
She had been running her 6-month-old Toshiba Satellite with no protection when it finally caught up to her as she clicked on a pop-up that then installed itself and took over her laptop.  

 

It took a long time to get into safe mode, but I was eventually able to install and run MBAM. It picked up and removed 5 viruses, none of which were the Win Safety Master. Here's the DDS result: 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 MINIMAL
Internet Explorer: 10.0.9200.16537
Run by Kristina at 16:39:50 on 2014-02-02
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3980.3165 [GMT -8:00]
.
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\dwm.exe
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Windows\helppane.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer provided by TOSHIBA
mWindow Title = Internet Explorer provided by TOSHIBA
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ips\ipsbho.dll
uRun: [PrSft] C:\Users\Kristina\AppData\Roaming\svc-vthi.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-System: EnableVirtualization = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:0
IE: Add to Google Photos Screensa&ver - C:\windows\System32\GPhotos.scr/200
TCP: Interfaces\{7403AACA-4243-4AD9-B45E-B72B5BE28E58} : DHCPNameServer = 76.14.96.13 76.14.96.14 76.14.0.9
TCP: Interfaces\{7403AACA-4243-4AD9-B45E-B72B5BE28E58}\24563747245797 : DHCPNameServer = 168.94.0.14 168.94.0.15
TCP: Interfaces\{7403AACA-4243-4AD9-B45E-B72B5BE28E58}\46C696E6B6 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{7403AACA-4243-4AD9-B45E-B72B5BE28E58}\74F6460234C6F65746 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{7403AACA-4243-4AD9-B45E-B72B5BE28E58}\75051445572656A7 : DHCPNameServer = 168.94.0.14 168.94.0.15
TCP: Interfaces\{7403AACA-4243-4AD9-B45E-B72B5BE28E58}\84F6C69646169794E6E65487072756373702D4F646563747F6 : DHCPNameServer = 75.75.75.75 75.75.76.76 68.94.156.1 68.94.157.1 8.8.8.8
TCP: Interfaces\{92F394D2-24A3-4C09-BAD5-FAC75DF4084D} : DHCPNameServer = 76.14.96.13 76.14.96.14 76.14.0.9
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
IFEO: k9filter.exe - svchost.exe
IFEO: MpCmdRun.exe - svchost.exe
IFEO: MpUXSrv.exe - svchost.exe
IFEO: MSASCui.exe - svchost.exe
IFEO: msconfig.exe - svchost.exe
x64-mWindow Title = Internet Explorer provided by TOSHIBA
x64-Run: [igfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [sRS Premium Sound HD] "C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe"  /f="C:\Program Files\SRS Labs\SRS Control Panel\SRS_Premium_Sound_HD.zip" /h
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\Hotkey\TCrdMain_Win8.exe
x64-Run: [TecoResident] C:\Program Files\TOSHIBA\Teco\TecoResident.exe
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [TSleepSrv] C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe
x64-Run: [TODDMain] C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe
x64-mPolicies-System: EnableVirtualization = dword:0
x64-mPolicies-System: EnableLUA = dword:0
x64-mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
x64-mPolicies-System: ConsentPromptBehaviorUser = dword:0
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-IFEO: k9filter.exe - svchost.exe
x64-IFEO: MpCmdRun.exe - svchost.exe
x64-IFEO: MpUXSrv.exe - svchost.exe
x64-IFEO: MSASCui.exe - svchost.exe
x64-IFEO: msconfig.exe - svchost.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\windows\System32\Drivers\iaStorA.sys [2013-6-25 645952]
R0 THAccel;THAccel;C:\windows\System32\Drivers\THAccel.sys [2013-6-25 131520]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\Drivers\TVALZFL.sys [2012-7-21 16768]
R3 FwLnk;FwLnk Driver;C:\windows\System32\Drivers\FwLnk.sys [2013-6-25 9216]
R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\windows\System32\Drivers\RtsUVStor.sys [2013-6-25 315536]
R3 SmbDrvI;SmbDrvI;C:\windows\System32\Drivers\Smb_driver_Intel.sys [2012-8-16 43832]
R3 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\Drivers\tos_sps64.sys [2013-6-25 499096]
S1 ccSet_NARA;NARA Settings Manager;C:\windows\System32\Drivers\NARAx64\0401000.00B\ccSetx64.sys [2012-11-12 168608]
S1 ccSet_NAT;Norton Anti-Theft Settings Manager;C:\windows\System32\Drivers\NATx64\010A000.009\ccSetx64.sys [2013-10-25 150104]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
S2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2013-6-25 129856]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-6-25 166720]
S2 NAT;Norton Anti-Theft;C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\NAT.exe [2013-10-25 232424]
S2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccsvchst.exe [2013-8-27 144368]
S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2012-7-11 3939008]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\SymcPCCULaunchSvc.exe [2012-11-12 123320]
S2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\ccSvcHst.exe [2012-11-12 126392]
S2 RtkAudioService;Realtek Audio Service;C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE [2013-6-25 201872]
S2 THAccelSvc;TOSHIBA HDD Accelerator Service;C:\Program Files\Toshiba\HDD Accelerator\THAccelSvc.exe [2012-8-10 214488]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\Teco\TecoService.exe [2012-8-24 291240]
S2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-6-25 365376]
S3 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130903.002\BHDrvx64.sys [2013-9-3 1525336]
S3 ccSet_NIS;Norton Internet Security Settings Manager;C:\windows\System32\Drivers\NISx64\1404000.028\ccsetx64.sys [2013-8-27 169048]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-8-30 140376]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20130921.001\IDSviA64.sys [2013-9-21 520280]
S3 IntcDAud;Intel® Display Audio;C:\windows\System32\Drivers\IntcDAud.sys [2012-6-19 342528]
S3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;C:\windows\System32\Drivers\L1C63x64.sys [2012-7-13 103936]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\Drivers\rtwlane.sys [2012-6-29 1498256]
S3 RTWlanE;Realtek Wireless LAN 802.11n PCI-E Network Adapter;C:\windows\System32\Drivers\rtwlane.sys [2012-6-29 1498256]
S3 SymDS;Symantec Data Store;C:\windows\System32\Drivers\NISx64\1404000.028\symds64.sys [2013-8-27 493656]
S3 SymEFA;Symantec Extended File Attributes;C:\windows\System32\Drivers\NISx64\1404000.028\symefa64.sys [2013-8-27 1139800]
S3 SymIRON;Symantec Iron Driver;C:\windows\System32\Drivers\NISx64\1404000.028\ironx64.sys [2013-8-27 224416]
S3 SymNetS;Symantec Network Security WFP Driver;C:\windows\System32\Drivers\NISx64\1404000.028\symnets.sys [2013-8-27 433752]
S3 TMachInfo;TMachInfo;C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2012-7-27 53384]
S3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2012-7-28 458152]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\Drivers\usbaapl64.sys [2012-12-13 54784]
S3 WUDFWpdMtp;WUDFWpdMtp;C:\windows\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
S4 SymELAM;Symantec ELAM Driver;C:\windows\System32\Drivers\NISx64\1404000.028\symelam.sys [2013-8-27 23448]
.
=============== Created Last 30 ================
.
2014-02-02 19:27:16 -------- d-----w- C:\Users\Kristina\AppData\Roaming\Malwarebytes
2014-02-02 19:27:01 25928 ----a-w- C:\windows\System32\drivers\mbam.sys
2014-02-02 19:27:01 -------- d-----w- C:\ProgramData\Malwarebytes
2014-02-02 19:27:01 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-02 04:14:10 1068544 ----a-w- C:\Users\Kristina\AppData\Roaming\svc-vthi.exe
2014-01-24 15:53:12 246960 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10231.bin
2014-01-17 23:12:18 688640 ----a-w- C:\windows\System32\WSShared.dll
2014-01-17 23:12:18 562688 ----a-w- C:\windows\SysWow64\WSShared.dll
2014-01-17 23:12:18 163840 ----a-w- C:\windows\System32\Windows.ApplicationModel.Store.TestingFramework.dll
2014-01-17 23:12:18 124928 ----a-w- C:\windows\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
2014-01-16 15:11:05 915968 ----a-w- C:\windows\System32\MPSSVC.dll
2014-01-16 15:11:05 86016 ----a-w- C:\windows\SysWow64\davclnt.dll
2014-01-16 15:11:05 758784 ----a-w- C:\windows\System32\FirewallAPI.dll
2014-01-16 15:11:05 74752 ----a-w- C:\windows\System32\drivers\mpsdrv.sys
2014-01-16 15:11:05 588288 ----a-w- C:\windows\System32\SHCore.dll
2014-01-16 15:11:05 550400 ----a-w- C:\windows\SysWow64\FirewallAPI.dll
2014-01-16 15:11:05 452608 ----a-w- C:\windows\SysWow64\SHCore.dll
2014-01-16 15:11:05 227840 ----a-w- C:\windows\System32\WebClnt.dll
2014-01-16 15:11:05 199168 ----a-w- C:\windows\SysWow64\WebClnt.dll
2014-01-16 15:11:05 104448 ----a-w- C:\windows\System32\davclnt.dll
2014-01-16 15:11:05 100696 ----a-w- C:\windows\System32\drivers\disk.sys
2014-01-11 04:49:35 -------- d-----w- C:\Users\Kristina\AppData\Local\Programs
2014-01-06 19:23:36 4558848 ----a-w- C:\windows\SysWow64\GPhotos.scr
.
==================== Find3M  ====================
.
2014-01-09 08:02:07 78296 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-09 08:02:07 694240 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2013-11-23 06:43:58 420864 ----a-w- C:\windows\System32\WMPhoto.dll
2013-11-23 05:05:01 368640 ----a-w- C:\windows\SysWow64\WMPhoto.dll
2013-11-06 23:18:57 4036608 ----a-w- C:\windows\System32\win32k.sys
.
============= FINISH: 16:40:51.54 ===============
 
...........................................
...........................................
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 8
Boot Device: \Device\HarddiskVolume2
Install Date: 8/24/2013 8:04:42 PM
System Uptime: 2/2/2014 4:29:38 PM (0 hours ago)
.
Motherboard: TOSHIBA |  | Portable PC
Processor: Intel® Core i3-3120M CPU @ 2.50GHz | U3E1 | 2494/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 687 GiB total, 614.47 GiB free.
D: is CDROM ()
E: is FIXED (FAT32) - 7 GiB total, 7.402 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP22: 1/16/2014 7:15:56 AM - Windows Update
RP23: 1/24/2014 7:28:38 AM - Scheduled Checkpoint
RP24: 1/31/2014 9:19:25 PM - Scheduled Checkpoint
.
==== Image File Execution Options =============
.
IFEO: k9filter.exe - svchost.exe
IFEO: MpCmdRun.exe - svchost.exe
IFEO: MpUXSrv.exe - svchost.exe
IFEO: MSASCui.exe - svchost.exe
IFEO: msconfig.exe - svchost.exe
IFEO: msmpeng.exe - svchost.exe
IFEO: msseces.exe - svchost.exe
x64-IFEO: k9filter.exe - svchost.exe
x64-IFEO: MpCmdRun.exe - svchost.exe
x64-IFEO: MpUXSrv.exe - svchost.exe
x64-IFEO: MSASCui.exe - svchost.exe
x64-IFEO: msconfig.exe - svchost.exe
x64-IFEO: msmpeng.exe - svchost.exe
x64-IFEO: msseces.exe - svchost.exe
.
==== Installed Programs ======================
.
Adobe Reader X (10.1.3)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Bejeweled 3
Bonjour
Canon iP6700D
D3DX10
FATE
Gardenscapes: Mansion Makeover
Google+ Auto Backup
Intel® Management Engine Components
Intel® Processor Graphics
Intel® Rapid Storage Technology
Intel® SDK for OpenCL - CPU Only Runtime Package
Intel® Trusted Connect Service Client
iTunes
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Application Error Reporting
Microsoft Office
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Movie Maker
MSVCRT
MSVCRT110
MSVCRT110_amd64
Norton Anti-Theft
Norton Internet Security
Norton Online Backup
Norton Online Backup ARA
Norton PC Checkup
Norton Security Dashboard
Origin
Penguins!
Photo Common
Photo Gallery
Picasa 3
Plants vs. Zombies - Game of the Year
PlayReady PC Runtime amd64
Polar Bowler
Premium Sound HD
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Synaptics Pointing Device Driver
Toshiba App Place
TOSHIBA Application Installer
Toshiba Book Place
TOSHIBA Desktop Assist
TOSHIBA eco Utility
TOSHIBA Function Key
TOSHIBA HDD Accelerator
TOSHIBA Password Utility
TOSHIBA PC Health Monitor
TOSHIBA Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA Resolution+ Plug-in for Windows Media Player
TOSHIBA Service Station
TOSHIBA System Driver
TOSHIBA System Settings
TOSHIBA User's Guide
TOSHIBA VIDEO PLAYER
TOSHIBARegistration
Update Installer for WildTangent Games App
Vacation Quest™ - Australia
WildTangent Games
WildTangent Games App (Toshiba Games)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Youda Jewel Shop
.
==== Event Viewer Messages From Past Week ========
.
2/2/2014 8:13:58 AM, Error: Service Control Manager [7034]  - The iPod Service service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 8:04:29 AM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.
2/2/2014 8:04:29 AM, Error: Service Control Manager [7000]  - The Apple Mobile Device service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
2/2/2014 4:39:50 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
2/2/2014 4:39:50 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
2/2/2014 4:35:24 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2/2/2014 4:35:22 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the DHCP Client service which failed to start because of the following error:  The dependency service or group failed to start.
2/2/2014 4:35:22 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
2/2/2014 4:35:22 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "Unavailable" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
2/2/2014 4:35:13 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/2/2014 4:29:52 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
2/2/2014 4:29:52 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
2/2/2014 4:29:52 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub System service which failed to start because of the following error:  A device attached to the system is not functioning.
2/2/2014 4:29:52 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
2/2/2014 4:29:52 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
2/2/2014 4:29:52 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI Proxy Service Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
2/2/2014 4:29:52 PM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
2/2/2014 4:29:52 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
2/2/2014 4:29:52 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
2/2/2014 12:52:47 PM, Error: Service Control Manager [7031]  - The Intel® Management and Security Application Local Management Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
2/2/2014 12:52:37 PM, Error: Service Control Manager [7034]  - The TOSHIBA HDD Accelerator Service service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 12:52:37 PM, Error: Service Control Manager [7034]  - The Norton PC Checkup Application Launcher service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 12:52:37 PM, Error: Service Control Manager [7034]  - The Intel® ME Service service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 12:52:37 PM, Error: Service Control Manager [7034]  - The Intel® Management and Security Application User Notification Service service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 1:13:24 PM, Error: Service Control Manager [7034]  - The TOSHIBA eco Utility Service service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 1:13:24 PM, Error: Service Control Manager [7034]  - The Norton Online Backup service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 1:13:24 PM, Error: Service Control Manager [7034]  - The Intel® Dynamic Application Loader Host Interface Service service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 1:13:24 PM, Error: Service Control Manager [7031]  - The Norton Anti-Theft service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/2/2014 1:13:24 PM, Error: Service Control Manager [7031]  - The Common Client Job Manager Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/2/2014 1:13:24 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Intel® Capability Licensing Service Interface service to connect.
2/2/2014 1:13:24 PM, Error: Service Control Manager [7000]  - The Intel® Capability Licensing Service Interface service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
2/2/2014 1:13:23 PM, Error: Service Control Manager [7034]  - The Realtek Audio Service service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 1:13:23 PM, Error: Service Control Manager [7034]  - The Bonjour Service service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 1:13:23 PM, Error: Service Control Manager [7034]  - The Adobe Acrobat Update Service service terminated unexpectedly.  It has done this 1 time(s).
2/2/2014 1:13:23 PM, Error: Service Control Manager [7031]  - The Intel® Capability Licensing Service Interface service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.
2/2/2014 1:13:23 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 9:01:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 17 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 9:00:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 16 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:59:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 15 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:58:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 14 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:57:38 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 13 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:56:38 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 12 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:55:38 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 11 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:47:37 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 10 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:46:37 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 9 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:34:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 8 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:33:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 7 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:32:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 6 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:31:39 PM, Error: Service Control Manager [7034]  - The Norton Anti-Theft service terminated unexpectedly.  It has done this 3 time(s).
2/1/2014 8:31:39 PM, Error: Service Control Manager [7034]  - The Common Client Job Manager Service service terminated unexpectedly.  It has done this 3 time(s).
2/1/2014 8:31:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 5 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:30:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 4 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:29:39 PM, Error: Service Control Manager [7031]  - The Norton Anti-Theft service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/1/2014 8:29:39 PM, Error: Service Control Manager [7031]  - The Common Client Job Manager Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/1/2014 8:29:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 3 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:29:14 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Intel® Management and Security Application User Notification Service service to connect.
2/1/2014 8:29:14 PM, Error: Service Control Manager [7000]  - The Intel® Management and Security Application User Notification Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
2/1/2014 8:29:12 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Norton PC Checkup Application Launcher service to connect.
2/1/2014 8:29:12 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Norton Internet Security service to connect.
2/1/2014 8:29:12 PM, Error: Service Control Manager [7000]  - The Norton PC Checkup Application Launcher service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
2/1/2014 8:29:12 PM, Error: Service Control Manager [7000]  - The Norton Internet Security service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
2/1/2014 8:28:39 PM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/1/2014 8:25:20 PM, Error: Service Control Manager [7000]  - The Norton Internet Security service failed to start due to the following error:  Access is denied.
2/1/2014 8:18:13 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Intel® Management and Security Application Local Management Service service, but this action failed with the following error:  An instance of the service is already running.
2/1/2014 8:14:30 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Intel® Management and Security Application Local Management Service service to connect.
2/1/2014 8:14:30 PM, Error: Service Control Manager [7000]  - The Intel® Management and Security Application Local Management Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
2/1/2014 8:14:21 PM, Error: Service Control Manager [7034]  - The TPCH Service service terminated unexpectedly.  It has done this 1 time(s).
2/1/2014 8:14:20 PM, Error: Service Control Manager [7034]  - The TMachInfo service terminated unexpectedly.  It has done this 1 time(s).
.
==== End Of File ===========================
 
Thanks in advance for any help you can provide. 
 
 
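Three things in the Pseudo HJT section of the log above are what a responder would look at first: the IFEO entries that point the Defender/Security Essentials binaries, k9filter.exe and msconfig.exe at svchost.exe (so the real tool never launches), every UAC policy under mPolicies-System set to 0, and a user-profile autorun (svc-vthi.exe in AppData\Roaming). The script below is an added example, not part of the original post and not code from DDS, Malwarebytes or RogueKiller; it applies those three checks to constructed lines modelled on the log. The rule names, the SECURITY_TOOLS set and the sample lines are this example's own.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' lines.

Added example for this thread; it is not part of the original post and
is not code from DDS, Malwarebytes or RogueKiller. The rule names, the
SECURITY_TOOLS set and the sample lines below are this example's own
(the sample lines are constructed to mirror entries in the log above).
"""
import re

# Binaries that a rogue "security" program commonly targets through an
# Image File Execution Options (IFEO) Debugger value so that the real
# tool never starts. Names taken from the IFEO entries in the log above.
SECURITY_TOOLS = {
    "mpcmdrun.exe", "mpuxsrv.exe", "msascui.exe", "msmpeng.exe",
    "msseces.exe", "msconfig.exe", "k9filter.exe",
}

# HKLM ...\Policies\System values that switch off UAC prompting when 0.
UAC_POLICIES = {
    "EnableLUA", "ConsentPromptBehaviorAdmin",
    "ConsentPromptBehaviorUser", "EnableVirtualization",
}

IFEO_RE = re.compile(r"^(?:x64-)?IFEO:\s*(\S+)\s*-\s*(.+?)\s*$")
POLICY_RE = re.compile(
    r"^(?:x64-)?mPolicies-System:\s*(\w+)\s*=\s*dword:([0-9a-fA-F]+)\s*$")
RUN_RE = re.compile(r"^(?:x64-)?([um]?Run):\s*\[([^\]]*)\]\s*(.*)$")
# Autorun targets under a user profile's AppData are unusual for vendor
# software and are a classic drop location for droppers.
USER_PROFILE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def triage(lines):
    """Return a list of (rule, line) pairs for lines matching a triage rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = IFEO_RE.match(line)
        if m:
            target, debugger = m.group(1).lower(), m.group(2).lower()
            # svchost.exe is a service host, never a legitimate debugger;
            # any Debugger value on a security tool is suspect regardless.
            if debugger.endswith("svchost.exe") or target in SECURITY_TOOLS:
                findings.append(("ifeo_redirect", line))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group(1) in UAC_POLICIES and int(m.group(2), 16) == 0:
                findings.append(("uac_disabled", line))
            continue
        m = RUN_RE.match(line)
        if m and USER_PROFILE_RE.search(m.group(3)):
            findings.append(("autorun_in_profile", line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'ifeo_redirect': 3, ...}."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample, modelled on the Pseudo HJT section of the log above.
SAMPLE_LINES = r"""
uRun: [PrSft] C:\Users\Kristina\AppData\Roaming\svc-vthi.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-System: EnableLUA = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
IFEO: MpCmdRun.exe - svchost.exe
IFEO: msconfig.exe - svchost.exe
x64-IFEO: MSASCui.exe - svchost.exe
x64-Run: [igfxTray] C:\windows\System32\igfxtray.exe
""".strip().splitlines()

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LINES):
        print(f"{rule:20s} {line}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run against the sample it reports three IFEO redirects, two disabled UAC policies and one autorun under AppData, which matches what the log above shows in miniature. The point of the IFEO rule is the direction of the check: a Debugger value on a security tool is a finding whatever it points at, and svchost.exe as the "debugger" is a finding whatever the target is, because a service host is never a debugger.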

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General Forum P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running, please create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


RogueKiller V8.8.4 [Jan 27 2014] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Operating System : Windows 8 (6.2.9200 ) 64 bits version

Started in : Safe mode

User : Kristina [Admin rights]

Mode : Scan -- Date : 02/02/2014 18:09:30

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 10 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : PrSft (C:\Users\Kristina\AppData\Roaming\svc-vthi.exe [-]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-3289189989-4136914159-3274238268-1001\[...]\Run : PrSft (C:\Users\Kristina\AppData\Roaming\svc-vthi.exe [-]) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Browser Addons : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) TOSHIBA MQ01ABD075 +++++

--- User ---

[MBR] a84dd93b5b19931ceaddbccc47850486

[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code

Partition table:

0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) SanDisk Cruzer Blade USB Device +++++

--- User ---

[MBR] c8909a0891da81a504df8bb6758af481

[BSP] 4b4b5a82fc433a7c7d9e85640453c231 : Empty MBR Code

Partition table:

0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7633 Mo

User = LL1 ... OK!

Error reading LL2 MBR! ([0x32] The request is not supported. )

 

Finished : << RKreport[0]_S_02022014_180930.txt >>

RKreport[0]_S_02022014_173147.txt

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
 

[RUN][SUSP PATH] HKCU\[...]\Run : PrSft (C:\Users\Kristina\AppData\Roaming\svc-vthi.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3289189989-4136914159-3274238268-1001\[...]\Run : PrSft (C:\Users\Kristina\AppData\Roaming\svc-vthi.exe [-]) -> FOUND


Now click Delete on the right hand column under Options

-------------

Delete this file if found:
C:\Users\Kristina\AppData\Roaming\svc-vthi.exe

You may have to enable hidden files to see it:
http://www.bleepingcomputer.com/tutorials/show-hidden-files-in-windows-8/

Then............

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.
(use correct version for your system.....Which system am I using?)
FRST <----for 32 bit systems
FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

MrC


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2014 04

Ran by Kristina (administrator) on K-PC on 02-02-2014 19:31:27

Running from C:\Users\Kristina\Desktop\frst

Windows 8 (X64) OS Language: English(US)

Internet Explorer Version 10

Boot Mode: Safe Mode (minimal)

 

The only official download link for FRST:

Download link for 32-Bit version:

Download link for 64-Bit Version:

Download link from any site other than Bleeping Computer is unpermitted or outdated.


 

==================== Processes (Whitelisted) =================

 

(Microsoft Corporation) C:\Windows\HelpPane.exe

() E:\RogueKiller.exe

 

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [] - [x]

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-11-29] (Realtek Semiconductor)

HKLM\...\Run: [SRS Premium Sound HD] - C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-08-19] (SRS Labs, Inc.)

HKLM\...\Run: [TCrdMain] - C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2608040 2012-08-13] (TOSHIBA Corporation)

HKLM\...\Run: [TecoResident] - C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-13] (TOSHIBA Corporation)

HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)

HKLM\...\Run: [TSleepSrv] - C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-04] (TOSHIBA Corporation)

HKLM\...\Run: [TODDMain] - C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()

HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2995904 2012-07-11] (Symantec Corporation)

HKLM-x32\...\Run: [ToshibaAppPlace] - C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)

HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-10-23] (Apple Inc.)

Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)

IFEO\k9filter.exe: [Debugger] svchost.exe

IFEO\MpCmdRun.exe: [Debugger] svchost.exe

IFEO\MpUXSrv.exe: [Debugger] svchost.exe

IFEO\MSASCui.exe: [Debugger] svchost.exe

IFEO\msconfig.exe: [Debugger] svchost.exe

IFEO\msmpeng.exe: [Debugger] svchost.exe

IFEO\msseces.exe: [Debugger] svchost.exe

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshiba13.msn.com

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba13.msn.com

HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://mystart.toshiba.com

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://mystart.toshiba.com

HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba13.msn.com

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://mystart.toshiba.com

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshiba13.msn.com

HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://mystart.toshiba.com

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba13.msn.com

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://mystart.toshiba.com

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://toshiba13.msn.com

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://mystart.toshiba.com

SearchScopes: HKLM - DefaultScope {E55EA4FB-4632-4212-A221-FA6F9607F5F0} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATBJS

SearchScopes: HKLM - {E55EA4FB-4632-4212-A221-FA6F9607F5F0} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATBJS

SearchScopes: HKLM-x32 - DefaultScope {E55EA4FB-4632-4212-A221-FA6F9607F5F0} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATBJS

SearchScopes: HKLM-x32 - {E55EA4FB-4632-4212-A221-FA6F9607F5F0} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATBJS

SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear

SearchScopes: HKCU - {E55EA4FB-4632-4212-A221-FA6F9607F5F0} URL = 

BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO-x32: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)

BHO-x32: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)


Tcpip\Parameters: [DhcpNameServer] 76.14.96.13 76.14.96.14 76.14.0.9

 

==================== Services (Whitelisted) =================

 

S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)

S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)

S2 NAT; C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\NAT.exe [232424 2013-10-11] (Symantec Corporation)

S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)

S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3939008 2012-07-11] (Symantec Corporation)

S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\SymcPCCULaunchSvc.exe [123320 2012-07-23] (Symantec Corporation)

S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\ccSvcHst.exe [126392 2012-07-23] (Symantec Corporation)

S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-12-05] (Realtek Semiconductor)

S2 THAccelSvc; C:\Program Files\TOSHIBA\HDD Accelerator\THAccelSvc.exe [214488 2012-08-10] (TOSHIBA CORPORATION)

S4 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16048 2013-07-01] (Microsoft Corporation)

 

==================== Drivers (Whitelisted) ====================

 

S3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130903.002\BHDrvx64.sys [1525336 2013-09-03] (Symantec Corporation)

S1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00B\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)

S1 ccSet_NAT; C:\Windows\system32\drivers\NATx64\010A000.009\ccSetx64.sys [150104 2013-07-29] (Symantec Corporation)

S3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)

S3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-08-26] (Symantec Corporation)

S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [140376 2013-08-26] (Symantec Corporation)

S3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20130921.001\IDSvia64.sys [520280 2013-08-23] (Symantec Corporation)

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\VirusDefs\20130923.003\ENG64.SYS [126040 2013-08-29] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\VirusDefs\20130923.003\EX64.SYS [2099288 2013-08-29] (Symantec Corporation)

S3 RTL8192Ce; C:\Windows\system32\DRIVERS\rtwlane.sys [1498256 2012-08-29] (Realtek Semiconductor Corporation                           )

S3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [1498256 2012-08-29] (Realtek Semiconductor Corporation                           )

R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [43832 2012-08-16] (Synaptics Incorporated)

S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1404000.028\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)

S3 SRTSPX; C:\Windows\system32\drivers\NISx64\1404000.028\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)

S3 SymDS; C:\Windows\system32\drivers\NISx64\1404000.028\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)

S3 SymEFA; C:\Windows\system32\drivers\NISx64\1404000.028\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)

S4 SymELAM; C:\Windows\system32\drivers\NISx64\1404000.028\SymELAM.sys [23448 2012-06-20] (Symantec Corporation)

S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-08-27] (Symantec Corporation)

S3 SymIRON; C:\Windows\system32\drivers\NISx64\1404000.028\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)

S3 SymNetS; C:\Windows\System32\Drivers\NISx64\1404000.028\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)

R0 THAccel; C:\Windows\System32\DRIVERS\THAccel.sys [131520 2012-08-10] (TOSHIBA CORPORATION)

R3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [28632 2012-07-31] (Windows ® Win 7 DDK provider)

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2014-02-02 19:31 - 2014-02-02 19:31 - 00000000 ____D () C:\FRST

2014-02-02 19:29 - 2014-02-02 19:31 - 00000000 ____D () C:\Users\Kristina\Desktop\frst

2014-02-02 19:27 - 2014-02-02 19:27 - 00002710 _____ () C:\Users\Kristina\Desktop\RKreport[0]_D_02022014_192740.txt

2014-02-02 19:25 - 2014-02-02 19:25 - 00002572 _____ () C:\Users\Kristina\Desktop\RKreport[0]_S_02022014_192508.txt

2014-02-02 17:31 - 2014-02-02 17:31 - 00002539 _____ () C:\Users\Kristina\Desktop\RKreport[0]_S_02022014_173147.txt

2014-02-02 17:28 - 2014-02-02 19:27 - 00000000 ____D () C:\Users\Kristina\Desktop\RK_Quarantine

2014-02-02 16:41 - 2014-02-02 16:41 - 00019173 _____ () C:\Users\Kristina\Desktop\attach.txt

2014-02-02 16:41 - 2014-02-02 16:40 - 00012934 _____ () C:\Users\Kristina\Desktop\dds.txt

2014-02-02 12:52 - 2014-02-02 12:52 - 00001306 _____ () C:\Users\Kristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton Online Backup.lnk

2014-02-02 11:27 - 2014-02-02 11:27 - 00001124 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-02-02 11:27 - 2014-02-02 11:27 - 00000000 ____D () C:\Users\Kristina\AppData\Roaming\Malwarebytes

2014-02-02 11:27 - 2014-02-02 11:27 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-02-02 11:27 - 2014-02-02 11:27 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware

2014-02-02 11:27 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys

2014-02-01 20:19 - 2014-02-01 20:33 - 00002763 _____ () C:\ProgramData\connector.swf

2014-02-01 20:18 - 2014-02-01 20:18 - 00002004 _____ () C:\Users\Kristina\AppData\Roaming\data.sec

2014-02-01 20:14 - 2014-02-01 20:14 - 01068544 _____ () C:\Users\Kristina\AppData\Roaming\svc-vthi.exe

2014-02-01 20:13 - 2014-02-01 20:13 - 00153241 _____ () C:\Users\Kristina\Downloads\setup.exe.vbe

2014-01-17 15:12 - 2013-12-06 22:37 - 00688640 _____ (Microsoft Corporation) C:\windows\system32\WSShared.dll

2014-01-17 15:12 - 2013-12-06 22:37 - 00163840 _____ (Microsoft Corporation) C:\windows\system32\Windows.ApplicationModel.Store.TestingFramework.dll

2014-01-17 15:12 - 2013-12-06 21:15 - 00562688 _____ (Microsoft Corporation) C:\windows\SysWOW64\WSShared.dll

2014-01-17 15:12 - 2013-12-06 21:15 - 00124928 _____ (Microsoft Corporation) C:\windows\SysWOW64\Windows.ApplicationModel.Store.TestingFramework.dll

2014-01-16 07:11 - 2013-10-30 21:56 - 00915968 _____ (Microsoft Corporation) C:\windows\system32\MPSSVC.dll

2014-01-16 07:11 - 2013-10-30 21:56 - 00758784 _____ (Microsoft Corporation) C:\windows\system32\FirewallAPI.dll

2014-01-16 07:11 - 2013-10-30 20:01 - 00550400 _____ (Microsoft Corporation) C:\windows\SysWOW64\FirewallAPI.dll

2014-01-16 07:11 - 2013-10-30 19:42 - 00074752 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mpsdrv.sys

2014-01-16 07:11 - 2013-10-27 21:50 - 00588288 _____ (Microsoft Corporation) C:\windows\system32\SHCore.dll

2014-01-16 07:11 - 2013-10-27 20:05 - 00452608 _____ (Microsoft Corporation) C:\windows\SysWOW64\SHCore.dll

2014-01-16 07:11 - 2013-10-13 12:49 - 00100696 _____ (Microsoft Corporation) C:\windows\system32\Drivers\disk.sys

2014-01-16 07:11 - 2013-08-26 21:21 - 00227840 _____ (Microsoft Corporation) C:\windows\system32\WebClnt.dll

2014-01-16 07:11 - 2013-08-26 21:19 - 00104448 _____ (Microsoft Corporation) C:\windows\system32\davclnt.dll

2014-01-16 07:11 - 2013-08-26 14:29 - 00199168 _____ (Microsoft Corporation) C:\windows\SysWOW64\WebClnt.dll

2014-01-16 07:11 - 2013-08-26 14:28 - 00086016 _____ (Microsoft Corporation) C:\windows\SysWOW64\davclnt.dll

2014-01-10 20:49 - 2014-01-10 20:49 - 00000000 ____D () C:\Users\Kristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google+ Auto Backup

2014-01-07 23:19 - 2014-01-07 23:22 - 17478207 _____ () C:\Users\Kristina\Downloads\WinterWoodandChevronbyLagartixa1.rar

2014-01-07 23:19 - 2014-01-07 23:19 - 20804698 _____ () C:\Users\Kristina\Downloads\WinterWoodandChevronbyLagartixa2.rar

2014-01-07 23:18 - 2014-01-07 23:18 - 13639616 _____ () C:\Users\Kristina\Downloads\WinterWoodandChevronbyLagartixa3.rar

2014-01-07 18:42 - 2014-01-07 18:43 - 53866281 _____ () C:\Users\Kristina\Downloads\mturnidge_naturalbeautypp.zip

2014-01-06 11:23 - 2014-01-06 11:23 - 04558848 _____ (Google Inc.) C:\windows\SysWOW64\GPhotos.scr

2014-01-05 20:44 - 2014-01-05 20:45 - 29147174 _____ () C:\Users\Kristina\Downloads\WaffleDay.zip

 

==================== One Month Modified Files and Folders =======

 

2014-02-02 19:31 - 2014-02-02 19:31 - 00000000 ____D () C:\FRST

2014-02-02 19:31 - 2014-02-02 19:29 - 00000000 ____D () C:\Users\Kristina\Desktop\frst

2014-02-02 19:27 - 2014-02-02 19:27 - 00002710 _____ () C:\Users\Kristina\Desktop\RKreport[0]_D_02022014_192740.txt

2014-02-02 19:27 - 2014-02-02 17:28 - 00000000 ____D () C:\Users\Kristina\Desktop\RK_Quarantine

2014-02-02 19:25 - 2014-02-02 19:25 - 00002572 _____ () C:\Users\Kristina\Desktop\RKreport[0]_S_02022014_192508.txt

2014-02-02 18:01 - 2012-07-25 23:22 - 00000006 ____H () C:\windows\Tasks\SA.DAT

2014-02-02 18:00 - 2012-07-26 00:12 - 00000000 ____D () C:\windows\system32\sru

2014-02-02 17:31 - 2014-02-02 17:31 - 00002539 _____ () C:\Users\Kristina\Desktop\RKreport[0]_S_02022014_173147.txt

2014-02-02 17:29 - 2012-07-25 23:28 - 00848230 _____ () C:\windows\system32\PerfStringBackup.INI

2014-02-02 16:41 - 2014-02-02 16:41 - 00019173 _____ () C:\Users\Kristina\Desktop\attach.txt

2014-02-02 16:40 - 2014-02-02 16:41 - 00012934 _____ () C:\Users\Kristina\Desktop\dds.txt

2014-02-02 15:20 - 2012-07-26 00:12 - 00000000 ____D () C:\windows\rescache

2014-02-02 12:52 - 2014-02-02 12:52 - 00001306 _____ () C:\Users\Kristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton Online Backup.lnk

2014-02-02 12:49 - 2012-07-25 21:26 - 00262144 ___SH () C:\windows\system32\config\ELAM

2014-02-02 11:27 - 2014-02-02 11:27 - 00001124 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-02-02 11:27 - 2014-02-02 11:27 - 00000000 ____D () C:\Users\Kristina\AppData\Roaming\Malwarebytes

2014-02-02 11:27 - 2014-02-02 11:27 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-02-02 11:27 - 2014-02-02 11:27 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware

2014-02-02 08:24 - 2012-07-25 23:21 - 00025134 _____ () C:\windows\setupact.log

2014-02-02 08:04 - 2013-08-24 19:04 - 01478318 _____ () C:\windows\WindowsUpdate.log

2014-02-02 08:03 - 2012-07-26 00:12 - 00000000 ____D () C:\windows\AUInstallAgent

2014-02-01 20:33 - 2014-02-01 20:19 - 00002763 _____ () C:\ProgramData\connector.swf

2014-02-01 20:18 - 2014-02-01 20:18 - 00002004 _____ () C:\Users\Kristina\AppData\Roaming\data.sec

2014-02-01 20:15 - 2012-07-25 21:26 - 00262144 ___SH () C:\windows\system32\config\BBI

2014-02-01 20:14 - 2014-02-01 20:14 - 01068544 _____ () C:\Users\Kristina\AppData\Roaming\svc-vthi.exe

2014-02-01 20:13 - 2014-02-01 20:13 - 00153241 _____ () C:\Users\Kristina\Downloads\setup.exe.vbe

2014-01-24 22:00 - 2012-07-26 00:12 - 00000000 ____D () C:\windows\LiveKernelReports

2014-01-23 20:22 - 2013-08-24 19:51 - 00000000 ____D () C:\Users\Kristina\AppData\Local\CrashDumps

2014-01-18 09:15 - 2013-08-26 23:51 - 00000000 ____D () C:\windows\system32\MRT

2014-01-18 09:14 - 2013-08-26 23:50 - 86054176 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe

2014-01-18 09:13 - 2012-07-26 00:12 - 00000000 ____D () C:\windows\WinStore

2014-01-10 20:49 - 2014-01-10 20:49 - 00000000 ____D () C:\Users\Kristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google+ Auto Backup

2014-01-09 19:31 - 2012-07-26 00:12 - 00000000 ____D () C:\windows\system32\NDF

2014-01-09 00:02 - 2013-11-23 07:34 - 00694240 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe

2014-01-09 00:02 - 2013-11-23 07:34 - 00078296 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl

2014-01-07 23:22 - 2014-01-07 23:19 - 17478207 _____ () C:\Users\Kristina\Downloads\WinterWoodandChevronbyLagartixa1.rar

2014-01-07 23:19 - 2014-01-07 23:19 - 20804698 _____ () C:\Users\Kristina\Downloads\WinterWoodandChevronbyLagartixa2.rar

2014-01-07 23:18 - 2014-01-07 23:18 - 13639616 _____ () C:\Users\Kristina\Downloads\WinterWoodandChevronbyLagartixa3.rar

2014-01-07 18:43 - 2014-01-07 18:42 - 53866281 _____ () C:\Users\Kristina\Downloads\mturnidge_naturalbeautypp.zip

2014-01-07 18:22 - 2013-11-25 22:46 - 02057087 _____ () C:\Users\Kristina\Downloads\CSTEP_Whimsical-Swirl-Trees-10inch.zip

2014-01-06 11:23 - 2014-01-06 11:23 - 04558848 _____ (Google Inc.) C:\windows\SysWOW64\GPhotos.scr

2014-01-05 20:45 - 2014-01-05 20:44 - 29147174 _____ () C:\Users\Kristina\Downloads\WaffleDay.zip

 

Some content of TEMP:

====================

C:\Users\Kristina\AppData\Local\Temp\ntdll_dump.dll

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

 

LastRegBack: 2014-01-27 17:59

 

==================== End Of Log ============================

 


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-02-2014 04

Ran by Kristina at 2014-02-02 19:31:54

Running from C:\Users\Kristina\Desktop\frst

Boot Mode: Safe Mode (minimal)

==========================================================

 

 

==================== Security Center ========================

 

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AV: Norton Internet Security (Disabled - Out of date) {63DF5164-9100-186D-2187-8DC619EFD8BF}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: Norton Internet Security (Disabled - Out of date) {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security (Disabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

 

==================== Installed Programs ======================

 

Adobe Reader X (10.1.3) (x32 Version: 10.1.3 - Adobe Systems Incorporated)

Apple Application Support (x32 Version: 2.3.6 - Apple Inc.)

Apple Mobile Device Support (Version: 7.0.0.117 - Apple Inc.)

Apple Software Update (x32 Version: 2.1.3.127 - Apple Inc.)

Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (x32 Version: 2.1.0.6 - Atheros Communications Inc.)

Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden

Bonjour (Version: 3.0.0.10 - Apple Inc.)

Canon iP6700D (Version:  - )

D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden

FATE (x32 Version: 2.2.0.97 - WildTangent) Hidden

Gardenscapes: Mansion Makeover (x32 Version: 3.0.2.32 - WildTangent) Hidden

Google+ Auto Backup (x32 Version: 1.0.21.81 - Google)

Intel® Management Engine Components (x32 Version: 8.1.0.1252 - Intel Corporation)

Intel® Processor Graphics (x32 Version: 9.17.10.2828 - Intel Corporation)

Intel® Rapid Storage Technology (x32 Version: 11.5.2.1001 - Intel Corporation)

Intel® SDK for OpenCL - CPU Only Runtime Package (x32 Version: 2.0.0.37149 - Intel Corporation)

Intel® Trusted Connect Service Client (Version: 1.24.388.1 - Intel Corporation) Hidden

iTunes (Version: 11.1.2.32 - Apple Inc.)

Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300 - Malwarebytes Corporation)

Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden

Microsoft Office (x32 Version: 15.0.4420.1017 - Microsoft Corporation)

Microsoft Silverlight (Version: 5.1.20913.0 - Microsoft Corporation)

Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219 - Microsoft Corporation)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219 - Microsoft Corporation)

Movie Maker (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden

MSVCRT110 (x32 Version: 16.4.1108.0727 - Microsoft) Hidden

MSVCRT110_amd64 (Version: 16.4.1108.0727 - Microsoft) Hidden

Norton Anti-Theft (x32 Version: 1.10.0.9 - Symantec Corporation)

Norton Internet Security (x32 Version: 20.4.0.40 - Symantec Corporation)

Norton Online Backup (x32 Version: 2.2.3.45 - Symantec Corporation)

Norton Online Backup ARA (x32 Version: 4.1.0.11 - Symantec Corporation) Hidden

Norton PC Checkup (x32 Version: 2.0.18.15 - Symantec Corporation)

Norton Security Dashboard (x32 Version: 1.1.1.9 - Symantec Corporation)

Origin (x32 Version: 9.0.15.60 - Electronic Arts, Inc.)

Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden

Photo Common (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Photo Gallery (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Picasa 3 (x32 Version: 3.9 - Google, Inc.)

Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden

PlayReady PC Runtime amd64 (Version: 1.3.0 - Microsoft Corporation)

Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden

Premium Sound HD (Version: 1.12.5000 - SRS Labs, Inc.)

Realtek High Definition Audio Driver (x32 Version: 6.0.1.6794 - Realtek Semiconductor Corp.)

Realtek USB 2.0 Card Reader (x32 Version: 6.1.8400.39030 - Realtek Semiconductor Corp.)

Realtek WLAN Driver (x32 Version: 2.00.0020 - REALTEK Semiconductor Corp.)

Synaptics Pointing Device Driver (Version: 16.2.10.5 - Synaptics Incorporated)

Toshiba App Place (x32 Version: 1.0.6.3 - Toshiba)

TOSHIBA Application Installer (x32 Version: 9.0.1.4 - TOSHIBA)

Toshiba Book Place (x32 Version: 3.1.9534 - K-NFB Reading Technology, Inc.)

TOSHIBA Desktop Assist (Version: 1.00.08.6402 - Toshiba Corporation)

TOSHIBA eco Utility (Version: 2.0.0.6415 - Toshiba Corporation)

TOSHIBA Function Key (Version: 1.00.6425.01 - Toshiba Corporation)

TOSHIBA HDD Accelerator (Version: 1.1.0001 - Toshiba Corporation)

TOSHIBA Password Utility (x32 Version: v1.0.0.8 - TOSHIBA Corporation)

TOSHIBA PC Health Monitor (Version: 1.8.17.640104 - Toshiba Corporation)

TOSHIBA Quality Application (x32 Version: 1.0.8 - TOSHIBA)

TOSHIBA Recovery Media Creator (x32 Version: 2.2.0.54043005 - Toshiba Corporation)

TOSHIBA Resolution+ Plug-in for Windows Media Player (x32 Version: 1.2.2.00 - TOSHIBA Corporation)

TOSHIBA Service Station (Version: 2.4.4 - TOSHIBA)

TOSHIBA System Driver (x32 Version: 1.00.0014 - Toshiba Corporation)

TOSHIBA System Settings (x32 Version: 1.00.0002.32002 - Toshiba Corporation)

TOSHIBA User's Guide (x32 Version: 1.00.02 - TOSHIBA)

TOSHIBA VIDEO PLAYER (Version: 5.1.0.12-A - Toshiba Corporation)

TOSHIBARegistration (x32 Version: 1.1.6 - TOSHIBA)

Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden

Vacation Quest™ - Australia (x32 Version: 3.0.2.32 - WildTangent) Hidden

WildTangent Games (x32 Version: 1.0.3.0 - WildTangent)

WildTangent Games App (Toshiba Games) (x32 Version: 4.0.9.7 - WildTangent) Hidden

Windows Live Communications Platform (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Windows Live Essentials (x32 Version: 16.4.3503.0728 - Microsoft Corporation)

Windows Live Essentials (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Windows Live Installer (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Windows Live Photo Common (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Windows Live PIMT Platform (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Windows Live SOXE (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Windows Live SOXE Definitions (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Windows Live UX Platform (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Windows Live UX Platform Language Pack (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

Youda Jewel Shop (x32 Version: 3.0.2.32 - WildTangent) Hidden

 

==================== Restore Points  =========================

 

16-01-2014 15:15:56 Windows Update

24-01-2014 15:28:38 Scheduled Checkpoint

01-02-2014 05:19:25 Scheduled Checkpoint

 

==================== Hosts content: ==========================

 

2012-07-25 21:26 - 2012-07-25 21:26 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

 

==================== Scheduled Tasks (whitelisted) =============

 

Task: {00050DAF-A111-4535-BF4D-81A749E2FD05} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\SymErr.exe [2013-06-03] (Symantec Corporation)

Task: {1061D1D9-1E8D-4930-A84A-0DAFCAA3FBA9} - System32\Tasks\TOSHIBA\Service Station => C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe [2012-07-27] (TOSHIBA Corporation)

Task: {1AAFF332-5C62-4558-9991-DAA649C4C9C5} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask

Task: {23A5D8BE-9196-40EB-BD89-794398B2B073} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList

Task: {2418B7F3-0AF8-4242-94C5-87D8750A4513} - System32\Tasks\Microsoft\Windows\Setup\Windows Upgrade Notification Task => C:\windows\system32\NotificationUI.exe [2013-08-15] (Microsoft Corporation)

Task: {3DD3D020-442D-4D43-BB90-5E0A2079C4FF} - System32\Tasks\Norton Anti-Theft\Norton Error Analyzer => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe [2013-08-01] (Symantec Corporation)

Task: {71CCF9C1-ADAE-4745-9254-43E940F064CE} - System32\Tasks\Synaptics TouchPad Enhancements => \Program Files\Synaptics\SynTP\SynTPEnh.exe [2012-08-16] (Synaptics Incorporated)

Task: {9387E135-1FBE-4036-A083-1D6B4224C616} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\SymErr.exe [2013-06-03] (Symantec Corporation)

Task: {A72208BF-7A49-4FB8-B684-252375F3443A} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing

Task: {C2812AF5-F444-45A1-827E-68CD9468F80E} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\WSCStub.exe [2013-06-03] (Symantec Corporation)

Task: {C6A88F2D-53D2-4805-9D69-443738A1847C} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState

Task: {D193907A-B110-4A57-97FC-E47F2B5A7EE7} - System32\Tasks\Microsoft\Windows\Setup\Pre-staged GDR Notification => C:\Windows\system32\NotificationUI.exe [2013-08-15] (Microsoft Corporation)

Task: {E01DF7AF-0642-425D-B9A9-1F8ECB1D4BD3} - System32\Tasks\Norton Anti-Theft\Norton Error Processor => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe [2013-08-01] (Symantec Corporation)

Task: {EBF06DEC-4228-4813-AC0C-62821AE4E330} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask

 

==================== Loaded Modules (whitelisted) =============

 

 

==================== Alternate Data Streams (whitelisted) =========

 

 

==================== Safe Mode (whitelisted) ===================

 

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"

 

==================== Faulty Device Manager Devices =============

 

 

==================== Event log errors: =========================

 

Could not start eventlog service, could not read events.

 

The requested service has already been started.

 

More help is available by typing NET HELPMSG 2182.

 

 

==================== Memory info =========================== 

 

Percentage of memory in use: 23%

Total physical RAM: 3980.21 MB

Available physical RAM: 3064.26 MB

Total Pagefile: 16268.21 MB

Available Pagefile: 15427.87 MB

Total Virtual: 8192 MB

Available Virtual: 8191.78 MB

 

==================== Drives ================================

 

Drive c: (TI10657300E) (Fixed) (Total:687.42 GB) (Free:614.36 GB) NTFS

Drive e: () (Fixed) (Total:7.45 GB) (Free:7.39 GB) FAT32

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (Size: 699 GB) (Disk ID: 00000000)

 

Partition: GPT Partition Type

========================================================

Disk: 1 (Size: 7 GB) (Disk ID: A8951C2D)

Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

 

==================== End Of Log ============================


Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Let's clean out any adware/spyware now: (this will require a reboot, so save all your work)

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a FULL Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


Hi again, Mr. C, and thanks so much for the rapid responses and all your help. Here are the 2 logs, and the full scan is running as I write this. I'll upgrade her to MBAM Pro and was also planning to add AVG to her system.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2014 04

Ran by Kristina at 2014-02-03 05:08:34 Run:1

Running from E:\k

Boot Mode: Safe Mode (minimal)

==============================================

 

Content of fixlist:

*****************

KLM\...\Run: [] - [x]

IFEO\k9filter.exe: [Debugger] svchost.exe

IFEO\MpCmdRun.exe: [Debugger] svchost.exe

IFEO\MpUXSrv.exe: [Debugger] svchost.exe

IFEO\MSASCui.exe: [Debugger] svchost.exe

IFEO\msconfig.exe: [Debugger] svchost.exe

IFEO\msmpeng.exe: [Debugger] svchost.exe

IFEO\msseces.exe: [Debugger] svchost.exe

C:\Users\Kristina\AppData\Local\Temp\ntdll_dump.dll

C:\ProgramData\connector.swf

C:\Users\Kristina\AppData\Roaming\data.sec

C:\Users\Kristina\AppData\Roaming\svc-vthi.exe

C:\Users\Kristina\Downloads\setup.exe.vbe

 

*****************

 

HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\k9filter.exe => Key deleted successfully.

HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe => Key deleted successfully.

HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpUXSrv.exe => Key deleted successfully.

HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe => Key deleted successfully.

HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msconfig.exe => Key deleted successfully.

HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe => Key deleted successfully.

HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe => Key deleted successfully.

C:\Users\Kristina\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.

C:\ProgramData\connector.swf => Moved successfully.

C:\Users\Kristina\AppData\Roaming\data.sec => Moved successfully.

C:\Users\Kristina\AppData\Roaming\svc-vthi.exe => Moved successfully.

C:\Users\Kristina\Downloads\setup.exe.vbe => Moved successfully.

 

==== End of Fixlog ====

 

 


# AdwCleaner v3.018 - Report created 03/02/2014 at 05:11:50

# Updated 28/01/2014 by Xplode

# Operating System : Windows 8  (64 bits)

# Username : Kristina - K-PC

# Running from : E:\k\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

Folder Deleted : C:\ProgramData\boost_interprocess

Folder Deleted : C:\Users\Kristina\AppData\Local\Temp\TempDir

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v10.0.9200.16537

 

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [secondary Start Pages]

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [secondary Start Pages]

Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]

Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [secondary Start Pages]

 

*************************

 

AdwCleaner[R0].txt - [1428 octets] - [03/02/2014 05:09:09]

AdwCleaner[s0].txt - [1193 octets] - [03/02/2014 05:11:50]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1253 octets] ##########
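The fixlist above removed seven Image File Execution Options (IFEO) keys whose Debugger value was svchost.exe. When a Debugger value is set, Windows launches that debugger with the named program as its argument instead of running the program itself, so pointing the Windows Defender / Security Essentials binaries and msconfig at svchost.exe silently prevents them from ever starting. The following PowerShell audit is added here as an example; it is not part of the thread and not code from FRST or Malwarebytes. It lists every IFEO Debugger value on the machine and flags any that does not point at a recognised debugger. The list of known debugger names is an assumption for illustration; tune it for your own estate, and run it from an elevated PowerShell.

```powershell
# Added example (not from the thread or from any tool in it): audit IFEO Debugger values.
# Both the native and the WOW6432Node views are checked; Test-Path guards the case
# where the WOW6432Node copy does not exist (32-bit Windows).
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumption: names a legitimate Debugger value normally points at. A value such as
# svchost.exe (as in the Fixlog above) should never appear here.
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'windbgx.exe', 'procdump.exe', 'procdump64.exe')

function Get-DebuggerExe {
    # Return the file name of the first token of a Debugger command line,
    # handling both quoted paths and bare names like "svchost.exe".
    param([string]$Value)
    if ($Value -match '^\s*"([^"]+)"') { return [IO.Path]::GetFileName($Matches[1]) }
    return [IO.Path]::GetFileName(($Value.Trim() -split '\s+')[0])
}

function Get-IfeoDebuggerFindings {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }   # no hijack, nothing to report
            $exe = Get-DebuggerExe -Value $dbg
            [pscustomobject]@{
                Hive       = $root
                Target     = $key.PSChildName      # program being redirected, e.g. msconfig.exe
                Debugger   = $dbg                  # what actually gets launched instead
                Suspicious = ($knownDebuggers -notcontains $exe.ToLower())
            }
        }
    }
}

$findings = @(Get-IfeoDebuggerFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No IFEO Debugger values present.'
} else {
    # Suspicious entries sort to the top; review each before removing the Debugger value.
    $findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
}
```

The output lists the hijacked program, the binary it is redirected to and a Suspicious flag. Remediation is to delete the Debugger value (or the whole key if it contains nothing else), which is what the FRST fix did for the seven keys in the Fixlog; a legitimate developer machine may carry a few entries pointing at a real debugger, which is why the script flags rather than deletes.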

 


Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2014.02.03.03

 

Windows 8 x64 NTFS

Internet Explorer 10.0.9200.16750

Kristina :: K-PC [administrator]

 

2/3/2014 5:23:41 AM

MBAM-log-2014-02-03 (06-57-35).txt

 

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 364767

Time elapsed: 35 minute(s), 38 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 1

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BCKD (Rogue.Agent.WPS) -> No action taken.

 

Registry Values Detected: 1

HKLM\SYSTEM\CurrentControlSet\Services\bckd|ImagePath (Rogue.Agent.WPS) -> Data: 123123.sys -> No action taken.

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 2

C:\Users\Kristina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\36JDVETE\IKEA BRIMNES BED FRAME WSTORAGE FU user guide provided through mypdfmanuals.com.exe (PUP.Optional.LiveSoftAction.A) -> No action taken.

C:\Users\Kristina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K5ZQEDM0\rcpsetup_adgorithms_300_250_ag_2.exe (PUP.Optional.RegCleanPro) -> No action taken.

 

(end)

Good......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

 Results of screen317's Security Check version 0.99.79 
   x64 (UAC is disabled!) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Windows Defender          
Norton Internet Security  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader 10.1.3 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Symantec Norton Online Backup NOBuAgent.exe 
 Symantec Norton Online Backup NOBuClient.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Adobe Reader 10.1.3 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

--------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work, you can simply rename ComboFix.exe to Uninstall.exe and double-click it to complete the uninstall, or download and run the uninstaller.)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete. (right click.....Delete)
I.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click Uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
