
Plug and Play/DCOM Server terminations causing constant force restarting.



Hi there!

I'm a first-timer on these forums, so I apologize if I'm sort of naïve to the workings around here. But to get to my problem, I've recently come across a two-fer of problems on this computer. It started with what I believe is adware, and I'm still having issues removing it despite trying MalwareBytes, and many other antiviruses as well as rootkit killers(?). I'm not too worried about that right now, as I have another problem that has wreaked havoc and barely lets me use my computer for more than 10 minutes at a time.

It doesn't seem to have any correlation with certain programs, but I keep getting an error message that says "Plug and Play/DCOM service has terminated unexpectedly and must now restart." or something along those lines. Sometimes it won't give me a reason and it just says "Windows will shut down in 1 minute" and it will proceed to restart. It can happen immediately when I log onto my computer up to an hour or so after I've logged in and I've been going about my business, but there's no doubt it will happen multiple times in a day no matter what I do or when it happens. It usually happens every 10 minutes.

Is there any way to fix this? I use my computer for work so I can't let this keep happening, and I'm not about to reformat it just yet. Thanks in advance for any advice or fixes!


Hi there,

Please run an FRST scan:


Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)

  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

Here are the results. And to put things into perspective, it restarted 3 times while I was trying to download and run the FRST scan.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-03-2014 02
Ran by kicker (administrator) on DELL on 04-03-2014 19:56:19
Running from C:\Users\kicker\Desktop
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
(Wacom Technology, Corp.) C:\Program Files\WTouch\WTouchService.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Skype Technologies) C:\Program Files\Skype\Updater\Updater.exe
(Wacom Technology, Corp.) C:\Windows\system32\Pen_Tablet.exe
(Microsoft Corporation) C:\Windows\system32\userinit.exe
(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
(Wacom Technology, Corp.) C:\Program Files\WTouch\WTouchUser.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Power Software Ltd) C:\Program Files\PowerISO\PWRISOVM.EXE
(Wacom Technology, Corp.) C:\Windows\system32\WTablet\Pen_TabletUser.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
() C:\Program Files\OtShot\otshot.exe
(Wacom Technology, Corp.) C:\Windows\system32\Pen_Tablet.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Valve Corporation) C:\Program Files\Steam\Steam.exe
(Spotify Ltd) C:\Users\kicker\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(ooVoo LLC) C:\Program Files\ooVoo\ooVoo.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
(Spotify Ltd) C:\Users\kicker\AppData\Roaming\Spotify\spotify.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [startCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2011-10-12] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [itype] - C:\Program Files\Microsoft IntelliType Pro\itype.exe [1313640 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [PWRISOVM.EXE] - C:\Program Files\PowerISO\PWRISOVM.EXE [337432 2013-01-27] (Power Software Ltd)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [OtShot] - C:\Program Files\OtShot\otshot.exe [4386816 2012-10-18] ()
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKLM\...\Run: [amd_dc_opt] - C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [steam] - C:\Program Files\Steam\Steam.exe [1821888 2014-02-25] (Valve Corporation)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [spotify Web Helper] - C:\Users\kicker\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1171968 2014-01-18] (Spotify Ltd)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [MobileAppSync] - "C:\Program Files\Mobile App Sync\D2MClient.exe"
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [ChicaPasswordManager] - "C:\Program Files\ChicaLogic\Chica Password Manager\stpass.exe" /autorunned
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [AIM for Windows] - "C:\Users\kicker\AppData\Local\AOL\AIM\aim.exe"
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [ooVoo.exe] - C:\Program Files\ooVoo\oovoo.exe [35253312 2013-09-10] (ooVoo LLC)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [20728480 2014-01-14] (Skype Technologies S.A.)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [spotify] - C:\Users\kicker\AppData\Roaming\Spotify\spotify.exe [6118400 2014-01-18] (Spotify Ltd)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\MountPoints2: E - E:\INSTALL.EXE
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\MountPoints2: F - F:\setup\rsrc\Autorun.exe
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\MountPoints2: {065abda8-7a62-11e2-a34a-001aa0ce7d23} - G:\LaunchU3.exe -a

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -  No File
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
SearchScopes: HKLM - DefaultScope {62C50065-6CCB-4D7A-B91C-C8302AF43A8E} URL =
SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
SearchScopes: HKLM - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={4C330969-9D8D-11E2-AD97-001AA0CE7D23}
SearchScopes: HKCU - {3DEAA2C5-C359-4924-AA56-C1B77AD75EFF} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKCU - {62C50065-6CCB-4D7A-B91C-C8302AF43A8E} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3227981&CUI=UN17312563861949041&UM=2
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={86E519EC-EE93-4D08-8EEA-8673F71F1731}&mid=53380b853e0b47d1908fd153e62a94d0-0db7b8a2af2f64e4b2e749b12a0c6cf509053546&lang=en&ds=AVG&pr=fr&d=2013-02-17 11:56:50&v=17.0.2.13&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=6PQJ9YlVqX&i=26
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={4C330969-9D8D-11E2-AD97-001AA0CE7D23}
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.141\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\kicker\AppData\Roaming\Mozilla\Firefox\Profiles\izboc4h9.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: wacom.com/WacomTabletPlugin - C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll No File
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml

Chrome:
=======
CHR Extension: (Google Docs) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-19]
CHR Extension: (Google Drive) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-19]
CHR Extension: (uTorrentBar) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj [2013-07-19]
CHR Extension: (YouTube) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-19]
CHR Extension: (Google Search) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-19]
CHR Extension: (ADDICT-THING) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpiomcokmeokiifblckjbgpeehcccfce [2013-07-19]
CHR Extension: (iSnap - unofficial client for snapchat™) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkcinnjkbadjnadeikbfifiifppgebfo [2014-02-10]
CHR Extension: (AVG SafeGuard) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2013-07-19]
CHR Extension: (Chrome In-App Payments service) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-21]
CHR Extension: (Gmail) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-19]
CHR HKLM\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\kicker\AppData\Local\Temp\crxC997.tmp [2011-11-13]
CHR HKLM\...\Chrome\Extension: [cpiomcokmeokiifblckjbgpeehcccfce] - C:\ProgramData\ADDICT-THING\cpiomcokmeokiifblckjbgpeehcccfce.crx [2012-09-09]
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\Web Assistant\source.crx [2012-09-09]

========================== Services (Whitelisted) =================

S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [235696 2014-01-15] (McAfee, Inc.)
R2 WTouchService; C:\Program Files\WTouch\WTouchService.exe [112936 2009-07-15] (Wacom Technology, Corp.)

==================== Drivers (Whitelisted) ====================

S3 A5AGU; C:\Windows\System32\DRIVERS\AGUx86.sys [905728 2008-08-07] (D-Link Corporation)
S3 AtiDCM; C:\AMD\Support\12-10_vista_win7_win8_32_dd_ccc_whql_net4\Bin\atidcmxx.sys [27432 2012-09-28] (Advanced Micro Devices, Inc.)
S3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv.sys [32000 2012-01-11] (ManyCam LLC)
S3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv.sys [22400 2012-02-22] (ManyCam LLC)
R3 rt61x86; C:\Windows\System32\DRIVERS\WMP54Gv41x86.sys [376160 2010-04-07] (Ralink Technology, Corp.)
R1 SCDEmu; C:\Windows\system32\Drivers\SCDEmu.sys [113608 2013-01-27] (Power Software Ltd)
R3 WacomVTHid; C:\Windows\System32\DRIVERS\WacomVTHid.sys [13224 2009-05-20] (Wacom Technology)
S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-04 19:49 - 2014-03-04 19:56 - 00013352 _____ () C:\Users\kicker\Desktop\FRST.txt
2014-03-04 19:48 - 2014-03-04 19:56 - 00000000 ____D () C:\FRST
2014-03-04 19:44 - 2014-03-04 19:44 - 01145344 _____ (Farbar) C:\Users\kicker\Desktop\FRST.exe
2014-03-04 03:36 - 2014-03-04 03:43 - 01130496 _____ () C:\Users\kicker\Desktop\malebase chief.sai
2014-03-04 01:11 - 2014-03-04 01:11 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\kicker\Desktop\mbam-setup.exe
2014-03-04 00:28 - 2014-03-04 00:32 - 00024212 _____ () C:\Users\kicker\Desktop\Result.txt
2014-03-04 00:21 - 2014-03-04 00:22 - 00982016 _____ (Farbar) C:\Users\kicker\Desktop\MiniToolBox.exe
2014-03-03 23:35 - 2014-03-04 03:41 - 00000000 ____D () C:\Users\kicker\Desktop\PaintTool SAI English Pack
2014-03-02 17:54 - 2014-03-02 17:54 - 00000000 ____S () C:\Windows\system32\axwkt.euw
2014-02-20 13:31 - 2014-02-20 13:31 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-02-16 21:14 - 2014-02-22 04:29 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-10 10:34 - 2014-02-10 10:34 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-02-06 21:49 - 2014-02-06 21:49 - 00002685 _____ () C:\Users\kicker\Skype.lnk
2014-02-06 21:49 - 2014-02-06 21:49 - 00000000 ____D () C:\Users\kicker\AppData\Local\Skype
2014-02-06 21:49 - 2014-02-06 21:49 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-02-06 21:48 - 2014-02-06 21:48 - 01659552 _____ (Skype Technologies S.A.) C:\Users\kicker\Downloads\SkypeSetup(1).exe
2014-02-06 21:48 - 2014-02-06 21:48 - 00362029 _____ () C:\Users\kicker\Downloads\sqlite3.dll

==================== One Month Modified Files and Folders =======

2014-03-04 20:01 - 2012-11-08 21:48 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\Spotify
2014-03-04 20:00 - 2011-11-12 22:43 - 00000000 ____D () C:\Program Files\Steam
2014-03-04 20:00 - 2009-07-13 22:34 - 00012816 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-04 20:00 - 2009-07-13 22:34 - 00012816 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-04 19:56 - 2014-03-04 19:49 - 00013352 _____ () C:\Users\kicker\Desktop\FRST.txt
2014-03-04 19:56 - 2014-03-04 19:48 - 00000000 ____D () C:\FRST
2014-03-04 19:55 - 2013-08-22 00:01 - 00000000 ____D () C:\WTablet
2014-03-04 19:55 - 2013-08-20 16:36 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\WTablet
2014-03-04 19:55 - 2013-07-19 15:29 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-04 19:55 - 2009-07-13 22:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-04 19:55 - 2009-07-13 22:39 - 00292445 _____ () C:\Windows\setupact.log
2014-03-04 19:54 - 2011-08-20 15:13 - 01148636 _____ () C:\Windows\WindowsUpdate.log
2014-03-04 19:44 - 2014-03-04 19:44 - 01145344 _____ (Farbar) C:\Users\kicker\Desktop\FRST.exe
2014-03-04 19:39 - 2012-07-08 12:12 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-04 04:45 - 2012-06-25 11:21 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\Skype
2014-03-04 04:36 - 2013-07-19 15:29 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-04 03:43 - 2014-03-04 03:36 - 01130496 _____ () C:\Users\kicker\Desktop\malebase chief.sai
2014-03-04 03:41 - 2014-03-03 23:35 - 00000000 ____D () C:\Users\kicker\Desktop\PaintTool SAI English Pack
2014-03-04 02:50 - 2011-11-07 22:23 - 00116984 _____ () C:\Windows\PFRO.log
2014-03-04 02:50 - 2009-07-13 20:37 - 00000000 ____D () C:\Windows\L2Schemas
2014-03-04 02:48 - 2013-04-04 19:10 - 00000000 ____D () C:\Program Files\SweetIM
2014-03-04 01:17 - 2013-03-05 14:34 - 00001077 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-04 01:17 - 2011-11-07 22:35 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-03-04 01:11 - 2014-03-04 01:11 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\kicker\Desktop\mbam-setup.exe
2014-03-04 00:32 - 2014-03-04 00:28 - 00024212 _____ () C:\Users\kicker\Desktop\Result.txt
2014-03-04 00:22 - 2014-03-04 00:21 - 00982016 _____ (Farbar) C:\Users\kicker\Desktop\MiniToolBox.exe
2014-03-03 21:57 - 2013-08-26 19:41 - 00000000 __SHD () C:\Windows\system32\AI_RecycleBin
2014-03-03 16:39 - 2012-11-08 21:49 - 00000000 ____D () C:\Users\kicker\AppData\Local\Spotify
2014-03-03 01:20 - 2009-07-13 22:53 - 00032590 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-02 17:54 - 2014-03-02 17:54 - 00000000 ____S () C:\Windows\system32\axwkt.euw
2014-02-27 20:49 - 2013-11-28 16:41 - 00001985 _____ () C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2014-02-25 19:45 - 2011-11-13 13:53 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\uTorrent
2014-02-22 04:29 - 2014-02-16 21:14 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-21 01:40 - 2012-07-08 12:12 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-02-21 01:40 - 2011-08-20 15:50 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-02-20 13:31 - 2014-02-20 13:31 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-02-19 04:56 - 2012-12-23 01:50 - 00000000 ____D () C:\Users\kicker\AppData\Local\Firestorm
2014-02-19 01:10 - 2013-01-16 19:13 - 00000000 ____D () C:\Users\kicker\AppData\Local\join.me
2014-02-17 14:35 - 2014-01-30 23:11 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-02-10 13:37 - 2013-08-06 12:51 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\.minecraft
2014-02-10 10:34 - 2014-02-10 10:34 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-02-10 09:04 - 2012-06-19 10:33 - 00000000 ____D () C:\Users\kicker\Downloads\Breathe_Carolina-Hell_Is_What_You_Make_It-2011-MTD
2014-02-06 23:53 - 2011-08-20 15:10 - 00000000 ____D () C:\Users\kicker
2014-02-06 21:49 - 2014-02-06 21:49 - 00002685 _____ () C:\Users\kicker\Skype.lnk
2014-02-06 21:49 - 2014-02-06 21:49 - 00000000 ____D () C:\Users\kicker\AppData\Local\Skype
2014-02-06 21:49 - 2014-02-06 21:49 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-02-06 21:49 - 2013-02-10 23:46 - 00000000 ___RD () C:\Program Files\Skype
2014-02-06 21:49 - 2012-06-25 11:21 - 00000000 ____D () C:\ProgramData\Skype
2014-02-06 21:48 - 2014-02-06 21:48 - 01659552 _____ (Skype Technologies S.A.) C:\Users\kicker\Downloads\SkypeSetup(1).exe
2014-02-06 21:48 - 2014-02-06 21:48 - 00362029 _____ () C:\Users\kicker\Downloads\sqlite3.dll
2014-02-04 01:02 - 2014-01-18 12:00 - 00000079 _____ () C:\Windows\system32\vkvq.juj

Files to move or delete:
====================
C:\Users\kicker\jagex_cl_loginapplet_LIVE.dat
C:\Users\kicker\jagex_cl_runescape_LIVE.dat
C:\Users\kicker\jagex_cl_runescape_LIVE1.dat
C:\Users\kicker\jagex_cl_runescape_LIVE2.dat
C:\Users\kicker\random.dat


Some content of TEMP:
====================
C:\Users\kicker\AppData\Local\Temp\aol_toolbar.exe
C:\Users\kicker\AppData\Local\Temp\avguidx.dll
C:\Users\kicker\AppData\Local\Temp\chica_silent_2008.exe
C:\Users\kicker\AppData\Local\Temp\CommonInstaller.exe
C:\Users\kicker\AppData\Local\Temp\conduitinstaller.exe
C:\Users\kicker\AppData\Local\Temp\drm_dyndata_7370014.dll
C:\Users\kicker\AppData\Local\Temp\firefoxjre_exe-1.exe
C:\Users\kicker\AppData\Local\Temp\firefoxjre_exe.exe
C:\Users\kicker\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe
C:\Users\kicker\AppData\Local\Temp\GenericUninstall.exe
C:\Users\kicker\AppData\Local\Temp\helper.exe
C:\Users\kicker\AppData\Local\Temp\HotShot_installerNewNoStartUp.exe
C:\Users\kicker\AppData\Local\Temp\hsbing_717_active.exe
C:\Users\kicker\AppData\Local\Temp\iGearedHelper.dll
C:\Users\kicker\AppData\Local\Temp\ITPx86_1033.exe
C:\Users\kicker\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\kicker\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
C:\Users\kicker\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
C:\Users\kicker\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\kicker\AppData\Local\Temp\nsmD3BE.tmp.exe
C:\Users\kicker\AppData\Local\Temp\nvStInst.exe
C:\Users\kicker\AppData\Local\Temp\oi_{6E6A9826-03F4-478E-AD7E-F993BAADD1C3}.exe
C:\Users\kicker\AppData\Local\Temp\oi_{9ECDB50B-DF64-42A3-961B-7C241AAE7182}.exe
C:\Users\kicker\AppData\Local\Temp\safeguard.exe
C:\Users\kicker\AppData\Local\Temp\Second Life Setup.exe
C:\Users\kicker\AppData\Local\Temp\Setup-C2.exe
C:\Users\kicker\AppData\Local\Temp\SweetIESetup.exe
C:\Users\kicker\AppData\Local\Temp\tbappb.dll
C:\Users\kicker\AppData\Local\Temp\tbKeyB.dll
C:\Users\kicker\AppData\Local\Temp\tbMixi.dll
C:\Users\kicker\AppData\Local\Temp\tbuTo2.dll
C:\Users\kicker\AppData\Local\Temp\tmp451A.exe
C:\Users\kicker\AppData\Local\Temp\tmp5C33.exe
C:\Users\kicker\AppData\Local\Temp\tmp694D.exe
C:\Users\kicker\AppData\Local\Temp\tmpEE06.exe
C:\Users\kicker\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\kicker\AppData\Local\Temp\UNINSTALL.exe
C:\Users\kicker\AppData\Local\Temp\uninstaller.exe
C:\Users\kicker\AppData\Local\Temp\WSSetup.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2011-11-05 16:07] - [2010-11-20 06:21] - 0377344 ____A (Microsoft Corporation) 24DD85395000F0CC919CA7FEBA96C091

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-02 17:28

==================== End Of Log ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 04-03-2014 02
Ran by kicker at 2014-03-04 20:02:41
Running from C:\Users\kicker\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

µTorrent (HKLM\...\uTorrent) (Version: 3.3.0.29625 - BitTorrent Inc.)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.6.0.6090 - Adobe Systems Incorporated)
Adobe AIR (Version: 3.6.0.6090 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.70 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.70 - Adobe Systems Incorporated)
Adobe Reader X (10.1.4) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.4 - Adobe Systems Incorporated)
AMD APP SDK Runtime (Version: 2.5.775.2 - Advanced Micro Devices Inc.) Hidden
AMD Catalyst Install Manager (HKLM\...\{2E2253E9-3EAD-D9DF-EDCA-A893551EB081}) (Version: 3.0.847.0 - Advanced Micro Devices, Inc.)
AMD Drag and Drop Transcoding (Version: 2.00.0000 - Advanced Micro Devices, Inc.) Hidden
AMD Media Foundation Decoders (Version: 1.0.61012.1615 - Advanced Micro Devices, Inc.) Hidden
Apple Application Support (HKLM\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{E14ADE0E-75F3-4A46-87E5-26692DD626EC}) (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Axife Mouse Recorder DEMO 5.01 (HKLM\...\Axife Mouse Recorder DEMO_is1) (Version:  - Axife Software)
Bamboo (HKLM\...\Pen Tablet Driver) (Version:  - Wacom Technology Corp.)
Belkin USB Wireless Adapter (HKLM\...\InstallShield_{549CE1BD-88E4-4C5E-BF75-B155624714CC}) (Version: 1.0.0.13 - Belkin)
Belkin USB Wireless Adapter (Version: 1.0.0.13 - Belkin) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Catalyst Control Center - Branding (Version: 1.00.0000 - ATI) Hidden
Catalyst Control Center (Version: 2011.1012.1625.27603 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Graphics Previews Common (Version: 2011.1012.1625.27603 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center InstallProxy (Version: 2011.1012.1625.27603 - Advanced Micro Devices, Inc.) Hidden
CCC Help English (Version: 2011.1012.1624.27603 - Advanced Micro Devices, Inc.) Hidden
ccc-utility (Version: 2011.1012.1625.27603 - Advanced Micro Devices, Inc.) Hidden
Dual-Core Optimizer (HKLM\...\{9FD6F1A8-5550-46AF-8509-271DF0E768B5}) (Version: 1.1.4.0169 - AMD)
Firestorm-Beta (remove only) (HKLM\...\Firestorm-Beta) (Version: 4.5.1.38838 - The Phoenix Firestorm Project, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 33.0.1750.117 - Google Inc.)
Google Update Helper (Version: 1.3.22.5 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
iTunes (HKLM\...\{9B486871-27EB-49A5-8832-77176E63333C}) (Version: 11.0.5.5 - Apple Inc.)
Java 7 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.250 - Oracle)
Java Auto Updater (Version: 2.1.9.5 - Sun Microsystems, Inc.) Hidden
Java 6 Update 32 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216032FF}) (Version: 6.0.320 - Oracle)
join.me (HKCU\...\JoinMe) (Version: 1.14.0.132 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.141.11 - McAfee, Inc.)
Medal of Honor Multiplayer (HKLM\...\Steam App 47830) (Version:  - Electronic Arts)
Medal of Honor Single Player (HKLM\...\Steam App 47790) (Version:  - Electronic Arts)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft IntelliType Pro 8.2 (HKLM\...\Microsoft IntelliType Pro 8.2) (Version: 8.20.469.0 - Microsoft Corporation)
Microsoft IntelliType Pro 8.2 (Version: 8.20.469.0 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Word 2007 (HKLM\...\WORD) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office Word 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Moonbase Alpha (HKLM\...\Steam App 39000) (Version:  - Virtual Heroes)
Mozilla Firefox 27.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 27.0.1 (x86 en-US)) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 27.0.1 - Mozilla)
NVIDIA PhysX v8.10.29 (HKLM\...\{D56B0E27-4A3E-46C9-B5C1-D93D580C099C}) (Version: 8.10.29 - NVIDIA Corporation)
ooVoo (HKLM\...\{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}) (Version: 3.5.9060 - ooVoo LLC.)
PowerISO (HKLM\...\PowerISO) (Version: 5.5 - Power Software Ltd)
Ralink RT6x Wireless LAN Card (HKLM\...\{FAB1F336-1B7C-4057-A7BC-2922CD82A781}) (Version: 1.5.4.0 - Ralink)
RuneScape Launcher 1.2.3 (HKLM\...\{FAE99C85-0732-4C58-9C6B-10B5B12FA2E9}) (Version: 1.2.3 - Jagex Ltd)
Skype™ 6.13 (HKLM\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.13.104 - Skype Technologies S.A.)
Spotify (HKCU\...\Spotify) (Version: 0.9.7.16.g4b197456 - Spotify AB)
Steam (HKLM\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.10 - TeamSpeak Systems GmbH)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600217) (Version: 1 - Microsoft Corporation)

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

2009-07-13 20:04 - 2009-06-10 15:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {56B6A2F3-9F50-4849-9A4A-D2561EFFF0EA} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-07-19] (Google Inc.)
Task: {7B7B9054-F8B1-4893-95BA-D7B19B6C4ADA} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {B938FF64-8081-4B8C-A2FE-6A6523B08815} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-07-19] (Google Inc.)
Task: {C23D5BA6-590C-48C0-9447-89924F680BBC} - System32\Tasks\Microsoft_Hardware_Launch_IType_exe => C:\Program Files\Microsoft IntelliType Pro\IType.exe [2011-08-10] (Microsoft Corporation)
Task: {C817D7E5-C41D-401C-8759-C6D5BBBAE59B} - System32\Tasks\Microsoft\Windows\TabletPC\InputPersonalization => C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe [2009-07-13] (Microsoft Corporation)
Task: {F48A3783-3822-4DEA-842F-BD416A17B271} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-02-21] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-01-28 12:08 - 2013-01-28 12:08 - 00087952 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2013-01-28 12:08 - 2013-01-28 12:08 - 01242512 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2012-10-18 07:27 - 2012-10-18 07:27 - 04386816 _____ () C:\Program Files\OtShot\otshot.exe
2009-07-24 19:28 - 2009-07-24 19:28 - 00524128 _____ () C:\Windows\system32\LcProxy.ax
2012-11-08 21:49 - 2014-01-18 12:01 - 36967424 _____ () C:\Users\kicker\AppData\Roaming\Spotify\Data\libcef.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndappv2 => ""="service"

==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============

Could not list Devices. Check "winmgmt" service or repair WMI.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/04/2014 08:02:43 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe_DcomLaunch, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000005
Fault offset: 0x0002f591
Faulting process id: 0x2c8
Faulting application start time: 0xsvchost.exe_DcomLaunch0
Faulting application path: svchost.exe_DcomLaunch1
Faulting module path: svchost.exe_DcomLaunch2
Report Id: svchost.exe_DcomLaunch3

Error: (03/04/2014 08:00:58 PM) (Source: Application Error) (User: )
Description: Faulting application name: jucheck.exe, version: 2.1.9.4, time stamp: 0x513f4a8f
Faulting module name: USER32.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba26
Exception code: 0xc0000005
Fault offset: 0x000140a3
Faulting process id: 0x1118
Faulting application start time: 0xjucheck.exe0
Faulting application path: jucheck.exe1
Faulting module path: jucheck.exe2
Report Id: jucheck.exe3

Error: (03/04/2014 07:52:38 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x2cc
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (03/04/2014 07:51:26 PM) (Source: Application Error) (User: )
Description: Faulting application name: jucheck.exe, version: 2.1.9.4, time stamp: 0x513f4a8f
Faulting module name: USER32.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba26
Exception code: 0xc0000005
Fault offset: 0x000140a3
Faulting process id: 0x12d4
Faulting application start time: 0xjucheck.exe0
Faulting application path: jucheck.exe1
Faulting module path: jucheck.exe2
Report Id: jucheck.exe3

Error: (03/04/2014 07:43:31 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000005
Fault offset: 0x0002f591
Faulting process id: 0x2cc
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (03/04/2014 07:42:56 PM) (Source: Application Error) (User: )
Description: Faulting application name: jucheck.exe, version: 2.1.9.4, time stamp: 0x513f4a8f
Faulting module name: USER32.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba26
Exception code: 0xc0000005
Fault offset: 0x000140a3
Faulting process id: 0x1a70
Faulting application start time: 0xjucheck.exe0
Faulting application path: jucheck.exe1
Faulting module path: jucheck.exe2
Report Id: jucheck.exe3

Error: (03/04/2014 05:11:07 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe_DcomLaunch, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000005
Fault offset: 0x0002f591
Faulting process id: 0x2d4
Faulting application start time: 0xsvchost.exe_DcomLaunch0
Faulting application path: svchost.exe_DcomLaunch1
Faulting module path: svchost.exe_DcomLaunch2
Report Id: svchost.exe_DcomLaunch3

Error: (03/04/2014 04:54:10 AM) (Source: Application Error) (User: )
Description: Faulting application name: jucheck.exe, version: 2.1.9.4, time stamp: 0x513f4a8f
Faulting module name: USER32.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba26
Exception code: 0xc0000005
Fault offset: 0x000140a3
Faulting process id: 0x1614
Faulting application start time: 0xjucheck.exe0
Faulting application path: jucheck.exe1
Faulting module path: jucheck.exe2
Report Id: jucheck.exe3

Error: (03/04/2014 04:46:23 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe_DcomLaunch, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000005
Fault offset: 0x0002f591
Faulting process id: 0x2d0
Faulting application start time: 0xsvchost.exe_DcomLaunch0
Faulting application path: svchost.exe_DcomLaunch1
Faulting module path: svchost.exe_DcomLaunch2
Report Id: svchost.exe_DcomLaunch3

Error: (03/04/2014 03:50:26 AM) (Source: Application Error) (User: )
Description: Faulting application name: jucheck.exe, version: 2.1.9.4, time stamp: 0x513f4a8f
Faulting module name: USER32.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba26
Exception code: 0xc0000005
Fault offset: 0x000140a3
Faulting process id: 0x13e0
Faulting application start time: 0xjucheck.exe0
Faulting application path: jucheck.exe1
Faulting module path: jucheck.exe2
Report Id: jucheck.exe3


System errors:
=============
Error: (03/04/2014 08:02:43 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error:
%%1190

Error: (03/04/2014 08:02:43 PM) (Source: Service Control Manager) (User: )
Description: The Plug and Play service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/04/2014 08:02:43 PM) (Source: Service Control Manager) (User: )
Description: The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/04/2014 07:55:47 PM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error:
%%4203

Error: (03/04/2014 07:53:21 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error:
%%1190

Error: (03/04/2014 07:53:20 PM) (Source: Service Control Manager) (User: )
Description: The Plug and Play service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/04/2014 07:53:20 PM) (Source: Service Control Manager) (User: )
Description: The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/04/2014 07:48:14 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 107.

Error: (03/04/2014 07:48:14 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Error: (03/04/2014 07:48:14 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 107.


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Percentage of memory in use: 44%
Total physical RAM: 2557.61 MB
Available physical RAM: 1413.51 MB
Total Pagefile: 4603.9 MB
Available Pagefile: 2990.39 MB
Total Virtual: 2047.88 MB
Available Virtual: 1913.41 MB

==================== Drives ================================

Drive c: (New Volume) (Fixed) (Total:93.16 GB) (Free:11.29 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (Removable) (Fixed) (Total:186.31 GB) (Free:174.27 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 93 GB) (Disk ID: 2F570BF3)
Partition 1: (Active) - (Size=93 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 186 GB) (Disk ID: 0B675EF0)

Partition: GPT Partition Type.

==================== End Of Log ============================


Hello,

Yes, the infection is evident.
Let's search for a clean replacement:

  • Start FRST with Administrator privileges.
  • Write the following text into the Search: textbox:
    rpcss.dll
  • Click on the Search File(s) button.
  • When finished, a log file (Search.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Farbar Recovery Scan Tool (x86) Version: 04-03-2014 02
Ran by kicker at 2014-03-05 21:48:23
Running from C:\Users\kicker\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll
[2011-11-05 16:07] - [2010-11-20 06:21] - 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 17:45] - [2009-07-13 19:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

C:\Windows\System32\rpcss.dll
[2011-11-05 16:07] - [2010-11-20 06:21] - 0377344 ____A (Microsoft Corporation) 24DD85395000F0CC919CA7FEBA96C091

=== End Of Search ===

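One way to turn the Search.txt above into a verdict, as an added example that is not part of this thread and not code from FRST: it parses the three entries the tool printed, checks the live C:\Windows\System32\rpcss.dll against the two WinSxS component-store copies by MD5, and selects the newest store copy as the replacement candidate (the same copy the helper's fixlist later uses). The names parse_search, assess_live_copies, pick_replacement, FileCopy and Finding are hypothetical helpers written for this illustration.

```python
"""Cross-check a live Windows system file against its WinSxS component-store copies.

Added example for this thread, not code from the forum or from FRST. It parses
the "Search:" block FRST printed above (copied in below) and flags a live copy
whose hash matches none of the component-store copies. All function and class
names here are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three rpcss.dll entries from the Search.txt posted above.
SEARCH_TXT = r"""
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll
[2011-11-05 16:07] - [2010-11-20 06:21] - 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 17:45] - [2009-07-13 19:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

C:\Windows\System32\rpcss.dll
[2011-11-05 16:07] - [2010-11-20 06:21] - 0377344 ____A (Microsoft Corporation) 24DD85395000F0CC919CA7FEBA96C091
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# Version embedded in a WinSxS directory name, e.g. ..._6.1.7601.17514_none_...
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


@dataclass
class FileCopy:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def in_component_store(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def version(self) -> Optional[Tuple[int, ...]]:
        m = VERSION_RE.search(self.path)
        return tuple(int(p) for p in m.group(1).split(".")) if m else None


@dataclass
class Finding:
    path: str
    suspicious: bool
    reason: str


def parse_search(text: str) -> List[FileCopy]:
    """Parse FRST 'Search' output: a path line followed by a detail line."""
    lines = [ln.strip() for ln in text.splitlines()]
    copies = []
    for i in range(len(lines) - 1):
        if PATH_RE.match(lines[i]):
            m = DETAIL_RE.match(lines[i + 1])
            if m:
                copies.append(FileCopy(lines[i], m["created"], m["modified"],
                                       int(m["size"]), m["company"], m["md5"].upper()))
    return copies


def assess_live_copies(copies: List[FileCopy]) -> List[Finding]:
    """Compare every non-WinSxS copy against the component-store copies."""
    store = [c for c in copies if c.in_component_store]
    store_hashes = {c.md5 for c in store}
    findings = []
    for c in copies:
        if c.in_component_store:
            continue
        if c.md5 in store_hashes:
            findings.append(Finding(c.path, False, "hash matches a component-store copy"))
            continue
        # A store copy with identical timestamps but a different size/hash means the
        # live file carries the dates of a legitimate copy without its content.
        twins = [s for s in store if (s.created, s.modified) == (c.created, c.modified)]
        if twins:
            delta = c.size - twins[0].size
            ver = ".".join(map(str, twins[0].version)) if twins[0].version else "unversioned"
            reason = (f"hash absent from component store; timestamps equal those of the "
                      f"{ver} copy but size differs by {delta:+d} bytes")
        else:
            reason = "hash absent from component store"
        findings.append(Finding(c.path, True, reason))
    return findings


def pick_replacement(copies: List[FileCopy]) -> Optional[FileCopy]:
    """Newest versioned component-store copy: the one a Replace: directive would use."""
    store = [c for c in copies if c.in_component_store and c.version is not None]
    return max(store, key=lambda c: c.version) if store else None


if __name__ == "__main__":
    parsed = parse_search(SEARCH_TXT)
    for f in assess_live_copies(parsed):
        print(("SUSPICIOUS " if f.suspicious else "ok         ") + f.path + ": " + f.reason)
    best = pick_replacement(parsed)
    if best:
        print("replacement candidate:", best.path)
```

A hash missing from WinSxS is not proof of tampering on its own, since a later update can install a build the search did not list; what stands out in this log is a live file that carries the exact timestamps of the 6.1.7601.17514 store copy while being 512 bytes larger with a different MD5. On a live machine the same comparison can be repeated with `certutil -hashfile <path> MD5` against the paths FRST reports.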

Ok. Now we're trying to replace the infected file with a clean copy:


Step 1

Please download this attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • Allow a reboot if one is requested.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2

  • Start FRST with Administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.

Thanks for all of your help so far!  Here are the results.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-03-2014 02
Ran by kicker at 2014-03-06 03:28:06 Run:1
Running from C:\Users\kicker\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Replace: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll C:\Windows\System32\rpcss.dll
2014-02-04 01:02 - 2014-01-18 12:00 - 00000079 _____ () C:\Windows\system32\vkvq.juj
2014-03-02 17:54 - 2014-03-02 17:54 - 00000000 ____S () C:\Windows\system32\axwkt.euw
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\Web Assistant\source.crx [2012-09-09]
SearchScopes: HKCU - {62C50065-6CCB-4D7A-B91C-C8302AF43A8E} URL = http://search.condui...ultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3227981&CUI=UN17312563861949041&UM=2
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={86E519EC-EE93-4D08-8EEA-8673F71F1731}&mid=53380b853e0b47d1908fd153e62a94d0-0db7b8a2af2f64e4b2e749b12a0c6cf509053546&lang=en&ds=AVG&pr=fr&d=2013-02-17 11:56:50&v=17.0.2.13&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incre.../mb139/?search={searchTerms}&loc=IB_DS&a=6PQJ9YlVqX&i=26
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpa...s.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={4C330969-9D8D-11E2-AD97-001AA0CE7D23}
SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.condui...ultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
SearchScopes: HKLM - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpa...s.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={4C330969-9D8D-11E2-AD97-001AA0CE7D23}
C:\Users\kicker\AppData\Local\Temp\*.exe
Reboot:
*****************

C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
C:\Windows\system32\vkvq.juj => Moved successfully.
Could not move "C:\Windows\system32\axwkt.euw" => Scheduled to move on reboot.
HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd => Key deleted successfully.
"C:\Program Files\Web Assistant\source.crx" => File/Directory not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{62C50065-6CCB-4D7A-B91C-C8302AF43A8E} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{62C50065-6CCB-4D7A-B91C-C8302AF43A8E} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{EEE6C360-6118-11DC-9C72-001320C79847} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{EEE6C360-6118-11DC-9C72-001320C79847} => Key not found.
"C:\Users\kicker\AppData\Local\Temp\*.exe" => File/Directory not found.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-03-06 03:31:35)<=

C:\Windows\system32\axwkt.euw => Is moved successfully.

==== End of Fixlog ====

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-03-2014 02
Ran by kicker (administrator) on DELL on 06-03-2014 03:54:52
Running from C:\Users\kicker\Desktop
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
(Wacom Technology, Corp.) C:\Program Files\WTouch\WTouchService.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
(Wacom Technology, Corp.) C:\Program Files\WTouch\WTouchUser.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Power Software Ltd) C:\Program Files\PowerISO\PWRISOVM.EXE
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Wacom Technology, Corp.) C:\Windows\system32\Pen_Tablet.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Valve Corporation) C:\Program Files\Steam\Steam.exe
(Spotify Ltd) C:\Users\kicker\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Wacom Technology, Corp.) C:\Windows\system32\WTablet\Pen_TabletUser.exe
(Wacom Technology, Corp.) C:\Windows\system32\Pen_Tablet.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [startCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2011-10-12] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [itype] - C:\Program Files\Microsoft IntelliType Pro\itype.exe [1313640 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [PWRISOVM.EXE] - C:\Program Files\PowerISO\PWRISOVM.EXE [337432 2013-01-27] (Power Software Ltd)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [OtShot] - C:\Program Files\OtShot\otshot.exe [4386816 2012-10-18] ()
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKLM\...\Run: [amd_dc_opt] - C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM\...\Run: [sDTray] - C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [steam] - C:\Program Files\Steam\Steam.exe [1821888 2014-02-25] (Valve Corporation)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [spotify Web Helper] - C:\Users\kicker\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1171968 2014-01-18] (Spotify Ltd)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [MobileAppSync] - "C:\Program Files\Mobile App Sync\D2MClient.exe"
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [ChicaPasswordManager] - "C:\Program Files\ChicaLogic\Chica Password Manager\stpass.exe" /autorunned
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [AIM for Windows] - "C:\Users\kicker\AppData\Local\AOL\AIM\aim.exe"
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [ooVoo.exe] - C:\Program Files\ooVoo\oovoo.exe [35253312 2013-09-10] (ooVoo LLC)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [20728480 2014-01-14] (Skype Technologies S.A.)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\Run: [spotify] - C:\Users\kicker\AppData\Roaming\Spotify\spotify.exe [6118400 2014-01-18] (Spotify Ltd)
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\MountPoints2: E - E:\INSTALL.EXE
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\MountPoints2: F - F:\setup\rsrc\Autorun.exe
HKU\S-1-5-21-3200350536-772790392-1799001443-1000\...\MountPoints2: {065abda8-7a62-11e2-a34a-001aa0ce7d23} - G:\LaunchU3.exe -a

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -  No File
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
SearchScopes: HKLM - DefaultScope {62C50065-6CCB-4D7A-B91C-C8302AF43A8E} URL =
SearchScopes: HKCU - {3DEAA2C5-C359-4924-AA56-C1B77AD75EFF} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.141\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\kicker\AppData\Roaming\Mozilla\Firefox\Profiles\izboc4h9.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: wacom.com/WacomTabletPlugin - C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll No File
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml

Chrome:
=======
CHR Extension: (Google Docs) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-19]
CHR Extension: (Google Drive) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-19]
CHR Extension: (uTorrentBar) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj [2013-07-19]
CHR Extension: (YouTube) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-19]
CHR Extension: (Google Search) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-19]
CHR Extension: (ADDICT-THING) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpiomcokmeokiifblckjbgpeehcccfce [2013-07-19]
CHR Extension: (iSnap - unofficial client for snapchat™) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkcinnjkbadjnadeikbfifiifppgebfo [2014-02-10]
CHR Extension: (AVG SafeGuard) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2013-07-19]
CHR Extension: (Chrome In-App Payments service) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-21]
CHR Extension: (Gmail) - C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-19]
CHR HKLM\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\kicker\AppData\Local\Temp\crxC997.tmp [2013-07-19]
CHR HKLM\...\Chrome\Extension: [cpiomcokmeokiifblckjbgpeehcccfce] - C:\ProgramData\ADDICT-THING\cpiomcokmeokiifblckjbgpeehcccfce.crx [2012-09-09]

========================== Services (Whitelisted) =================

S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [235696 2014-01-15] (McAfee, Inc.)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
R2 WTouchService; C:\Program Files\WTouch\WTouchService.exe [112936 2009-07-15] (Wacom Technology, Corp.)

==================== Drivers (Whitelisted) ====================

S3 A5AGU; C:\Windows\System32\DRIVERS\AGUx86.sys [905728 2008-08-07] (D-Link Corporation)
S3 AtiDCM; C:\AMD\Support\12-10_vista_win7_win8_32_dd_ccc_whql_net4\Bin\atidcmxx.sys [27432 2012-09-28] (Advanced Micro Devices, Inc.)
S3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv.sys [32000 2012-01-11] (ManyCam LLC)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2014-03-06] (Malwarebytes Corporation)
S3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv.sys [22400 2012-02-22] (ManyCam LLC)
R3 rt61x86; C:\Windows\System32\DRIVERS\WMP54Gv41x86.sys [376160 2010-04-07] (Ralink Technology, Corp.)
R1 SCDEmu; C:\Windows\system32\Drivers\SCDEmu.sys [113608 2013-01-27] (Power Software Ltd)
R3 WacomVTHid; C:\Windows\System32\DRIVERS\WacomVTHid.sys [13224 2009-05-20] (Wacom Technology)
S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-06 03:54 - 2014-03-06 03:54 - 00012780 _____ () C:\Users\kicker\Desktop\FRST.txt
2014-03-06 01:54 - 2014-03-06 01:54 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-03-05 21:48 - 2014-03-05 21:58 - 00000863 _____ () C:\Users\kicker\Desktop\Search.txt
2014-03-05 03:38 - 2014-01-15 23:03 - 01982464 _____ () C:\Users\kicker\Desktop\THUNDER.sai
2014-03-05 03:35 - 2014-03-05 03:35 - 00032803 _____ () C:\Users\kicker\Desktop\DxDiag.txt
2014-03-05 03:30 - 2014-03-06 01:52 - 03735552 _____ () C:\Users\kicker\Desktop\Krew.sai
2014-03-05 03:03 - 2014-03-05 03:03 - 01101824 _____ () C:\Users\kicker\Desktop\Bear.sai
2014-03-05 01:00 - 2014-03-05 01:22 - 00491520 _____ () C:\Users\kicker\Desktop\malerefbase.sai
2014-03-05 00:32 - 2014-03-05 00:32 - 00013507 _____ () C:\Users\kicker\Downloads\MemTest.zip
2014-03-04 22:11 - 2009-06-10 15:39 - 00000824 _____ () C:\Windows\system32\Drivers\etc\hosts.20140304-221111.backup
2014-03-04 21:43 - 2014-03-04 21:58 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-03-04 21:43 - 2014-03-04 21:44 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-03-04 21:43 - 2014-03-04 21:43 - 00002129 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-03-04 21:43 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2014-03-04 21:41 - 2014-03-04 21:42 - 40658208 _____ (Safer-Networking Ltd. ) C:\Users\kicker\Downloads\spybot-2.2.exe
2014-03-04 20:02 - 2014-03-04 20:03 - 00019470 _____ () C:\Users\kicker\Desktop\Addition.txt
2014-03-04 19:48 - 2014-03-06 03:36 - 00000000 ____D () C:\FRST
2014-03-04 19:44 - 2014-03-04 19:44 - 01145344 _____ (Farbar) C:\Users\kicker\Desktop\FRST.exe
2014-03-04 03:36 - 2014-03-05 01:22 - 02056192 _____ () C:\Users\kicker\Desktop\malebase chief.sai
2014-03-04 01:11 - 2014-03-04 01:11 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\kicker\Desktop\mbam-setup.exe
2014-03-04 00:28 - 2014-03-04 00:32 - 00024212 _____ () C:\Users\kicker\Desktop\Result.txt
2014-03-04 00:21 - 2014-03-04 00:22 - 00982016 _____ (Farbar) C:\Users\kicker\Desktop\MiniToolBox.exe
2014-03-03 23:35 - 2014-03-06 03:21 - 00000000 ____D () C:\Users\kicker\Desktop\PaintTool SAI English Pack
2014-02-20 13:31 - 2014-02-20 13:31 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-02-16 21:14 - 2014-02-22 04:29 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-10 10:34 - 2014-02-10 10:34 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-02-06 21:49 - 2014-02-06 21:49 - 00002685 _____ () C:\Users\kicker\Skype.lnk
2014-02-06 21:49 - 2014-02-06 21:49 - 00000000 ____D () C:\Users\kicker\AppData\Local\Skype
2014-02-06 21:49 - 2014-02-06 21:49 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-02-06 21:48 - 2014-02-06 21:48 - 01659552 _____ (Skype Technologies S.A.) C:\Users\kicker\Downloads\SkypeSetup(1).exe
2014-02-06 21:48 - 2014-02-06 21:48 - 00362029 _____ () C:\Users\kicker\Downloads\sqlite3.dll

==================== One Month Modified Files and Folders =======

2014-03-06 03:56 - 2014-03-06 03:54 - 00012780 _____ () C:\Users\kicker\Desktop\FRST.txt
2014-03-06 03:56 - 2011-11-12 22:43 - 00000000 ____D () C:\Program Files\Steam
2014-03-06 03:54 - 2012-11-08 21:48 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\Spotify
2014-03-06 03:54 - 2012-06-25 11:21 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\Skype
2014-03-06 03:51 - 2013-08-20 16:36 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\WTablet
2014-03-06 03:51 - 2013-07-19 15:29 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-06 03:51 - 2009-07-13 22:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-06 03:51 - 2009-07-13 22:39 - 00294461 _____ () C:\Windows\setupact.log
2014-03-06 03:50 - 2011-08-20 15:13 - 01387279 _____ () C:\Windows\WindowsUpdate.log
2014-03-06 03:42 - 2012-07-08 12:12 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-06 03:36 - 2014-03-04 19:48 - 00000000 ____D () C:\FRST
2014-03-06 03:36 - 2013-07-19 15:29 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-06 03:36 - 2009-07-13 22:34 - 00012816 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-06 03:36 - 2009-07-13 22:34 - 00012816 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-06 03:21 - 2014-03-03 23:35 - 00000000 ____D () C:\Users\kicker\Desktop\PaintTool SAI English Pack
2014-03-06 03:16 - 2013-08-22 00:01 - 00000000 ____D () C:\WTablet
2014-03-06 01:54 - 2014-03-06 01:54 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-03-06 01:52 - 2014-03-05 03:30 - 03735552 _____ () C:\Users\kicker\Desktop\Krew.sai
2014-03-05 21:58 - 2014-03-05 21:48 - 00000863 _____ () C:\Users\kicker\Desktop\Search.txt
2014-03-05 03:35 - 2014-03-05 03:35 - 00032803 _____ () C:\Users\kicker\Desktop\DxDiag.txt
2014-03-05 03:03 - 2014-03-05 03:03 - 01101824 _____ () C:\Users\kicker\Desktop\Bear.sai
2014-03-05 01:22 - 2014-03-05 01:00 - 00491520 _____ () C:\Users\kicker\Desktop\malerefbase.sai
2014-03-05 01:22 - 2014-03-04 03:36 - 02056192 _____ () C:\Users\kicker\Desktop\malebase chief.sai
2014-03-05 01:01 - 2012-11-08 21:49 - 00000000 ____D () C:\Users\kicker\AppData\Local\Spotify
2014-03-05 00:32 - 2014-03-05 00:32 - 00013507 _____ () C:\Users\kicker\Downloads\MemTest.zip
2014-03-04 21:58 - 2014-03-04 21:43 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-03-04 21:44 - 2014-03-04 21:43 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-03-04 21:43 - 2014-03-04 21:43 - 00002129 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-03-04 21:42 - 2014-03-04 21:41 - 40658208 _____ (Safer-Networking Ltd. ) C:\Users\kicker\Downloads\spybot-2.2.exe
2014-03-04 20:03 - 2014-03-04 20:02 - 00019470 _____ () C:\Users\kicker\Desktop\Addition.txt
2014-03-04 19:44 - 2014-03-04 19:44 - 01145344 _____ (Farbar) C:\Users\kicker\Desktop\FRST.exe
2014-03-04 02:50 - 2011-11-07 22:23 - 00116984 _____ () C:\Windows\PFRO.log
2014-03-04 02:50 - 2009-07-13 20:37 - 00000000 ____D () C:\Windows\L2Schemas
2014-03-04 02:48 - 2013-04-04 19:10 - 00000000 ____D () C:\Program Files\SweetIM
2014-03-04 01:17 - 2013-03-05 14:34 - 00001077 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-04 01:17 - 2011-11-07 22:35 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-03-04 01:11 - 2014-03-04 01:11 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\kicker\Desktop\mbam-setup.exe
2014-03-04 00:32 - 2014-03-04 00:28 - 00024212 _____ () C:\Users\kicker\Desktop\Result.txt
2014-03-04 00:22 - 2014-03-04 00:21 - 00982016 _____ (Farbar) C:\Users\kicker\Desktop\MiniToolBox.exe
2014-03-03 21:57 - 2013-08-26 19:41 - 00000000 __SHD () C:\Windows\system32\AI_RecycleBin
2014-03-03 01:20 - 2009-07-13 22:53 - 00032590 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-02-27 20:49 - 2013-11-28 16:41 - 00001985 _____ () C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2014-02-25 19:45 - 2011-11-13 13:53 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\uTorrent
2014-02-22 04:29 - 2014-02-16 21:14 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-21 01:40 - 2012-07-08 12:12 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-02-21 01:40 - 2011-08-20 15:50 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-02-20 13:31 - 2014-02-20 13:31 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-02-19 04:56 - 2012-12-23 01:50 - 00000000 ____D () C:\Users\kicker\AppData\Local\Firestorm
2014-02-19 01:10 - 2013-01-16 19:13 - 00000000 ____D () C:\Users\kicker\AppData\Local\join.me
2014-02-17 14:35 - 2014-01-30 23:11 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-02-10 13:37 - 2013-08-06 12:51 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\.minecraft
2014-02-10 10:34 - 2014-02-10 10:34 - 00000000 ____D () C:\Users\kicker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-02-10 09:04 - 2012-06-19 10:33 - 00000000 ____D () C:\Users\kicker\Downloads\Breathe_Carolina-Hell_Is_What_You_Make_It-2011-MTD
2014-02-06 23:53 - 2011-08-20 15:10 - 00000000 ____D () C:\Users\kicker
2014-02-06 21:49 - 2014-02-06 21:49 - 00002685 _____ () C:\Users\kicker\Skype.lnk
2014-02-06 21:49 - 2014-02-06 21:49 - 00000000 ____D () C:\Users\kicker\AppData\Local\Skype
2014-02-06 21:49 - 2014-02-06 21:49 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-02-06 21:49 - 2013-02-10 23:46 - 00000000 ___RD () C:\Program Files\Skype
2014-02-06 21:49 - 2012-06-25 11:21 - 00000000 ____D () C:\ProgramData\Skype
2014-02-06 21:48 - 2014-02-06 21:48 - 01659552 _____ (Skype Technologies S.A.) C:\Users\kicker\Downloads\SkypeSetup(1).exe
2014-02-06 21:48 - 2014-02-06 21:48 - 00362029 _____ () C:\Users\kicker\Downloads\sqlite3.dll

Files to move or delete:
====================
C:\Users\kicker\jagex_cl_loginapplet_LIVE.dat
C:\Users\kicker\jagex_cl_runescape_LIVE.dat
C:\Users\kicker\jagex_cl_runescape_LIVE1.dat
C:\Users\kicker\jagex_cl_runescape_LIVE2.dat
C:\Users\kicker\random.dat


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-02 17:28

==================== End Of Log ============================


Great, this worked well!

How is your computer running now? What problems and symptoms are still present?

Please download the ESET Online Scanner and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.

    Note: This scan might take a long time! Please be patient.

  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=95188bf0625674469483ffe51c0bc39c
# engine=17337
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-03-06 02:06:30
# local_time=2014-03-06 08:06:30 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776573 100 94 0 145659581 0 0
# scanned=229361
# found=28
# cleaned=0
# scan_time=11107
sh=22ACD828DFFE27574A6B4BAA99B22A50EB4C308F ft=1 fh=082b1540c3109155 vn="Win32/Patched.IB trojan" ac=I fn="C:\FRST\Quarantine\rpcss.dll06-03-2014_03-28-07"
sh=97BCCD25561F44E9B13F05F6EEF083C9CE9BA529 ft=1 fh=641f1fb3d2e699c4 vn="Win32/Toolbar.Conduit.Y potentially unwanted application" ac=I fn="C:\Program Files\Conduit\Community Alerts\Alert.dll"
sh=E50E99F550BFCC295304EBAD2152B657803E6484 ft=0 fh=0000000000000000 vn="JS/SaveValet.A potentially unwanted application" ac=I fn="C:\Program Files\SaveValet\savevalet@savevalet.com.xpi"
sh=FF64E6FBB30CDC57368C4D30A017E4E6BA83919A ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\ProgramData\ADDICT-THING\background.html"
sh=78BA07696A60ACD07C1725E92B8A9286C94AD87C ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\ProgramData\ADDICT-THING\cpiomcokmeokiifblckjbgpeehcccfce.crx"
sh=410B32FD3FE4642644AD91AC60C69B86EC2762DD ft=1 fh=0e378a435beab91a vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll"
sh=FF64E6FBB30CDC57368C4D30A017E4E6BA83919A ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\All Users\ADDICT-THING\background.html"
sh=78BA07696A60ACD07C1725E92B8A9286C94AD87C ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\All Users\ADDICT-THING\cpiomcokmeokiifblckjbgpeehcccfce.crx"
sh=410B32FD3FE4642644AD91AC60C69B86EC2762DD ft=1 fh=0e378a435beab91a vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Users\All Users\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll"
sh=9A700010C08F83074F464AB6F05B227095653B19 ft=1 fh=58fe006f738dd3d0 vn="Win32/OpenCandy potentially unsafe application" ac=I fn="C:\Users\kicker\.frostwire5\updates\frostwire-5.5.0.windows.exe"
sh=B1C5D9DC9A6493C66CD50B3767157CCFC4B4985E ft=1 fh=da713123607f778d vn="a variant of Win32/Toolbar.Conduit.AA potentially unwanted application" ac=I fn="C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj\10.23.0.822_0\TBHostSupport\TBHostSupport.dll"
sh=397D1DDCC8E38565E30D273A8F5687EFBF9C604C ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpiomcokmeokiifblckjbgpeehcccfce\1.0_0\bg.js"
sh=397D1DDCC8E38565E30D273A8F5687EFBF9C604C ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpiomcokmeokiifblckjbgpeehcccfce\1.0_1\bg.js"
sh=397D1DDCC8E38565E30D273A8F5687EFBF9C604C ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpiomcokmeokiifblckjbgpeehcccfce\1.0_2\bg.js"
sh=397D1DDCC8E38565E30D273A8F5687EFBF9C604C ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpiomcokmeokiifblckjbgpeehcccfce\1.0_3\bg.js"
sh=397D1DDCC8E38565E30D273A8F5687EFBF9C604C ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpiomcokmeokiifblckjbgpeehcccfce\1.0_4\bg.js"
sh=397D1DDCC8E38565E30D273A8F5687EFBF9C604C ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpiomcokmeokiifblckjbgpeehcccfce\1.0_5\bg.js"
sh=397D1DDCC8E38565E30D273A8F5687EFBF9C604C ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\kicker\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpiomcokmeokiifblckjbgpeehcccfce\1.0_6\bg.js"
sh=14DEA19C346BAA184CD96010C8788D02418D78AB ft=1 fh=2852b0fb4a5772c0 vn="a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application" ac=I fn="C:\Users\kicker\Documents\APNSetup.exe"
sh=B99AADB73D40203FC4F2A6103FEB32B9BBC1C26F ft=1 fh=60cc8d1add68196a vn="a variant of Win32/InstallCore.AG potentially unwanted application" ac=I fn="C:\Users\kicker\Downloads\ADLSoft_UnCompressor_v2_3.exe"
sh=9BC90AA27E966329447C6ECADC87AC65A92CE229 ft=1 fh=605cd1ef511c8c7d vn="a variant of Win32/OpenInstall potentially unwanted application" ac=I fn="C:\Users\kicker\Downloads\WinZip165.exe"
sh=48D41D10E99F0FB8DFAC3125160411B783F9FD1C ft=1 fh=07165feb93d764dd vn="a variant of Win32/OpenInstall potentially unwanted application" ac=I fn="C:\Users\kicker\Downloads\WinZip170.exe"
sh=B9FC6A687ACBCB3BE2907E3B3548AE5196486D7F ft=1 fh=b767c8fa0f301040 vn="a variant of Win32/OpenInstall potentially unwanted application" ac=I fn="C:\Users\kicker\Downloads\WinZip180.exe"
sh=DC3C29A963871A9FF0613FFEC4FC39AB04760924 ft=1 fh=aa8756f8c51680cf vn="a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application" ac=I fn="C:\Windows\Installer\MSIC12B.tmp"
sh=5D73F6014ED34892CBF6B7E360EFA927CFCC6B3F ft=1 fh=620342552f740257 vn="a variant of Win32/Injector.AZCW trojan" ac=I fn="C:\Windows\Temp\UpdateFlashPlayer_841caf7a.exe"
sh=845270DDCEAD7C68E4AEA2983C4D6ABA433BE3AB ft=1 fh=7e0971499500f5f1 vn="Win32/Spy.Zbot.ABP trojan" ac=I fn="C:\Windows\Temp\UpdateFlashPlayer_9b56fc82.exe"
sh=53006FA8D5BD24121F82FD2D1E4FBF9B9786AD65 ft=1 fh=de7aae64b102cf0c vn="a variant of Win32/Toolbar.Perion.G potentially unwanted application" ac=I fn="C:\Windows\Temp\INJ001\ExtensionUpdate.exe"
sh=ABC5C5AB7FC0BA47FE8E449E097746965A20DA2C ft=1 fh=e2dd001cd170d0be vn="a variant of Win32/OpenInstall potentially unwanted application" ac=I fn="E:\Ixxy\WinZip170(1).exe"
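The ESET log above carries one `sh=... vn="..." fn="..."` record per detection. The triage script below is an added example, not part of this thread or of ESET's tooling: it parses that format and separates hits that already sit in a quarantine folder, or are only unwanted applications, from malware still live on disk. The sample excerpt is constructed from a shortened header plus four records quoted above.

```python
"""Triage an ESET Online Scanner log ('# key=value' header, then one record per hit).
Added example for this thread, not ESET's or the helper's tooling; sample is constructed."""
import re
from collections import Counter

# Constructed excerpt: two header keys plus four records quoted in the thread.
SAMPLE_LOG = r"""# remove_checked=false
# found=4
sh=22ACD828DFFE27574A6B4BAA99B22A50EB4C308F ft=1 fh=082b1540c3109155 vn="Win32/Patched.IB trojan" ac=I fn="C:\FRST\Quarantine\rpcss.dll06-03-2014_03-28-07"
sh=845270DDCEAD7C68E4AEA2983C4D6ABA433BE3AB ft=1 fh=7e0971499500f5f1 vn="Win32/Spy.Zbot.ABP trojan" ac=I fn="C:\Windows\Temp\UpdateFlashPlayer_9b56fc82.exe"
sh=97BCCD25561F44E9B13F05F6EEF083C9CE9BA529 ft=1 fh=641f1fb3d2e699c4 vn="Win32/Toolbar.Conduit.Y potentially unwanted application" ac=I fn="C:\Program Files\Conduit\Community Alerts\Alert.dll"
sh=14DEA19C346BAA184CD96010C8788D02418D78AB ft=1 fh=2852b0fb4a5772c0 vn="a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application" ac=I fn="C:\Users\kicker\Documents\APNSetup.exe"
"""

RECORD = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>[0-9a-f]{16}) '
    r'vn="(?P<name>[^"]*)" ac=(?P<ac>\S+) fn="(?P<path>[^"]*)"$')

def severity(name):
    """Bucket the detection name: real malware vs. unwanted/unsafe apps."""
    n = name.lower()
    if any(k in n for k in ("trojan", "worm", "backdoor", "virus")):
        return "malware"
    return "pua" if ("potentially un" in n or "adware" in n) else "other"

def location(path):
    """Where a hit sits decides whether it is live or a harmless remnant."""
    p = path.lower()
    if "\\quarantine\\" in p:      # e.g. C:\FRST\Quarantine, already neutralised
        return "quarantined"
    if "\\windows\\temp\\" in p or "\\appdata\\local\\temp\\" in p:
        return "temp"
    return "download" if "\\downloads\\" in p else "on_disk"

def parse_eset_log(text):
    """Return (header dict, detection dicts); lines of any other shape are skipped."""
    header, detections = {}, []
    for line in text.splitlines():
        m = RECORD.match(line)
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
        elif m:
            rec = m.groupdict()
            rec["severity"] = severity(rec["name"])
            rec["location"] = location(rec["path"])
            detections.append(rec)
    return header, detections

def active_malware(detections):
    """Malware-class hits not already sitting in a quarantine folder."""
    return [d for d in detections
            if d["severity"] == "malware" and d["location"] != "quarantined"]

def summarize(header, detections):
    """Counts per (severity, location) plus a check that '# found=' matches."""
    counts = Counter((d["severity"], d["location"]) for d in detections)
    return counts, header.get("found") == str(len(detections))

if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    counts, consistent = summarize(hdr, dets)
    print("header count consistent:", consistent, dict(counts))
    print("active:", [d["path"] for d in active_malware(dets)])
```

On the sample, the quarantined rpcss.dll drops out and only the Zbot dropper in C:\Windows\Temp is reported as active; on a full log the same view is what a helper scans first.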

This looks good! No more active malware has been found.
Let's remove some of these remnants and then we're done.


Please download this attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • I don't need the log.


That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.


Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:


  • Adobe Reader X (10.1.4)
  • Java 7 Update 25
  • Java™ 6 Update 32
  • Internet Explorer Version 9

Tips

I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
