DCOM/PlugandPlay errors - MBAM blocking svchost.exe

Solved
By FenBranklin
Jan 26, 2014
  1. Hi, not sure if the two things are connected, but here is my story.

    About a week ago my computer started getting DCOM and Plug and play errors that were forcing my computer to shut down and restart. I did some looking online and got MBAM, after running that and Avira, which is the AV I had. The DCOM and plug and play restarts stopped.

    Now, yesterday, my computer restarted as a result of the DCOM error again. When it booted back up I did MBAM and Avira scans. After the scan MBAM is now giving me a notification that it "blocked access to a potentially malicious website" the type is "outgoing" the process is "svchost.exe"

    Any help, advice, explanation is appreciated.
  2. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    Here is the MBAM log.

    Malwarebytes Anti-Malware (Trial) 1.75.0.1300
    www.malwarebytes.org

    Database version: v2014.01.26.02

    Windows 7 x86 NTFS
    Internet Explorer 8.0.7600.16385
    Portable Poonani :: PORTABLEPOONANI [administrator]

    Protection: Enabled

    1/26/2014 2:26:29 PM
    mbam-log-2014-01-26 (14-26-29).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 198054
    Time elapsed: 7 minute(s), 35 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  3. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    DDS log: With the zipped "attach" not sure if I'm supposed to include it, but there it is.

    DDS Notepad:
    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.51.2
    Run by Portable Poonani at 14:17:15 on 2014-01-26
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.1859 [GMT -7:00]
    .
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
    C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearch Page = hxxp://www.google.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - c:\program files\vuze_remote\prxtbVuze.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\1444D494E4D20534F5E4564777F627B6 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\2456C6B696E6F5E4F575962756C6563737F5B456D607163737 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\2457E6A7160216E646024416E6E6970235475656C656 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\2656C6B696E6E233264363 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\2656C6B696E6E2463656 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\84164737027416D65637 : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\B49656C69784F6D6565507374716962737 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{BDD7F3E6-5C44-416A-860B-D604A7504DA3} : DHCPNameServer = 192.168.2.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\portable poonani\appdata\roaming\mozilla\firefox\profiles\mdrrt3qo.default\
    FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\users\portable poonani\appdata\roaming\mozilla\firefox\profiles\mdrrt3qo.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
    FF - component: c:\users\portable poonani\appdata\roaming\mozilla\firefox\profiles\mdrrt3qo.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_43.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.mixidj.tlbrSrchUrl -
    FF - user.js: extensions.mixidj.id - 6eb94f5e000000000000001fe1833373
    FF - user.js: extensions.mixidj.appId - {A2773ED4-83BD-488A-A186-73590706C916}
    FF - user.js: extensions.mixidj.instlDay - 15837
    FF - user.js: extensions.mixidj.vrsn - 1.8.18.8
    FF - user.js: extensions.mixidj.vrsni - 1.8.18.8
    FF - user.js: extensions.mixidj.vrsnTs - 1.8.18.813:18:39
    FF - user.js: extensions.mixidj.prtnrId - mixidj
    FF - user.js: extensions.mixidj.prdct - mixidj
    FF - user.js: extensions.mixidj.aflt - babsst
    FF - user.js: extensions.mixidj.smplGrp - none
    FF - user.js: extensions.mixidj.tlbrId - base
    FF - user.js: extensions.mixidj.instlRef - sst
    FF - user.js: extensions.mixidj.dfltLng - en
    FF - user.js: extensions.mixidj.excTlbr - false
    FF - user.js: extensions.mixidj.ffxUnstlRst - false
    FF - user.js: extensions.mixidj.admin - false
    FF - user.js: extensions.mixidj.autoRvrt - false
    FF - user.js: extensions.mixidj.rvrt - false
    FF - user.js: extensions.mixidj.newTab - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-12-17 37352]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-12-17 440376]
    R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-12-17 440376]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-12-17 90400]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2014-1-18 418376]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2014-1-18 701512]
    R2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\motorola mobility\motorola device manager\MotoHelperService.exe [2013-11-15 137528]
    R2 PST Service;PST Service;c:\program files\motorola\motforwarddaemon\ForwardDaemon.exe [2013-12-7 65657]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-10 122880]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-1-18 22856]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-1-26 40776]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-9-4 171680]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2013-3-19 6272]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2013-3-19 21376]
    S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2013-3-19 23936]
    S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2013-3-19 11264]
    .
    =============== Created Last 30 ================
    .
    2014-01-26 21:14:24 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2014-01-19 06:52:44 -------- d-----w- c:\users\portable poonani\jagexcache
    2014-01-19 05:43:16 -------- d-----w- c:\users\portable poonani\appdata\roaming\Malwarebytes
    2014-01-19 05:43:05 -------- d-----w- c:\programdata\Malwarebytes
    2014-01-19 05:43:03 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-01-19 05:43:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2014-01-19 05:40:49 -------- d-----w- c:\users\portable poonani\appdata\local\Programs
    2014-01-16 23:01:12 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    .
    ==================== Find3M ====================
    .
    2014-01-16 23:02:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-01-16 23:02:33 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-12-18 11:50:34 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2013-12-18 11:50:34 69240 ----a-w- c:\windows\system32\drivers\avnetflt.sys
    2013-11-26 04:21:49 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    .
    ============= FINISH: 14:17:47.65 ===============

    Attached Files:

  4. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    I misread instructions. Here is the DDS "attach" log. Also sorry for all the posts. If you'd prefer logs not be separate, please let me know.

    DDS "attach" log:
    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.51.2
    Run by Portable Poonani at 14:17:15 on 2014-01-26
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.1859 [GMT -7:00]
    .
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
    C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearch Page = hxxp://www.google.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - c:\program files\vuze_remote\prxtbVuze.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\1444D494E4D20534F5E4564777F627B6 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\2456C6B696E6F5E4F575962756C6563737F5B456D607163737 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\2457E6A7160216E646024416E6E6970235475656C656 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\2656C6B696E6E233264363 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\2656C6B696E6E2463656 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\84164737027416D65637 : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{623CFF4B-1672-4CD5-8521-B9E783DE9D00}\B49656C69784F6D6565507374716962737 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{BDD7F3E6-5C44-416A-860B-D604A7504DA3} : DHCPNameServer = 192.168.2.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\portable poonani\appdata\roaming\mozilla\firefox\profiles\mdrrt3qo.default\
    FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\users\portable poonani\appdata\roaming\mozilla\firefox\profiles\mdrrt3qo.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
    FF - component: c:\users\portable poonani\appdata\roaming\mozilla\firefox\profiles\mdrrt3qo.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_43.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.mixidj.tlbrSrchUrl -
    FF - user.js: extensions.mixidj.id - 6eb94f5e000000000000001fe1833373
    FF - user.js: extensions.mixidj.appId - {A2773ED4-83BD-488A-A186-73590706C916}
    FF - user.js: extensions.mixidj.instlDay - 15837
    FF - user.js: extensions.mixidj.vrsn - 1.8.18.8
    FF - user.js: extensions.mixidj.vrsni - 1.8.18.8
    FF - user.js: extensions.mixidj.vrsnTs - 1.8.18.813:18:39
    FF - user.js: extensions.mixidj.prtnrId - mixidj
    FF - user.js: extensions.mixidj.prdct - mixidj
    FF - user.js: extensions.mixidj.aflt - babsst
    FF - user.js: extensions.mixidj.smplGrp - none
    FF - user.js: extensions.mixidj.tlbrId - base
    FF - user.js: extensions.mixidj.instlRef - sst
    FF - user.js: extensions.mixidj.dfltLng - en
    FF - user.js: extensions.mixidj.excTlbr - false
    FF - user.js: extensions.mixidj.ffxUnstlRst - false
    FF - user.js: extensions.mixidj.admin - false
    FF - user.js: extensions.mixidj.autoRvrt - false
    FF - user.js: extensions.mixidj.rvrt - false
    FF - user.js: extensions.mixidj.newTab - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-12-17 37352]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-12-17 440376]
    R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-12-17 440376]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-12-17 90400]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2014-1-18 418376]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2014-1-18 701512]
    R2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\motorola mobility\motorola device manager\MotoHelperService.exe [2013-11-15 137528]
    R2 PST Service;PST Service;c:\program files\motorola\motforwarddaemon\ForwardDaemon.exe [2013-12-7 65657]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-10 122880]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-1-18 22856]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-1-26 40776]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-9-4 171680]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2013-3-19 6272]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2013-3-19 21376]
    S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2013-3-19 23936]
    S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2013-3-19 11264]
    .
    =============== Created Last 30 ================
    .
    2014-01-26 21:14:24 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2014-01-19 06:52:44 -------- d-----w- c:\users\portable poonani\jagexcache
    2014-01-19 05:43:16 -------- d-----w- c:\users\portable poonani\appdata\roaming\Malwarebytes
    2014-01-19 05:43:05 -------- d-----w- c:\programdata\Malwarebytes
    2014-01-19 05:43:03 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-01-19 05:43:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2014-01-19 05:40:49 -------- d-----w- c:\users\portable poonani\appdata\local\Programs
    2014-01-16 23:01:12 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    .
    ==================== Find3M ====================
    .
    2014-01-16 23:02:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-01-16 23:02:33 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-12-18 11:50:34 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2013-12-18 11:50:34 69240 ----a-w- c:\windows\system32\drivers\avnetflt.sys
    2013-11-26 04:21:49 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    .
    ============= FINISH: 14:17:47.65 ===============
  5. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================

    You posted DDS.txt log twice. I still need you to paste Attach.txt log.

    Then....

    Please download Rkill (courtesy of BleepingComputer.com) to your Desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    If normal mode still doesn't work, run the tool from safe mode.

    When the scan is done Notepad will open with rKill log.
    Post it in your next reply.

    NOTE. rKill.txt log will also be present on your desktop.
  6. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    Hi! Sorry, I thought I put it in my last reply, here is the "attach" log.

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/10/2010 8:42:34 PM
    System Uptime: 1/26/2014 1:57:23 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | |
    Processor: Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz | Microprocessor | 1833/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 74 GiB total, 16.555 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is CDROM ()
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_022F1028&REV_12\4&277C618&0&4AF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_022F1028&REV_12\4&277C618&0&4AF0
    Service:
    .
    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_022F1028&REV_12\4&277C618&0&4CF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_022F1028&REV_12\4&277C618&0&4CF0
    Service:
    .
    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_022F1028&REV_12\4&277C618&0&4BF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_022F1028&REV_12\4&277C618&0&4BF0
    Service:
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    2007 Microsoft Office Suite Service Pack 2 (SP2)
    Adobe Flash Player 12 Plugin
    Adobe Reader X (10.1.9)
    Apple Application Support
    Apple Software Update
    Avira Free Antivirus
    BloodRayne
    Canon D400-450
    Canon Inkjet Printer Driver Add-On Module
    Canon MF4320-4350
    Canon MP780
    Canon ScanGear Starter
    Conduit Engine
    Dawn of War Platinum Edition
    Disciples 2 Gold Gallean
    Disciples II Rise of the Elves
    Free M4a to MP3 Converter 7.1
    Google Update Helper
    HP Deskjet 3520 series Basic Device Software
    HP Deskjet 3520 series Setup Guide
    HP Officejet Pro 8600 Basic Device Software
    ImgBurn
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    Java 7 Update 51
    Java Auto Updater
    League of Legends
    LG United Mobile Drivers
    Malwarebytes Anti-Malware version 1.75.0.1300
    Matrix-ks
    Media converter
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Motorola Device Manager
    Motorola Device Software Update
    Motorola Mobile Drivers Installation 6.3.0
    Mozilla Firefox 26.0 (x86 en-US)
    Mozilla Maintenance Service
    MSXML 4.0 SP3 Parser
    Pando Media Booster
    QuickTime
    RuneScape Launcher 1.2.3
    Skype™ 6.11
    VC80CRTRedist - 8.0.50727.6195
    VLC media player 2.0.7
    Vuze
    Vuze Remote Toolbar
    Windows Media Player Firefox Plugin
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/26/2014 1:59:16 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
    1/26/2014 1:58:50 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    1/26/2014 1:57:48 PM, Error: Service Control Manager [7023] - The Power service terminated with the following error: The WMI request could not be completed and should be retried.
    1/25/2014 12:52:17 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error: A system shutdown has already been scheduled.
    1/25/2014 12:52:17 PM, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    1/25/2014 12:52:17 PM, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    1/24/2014 6:02:38 PM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
    1/24/2014 6:02:38 PM, Error: Service Control Manager [7038] - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    1/24/2014 6:02:38 PM, Error: Service Control Manager [7038] - The netprofm service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    1/24/2014 6:02:38 PM, Error: Service Control Manager [7000] - The Network List Service service failed to start due to the following error: The service did not start due to a logon failure.
    1/24/2014 6:02:38 PM, Error: Service Control Manager [7000] - The Diagnostic Service Host service failed to start due to the following error: The service did not start due to a logon failure.
    1/24/2014 6:02:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    1/24/2014 5:59:14 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error: A system shutdown has already been scheduled.
    .
    ==== End Of File ===========================
  7. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    Ok, used this link - rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/

    Scan started when I clicked on download. Then it "stops working". Here is the log created on the desktop.

    Rkill 2.6.5 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2014 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 01/26/2014 04:23:13 PM in x86 mode.
    Windows Version: Windows 7 Ultimate

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * No issues found.

    Checking Windows Service Integrity:

    * No issues found.

    Searching for Missing Digital Signatures:

    * C:\Windows\System32\rpcss.dll : 376,320 : 07/13/2009 06:16 PM : d6b2974a2273ae74a5510c3310fea4b6 [NoSig]

    The other link does the same thing.
    Last edited: Jan 26, 2014
  8. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    One of your system files (rpcss.dll) is infected.
    We need to find healthy replacement.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users:: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    rpcss.dll
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  9. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    SystemLook 30.07.11 by jpshortstuff
    Log created at 21:59 on 26/01/2014 by Portable Poonani
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "rpcss.dll"
    C:\Windows\System32\rpcss.dll --a---- 376320 bytes [23:45 13/07/2009] [01:16 14/07/2009] D6B2974A2273AE74A5510C3310FEA4B6
    C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll --a---- 376320 bytes [23:45 13/07/2009] [01:16 14/07/2009] (Unable to calculate MD5)

    -= EOF =-
  10. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    We don't have any healthy replacement there.
    Let me fire up my Windows 7 and get a good file from there.
    Hold on...
  11. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    I uploaded rpcss.dll file from my computer here: http://www.sendspace.com/file/vp8oqr
    Download it and paste it into the root C:\ directory.

    Re-run SystemLook with the very same script like in my reply #8 so I can see you placed the file in a right location.
     
  12. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

  13. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Copy the file from your Desktop.
    Open Windows Explorer, right click on "C" drive and click "Paste".
  14. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    Ok, thanks. I'm getting
    "error 0x80070522: A required privilege is not held by the client."

    Should I just drag and drop it or will it give me the same message?
  15. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    OK, let the file stay on your Desktop.
    Re-run SystemLook.
  16. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    SystemLook 30.07.11 by jpshortstuff
    Log created at 22:49 on 26/01/2014 by Portable Poonani
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "rpcss.dll"
    C:\Users\Portable Poonani\Desktop\rpcss.dll --a---- 376832 bytes [05:38 27/01/2014] [05:38 27/01/2014] 7660F01D3B38ACA1747E397D21D790AF
    C:\Windows\System32\rpcss.dll --a---- 376320 bytes [23:45 13/07/2009] [01:16 14/07/2009] D6B2974A2273AE74A5510C3310FEA4B6
    C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll --a---- 376320 bytes [23:45 13/07/2009] [01:16 14/07/2009] (Unable to calculate MD5)

    -= EOF =-
  17. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    "C:\Users\Portable Poonani\Desktop\rpcss.dll" C:\Windows\System32\rpcss.dll
    "C:\Users\Portable Poonani\Desktop\rpcss.dll" C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
  18. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    It says
    "Syntax error in line 2, Invalid file path."

    Wait, I tried again, its working. Sorry. Will report back after system reboot.
  19. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    Ok. Here is the log:

    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\users\portable poonani\desktop\rpcss.dll", destinationFile = "\??\c:\windows\system32\rpcss.dll"CopyFileOnReboot: sourceFile = "\??\c:\users\portable poonani\desktop\rpcss.dll", destinationFile = "\??\c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll"

    Just something, not sure if its worth mentioning, but after the computer restarted I went to the Avira system tray icon to disable it, as I believe I'm supposed to do, and I got one a "memory could not be read" errors. The program closed and the Avira icon disappeared. I'm sorry I did not write down the specifics of the error, but I thought I'd mention it happened. Avira started normally from the start menu and I've disabled it.
  20. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    My last post for tonight.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  21. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    Ok, thanks very much, I'll do all that and post results. Will check for a reply tomorrow.
  22. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Your computer should be doing better by now.
    Let me know and leave Combofix log for me.
    Night :)
  23. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    Seems to have gone smoothly. Here is the log:

    ComboFix 14-01-23.02 - Portable Poonani 01/26/2014 23:26:08.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2150 [GMT -7:00]
    Running from: c:\users\Portable Poonani\Desktop\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\END
    c:\windows\system32\sysprep\cryptbase.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-12-27 to 2014-01-27 )))))))))))))))))))))))))))))))
    .
    .
    2014-01-27 06:32 . 2014-01-27 06:32 -------- d-----w- c:\users\Portable Poonani\AppData\Local\temp
    2014-01-27 06:32 . 2014-01-27 06:32 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-01-26 23:07 . 2013-12-16 08:54 7760024 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E58828B2-80A0-48B3-BA7F-C01BFB20A5FF}\mpengine.dll
    2014-01-26 22:04 . 2014-01-26 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2014-01-26 22:04 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-01-19 06:52 . 2014-01-19 06:52 -------- d-----w- c:\users\Portable Poonani\jagexcache
    2014-01-19 05:43 . 2014-01-19 05:43 -------- d-----w- c:\users\Portable Poonani\AppData\Roaming\Malwarebytes
    2014-01-19 05:43 . 2014-01-19 05:43 -------- d-----w- c:\programdata\Malwarebytes
    2014-01-19 05:40 . 2014-01-19 05:40 -------- d-----w- c:\users\Portable Poonani\AppData\Local\Programs
    2014-01-16 23:01 . 2013-12-19 04:10 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-01-27 05:59 . 2009-07-13 23:45 376832 ----a-w- c:\windows\system32\rpcss.dll
    2014-01-16 23:02 . 2012-04-05 21:39 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-01-16 23:02 . 2011-05-15 08:52 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-12-18 11:50 . 2013-05-07 21:11 69240 ----a-w- c:\windows\system32\drivers\avnetflt.sys
    2013-12-18 11:50 . 2012-12-17 19:44 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2013-12-18 11:50 . 2012-12-17 19:44 135648 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2013-11-26 04:21 . 2012-12-17 19:44 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2014-01-27 05:59 . !HASH: COULD NOT OPEN FILE !!!!! . 376832 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
    [-] 2014-01-27 . 7660F01D3B38ACA1747E397D21D790AF . 376832 . . [6.1.7601.17514] . . c:\windows\System32\rpcss.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-03 175400]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2011-01-03 17:16 175400 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2011-01-03 17:16 175400 ----a-w- c:\program files\Vuze_Remote\prxtbVuze.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-03 175400]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-03 175400]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-03 175400]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-12-18 684600]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-09-05 171680]
    R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2013-03-20 6272]
    R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2013-03-19 21376]
    R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2013-03-19 23936]
    R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [2013-03-20 11264]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-11 691696]
    S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-11-26 37352]
    S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2013-12-18 440376]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
    S2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [2013-11-15 137528]
    S2 PST Service;PST Service;c:\program files\Motorola\MotForwardDaemon\ForwardDaemon.exe [2011-09-02 65657]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 122880]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMPROTECTOR
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-01-27 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 23:02]
    .
    2014-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 20:27]
    .
    2014-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 20:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    FF - ProfilePath - c:\users\Portable Poonani\AppData\Roaming\Mozilla\Firefox\Profiles\mdrrt3qo.default\
    FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: extensions.mixidj.tlbrSrchUrl -
    FF - user.js: extensions.mixidj.id - 6eb94f5e000000000000001fe1833373
    FF - user.js: extensions.mixidj.appId - {A2773ED4-83BD-488A-A186-73590706C916}
    FF - user.js: extensions.mixidj.instlDay - 15837
    FF - user.js: extensions.mixidj.vrsn - 1.8.18.8
    FF - user.js: extensions.mixidj.vrsni - 1.8.18.8
    FF - user.js: extensions.mixidj.vrsnTs - 1.8.18.813:18
    FF - user.js: extensions.mixidj.prtnrId - mixidj
    FF - user.js: extensions.mixidj.prdct - mixidj
    FF - user.js: extensions.mixidj.aflt - babsst
    FF - user.js: extensions.mixidj.smplGrp - none
    FF - user.js: extensions.mixidj.tlbrId - base
    FF - user.js: extensions.mixidj.instlRef - sst
    FF - user.js: extensions.mixidj.dfltLng - en
    FF - user.js: extensions.mixidj.excTlbr - false
    FF - user.js: extensions.mixidj.ffxUnstlRst - false
    FF - user.js: extensions.mixidj.admin - false
    FF - user.js: extensions.mixidj.autoRvrt - false
    FF - user.js: extensions.mixidj.rvrt - false
    FF - user.js: extensions.mixidj.newTab - false
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-01-26 23:33:55
    ComboFix-quarantined-files.txt 2014-01-27 06:33
    .
    Pre-Run: 17,236,221,952 bytes free
    Post-Run: 18,141,425,664 bytes free
    .
    - - End Of File - - BEF5E9B92DF4EDB1D4E538E1CA49BB7E
    A36C5E4F47E84449FF07ED3517B43A31
  24. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Looks good.

    [​IMG] Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    [​IMG] Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
  25. FenBranklin

    FenBranklin Newcomer, in training Topic Starter Posts: 23

    Sorry for the delay. Here is the RogueKiller log.
    RogueKiller V8.8.3 [Jan 24 2014] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7600 ) 32 bits version
    Started in : Normal mode
    User : Portable Poonani [Admin rights]
    Mode : Remove -- Date : 01/28/2014 01:24:38
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 6 ¤¤¤
    [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [SCREENSVR][SUSP PATH] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\Windows\MATRIX~1.SCR [-]) -> REPLACED (C:\Windows\system32\logon.scr)

    ¤¤¤ Scheduled tasks : 10 ¤¤¤
    [V2][SUSP UNIC] {5B88D483-80CF-4643-A788-AF388BF8A224} : C:\Users\Portable Poonani\Desktop\動画ファイル集\DQ動画start.exe [x] -> DELETED
    [V2][SUSP PATH] {6B84CE91-06B2-43A1-9C10-B14825720A61} : C:\Users\Portable Poonani\Desktop\Diablo II\Diablo II.exe [x] -> DELETED
    [V2][SUSP PATH] {897F4311-87FF-4CCB-98EA-2462CBDA0BCC} : C:\Users\Portable Poonani\Desktop\Diablo II\Diablo II.exe [x] -> DELETED
    [V2][SUSP PATH] {92BAE105-318F-40CA-88AE-E6DC45A7FBFF} : C:\Users\Portable Poonani\Desktop\Diablo II\Diablo II.exe [x] -> DELETED
    [V2][SUSP UNIC] {9858C45A-D05C-4CE4-85E9-69435AED092F} : C:\Users\Portable Poonani\Desktop\動画ファイル集\ミ?��ラ男(金).exe [x] -> DELETED
    [V2][SUSP PATH] {CB1614C7-2591-4A41-90B4-69B5E5C2296A} : C:\Users\Portable Poonani\Desktop\Diablo II\Diablo II.exe [x] -> DELETED
    [V2][SUSP UNIC] {D16C3581-5DEB-49F3-96E6-296FE3C60893} : C:\Users\Portable Poonani\Desktop\動画ファイル集\DQ動画start.exe [x] -> DELETED
    [V2][SUSP UNIC] {DC602D86-0220-45CF-8DC6-7784AA1F1358} : C:\Users\Portable Poonani\Desktop\動画ファイル集\DQ動画start.exe [x] -> DELETED
    [V2][SUSP UNIC] {E17D578C-78C9-4BAB-A953-21002463505E} : C:\Users\Portable Poonani\Desktop\動画ファイル集\DQ動画start.exe [x] -> DELETED
    [V2][SUSP PATH] {F10404D9-BDA8-495B-9BC2-862C1384DCEB} : C:\Users\Portable Poonani\Desktop\Diablo II\Diablo II.exe [x] -> DELETED

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    [Address] SSDT[84] : NtCreateSection @ 0x83086CE3 -> HOOKED (Unknown @ 0x8FAC87F6)
    [Address] SSDT[299] : NtRequestWaitReplyPort @ 0x830CCACB -> HOOKED (Unknown @ 0x8FAC8800)
    [Address] SSDT[316] : NtSetContextThread @ 0x83131D13 -> HOOKED (Unknown @ 0x8FAC87FB)
    [Address] SSDT[347] : NtSetSecurityObject @ 0x8306C025 -> HOOKED (Unknown @ 0x8FAC8805)
    [Address] SSDT[368] : NtSystemDebugControl @ 0x8305F2FC -> HOOKED (Unknown @ 0x8FAC880A)
    [Address] SSDT[370] : NtTerminateProcess @ 0x830B7B3D -> HOOKED (Unknown @ 0x8FAC8797)
    [Address] Shadow SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8FAC881E)
    [Address] Shadow SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8FAC8823)
    [Address] IRP[IRP_MJ_CREATE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x8556E1F8)
    [Address] IRP[IRP_MJ_CLOSE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x8556E1F8)
    [Address] IRP[IRP_MJ_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x8556E1F8)
    [Address] IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x8556E1F8)
    [Address] IRP[IRP_MJ_POWER] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x8556E1F8)
    [Address] IRP[IRP_MJ_SYSTEM_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x8556E1F8)
    [Address] IRP[IRP_MJ_PNP] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED (Unknown @ 0x8556E1F8)

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD800BEVS-75RST0 ATA Device +++++
    --- User ---
    [MBR] 1ec39acbc07e6a241cf7d1eeece5d8ee
    [BSP] 7bbe13a9254adb3703e35dbeac8323ea : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76217 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_01282014_012438.txt >>
    RKreport[0]_S_01282014_012113.txt


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.