help Czech (Version: 2009.0908.2224.38429)CCC Help Danish (Version: 2009.0908.2224.38429)CCC Help Dutch (Version: 2009.0908.2224.38429)CCC Help English (Version: 2009.0908.2224.38429)CCC Help Finnish (Version: 2009.0908.2224.38429)CCC Help French (Version: 2009.0908.2224.38429)CCC Help German (Version: 2009.0908.2224.38429)CCC Help Greek (Version: 2009.0908.2224.38429)CCC Help Hungarian (Version: 2009.0908.2224.38429)CCC Help Italian (Version: 2009.0908.2224.38429)CCC Help Japanese (Version: 2009.0908.2224.38429)CCC Help Korean (Version: 2009.0908.2224.38429)CCC Help Norwegian (Version: 2009.0908.2224.38429)CCC Help Polish (Version: 2009.0908.2224.38429)CCC Help Portuguese (Version: 2009.0908.2224.38429)CCC Help Russian (Version: 2009.0908.2224.38429)CCC Help Spanish (Version: 2009.0908.2224.38429)CCC Help Swedish (Version: 2009.0908.2224.38429)CCC Help Thai (Version: 2009.0908.2224.38429)CCC Help Turkish (Version: 2009.0908.2224.38429)ccc-core-static (Version: 2009.0908.2225.38429)ccc-utility (Version: 2009.0908.2225.38429)Chuzzle Deluxe (Version: 2.2.0.82)Citrix Online Launcher (Version: 1.0.141)Coupon Printer for Windows (Version: 5.0.0.0)D3DX10 (Version: 15.4.2368.0902)Definition Update for Microsoft Office 2010 (KB982726) 32-Bit EditionDestinations (Version: 140.0.77.000)DeviceDiscovery (Version: 140.0.212.000)Direct DiscRecorder (Version: 1.00.0000)DVD MovieFactory for TOSHIBA (Version: 7.0.0)ESP (Version: 3.001.0043)FATE (Version: 2.2.0.82)ffdshow [rev 2527] [2008-12-19] (Version: 1.0)Firewall (User) (Version: 3.000.0007)GameXN GOGoogle Talk Plugin (Version: 4.8.2.15856)Google Toolbar for Internet Explorer (Version: 1.0.0)Google Toolbar for Internet Explorer (Version: 7.4.3607.2246)Google Update Helper (Version: 1.3.21.165)GoToMeeting 5.9.0.1216 (HKCU Version: 5.9.0.1216)GPBaseService2 (Version: 140.0.211.000)Haali Media SplitterHDAUDIO Soft Data Fax Modem with SmartCP (Version: 7.80.4.50)HP Customer Participation Program 14.0 (Version: 14.0)HP Imaging Device Functions 14.0 (Version: 14.0)HP Photo Creations (Version: 1.0.0.2024)HP Photosmart Wireless B110 All-In-One Driver Software 14.0 Rel. 7 (Version: 14.0)HP Smart Web Printing 4.60 (Version: 4.60)HP Solution Center 14.0 (Version: 14.0)HP Update (Version: 5.002.002.002)HPAppStudio (Version: 140.0.95.000)HPPhotoGadget (Version: 140.0.524.000)HPProductAssistant (Version: 140.0.212.000)HPSSupply (Version: 140.0.211.000)HyperCam 2 (Version: 2.26.00)ImgBurn (Version: 2.5.7.0)Intel® Control Center (Version: 1.2.0.1006)Intel® Management Engine Components (Version: 6.0.0.1179)Intel® Rapid Storage Technology (Version: 9.5.0.1037)iTunes (Version: 11.1.2.32)Java 6 Update 14 (Version: 6.0.140)Junk Mail filter update (Version: 15.4.3502.0922)Magic Match - The Genie's Journey (Version: 2.2.0.82)Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)MarketResearch (Version: 140.0.212.000)Messenger Companion (Version: 15.4.3502.0922)Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)Microsoft Application Error Reporting (Version: 12.0.6012.5000)Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170) (Version: 3.5.30730.0)Microsoft Corporation (Version: 9.1.0.0)Microsoft IntelliPoint 8.0 (Version: 8.0.225.0)Microsoft LifeCam (Version: 3.60.253.0)Microsoft Office 2010 Service Pack 1 (SP1)Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Outlook Connector (Version: 14.0.6123.5001)Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)Microsoft Silverlight (Version: 5.1.20913.0)Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)Monopoly (Version: 2.2.0.82)Mozilla Firefox 24.0 (x86 en-US) (Version: 24.0)Mozilla Maintenance Service (Version: 24.0)MSVCRT (Version: 15.4.2862.0708)MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)MYOB AccountRight Plus v19.6 (Version: 19.6.0)MYOB ODBC Direct v10 AUS (Version: 10.0.0)Netsweeper Parental Controls (Version: 3.20.6.1)Network (Version: 140.0.215.000)Norton Internet Security (Version: 19.0.0.128)Oracle VM VirtualBox 4.2.0 (Version: 4.2.0)Peggle (Version: 2.2.0.82)Pivot Stickfigure Animator version 2.2.6 (Version: 2.2.6)PlayReady PC Runtime x86 (Version: 1.3.0)Polar Bowler (Version: 2.2.0.82)Polar Golfer (Version: 2.2.0.82)Primo (Version: 1.00.0000)Project ROME (Version: 0.9.0 (157403))Project ROME (Version: 0.9.0)PS_AIO_07_B110_SW_Min (Version: 140.0.142.000)QuickTime (Version: 7.68.75.0)QuickTransfer (Version: 140.0.98.000)Realtek Ethernet Controller Driver For Windows Vista and Later (Version: 1.00.0011)Realtek High Definition Audio Driver (Version: 6.0.1.5964)Realtek USB 2.0 Card Reader (Version: 6.1.7600.30105)Realtek WLAN Driver (Version: 2.00.0006)RealWorld Cursor Editor (Version: 12.1.0)Runtime (Version: 1.00.0000)SafeCentral Security Suite Web Install HelperScan (Version: 140.0.80.000)Shop for HP Supplies (Version: 14.0)Skype Click to Call (Version: 6.13.13771)Skype™ 6.10 (Version: 6.10.104)SmartWebPrinting (Version: 140.0.186.000)SolutionCenter (Version: 140.0.214.000)Sony Picture Utility (Version: 4.2.00.11130)Sophos Anti-Virus (Version: 9.5.7)Sophos AutoUpdate (Version: 2.5.13)Sophos Remote Management System (Version: 3.2.0)Status (Version: 140.0.256.000)Synaptics Pointing Device Driver (Version: 14.0.11.0)Task Coach 1.3.33TeamViewer 8 (Version: 8.0.19617)Third Party Prerequisites (Version: 3.0.0)Toolbox (Version: 140.0.428.000)TOSHIBA Assist (Version: 2.01.12)TOSHIBA Disc Creator (Version: 2.1.0.2)TOSHIBA DVD PLAYER (Version: 3.01.1.04-A)TOSHIBA eco Utility (Version: 1.1.12.0)TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)TOSHIBA Face Recognition (Version: 3.1.3.32)TOSHIBA Flash Cards Support Utility (Version: 1.63.0.4C)TOSHIBA Hardware Setup (Version: 1.63.0.16C)TOSHIBA HDD/SSD Alert (Version: 3.1.0.4)TOSHIBA Internal Modem Region Select Utility (Version: 2.3.0.01)TOSHIBA PC Health Monitor (Version: 1.5.0.0)TOSHIBA Recovery Media Creator (Version: 2.1.0.4)TOSHIBA Service Station (Version: 2.1.40)TOSHIBA Speech System Applications (Version: 1.00.2518)TOSHIBA Speech System SR Engine(U.S.) Version1.0TOSHIBA Speech System TTS Engine(U.S.) Version1.0TOSHIBA Supervisor Password (Version: 1.63.0.7C)TOSHIBA Value Added Package (Version: 1.2.32)TOSHIBA Web Camera Application (Version: 1.1.1.9)TrayApp (Version: 140.0.212.000)TrueCrypt (Version: 7.1a)TweetDeck (Version: 1.5.3)Uninstall Dual Mode Camera (V25)Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (Version: 3)Update for Microsoft Access 2010 (KB2553446) 32-Bit EditionUpdate for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2494150)Update for Microsoft Office 2010 (KB2553065)Update for Microsoft Office 2010 (KB2553181) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553267) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553310) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2566458)Update for Microsoft Office 2010 (KB2589298) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2589375) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2596964) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2598242) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2687503) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2760598) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2760631) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2767886) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2794737) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2825640) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2826026) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2553290) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2810072) 32-Bit EditionUpdate for Microsoft Outlook 2010 (KB2687623) 32-Bit EditionUpdate for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit EditionUpdate for Microsoft PowerPoint 2010 (KB2553145) 32-Bit EditionUpdate for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit EditionUpdate for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit EditionUpdate for Microsoft Word 2010 (KB2827323) 32-Bit EditionUtility Common Driver (Version: 1.0.50.27C)Vivitar Experience Image ManagerWeb Filtering (Netsweeper) (Version: 3.000.0005)WebReg (Version: 140.0.212.017)WildTangent Games (Version: 1.0.0.80)WildTangent ORB Game ConsoleWindows Live Communications Platform (Version: 15.4.3502.0922)Windows Live Essentials (Version: 15.4.3502.0922)Windows Live Essentials (Version: 15.4.3555.0308)Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)Windows Live Installer (Version: 15.4.3502.0922)Windows Live Mail (Version: 15.4.3502.0922)Windows Live Messenger (Version: 15.4.3538.0513)Windows Live Messenger Companion Core (Version: 15.4.3502.0922)Windows Live MIME IFilter (Version: 15.4.3502.0922)Windows Live Movie Maker (Version: 15.4.3502.0922)Windows Live Photo Common (Version: 15.4.3502.0922)Windows Live Photo Gallery (Version: 15.4.3502.0922)Windows Live PIMT Platform (Version: 15.4.3508.1109)Windows Live SOXE (Version: 15.4.3502.0922)Windows Live SOXE Definitions (Version: 15.4.3502.0922)Windows Live Sync (Version: 14.0.8089.726)Windows Live UX Platform (Version: 15.4.3502.0922)Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)Windows Live Writer (Version: 15.4.3502.0922)Windows Live Writer Resources (Version: 15.4.3502.0922)Zuma Deluxe (Version: 2.2.0.82)==================== Restore Points =========================09-10-2013 23:22:05 Windows Update17-10-2013 13:17:53 Scheduled Checkpoint25-10-2013 11:53:57 Scheduled Checkpoint31-10-2013 09:49:42 Installed iTunes31-10-2013 10:01:49 Installed iTunes06-11-2013 09:31:50 Malware Removal==================== Hosts content: ==========================2009-07-14 10:04 - 2009-06-11 05:39 - 00000824 ____N C:\windows\system32\Drivers\etc\hosts==================== Scheduled Tasks (whitelisted) =============Task: {031C97D2-A37B-4970-8F0E-B4C01FC17CF3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141UA => C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-19] (Google Inc.)Task: {2C95144E-45E7-4C0D-BFDB-C837BA4438E3} - System32\Tasks\{0F450414-97A1-41A6-BCE7-8F56F4290202} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)Task: {4C3EB34A-8AD8-471E-BD0B-93E99948CAFA} - System32\Tasks\{97236862-2F32-426D-ADF9-2779BE771B36} => C:\Program Files\Skype\\Phone\Skype.exe [2013-10-21] (Skype Technologies S.A.)Task: {5F68A461-4DE5-4BA7-A0CD-A7043AAC0C75} - System32\Tasks\{B9E2BE5B-9BDA-47ED-B2B4-9E65A862E510} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)Task: {73CBADB1-4F69-4CBD-992B-E779A924E8F9} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2010-07-21] (Microsoft Corporation)Task: {78CD1645-7252-4589-91AB-D8493FC423F8} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvcTask: {834AEC84-53FA-4372-982C-6CF8918AD873} - System32\Tasks\{3FD2BC05-0263-4C57-A031-F30A1BE251C3} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)Task: {93D04A05-F994-4B52-8500-1ED912C447AE} - System32\Tasks\Default Scheduled SCAN => C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2010-11-26] (Sophos Plc)Task: {B7EA961C-FAD3-44E6-A2F5-EEAD095F907C} - System32\Tasks\{F138DF46-F2EB-44B7-AF33-2FED03BE1094} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)Task: {D9C76A3A-59A0-48E3-AF63-03339233A4DE} - System32\Tasks\{3C5807ED-88DE-4091-B44B-EE0E6D5A37E0} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)Task: {DA3D196B-029C-4141-8337-147F85EE1597} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-09] (Adobe Systems Incorporated)Task: {E6F58A96-56B2-4DF0-809E-DDFC21395CE7} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141Core => C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-19] (Google Inc.)Task: {F67F6425-EFD8-4D22-AAC2-AA447D95A40B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-19] (Google Inc.)Task: {F92B9274-7FBB-4C5A-A9DA-2A2FA666B59F} - System32\Tasks\{525D4BCE-491D-4519-9377-84AAC9FD0267} => C:\Program Files\Windows Live\Mail\wlmail.exe [2012-03-08] (Microsoft Corporation)Task: {FBDC6839-91A5-4364-9BA9-C9FF3170F45D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-19] (Google Inc.)Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exeTask: C:\windows\Tasks\Default Scheduled SCAN.job => C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exeTask: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exeTask: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exeTask: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141Core.job => C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exeTask: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4063401489-1788381713-3267365910-1141UA.job => C:\Users\steveni\AppData\Local\Google\Update\GoogleUpdate.exe==================== Loaded Modules (whitelisted) =============2011-03-17 00:11 - 2011-03-17 00:11 - 04297568 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll2009-10-19 06:20 - 2009-10-19 06:20 - 07980344 _____ () C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll2009-11-04 04:26 - 2009-11-04 04:26 - 00058680 _____ () C:\Program Files\TOSHIBA\FlashCards\Hotkey\FnZ.dll2009-11-10 19:16 - 2009-06-23 07:38 - 00015160 _____ () C:\Program Files\TOSHIBA\TOSHIBA Assist\NotifyX.dll2009-03-13 10:08 - 2009-03-13 10:08 - 00049152 _____ () C:\Program Files\Toshiba\PCDiag\NotifyPCD.dll2009-07-26 02:07 - 2009-07-26 02:07 - 00058704 _____ () C:\Program Files\TOSHIBA\TOSHIBA Disc Creator\NotifyTDC.dll2009-07-30 06:35 - 2009-07-30 06:35 - 00014648 _____ () C:\Program Files\Toshiba\TBS\NotifyTBS.dll2012-02-20 21:29 - 2012-02-20 21:29 - 00087912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll2012-02-20 21:28 - 2012-02-20 21:28 - 01242472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll2009-05-05 01:45 - 2009-05-05 01:45 - 00016384 ____R () C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll2010-05-21 14:05 - 2010-05-21 14:05 - 00270336 _____ () C:\windows\assembly\GAC_MSIL\CLI.Aspect.CrossDisplay.Graphics.Dashboard\1.0.0.0__90ba9c70f846762e\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll==================== Alternate Data Streams (whitelisted) ============================= Safe Mode (whitelisted) ===================HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"==================== Faulty Device Manager Devices =============Name: Photosmart B110 seriesDescription: Photosmart B110 seriesClass Guid: {4d36e971-e325-11ce-bfc1-08002be10318}Manufacturer: HPService:Problem: : This device is disabled. (Code 22)Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.Name: Photosmart B110 seriesDescription: Photosmart B110 seriesClass Guid: {4d36e971-e325-11ce-bfc1-08002be10318}Manufacturer: HPService:Problem: : This device is disabled. (Code 22)Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.==================== Event log errors: =========================Application errors:==================Error: (11/07/2013 05:23:30 PM) (Source: Sophos Message Router) (User: NT AUTHORITY)Description: The network identity (also known as the Interoperable Object Reference or IOR) of the local computer is invalid.%%3Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service) (User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 33712518Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service) (User: )Description: Task Scheduling Error: m->NextScheduledEvent 33712518Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service) (User: )Description: Task Scheduling Error: Continuously busy for more than a secondError: (11/07/2013 05:23:28 PM) (Source: Bonjour Service) (User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 33711317Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service) (User: )Description: Task Scheduling Error: m->NextScheduledEvent 33711317Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service) (User: )Description: Task Scheduling Error: Continuously busy for more than a secondError: (11/07/2013 05:23:27 PM) (Source: Bonjour Service) (User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 33710178Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service) (User: )Description: Task Scheduling Error: m->NextScheduledEvent 33710178Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service) (User: )Description: Task Scheduling Error: Continuously busy for more than a secondSystem errors:=============Error: (11/08/2013 04:00:41 PM) (Source: Service Control Manager) (User: )Description: The Sophos Message Router service terminated unexpectedly. It has done this 12 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.Error: (11/08/2013 03:59:40 PM) (Source: Service Control Manager) (User: )Description: The Sophos Message Router service terminated unexpectedly. It has done this 11 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.Error: (11/08/2013 03:58:40 PM) (Source: Service Control Manager) (User: )Description: The Sophos Message Router service terminated unexpectedly. It has done this 10 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.Error: (11/08/2013 03:57:39 PM) (Source: Service Control Manager) (User: )Description: The Sophos Message Router service terminated unexpectedly. It has done this 9 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.Error: (11/08/2013 03:56:39 PM) (Source: Service Control Manager) (User: )Description: The Sophos Message Router service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.Error: (11/08/2013 03:55:36 PM) (Source: Service Control Manager) (User: )Description: The Sophos Message Router service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.Error: (11/08/2013 03:54:36 PM) (Source: Service Control Manager) (User: )Description: The Sophos Message Router service terminated unexpectedly. It has done this 6 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.Error: (11/08/2013 03:54:22 PM) (Source: TermService) (User: )Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted..Error: (11/08/2013 03:53:34 PM) (Source: Service Control Manager) (User: )Description: The Sophos Message Router service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.Error: (11/08/2013 03:52:32 PM) (Source: Service Control Manager) (User: )Description: The Sophos Message Router service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.Microsoft Office Sessions:=========================Error: (11/07/2013 05:23:30 PM) (Source: Sophos Message Router)(User: NT AUTHORITY)Description:Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service)(User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 33712518Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service)(User: )Description: Task Scheduling Error: m->NextScheduledEvent 33712518Error: (11/07/2013 05:23:29 PM) (Source: Bonjour Service)(User: )Description: Task Scheduling Error: Continuously busy for more than a secondError: (11/07/2013 05:23:28 PM) (Source: Bonjour Service)(User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 33711317Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service)(User: )Description: Task Scheduling Error: m->NextScheduledEvent 33711317Error: (11/07/2013 05:23:28 PM) (Source: Bonjour Service)(User: )Description: Task Scheduling Error: Continuously busy for more than a secondError: (11/07/2013 05:23:27 PM) (Source: Bonjour Service)(User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 33710178Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service)(User: )Description: Task Scheduling Error: m->NextScheduledEvent 33710178Error: (11/07/2013 05:23:27 PM) (Source: Bonjour Service)(User: )Description: Task Scheduling Error: Continuously busy for more than a secondCodeIntegrity Errors:=================================== Date: 2013-10-31 17:38:18.240 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\PROGRA~1\COMMON~1\ULEADS~1\vio\DVACM.acm because the set of per-page image hashes could not be found on the system. Date: 2013-10-31 17:38:18.059 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2013-10-31 17:38:17.875 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sirenacm.dll because the set of per-page image hashes could not be found on the system. Date: 2013-10-31 17:31:55.833 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\PROGRA~1\COMMON~1\ULEADS~1\vio\DVACM.acm because the set of per-page image hashes could not be found on the system. Date: 2013-10-31 17:31:55.557 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2013-10-31 17:31:55.286 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sirenacm.dll because the set of per-page image hashes could not be found on the system. Date: 2013-10-21 18:16:05.539 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\PROGRA~1\COMMON~1\ULEADS~1\vio\DVACM.acm because the set of per-page image hashes could not be found on the system. Date: 2013-10-21 18:16:05.271 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2013-10-21 18:16:04.981 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sirenacm.dll because the set of per-page image hashes could not be found on the system. Date: 2013-10-14 15:37:54.042 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\PROGRA~1\COMMON~1\ULEADS~1\vio\DVACM.acm because the set of per-page image hashes could not be found on the system.==================== Memory info ===========================Percentage of memory in use: 44%Total physical RAM: 3061.61 MBAvailable physical RAM: 1704.9 MBTotal Pagefile: 6121.5 MBAvailable Pagefile: 4384.52 MBTotal Virtual: 2047.88 MBAvailable Virtual: 1833.31 MB==================== Drives ================================Drive c: (S3A8425D005) (Fixed) (Total:453.52 GB) (Free:330.12 GB) NTFS ==>[system with boot components (obtained from reading drive)]==================== MBR & Partition Table ==========================================================================Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: D934D6EE)Partition 1: (Active) - (Size=1 GB) - (Type=27)Partition 2: (Not Active) - (Size=454 GB) - (Type=07 NTFS)Partition 3: (Not Active) - (Size=11 GB) - (Type=17)==================== End Of Log ============================ Link to post Share on other sites More sharing options...
MrCharlie Posted November 8, 2013 ID:751397 Share Posted November 8, 2013 Download the attached fixlist.txt to the same folder as FRST.Run FRST.exe and click Fix only once and waitThe tool will create a log (Fixlog.txt) in the folder, please post it to your reply.Then......Uninstall Java™ 6 Update 14 from your add/remove programs.Download and install the latest version (Java™ 7 Update 45) from Here. Uncheck the box to install the Ask toolbar!!! and any other free "stuff".Go here and follow the instructions to clear your Java Cache Last..... Please download and run ComboFix. The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.Please visit this webpage for download links, and instructions for running ComboFixhttp://www.bleepingcomputer.com/combofix/how-to-use-combofixPlease make sure you click download buttons that look like this, not "sponsored ad links":Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Information on disabling your malware programs can be found [url=http://www.bleepingcomputer.com/forums/topic114351.html]Here.Make sure you run ComboFix from your desktop.Give it at least 30-45 minutes to finish if needed.Please include the C:\ComboFix.txt in your next reply for further review. ---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.MrC Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 8, 2013 ID:751400 Share Posted November 8, 2013 OK before I apply this fixlist, I just wanted to ask a question... I was looking at the fixlist.txt you made, and I saw there was a line pointing to C:\Users\steveni\simple.bat and C:\Users\joshuai\simple.bat. I assume these are to be deleted. Could you please remove these from the fixlist, as these are batch files that I made, and they are not malicious. Thanks. Link to post Share on other sites More sharing options...
MrCharlie Posted November 8, 2013 ID:751408 Share Posted November 8, 2013 Done....MrC Link to post Share on other sites More sharing options...
MrCharlie Posted November 10, 2013 ID:751939 Share Posted November 10, 2013 How are we doing?? Do you still need help or can I close this post?? MrC Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 10, 2013 ID:752109 Share Posted November 10, 2013 Hey, Sorry for the wait. I have run the Farbar fix, and I still have to run ComboFix. I will do so this afternoon. Here is the status:C:\Users\steveni\AppData\Roaming\eeuhrrsj\tvjbwcca.exe is goneC:\Users\steveni\AppData\Roaming\Java\Update\Download\Cache\csrss.exe is still there Link to post Share on other sites More sharing options...
MrCharlie Posted November 12, 2013 ID:752814 Share Posted November 12, 2013 How are we doing?? Do you still need help or can I close this post?? MrC Link to post Share on other sites More sharing options...
Guest techhead287 Posted November 13, 2013 ID:752934 Share Posted November 13, 2013 Hey, I haven't had time to do much with this recently. I still need help with this, seeing that this infection is still here. Should I just delete the folder? Link to post Share on other sites More sharing options...
MrCharlie Posted November 13, 2013 ID:753009 Share Posted November 13, 2013 What folder do you want to delete?? MrC Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 15, 2013 Root Admin ID:754144 Share Posted November 15, 2013 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts