
Reading this forum, it seems that I have run into the dreaded multiple dllhost.exe/COM Surrogate issue that a few people are having. Before I knew of this issue, I ran a regular Malwarebytes malware scan and it seems to have gotten rid of a few viruses, and everything seemed back to normal for a day. However, the computer has started to get bogged down again and it seems that multiple processes have started running on top of the dllhost.exe. For example, dvdupgrd.exe, wextract.exe and wiaacmgr.exe are just a few of the processes that suddenly pop up and bog the computer down. Any help will be appreciated.


Thanks,


Al


Below is a copy of the FRST.txt scan. The Addition.txt copy is right after it.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-11-2014 03
Ran by Admin (administrator) on PS04 on 17-11-2014 09:21:05
Running from C:\Users\Admin.PEOPLESTAFFING\Desktop
Loaded Profile: Admin (Available profiles: admin & Admin & mpozo & eordonez & ysmall & jgarcia)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgchsvx.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgwdsvc.exe
(Symantec Corporation) C:\Program Files\Symantec\Backup Exec\RAWS\bedbg.exe
(CrypKey (Canada) Ltd.) C:\Windows\System32\Crypserv.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Symantec Corporation) C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgam.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgcsrvx.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
() C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgtray.exe
(CANON INC.) C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgcsrvx.exe
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.3.132.0\SeaPort.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe [2691072 2009-08-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [RemoteControl9] => C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] => C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-04-29] (CyberLink Corp.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [RoxWatchTray] => C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM\...\Run: [Desktop Disc Tool] => C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG10\avgtray.exe [2345592 2012-08-01] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [CanonSolutionMenuEx] => C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [!DPLauncher] => C:\Program Files\Microsoft\DefaultPack\DPLauncher.EXE [60040 2014-10-29] (© 2012 Microsoft Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Outlook 2010.lnk
ShortcutTarget: Microsoft Outlook 2010.lnk -> C:\Windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\outicon.exe ()
ShellIconOverlayIdentifiers: [EnabledUnlockedFDEIconOverlay] -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
ShellIconOverlayIdentifiers: [uninitializedFdeIconOverlay] -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /syncC:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-525341378-2078367883-2772001530-1156\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-525341378-2078367883-2772001530-1156\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{AC3FE2F2-07EA-444A-8451-9397923F6742}: [NameServer] 192.168.1.2

FireFox:
========
FF ProfilePath: C:\Users\Admin.PEOPLESTAFFING\AppData\Roaming\Mozilla\Firefox\Profiles\r2632st5.default
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgwd; C:\Program Files\AVG\AVG10\avgwdsvc.exe [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
R2 BackupExecAgentAccelerator; C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe [1270640 2011-04-02] (Symantec Corporation)
R2 bedbg; C:\Program Files\Symantec\Backup Exec\RAWS\bedbg.exe [223088 2011-03-28] (Symantec Corporation)
R2 Crypkey License; C:\Windows\system32\crypserv.exe [122880 2007-05-23] (CrypKey (Canada) Ltd.) [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-01-18] (Hewlett-Packard) [File not signed]
S3 PDVFSService; C:\Program Files\Symantec\Backup Exec\RAWS\PDVFSService.exe [194200 2011-03-31] ()
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-01-18] (Hewlett-Packard) [File not signed]
S3 RoxMediaDB12OEM; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [1116656 2010-11-25] (Sonic Solutions)
S2 RoxWatch12; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [219632 2010-11-25] (Sonic Solutions)
S3 SecureStorageService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe [1477632 2010-11-03] (Wave Systems Corp.) [File not signed]
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1629696 2010-07-13] () [File not signed]
R2 TdmService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe [2336104 2010-10-16] (Wave Systems Corp.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [22992 2011-02-22] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [255968 2012-11-12] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [34896 2011-03-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-03-16] (AVG Technologies CZ, s.r.o.)
S3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [84992 2009-05-11] (Broadcom Corporation)
S3 HPFXBULK; C:\Windows\System32\drivers\hpfxbulk.sys [17432 2007-07-16] (Hewlett Packard)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [2748064 2009-11-16] (Realtek Semiconductor Corp.)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2014-11-17] (Malwarebytes Corporation)
R1 NetworkX; C:\Windows\system32\ckldrv.sys [16896 2007-05-01] () [File not signed]
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
R1 PDVFSDriver; C:\Windows\System32\drivers\pdfsd.sys [64056 2011-02-15] (Symantec Corporation)
R3 VirtFile; C:\Windows\System32\DRIVERS\VirtFile.sys [71480 2011-03-01] (Symantec Corporation)
S4 PDVFSNP; No ImagePath

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-17 09:21 - 2014-11-17 09:21 - 00010736 _____ () C:\Users\Admin.PEOPLESTAFFING\Desktop\FRST.txt
2014-11-17 09:20 - 2014-11-17 09:21 - 00000000 ____D () C:\FRST
2014-11-17 09:20 - 2014-11-17 09:20 - 01108992 _____ (Farbar) C:\Users\Admin.PEOPLESTAFFING\Desktop\FRST.exe
2014-11-17 09:18 - 2014-11-17 09:18 - 00001119 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-11-17 09:18 - 2014-11-17 09:18 - 00001107 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-11-17 09:18 - 2014-11-17 09:18 - 00000000 ____D () C:\Users\Admin.PEOPLESTAFFING\AppData\Roaming\Mozilla
2014-11-17 09:18 - 2014-11-17 09:18 - 00000000 ____D () C:\Users\Admin.PEOPLESTAFFING\AppData\Local\Mozilla
2014-11-17 09:18 - 2014-11-17 09:18 - 00000000 ____D () C:\ProgramData\Mozilla
2014-11-17 09:18 - 2014-11-17 09:18 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-17 09:17 - 2014-11-17 09:18 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-11-14 13:08 - 2014-11-14 13:08 - 00000000 ____D () C:\ProgramData\AMMYY
2014-11-14 13:07 - 2014-11-14 13:07 - 00000000 __SHD () C:\Users\Admin.PEOPLESTAFFING\AppData\Local\EmieBrowserModeList
2014-11-12 10:48 - 2014-11-13 08:20 - 00015688 ____N () C:\Users\jgarcia\Documents\INFORMATION.xlsx
2014-11-12 09:02 - 2014-11-12 09:02 - 00000000 __SHD () C:\Users\jgarcia\AppData\Local\EmieBrowserModeList
2014-11-12 03:07 - 2014-10-17 20:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-12 03:06 - 2014-08-11 20:36 - 00701440 ____N (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-12 03:05 - 2014-10-02 20:44 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-12 03:05 - 2014-10-02 20:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-12 03:05 - 2014-10-02 20:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-12 03:05 - 2014-10-02 20:44 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-12 03:05 - 2014-10-02 20:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-12 03:05 - 2014-08-21 01:26 - 01237504 ____N (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-12 03:05 - 2014-08-21 01:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-12 03:04 - 2014-10-09 19:45 - 02379264 ____N (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-12 03:03 - 2014-09-19 04:23 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-12 03:03 - 2014-09-19 04:23 - 00259584 ____N (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-12 03:03 - 2014-09-19 04:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-12 03:03 - 2014-09-19 04:23 - 00221184 ____N (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-12 03:03 - 2014-09-19 04:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-12 03:03 - 2014-09-19 04:23 - 00065536 ____N (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-12 03:03 - 2014-09-19 04:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-12 03:02 - 2014-10-24 20:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-12 03:01 - 2014-10-13 20:56 - 00136632 ____N (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-12 03:01 - 2014-10-13 20:50 - 01059840 ____N (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-12 03:01 - 2014-10-13 20:50 - 00523776 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-12 03:01 - 2014-10-13 20:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-12 03:01 - 2014-10-13 20:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-12 03:00 - 2014-11-07 14:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-12 03:00 - 2014-11-05 22:28 - 02724864 ____N (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-12 03:00 - 2014-11-05 22:28 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-11-12 03:00 - 2014-11-05 22:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-12 03:00 - 2014-11-05 22:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-12 03:00 - 2014-11-05 22:12 - 00047616 ____N (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-11-12 03:00 - 2014-11-05 22:10 - 19781632 ____N (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-12 03:00 - 2014-11-05 22:10 - 00064000 ____N (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-11-12 03:00 - 2014-11-05 22:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-12 03:00 - 2014-11-05 22:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-12 03:00 - 2014-11-05 22:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-12 03:00 - 2014-11-05 22:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-12 03:00 - 2014-11-05 21:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-12 03:00 - 2014-11-05 21:59 - 00102912 ____N (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-11-12 03:00 - 2014-11-05 21:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-11-12 03:00 - 2014-11-05 21:51 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-11-12 03:00 - 2014-11-05 21:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-12 03:00 - 2014-11-05 21:42 - 00060416 ____N (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-11-12 03:00 - 2014-11-05 21:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-12 03:00 - 2014-11-05 21:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-12 03:00 - 2014-11-05 21:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-12 03:00 - 2014-11-05 21:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-12 03:00 - 2014-11-05 21:22 - 00683008 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-12 03:00 - 2014-11-05 21:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-12 03:00 - 2014-11-05 21:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-12 03:00 - 2014-11-05 21:20 - 01155072 ____N (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-11-12 03:00 - 2014-11-05 21:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-12 03:00 - 2014-11-05 20:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-12 03:00 - 2014-11-05 20:48 - 01310208 ____N (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-12 03:00 - 2014-11-05 20:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-11-10 12:31 - 2014-11-11 13:19 - 00000402 ____N () C:\DelFix.txt
2014-11-10 11:25 - 2014-11-10 11:25 - 00000000 __SHD () C:\Users\Admin.PEOPLESTAFFING\AppData\Local\EmieUserList
2014-11-10 11:25 - 2014-11-10 11:25 - 00000000 __SHD () C:\Users\Admin.PEOPLESTAFFING\AppData\Local\EmieSiteList
2014-11-10 11:09 - 2014-11-10 11:18 - 00000060 _____ () C:\Users\jgarcia\AppData\Roaming\svc-gxon.exe.bat
2014-11-10 10:42 - 2014-11-13 14:54 - 00058368 ____N () C:\Users\jgarcia\Documents\Copy of Christian Dior 11-10-14.xls
2014-11-10 08:48 - 2014-11-10 10:43 - 00058368 ____N () C:\Users\jgarcia\Desktop\Copy of Christian Dior 11-10-14.xls
2014-11-10 08:08 - 2014-11-16 13:49 - 00001364 _____ () C:\Windows\errord.log
2014-11-09 12:39 - 2014-11-09 12:39 - 00000000 __SHD () C:\Users\jgarcia\AppData\Local\EmieUserList
2014-11-09 12:39 - 2014-11-09 12:39 - 00000000 __SHD () C:\Users\jgarcia\AppData\Local\EmieSiteList
2014-11-09 12:31 - 2014-11-09 12:31 - 00645120 ____N (Microsoft Corporation) C:\Windows\system32\jsIntl.dll
2014-11-09 12:31 - 2014-11-09 12:31 - 00194048 _____ (Microsoft Corporation) C:\Windows\system32\elshyph.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00616104 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dat
2014-11-09 12:30 - 2014-11-09 12:30 - 00610304 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2014-11-09 12:30 - 2014-11-09 12:30 - 00233472 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00208384 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00182272 ____N (Microsoft Corporation) C:\Windows\system32\msls31.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00151552 _____ (Microsoft Corporation) C:\Windows\system32\iexpress.exe
2014-11-09 12:30 - 2014-11-09 12:30 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\wextract.exe
2014-11-09 12:30 - 2014-11-09 12:30 - 00127488 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\IEAdvpack.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00086016 ____N (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00083456 ____N (Microsoft Corporation) C:\Windows\system32\inseng.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00074240 _____ (Microsoft Corporation) C:\Windows\system32\SetIEInstalledDate.exe
2014-11-09 12:30 - 2014-11-09 12:30 - 00071680 ____N (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-11-09 12:30 - 2014-11-09 12:30 - 00069120 _____ (Microsoft Corporation) C:\Windows\system32\icardie.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2014-11-09 12:30 - 2014-11-09 12:30 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\pngfilt.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\mshtmler.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00043008 ____N (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\imgutil.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
2014-11-09 12:30 - 2014-11-09 12:30 - 00013312 ____N (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-11-09 12:30 - 2014-11-09 12:30 - 00012800 ____N (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-11-09 12:27 - 2014-11-09 12:32 - 00008932 _____ () C:\Windows\IE11_main.log
2014-11-09 12:14 - 2014-10-09 20:44 - 00396288 ____N (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-09 12:14 - 2014-10-09 20:44 - 00230912 ____N (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-09 12:14 - 2014-10-09 20:39 - 00302592 ____N (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-09 12:13 - 2014-09-17 20:32 - 02363904 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-09 12:13 - 2014-09-04 20:52 - 05703168 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-11-09 11:47 - 2014-11-09 11:47 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-09 11:46 - 2014-11-10 11:48 - 00000000 ____D () C:\Users\jgarcia\AppData\Roaming\FrameworkUpdate7
2014-11-09 11:46 - 2014-11-09 11:46 - 00000896 ____H () C:\Users\jgarcia\AppData\Roaming\麽鎒駓覜
2014-11-09 11:46 - 2014-11-09 11:46 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-09 11:40 - 2014-11-17 08:30 - 00554368 _____ () C:\Windows\error.log
2014-11-09 11:40 - 2014-11-17 08:30 - 00001120 _____ () C:\Windows\setupact.log
2014-11-09 11:40 - 2014-11-10 12:18 - 00005638 _____ () C:\Windows\PFRO.log
2014-11-09 11:40 - 2014-11-09 11:40 - 00000000 _____ () C:\Windows\setuperr.log
2014-11-09 10:27 - 2014-11-10 11:09 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-11-09 10:27 - 2014-11-09 10:30 - 00037316 _____ () C:\Users\jgarcia\AppData\Roaming\893686b8
2014-11-09 10:27 - 2014-11-09 10:30 - 00030524 _____ () C:\ProgramData\893686b8
2014-11-09 10:27 - 2014-11-09 10:30 - 00023063 _____ () C:\Users\jgarcia\AppData\Local\893686b8
2014-11-04 11:17 - 2014-11-04 11:17 - 00056320 ____N () C:\Users\jgarcia\Documents\Copy of Christian Dior 11-02-14.xls
2014-11-03 11:22 - 2014-11-03 11:29 - 00057344 ____N () C:\Users\jgarcia\Documents\Copy of Christian Dior 11-2-14.xls

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-17 09:17 - 2014-07-25 16:07 - 01577341 _____ () C:\Windows\WindowsUpdate.log
2014-11-17 09:15 - 2011-06-02 10:54 - 00003920 _____ () C:\Windows\system32\esnecil.ind
2014-11-17 09:15 - 2011-06-02 10:54 - 00000004 _____ () C:\Windows\vx86036.dat
2014-11-17 08:38 - 2009-07-13 23:34 - 00025424 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-17 08:38 - 2009-07-13 23:34 - 00025424 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-17 08:31 - 2011-06-23 09:35 - 00000000 ____D () C:\Users\Admin.PEOPLESTAFFING\Documents\Outlook Files
2014-11-17 08:30 - 2011-06-02 08:33 - 00000152 _____ () C:\Windows\system32\config\netlogon.ftl
2014-11-17 08:30 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-17 08:28 - 2014-07-30 11:24 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-17 02:00 - 2011-06-02 12:40 - 00000000 ____D () C:\Windows\system32\Drivers\AVG
2014-11-14 20:29 - 2012-01-23 15:16 - 00000000 ___HD () C:\Backup Exec AOFO Store
2014-11-13 17:14 - 2009-07-13 23:53 - 00032554 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-11-13 16:13 - 2011-06-02 08:36 - 00139784 _____ () C:\Users\Admin.PEOPLESTAFFING\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-13 10:46 - 2011-06-02 10:11 - 00000000 ____D () C:\COATS
2014-11-12 07:58 - 2013-12-09 12:06 - 00139784 _____ () C:\Users\jgarcia\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-12 03:48 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2014-11-12 03:17 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-11-12 03:11 - 2009-07-13 23:33 - 00511344 ____N () C:\Windows\system32\FNTCACHE.DAT
2014-11-12 03:07 - 2011-06-02 11:06 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-11-10 11:49 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\schemas
2014-11-10 11:25 - 2014-10-14 16:14 - 00000922 ____N () C:\Users\Public\Desktop\COATSsql.lnk
2014-11-10 11:21 - 2011-05-13 12:20 - 00000000 ____D () C:\ProgramData\Sonic
2014-11-09 12:36 - 2011-05-13 14:37 - 00000000 ____D () C:\Windows\Panther
2014-11-09 12:33 - 2014-05-06 11:23 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-09 12:26 - 2013-08-15 15:51 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-09 12:16 - 2011-06-01 15:23 - 100290944 ____N (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-09 11:47 - 2011-05-13 12:04 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-09 11:05 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Help
2014-11-09 10:42 - 2014-07-30 11:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-09 10:42 - 2014-07-30 11:24 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-09 10:39 - 2011-06-02 08:36 - 00000856 __RSH () C:\Users\Admin.PEOPLESTAFFING\ntuser.pol
2014-11-09 10:39 - 2011-06-02 08:36 - 00000000 ____D () C:\Users\Admin.PEOPLESTAFFING
2014-10-28 16:02 - 2013-12-09 12:06 - 00000856 __RSH () C:\Users\jgarcia\ntuser.pol
2014-10-28 16:02 - 2013-12-09 12:06 - 00000000 ____D () C:\Users\jgarcia
2014-10-24 15:32 - 2011-06-02 10:12 - 00000375 _____ () C:\Windows\ODBC.INI
2014-10-24 15:22 - 2011-06-02 08:34 - 00046534 __RSH () C:\ProgramData\ntuser.pol
2014-10-24 15:04 - 2009-07-13 21:37 - 00000000 ___HD () C:\Windows\system32\GroupPolicy

Some content of TEMP:
====================
C:\Users\Admin.PEOPLESTAFFING\AppData\Local\Temp\Quarantine.exe
C:\Users\Admin.PEOPLESTAFFING\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-11-15 00:03

==================== End Of Log ============================


Addition.txt results


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-11-2014 03
Ran by Admin at 2014-11-17 09:21:53
Running from C:\Users\Admin.PEOPLESTAFFING\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG File Server Edition 2011 (Enabled - Up to date) {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AS: AVG File Server Edition 2011 (Enabled - Up to date) {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 7.1.4 - Hewlett-Packard) Hidden
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.176 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.03) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.03 - Adobe Systems Incorporated)
AVG 2011 (HKLM\...\AVG) (Version: 10.0.1432 - AVG Technologies)
AVG 2011 (Version: 10.0.1432 - AVG Technologies) Hidden
AVG 2011 (Version: 10.0.4189 - AVG Technologies) Hidden
Bing Bar (HKLM\...\{3365E735-48A6-4194-9988-CE59AC5AE503}) (Version: 7.3.132.0 - Microsoft Corporation)
Bing Rewards Client Installer (Version: 16.0.345.0 - Microsoft Corporation) Hidden
BioAPI Framework (Version: 1.0.2 - Dell Inc.) Hidden
Broadcom NetXtreme-I Netlink Driver and Management Installer (HKLM\...\{2E98C5B7-D64C-4D7E-BFC3-A7D078569F28}) (Version: 12.25.02 - Broadcom Corporation)
Canon CanoScan LiDE 210 User Registration (HKLM\...\Canon CanoScan LiDE 210 User Registration) (Version:  - )
Canon MP Navigator EX 4.0 (HKLM\...\MP Navigator EX 4.0) (Version:  - )
Canon Solution Menu EX (HKLM\...\CanonSolutionMenuEX) (Version:  - )
CanoScan LiDE 210 Scanner Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4809) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 3.24 - Piriform)
COATS Standard (HKLM\...\{F2136B5A-0273-4434-946F-EBA61DB00634}) (Version: 9.0.1 - COATS)
COATS Standard (Version: 9.0.1 - COATS) Hidden
COATSsql (HKLM\...\{0C8B1B47-6BAD-42F8-A238-6FE81E52AE85}) (Version: 4.3.0 - COATS)
COATSsql (Version: 4.3.0 - COATS) Hidden
Custom (Version: 12.34.56.789 - Wave Systems Corp.) Hidden
CyberLink PowerDVD 9.5 (HKLM\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.5.1.3225 - CyberLink Corp.)
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Backup and Recovery Manager (HKLM\...\{4688EB75-28E2-4731-9BCB-55E624F7CD45}) (Version: 1.3 - Dell Inc.)
Dell Data Protection | Access (HKLM\...\{A7D91856-258D-4C87-8041-B170851CE432}) (Version: 2.0.00000.154 - Dell Inc.)
Dell Data Protection | Access (Version: 01.00.00.154 - Wave Systems Corp) Hidden
Dell Data Protection | Access | Drivers (HKLM\...\{4E4E65EE-C456-45AC-B5AD-C62C3A325BD0}) (Version: 1.00.011 - Dell Inc.)
Dell Data Protection | Access | Middleware (HKLM\...\{841CBDD5-4BB5-403E-AEE3-2FADC3890BE8}) (Version: 1.00.005 - Dell Inc.)
Dell Edoc Viewer (HKLM\...\{3138EAD3-700B-4A10-B617-B3F8096EE30D}) (Version: 1.0.0 - Dell Inc)
DellAccess (Version: 01.00.00.078 - Wave Systems Corp.) Hidden
DirectX 9 Runtime (Version: 1.00.0000 - Sonic Solutions) Hidden
EMBASSY Security Center (Version: 04.02.00.072 - Wave Systems Corp.) Hidden
Gemalto (Version: 01.01.01.0000 - Wave Systems Corp) Hidden
HP LaserJet P2050 Series 6.0 (HKLM\...\{6F801026-6AF0-4520-9153-4C9B4CAAB361}) (Version: 6.0 - HP)
hppFonts (Version: 001.001.00061 - Hewlett-Packard) Hidden
hppQFolderP2050 (Version: 1.00.0000 - Hewlett-Packard) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2182 - Intel Corporation)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Messenger Companion (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Standard 2010 (HKLM\...\Office14.STANDARD) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 33.1.1 (x86 en-US) (HKLM\...\Mozilla Firefox 33.1.1 (x86 en-US)) (Version: 33.1.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 33.1.1 - Mozilla)
MSVCRT (Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NTRU TCG Software Stack (Version: 2.1.34 - Security Innovation) Hidden
PC-CCID (Version: 2.0.0 - Gemalto) Hidden
PhotoShowExpress (Version: 2.0.063 - Sonic Solutions) Hidden
Preboot Manager (Version: 03.02.00.066 - Wave Systems Corp.) Hidden
Private Information Manager (Version: 07.00.00.026 - Wave Systems Corp.) Hidden
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5876 - Realtek Semiconductor Corp.)
Roxio Creator Starter (HKLM\...\{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}) (Version: 12.1.77.0 - Roxio)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Sonic CinePlayer Decoder Pack (Version: 4.3.0 - Sonic Solutions) Hidden
SPBA 5.9 (Version: 5.9.4.6686 - UPEK Inc.) Hidden
Symantec Backup Exec Remote Agent for Windows Systems (HKLM\...\Remote Agent for Windows Servers) (Version: 13.0.5204 - Symantec Corporation)
Symantec Backup Exec Remote Agent for Windows Systems (Version: 13.0.5204 - Symantec Corporation) Hidden
Trusted Drive Manager (Version: 4.0.0.512 - Wave Systems Corp.) Hidden
Upek Touchchip Fingerprint Reader (Version: 1.2.004 - Dell Inc.) Hidden
Wave Infrastructure Installer (Version: 07.02.40.0008 - Wave Systems Corp) Hidden
Wave Support Software Installer (Version: 05.12.00.012 - Wave Systems Corp) Hidden
WebReg (Version: 100.0.170.000 - Hewlett-Packard) Hidden
Windows Driver Package - Dell Inc. PBADRV System  (09/11/2009 1.0.1.6) (HKLM\...\9512AA21B791B05A54E27065C45BBC417AB282DF) (Version: 09/11/2009 1.0.1.6 - Dell Inc.)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Small Business Server 2011 Standard ClientAgent (HKLM\...\{3032BC7D-E713-452D-AAF7-F5ED073226C8}) (Version: 6.1.7900.1 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

10-11-2014 17:31:36 End of disinfection
12-11-2014 08:00:17 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {5B0CF61D-06A7-43CA-AB92-41A6662768AE} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {EC0DF0A4-2CD8-4C42-A186-80E3036A3B51} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2012-10-24] (Piriform Ltd)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Loaded Modules (whitelisted) =============

2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 ____N () C:\Program Files\Common Files\Microsoft Shared\office14\Cultures\office.odf
2010-11-17 10:35 - 2010-11-17 10:35 - 00514544 ____N () C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
2010-11-24 22:44 - 2010-11-24 22:44 - 00375280 ____N () c:\program files\common files\roxio shared\dllshared\SQLite352.dll
2014-11-17 09:17 - 2014-11-13 21:42 - 03649648 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

admin (S-1-5-21-1037510535-3347336556-3311436275-1000 - Administrator - Enabled) => C:\Users\admin
Administrator (S-1-5-21-1037510535-3347336556-3311436275-500 - Administrator - Disabled)
Guest (S-1-5-21-1037510535-3347336556-3311436275-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/13/2014 08:05:25 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program coats.exe version 9.1.2.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 824

Start Time: 01cfff418c2c1233

Termination Time: 278

Application Path: C:\COATS\coats.exe

Report Id: 31adca54-6b35-11e4-94e1-14feb5dcba33

Error: (11/10/2014 02:13:27 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <10, 0x80070005, "">.

Error: (11/10/2014 00:31:35 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {d33e4b19-91d2-4bd4-8b91-6bdce1078e74}


System errors:
=============
Error: (11/17/2014 08:30:52 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services service which failed to start because of the following error:
%%0

Error: (11/17/2014 08:28:17 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (11/14/2014 11:26:18 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services service which failed to start because of the following error:
%%0

Error: (11/14/2014 11:13:26 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services service which failed to start because of the following error:
%%0

Error: (11/14/2014 08:34:08 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.

Error: (11/14/2014 08:34:08 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.

Error: (11/14/2014 08:12:33 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (11/13/2014 05:26:10 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services service which failed to start because of the following error:
%%0

Error: (11/13/2014 05:18:50 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Audio Endpoint Builder service, but this action failed with the following error:
%%1056

Error: (11/13/2014 05:17:50 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Program Compatibility Assistant Service service, but this action failed with the following error:
%%1056


Microsoft Office Sessions:
=========================
Error: (11/13/2014 08:05:25 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: coats.exe9.1.2.082401cfff418c2c1233278C:\COATS\coats.exe31adca54-6b35-11e4-94e1-14feb5dcba33

Error: (11/10/2014 02:13:27 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: 100x80070005

Error: (11/10/2014 00:31:35 PM) (Source: VSS) (EventID: 8194) (User: )
Description: 0x80070005, Access is denied.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {d33e4b19-91d2-4bd4-8b91-6bdce1078e74}


CodeIntegrity Errors:
===================================
  Date: 2014-10-28 17:26:07.544
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sirenacm.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-28 17:26:07.466
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-27 15:45:19.131
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sirenacm.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-27 15:45:19.084
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Pentium® Dual-Core CPU E5800 @ 3.20GHz
Percentage of memory in use: 56%
Total physical RAM: 2011.65 MB
Available physical RAM: 867.89 MB
Total Pagefile: 4023.3 MB
Available Pagefile: 2633.54 MB
Total Virtual: 2047.88 MB
Available Virtual: 1898.03 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:222.55 GB) (Free:177.9 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 232.9 GB) (Disk ID: 17907D67)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=10.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=222.6 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

 


Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start, please read and note the following:

  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts; attachments make my work easier. There is a More reply options button that gives you an Upload Files option below, which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in the given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Do not ask for help for your business PC. Companies make revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies

We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of the kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for its removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in your topic being closed and any assistance being withdrawn.

Download Malwarebytes Anti-Rootkit to your desktop.

  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click "Next" in the introduction screen to continue.
  • Click "Update" in the following screen to obtain the latest malware definitions.
  • Once the update is complete, select "Next" and click "Scan".
  • When the scan is finished and no malware has been found, select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users: click Run after receipt of the Windows Security Warning - Open File.)
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users: click Run after receipt of the Windows Security Warning - Open File.)
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt


Unfortunately, when I logged on to the infected account on the infected computer, the Task Manager Processes tab lit up again with all kinds of .exe files. I took the liberty of running Malwarebytes Anti-Rootkit and it found one piece of malware again. I "cleaned it up" and also ran Farbar again. Attached are the reports. Let me know what you want me to do from here.

Also, TwinHeadedEagle, I want to say thanks for your help in this ongoing matter. I really appreciate it.

Even now, as I am writing this reply, the Processes tab in Task Manager is popping up with more files.

Al

mbar-log-2014-11-17 (12-29-56).txt

system-log.txt

Addition.txt

FRST.txt


I was logged on as admin because it does not seem to be affected by the issues that are slowing down the computer. The infected user account doesn't let me do anything because it is running too slow. The rogue programs running in the background seem to come all at once and then leave. Then they come back again. I will try to do all the work on the infected user's account.

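An added example, not part of this thread and not from Malwarebytes or the FRST author, for the symptom Al describes in the two posts above (dllhost.exe / COM Surrogate instances appearing and disappearing in Task Manager, and behaving differently per account): a PowerShell script that lists every running COM Surrogate, which process started it, which user it runs as, which COM server the CLSID on its command line maps to in the registry, and whether that server carries a valid Authenticode signature. The function names Resolve-ComServer and Get-SurrogateReport and the "Suspicious" heuristic are my own; the heuristic is an assumption about what a legitimate surrogate looks like (started by svchost.exe, image in System32 or SysWOW64, a /Processid:{CLSID} argument whose registered server is validly signed) and is a triage aid, not a verdict. It assumes an elevated PowerShell 2.0 or later on Windows 7 or newer.

```powershell
# Added example (not from the thread, Malwarebytes or FRST). Lists every
# dllhost.exe (COM Surrogate) with its parent, owner, the CLSID it was told to
# host, the COM server the registry maps that CLSID to, and that server's
# Authenticode status. Assumes an elevated PowerShell 2.0+ on Windows 7 or later.

function Resolve-ComServer {
    # Map a CLSID such as "{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" to the path of
    # its registered in-process or out-of-process server, or $null if unregistered.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $key = "$base\$sub"
        if (Test-Path -Path $key) {
            $server = (Get-ItemProperty -Path $key).'(default)'
            if ($server) {
                # Strip surrounding quotes; a LocalServer32 value may also carry
                # arguments, in which case the on-disk check below simply fails.
                return [Environment]::ExpandEnvironmentVariables("$server").Trim('"')
            }
        }
    }
    return $null
}

function Get-SurrogateReport {
    $surrogates = @(Get-WmiObject -Class Win32_Process -Filter "Name = 'dllhost.exe'")
    foreach ($p in $surrogates) {
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $who = $p.GetOwner()
        $owner = if ($who.ReturnValue -eq 0) { "$($who.Domain)\$($who.User)" } else { 'unknown' }

        # DcomLaunch (a svchost.exe) starts legitimate surrogates with /Processid:{CLSID}
        $clsid = $null
        if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') { $clsid = $Matches[1] }
        $server = if ($clsid) { Resolve-ComServer -Clsid $clsid } else { $null }

        $signer = 'n/a'
        if ($server -and (Test-Path -Path $server)) {
            $sig = Get-AuthenticodeSignature -FilePath $server
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "NOT VALID ($($sig.Status))" }
        }

        $inSystemDir = ($p.ExecutablePath -like "$env:SystemRoot\System32\*") -or
                       ($p.ExecutablePath -like "$env:SystemRoot\SysWOW64\*")

        New-Object PSObject -Property @{
            Pid        = $p.ProcessId
            Parent     = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($p.ParentProcessId))" }
            Owner      = $owner
            Image      = $p.ExecutablePath
            Clsid      = $clsid
            ComServer  = $server
            Signer     = $signer
            # Heuristic (assumption, not a verdict): no CLSID argument, an image
            # outside the system directories, a parent other than svchost.exe, or
            # a server that is unregistered or not validly signed => look here first.
            Suspicious = (-not $clsid) -or (-not $inSystemDir) -or
                         ($parent -and $parent.Name -ne 'svchost.exe') -or
                         (-not $server) -or ($signer -like 'NOT VALID*')
        }
    }
}

Get-SurrogateReport | Sort-Object -Property Suspicious -Descending |
    Format-Table -Property Pid, Parent, Owner, Clsid, ComServer, Signer, Suspicious -AutoSize
```

Because the rogue processes come and go, run it in a loop (for example `while ($true) { Get-SurrogateReport; Start-Sleep 5 }`) from the slow account rather than from the unaffected admin account, since the Owner column only tells you something when the surrogates are actually present. Resolve-ComServer is also usable on its own: `Resolve-ComServer '{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}'` returns whatever server is registered for the CLSID named in the DCOM 10010 entries of the Addition.txt log above, which is the first thing to check before deciding whether those entries matter.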

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users: click Run after receipt of the Windows Security Warning - Open File.)
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt


Glad I could help. We will delete all the tools we used and I'll give you some tips to harden your security and learn how to protect yourself :)

Recommended reading:

MUST READ - security tips:

MUST READ - general maintenance:

The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on users' apathy about software updates to keep their malicious endeavours running.

Operating systems such as Windows and applications such as Adobe Reader or Java are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading and installing updates can sometimes be tedious, but the advantages you get from them are certainly worth it.

Recommended additional software:

  • TFC - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time for malware.
  • Malwarebytes' Anti-Exploit - to block exploitation of many commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent the installation of additional foistware bundled with legitimate installers.
  • FileHippo.com Update Checker - to keep your programs up-to-date.
  • Adblock - to surf the web without annoying ads!

Post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a Notepad report. You do not need to attach it.

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 
 
 


My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation.

Thank you!

Stay safe,
TwinHeadedEagle   :)


  • 2 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
