Jump to content

Ran Farbar Re Im Infected Instructions


Recommended Posts

Here is the body of FRST, copied and pasted:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-07-2014
Ran by Carol (administrator) on BILL on 27-07-2014 02:08:53
Running from C:\Users\Carol\Desktop
Platform: Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Nalpeiron Ltd.) C:\Windows\System32\ASTSRV.EXE
(Hauppauge Computer Works) C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
() C:\Program Files\CyberLink\Shared Files\RichVideo.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPStart.exe
(CyberLink Corp.) C:\Program Files\HP\QuickPlay\QPService.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\wermgr.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\RunOnce: [AvgUninstallURL] => cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllG (the data entry has 391 more characters).
HKLM Group Policy restriction on software: C:\Program Files\AVG\AVG2012 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\PC Tools <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\PC Tools <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Alwil Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKU\S-1-5-21-3482760682-2379212304-40738887-1000\...\Run: [TClockEx] => C:\Program Files\TClockEx\TCLOCKEX.EXE [89088 2000-03-08] (Dale Nurden)
HKU\S-1-5-21-3482760682-2379212304-40738887-1000\...\Run: [Google Update] => C:\Users\Carol\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-02-09] (Google Inc.)
HKU\S-1-5-21-3482760682-2379212304-40738887-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-3482760682-2379212304-40738887-1000\...\RunOnce: [shockwave Updater] => "C:\Windows\System32\Macromed\Shockwave 10\SwHelper_1020023.exe" -Update -1020023 -iexplore.exe9.0
HKU\S-1-5-21-3482760682-2379212304-40738887-1000\...\Policies\Explorer: [NoInstrumentation] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoStart IR.lnk
ShortcutTarget: AutoStart IR.lnk -> C:\Program Files\WinTV\Ir.exe (Hauppauge Computer Works)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinTV Recording Status..lnk
ShortcutTarget: WinTV Recording Status..lnk -> C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope {95678D8F-8A60-4F82-8D6D-0A0361BD8E2C} URL =
SearchScopes: HKLM - {49691058-B72F-448B-BE1B-A245BBF26BDB} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKCU - DefaultScope {95678D8F-8A60-4F82-8D6D-0A0361BD8E2C} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298573&CUI=UN33272122091153812&UM=2
SearchScopes: HKCU - {1B62CB6C-4104-482A-8AF7-B7C00A7FC01D} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKCU - {49691058-B72F-448B-BE1B-A245BBF26BDB} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKCU - {95678D8F-8A60-4F82-8D6D-0A0361BD8E2C} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298573&CUI=UN33272122091153812&UM=2
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\6j2g9fmw.default-1357757927839
FF Plugin: @java.com/DTPlugin,version=10.7.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\Carol\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Carol\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Carol\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Carol\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Carol\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Carol\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Carol\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008-10-17]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-01-31]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 astcc; C:\Windows\system32\astsrv.exe [57344 2008-01-07] (Nalpeiron Ltd.) [File not signed]
S3 Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.) [File not signed]
R2 DcomLaunch; C:\Windows\system32\rpcss.dll [551424 2009-04-10] (Microsoft Corporation) [File not signed]
R2 HauppaugeTVServer; C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe [562176 2011-04-15] (Hauppauge Computer Works) [File not signed]
R2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [65536 2007-09-19] (Hewlett-Packard) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
R2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] ()
R2 RpcSs; C:\Windows\system32\rpcss.dll [551424 2009-04-10] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BVRPMPR5; C:\Windows\system32\drivers\BVRPMPR5.SYS [49904 2009-05-03] (Avanquest Software) [File not signed]
S3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [176640 2007-09-09] (Conexant Systems Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
S3 MxL111SF_AVS_USB; C:\Windows\System32\DRIVERS\hcwC6bda.sys [85248 2011-02-15] (Hauppauge Computer Works, Inc.)
R3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-08] (Microsoft Corporation)
R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28352 2007-03-01] (Avira GmbH)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
U1 eabfiltr;
U5 hcwC6bda; C:\Windows\System32\Drivers\hcwC6bda.sys [85248 2011-02-15] (Hauppauge Computer Works, Inc.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 SymIM; system32\DRIVERS\SymIM.sys [X]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-07-27 02:07 - 2014-07-27 02:07 - 01084416 _____ (Farbar) C:\Users\Carol\Desktop\FRST.exe
2014-07-16 12:38 - 2014-07-16 12:38 - 00033280 _____ () C:\Windows\system32\psbgpti.eaz
2014-07-03 13:53 - 2014-07-03 16:52 - 00062464 _____ () C:\Users\Carol\Downloads\Nutrition Facts 2014 - RTG and Select.xls
2014-07-03 13:52 - 2014-07-03 13:53 - 00025596 _____ () C:\Users\Carol\Downloads\Nutrisystem Calories.zip

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-07-27 02:09 - 2013-07-09 07:47 - 00000000 ____D () C:\FRST
2014-07-27 02:08 - 2013-07-09 07:51 - 00013693 _____ () C:\Users\Carol\Desktop\FRST.txt
2014-07-27 02:07 - 2014-07-27 02:07 - 01084416 _____ (Farbar) C:\Users\Carol\Desktop\FRST.exe
2014-07-27 02:06 - 2006-11-02 05:45 - 00003216 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-07-27 02:06 - 2006-11-02 05:45 - 00003216 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-07-27 01:38 - 2013-02-09 19:57 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000UA.job
2014-07-27 01:27 - 2012-07-31 14:15 - 01291239 _____ () C:\Windows\WindowsUpdate.log
2014-07-27 01:14 - 2014-02-14 12:16 - 00000078 _____ () C:\Windows\system32\wcls.aou
2014-07-27 00:44 - 2012-05-03 19:42 - 00000000 ____D () C:\Users\Carol\Documents\Louise
2014-07-27 00:35 - 2014-06-01 21:44 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-26 18:14 - 2008-05-29 16:02 - 00027335 _____ () C:\Users\Carol\AppData\Roaming\nvModes.001
2014-07-26 18:14 - 2008-05-04 13:25 - 00000258 _____ () C:\Users\Public\Documents\hpqp.ini
2014-07-26 18:10 - 2006-11-02 05:58 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-07-26 18:03 - 2006-11-02 05:58 - 00032564 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-07-25 08:41 - 2013-02-09 19:57 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000Core.job
2014-07-24 15:07 - 2006-11-02 04:18 - 00000000 ____D () C:\Windows\tracing
2014-07-16 18:36 - 2008-05-29 15:56 - 00027335 _____ () C:\Users\Carol\AppData\Roaming\nvModes.dat
2014-07-16 12:38 - 2014-07-16 12:38 - 00033280 _____ () C:\Windows\system32\psbgpti.eaz
2014-07-16 12:38 - 2014-02-13 17:48 - 00000296 _____ () C:\Windows\system32\zwrqa.dpi
2014-07-14 12:45 - 2009-06-07 10:24 - 00025088 _____ () C:\Users\Carol\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-07-14 12:43 - 2013-08-03 10:16 - 00000000 ____D () C:\Users\Carol\Documents\HyperCam3
2014-07-11 14:58 - 2008-05-29 13:41 - 00000000 ____D () C:\Users\Carol\AppData\Local\Microsoft Games
2014-07-03 16:52 - 2014-07-03 13:53 - 00062464 _____ () C:\Users\Carol\Downloads\Nutrition Facts 2014 - RTG and Select.xls
2014-07-03 13:53 - 2014-07-03 13:52 - 00025596 _____ () C:\Users\Carol\Downloads\Nutrisystem Calories.zip

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll
[2009-10-23 18:32] - [2009-04-10 23:28] - 0551424 ____A (Microsoft Corporation) 193EE794A8CF0FBD930B8B53FBEEBE5E

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-07-26 19:28

==================== End Of Log ============================

 

Here is addition

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 09-07-2013
Ran by Carol at 2013-07-09 07:50:42
Running from C:\Users\Carol\Desktop
Boot Mode: Normal
==========================================================

 Update for Microsoft Office 2007 (KB2508958)
7-Zip 9.20
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
Adobe Flash Player 11 ActiveX (Version: 11.4.402.265)
Adobe Photoshop 6.0 (Version: 6.0)
Adobe Reader X (10.1.7) (Version: 10.1.7)
Adobe Shockwave Player (Version: 10.2.0.023)
AIM 6
Atheros Driver Installation Program (Version: 7.1)
Cards_Calendar_OrderGift_DoMorePlugout (Version: 1.00.0000)
CCleaner (Version: 3.12)
Cisco WebEx Meetings
Citrix Online Launcher (Version: 1.0.109)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Conexant HD Audio (Version: 4.36.7.60)
Defraggler (Version: 2.10)
DVD Suite (Version: 5.5.0928)
EPSON Scan
EPSON Stylus NX400 Series Printer Uninstall
Google Talk Plugin (Version: 4.1.3.13728)
GoToMeeting 5.7.0.1172 (HKCU Version: 5.7.0.1172)
Hauppauge WinTV 7 (Version: v7.0.29124 (CD 2.3f))
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check (Version: 1.1.11.0)
Hewlett-Packard Asset Agent for Health Check (Version: 2.0.62.5)
HP Active Support Library (Version: 2.3.0.2)
HP Doc Viewer (Version: 1.02.0001)
HP DVD Play 3.6
HP Easy Setup - Frontend (Version: 5.4.0.2430)
HP Help and Support (Version: 1.5.1)
HP Photosmart Essential 2.5 (Version: 1.02.0000)
HP Photosmart Essential 2.5 (Version: 2.5)
HP Quick Launch Buttons 6.40 B2 (Version: 6.40 B2)
HP Smart Web Printing (Version: 111.0.19071)
HP Total Care Advisor (Version: 1.4.19.2433)
HP User Guides 0091 (Version: 1.00.0000)
HP Wireless Assistant (Version: 3.00 H2)
HPNetworkAssistant (Version: 1.1.70)
HPPhotoSmartDiscLabel_PaperLabel (Version: 2.02.0000)
HPPhotoSmartDiscLabel_PrintOnDisc (Version: 2.02.0000)
HPPhotoSmartDiscLabel_Tattoo (Version: 2.02.0000)
HPPhotoSmartDiscLabelContent1 (Version: 2.02.0000)
hpphotosmartdisclabelplugin (Version: 2.02.0000)
HPPhotoSmartPhotobookHolidayPack1 (Version: 1.00.0000)
HPPhotoSmartPhotobookModernPack1 (Version: 1.00.0000)
HPPhotoSmartPhotobookPlayfulPack1 (Version: 1.00.0000)
HPPhotoSmartPhotobookScrapbookPack1 (Version: 1.00.0000)
HPPhotoSmartPhotobookWebPack1 (Version: 1.00.0000)
Icon Restore 1.0
JetMP3 (Version: 1.0618.1244)
Keynote Mobile Internet Testing Environment 3 (Version: 3.0.9.17)
LabelPrint (Version: 2.20.2128)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) (Version: 9.4.5000.00)
Microsoft SQL Server 2005 Tools Express Edition (Version: 9.4.5000.00)
Microsoft SQL Server Compact 3.5 Design Tools ENU (Version: 3.5.5386.0)
Microsoft SQL Server Compact 3.5 ENU (Version: 3.5.5386.0)
Microsoft SQL Server Native Client (Version: 9.00.5000.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.5000.00)
Microsoft SQL Server VSS Writer (Version: 9.00.5000.00)
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual Basic 2008 Express Edition - ENU (Version: 9.0.21022)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework (Version: 3.5.21022)
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32 (Version: 6.1.5288.17011)
Microsoft Works (Version: 9.7.0621)
Mozilla Firefox 22.0 (x86 en-US) (Version: 22.0)
MSDN Library for Microsoft Visual Studio 2008 Express Editions
MSDN Library for Microsoft Visual Studio 2008 Express Editions (Version: 9.0.21022)
MSVCRT Redists (Version: 1.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NetWaiting (Version: 2.5.46)
NVIDIA Drivers
Power2Go (Version: 5.6.3327)
PowerDirector (Version: 6.5.2129)
PSSWCORE (Version: 2.02.0000)
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02 (Version: 3.52.02)
Synaptics Pointing Device Driver (Version: 11.0.7.0)
TClockEx
TeamViewer 7 (Version: 7.0.12142)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC Runtimes MSI (Version: 9.0.21022)
VideoToolkit01 (Version: 100.0.128.000)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
Watchtower Library 2001 - English Edition
WeatherBug Gadget (Version: 1.0.0.6)
Windows 7 Upgrade Advisor (Version: 2.0.5000.0)
Windows Movie Maker 2.6 (Version: 2.6.4037.0)
 

==================== Restore Points  =========================

==================== Hosts content: ==========================

2006-11-02 03:23 - 2013-06-21 18:35 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {18DFD9FC-082E-4E9B-8285-5F21D2B4EDAE} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {1B98F068-2A01-452D-8958-C00C31DBF424} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000UA => C:\Users\Carol\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-09] (Google Inc.)
Task: {1BCF4F69-28C3-41F6-BC89-DD281B3F26DC} - System32\Tasks\Microsoft\Windows\RestartManager\{DB73A8C6-C5CE-4788-82A5-83B6424E2B44} => C:\Windows\system32\rmclient.exe [2006-11-02] (Microsoft Corporation)
Task: {3389C687-D42C-4B00-BD3A-B5FCBA7562C7} - System32\Tasks\User_Feed_Synchronization-{9E06FBA6-5435-4F6C-ADE5-BE2D3BE2EA8F} => C:\Windows\system32\msfeedssync.exe [2011-05-19] (Microsoft Corporation)
Task: {430BE4F0-1BE3-4040-88E9-1020DE2473D7} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe [2008-01-20] (Microsoft Corporation)
Task: {49721CAD-0649-49AF-B7C5-2BFAB6FB2B35} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\schtasks.exe [2008-01-20] (Microsoft Corporation)
Task: {5916F864-469C-4391-8604-E4EA141A2699} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-20] ()
Task: {60460F69-EDDF-41DB-A8C4-992BBE6D1568} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\OptinNotification => C:\Windows\System32\wsqmcons.exe [2008-01-20] (Microsoft Corporation)
Task: {7C5A51E8-1AD7-48C6-8879-257A8A9609F5} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {86EDA900-42E1-41C2-86D2-699697BAB55C} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Signature Update => c:\program files\windows defender\MpCmdRun.exe [2008-01-20] (Microsoft Corporation)
Task: {8B0E6FAB-F43A-4988-AF0A-A21646C212F0} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {9ED703A9-5FFD-40D5-895A-4385EE1509DE} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-20] (Microsoft Corporation)
Task: {9FA1D586-7634-415C-AF4A-F5045AB1D236} - System32\Tasks\Microsoft\Windows\Defrag\ManualDefrag => C:\Windows\system32\defrag.exe [2008-01-20] (Microsoft Corp.)
Task: {A122570B-64C1-459E-BEF4-B91504733252} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000Core => C:\Users\Carol\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-09] (Google Inc.)
Task: {B461AA38-8FC0-45F1-8C6F-D9224BB2B1A0} - System32\Tasks\Microsoft\Windows\RestartManager\{307ADEEE-38A6-468f-AC24-1C5FF4BFFA59} => C:\Windows\system32\rmclient.exe [2006-11-02] (Microsoft Corporation)
Task: {D339AEA7-CE0C-414B-9D9E-BA5EF5446981} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe No File
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000Core.job => C:\Users\Carol\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3482760682-2379212304-40738887-1000UA.job => C:\Users\Carol\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (07/08/2013 02:16:48 PM) (Source: Application Error) (User: )
Description: Faulting application Explorer.EXE, version 6.0.6002.18005, time stamp 0x49e01da5, faulting module ShellvRTF.dll, version 1.1.0.8, time stamp 0x46d83e7c, exception code 0xc0000005, fault offset 0x000057ab,
process id 0xb18, application start time 0xExplorer.EXE0.

Error: (07/08/2013 10:26:46 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {3c2fcd83-e8ab-451d-af4f-7a21e3bb697e}

Error: (07/08/2013 08:44:06 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/07/2013 07:15:10 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/06/2013 10:18:02 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
 The content index metadata cannot be read.   (0xc0041801)

Error: (07/06/2013 10:18:02 PM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
 The content index metadata cannot be read.   (0xc0041801)

Error: (07/06/2013 10:18:02 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
 Element not found.   (0x80070490)

Error: (07/06/2013 10:18:00 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
 The content index metadata cannot be read.   (0xc0041801)

Error: (07/06/2013 10:18:00 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
 0x%08x (0xc0041800 - The content index cannot be read.  )

Error: (07/06/2013 10:18:00 PM) (Source: Windows Search Service) (User: )
Description: The search service has detected corrupted data files in the index. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
 The content index metadata cannot be read.   (0xc0041801)

System errors:
=============
Error: (07/09/2013 07:44:37 AM) (Source: Service Control Manager) (User: )
Description: Windows Image Acquisition (WIA)Shell Hardware Detection%%1058

Error: (07/08/2013 04:21:02 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (07/08/2013 01:36:23 PM) (Source: Service Control Manager) (User: )
Description: Windows Image Acquisition (WIA)Shell Hardware Detection%%1058

Error: (07/08/2013 01:36:23 PM) (Source: DCOM) (User: )
Description: 1068stisvc{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (07/08/2013 08:44:06 AM) (Source: Service Control Manager) (User: )
Description: Windows Image Acquisition (WIA)Shell Hardware Detection%%1058

Error: (07/08/2013 08:44:06 AM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (07/07/2013 10:54:37 PM) (Source: Service Control Manager) (User: )
Description: Windows Update

Error: (07/07/2013 10:53:52 PM) (Source: DCOM) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (07/07/2013 10:53:04 PM) (Source: Service Control Manager) (User: )
Description: Adobe Acrobat Update Service1

Error: (07/07/2013 07:15:10 AM) (Source: Service Control Manager) (User: )
Description: Windows Image Acquisition (WIA)Shell Hardware Detection%%1058

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2013-06-21 02:47:23.787
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-21 02:47:23.288
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-21 02:47:22.804
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-21 02:47:22.320
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-21 02:47:21.837
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-21 02:47:21.353
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-21 02:47:20.714
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_b36bda857faff8dc\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-21 02:47:20.090
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_b36bda857faff8dc\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-21 02:47:19.590
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_b36bda857faff8dc\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-21 02:47:19.091
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_b36bda857faff8dc\tcpip.sys because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 61%
Total physical RAM: 3261.99 MB
Available physical RAM: 1253.54 MB
Total Pagefile: 6771.88 MB
Available Pagefile: 4423.11 MB
Total Virtual: 2047.88 MB
Available Virtual: 1911.01 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:100.63 GB) (Free:24.38 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (PRESARIO_RP) (Fixed) (Total:11.15 GB) (Free:1.88 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 112 GB) (Disk ID: 89488948)
Partition 1: (Active) - (Size=101 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=11 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Link to post
Share on other sites
  • Replies 89
  • Created
  • Last Reply

Hi & :welcome:

My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully. :excl:

  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

frst.pngfrstsearch.png

  • Start FRST with Administrator privileges.
  • Write the following text into the Search textbox:
rpcss.dll
  • Click on the Search Files button.
  • When finished, a log file (Search.txt) pops up and is saved to the same location the tool was run from.
  • Please copy and paste its contents in your next reply.
Link to post
Share on other sites

Hi Deeprybka,

 

 

Thanx for responding - think we worked together before! :)

 

Farbar Recovery Scan Tool (x86) Version:25-07-2014
Ran by Carol at 2014-07-27 14:06:02
Running from C:\Users\Carol\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll
[2009-10-23 18:32][2009-04-10 23:28] 0550400 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.22389_none_6a06ffcd57365beb\rpcss.dll
[2009-05-24 15:57][2009-03-02 21:32] 0551424 ____A (Microsoft Corporation) 4DFCBDEF3CCAA98F99038DED78945253 [File is signed]

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_69bb41ac3deac876\rpcss.dll
[2009-05-24 15:57][2009-03-02 21:39] 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830 [File is signed]

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\rpcss.dll
[2008-01-20 19:33][2008-01-20 19:33] 0547328 ____A (Microsoft Corporation) 33FB1F0193EE2051067441492D56113C [File is signed]

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.21023_none_685b771559e4be8c\rpcss.dll
[2009-05-24 15:57][2009-03-02 21:17] 0550400 ____A (Microsoft Corporation) B1BB45E24717A7F790B4411C4446EF5E [File is signed]

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16830_none_67c4315e40d1bb6c\rpcss.dll
[2009-05-24 15:57][2009-03-02 21:19] 0549888 ____A (Microsoft Corporation) 7B981222A257D076885BFFB66F19B7CE [File is signed]

C:\Windows\System32\rpcss.dll
[2009-10-23 18:32][2009-04-10 23:28] 0551424 ____A (Microsoft Corporation) 193EE794A8CF0FBD930B8B53FBEEBE5E

C:\Windows\erdnt\cache\rpcss.dll
[2012-07-20 00:25][2009-04-10 23:28] 0550400 ____A (Microsoft Corporation) 3B5B4D53FEC14F7476CA29A20CC31AC9 [File is signed]

=== End Of Search ===

Link to post
Share on other sites

Hi,

Step 1

frst.pngfrstfix.png
Please download the attached fixlist txt.gif and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

fixlist.txt

After reboot:

Step 2

Please run a FRST scan. This will help us diagnose your problem.

frst.pngfrstscan.png
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)

  • Start FRST with administator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.
Link to post
Share on other sites

After I ran FRST, and pressed the FIx button, a popup said, "Close windows before reboot. So I closed IE. On Restart, DOS ran and said the registry was tampered with, and offered a choice to start normally, or run Microsoft Startup Repair. The latter was default. I wish I chose, "normal." This is my sister's tablet on WiFi, and I have to give it back, now. I have to find a library. :(

Link to post
Share on other sites

Ok. Hi. I found a library.

 

My laptop seems wiped. Only the power light was on.The screen was dark, but the cursor connected with usb connector was visible. When I tried to power down the laptop from my keyboard, the laptop did not respond.

I unplugged the usb connector for the mouse, and the cursor disappeared. The laptop did not respond to the power down command from the keyboard. When I plugged in the bluetooth connector for the mouse, the cursor no longer appeared. There is what I believe is a reboot button above the trackpad on the laptop itself. The light turned orange, and the laptop didn't reboot. Control Alt Delete didn't generate any response. Just a dark screen now, and the power light burning. The CD button still makes the CD drive open and close. I let the battery run down. 

Link to post
Share on other sites

Hi,

did you interrupted the startup repair?

 

 

On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
==========

On the System Recovery Options menu you will get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

Select Command Prompt

==========

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Link to post
Share on other sites

Okay, I reread the message. At first I thought, my machine isn't clean, how can I download farbar to my machine, when it isn't clean?

 

I am limited to library computers, for the time being. I will ask a family member, if I can download farbar recovery scan tool, to a their machine, and save it to a flash drive.

Link to post
Share on other sites

Hi,

you need only a computer to download FRST 32 bit on a usb-flash-drive. Then follow the instructions above. If we get a scanlog, then we can fix the issue. I think the infected file would not replaced and is now missing. We try the replacement in the Recovery Environment again.

 

Download for FRST 32bit
 

Link to post
Share on other sites

1. Where are my previous discussions on forums.malwarebytes.org? Not listed in, "My content." From 2013, and back.

 

2. Because software on it saved reports that would enable the computer to boot up again exactly as it was, no matter WHAT interruption, it must have viewed Farbar as changing the registry, which wouldn't allow it to save the info exactly. Do you agree?

Link to post
Share on other sites

Hi,

ad 1.) I don't know. I am only "trusted Advisor" Link

ad 2.) I don't understand! :)
We tried to replace an infected file...

[2009-10-23 18:32] - [2009-04-10 23:28] - 0551424 ____A (Microsoft Corporation) 193EE794A8CF0FBD930B8B53FBEEBE5E ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.

Now we will repeat this operation in the "recovery environment". Afterwards your PC should work normal.

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.


Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.