I have recently experienced a loss of some icons in the notification area of my Task Bar. (Eset and Catalyst Control)
Also have some weird things going on with my two Disk Drives opening and being asked to supply an install disk for PhotoImpact against an unrelated action.
I re-installed the Eset and CCC programs to see if they would autostart in the Task Bar, but this didn't work.
The programs appeared to be running in services, and would appear in the Notification area of Task Bar if I manually started them, but would not automatically appear on a restart.
I ran a complete ESET custom scan on the C: drive and it found a potentially unwanted application: IOBIT Toolbar items (4) in asc7-setup.exe, which was in my downloads folder (a program I had uninstalled a long time ago), but that was it.
I ran Malwarebytes mbar and it identified the following:
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} (Trojan.Poweliks.B) -> Delete on reboot.
mbar also displayed the following action in the syslog:
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
File C:\WINDOWS\SYSTEM32\drivers\BazisVirtualCD.sys --> [Forged file]
File C:\WINDOWS\SYSTEM32\drivers\BazisVirtualCD.sys will be destroyed
Done!
(I know it is requested that CD Emulation software be disabled before running GMER, but I am not sure how/if the BazisVirtualCD.sys can be disabled.)
(I have attached a snapshot of where/what a search on the .sys file resulted in.)
After a restart I also ran ESETPoweliksCleaner and it indicated Threat Not Found, so mbar must have done an adequate job of the initial removal.
I have run the ESETPoweliksCleaner utility again a few days later, after some minimal computer use/surfing, and still no threat was found.
I have tried to get some information about what this particular Trojan could have done on my PC since I am not sure how long I have had it, and also if my Antivirus/Firewall would have most likely prevented any additional progress the Trojan could have made.
I figured it might not be a bad idea to also inquire as to what I should do (if anything) to check to see if there might be any other utilities I should run for safe measure since this is the computer I use for personal banking.
Thanks in advance for your suggestions.
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16609 BrowserJavaVersion: 11.31.2
Run by RCL at 15:39:49 on 2015-02-22
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3053.1547 [GMT -5:00]
.
AV: ESET Smart Security 8.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: ESET Smart Security 8.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
FW: ESET Personal firewall *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5636E
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_31\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_31\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\rcl\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\users\rcl\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\oemreset.lnk - c:\windows\options\OemReset.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:227
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:3
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://gis.pinellascounty.org/ActiveX/ver6.5/mgaxctrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{961F8D49-B2E8-49C7-B6A1-8FEFF9B20338} : NameServer = 216.106.184.6,64.105.202.138
TCP: Interfaces\{961F8D49-B2E8-49C7-B6A1-8FEFF9B20338} : DHCPNameServer = 65.32.5.111 65.32.5.112
Handler: sacore - <Clsid value has no data>
Notify: igfxcui - igfxdev.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\40.0.2214.115\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rcl\appdata\roaming\mozilla\firefox\profiles\s4j9n00x.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.26.9\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre1.8.0_31\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre1.8.0_31\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\users\rcl\appdata\local\google\update\1.3.26.9\npGoogleUpdate3.dll
FF - plugin: c:\users\rcl\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\rcl\appdata\roaming\mozilla\plugins\npo1d.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1211151.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_16_0_0_305.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2014-9-18 51288]
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2014-8-18 191928]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2014-8-18 135296]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\drivers\EpfwLWF.sys [2014-8-18 37928]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2013-12-6 209408]
R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2014-9-3 216576]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2014-10-1 1349576]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-3 21504]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2013-7-5 75264]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
R3 Salmosa03;Razer Salmosa USB Filter Driver;c:\windows\system32\drivers\Salmosa.sys [2013-9-14 9344]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2014-10-14 161288]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2014-4-11 772296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 gupdate1ca0252f69b7019;Google Update Service (gupdate1ca0252f69b7019);c:\program files\google\update\GoogleUpdate.exe [2009-7-11 107912]
S3 BazisVirtualCD;Virtual CD driver;c:\windows\system32\drivers\BazisVirtualCD.sys [2009-5-25 53248]
S3 Chroma;Chroma;c:\windows\system32\drivers\Chroma.sys [2007-3-6 44344]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2015-2-20 15968]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2015-2-20 10208]
S3 i1;i1 Pro;c:\windows\system32\drivers\i1.sys [2003-11-27 26045]
S3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2008-6-25 5504]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;c:\program files\sony\sound organizer\sony.earth\PACSPTISVR.exe [2012-11-8 174176]
S3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus.sys [2009-5-25 55808]
.
=============== File Associations ===============
.
FileExt: .ini: inifile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2015-02-21 17:46:59 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-02-21 17:45:35 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-02-21 17:45:35 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2015-02-20 05:46:29 88160 ----a-w- c:\windows\system32\setupempdrv03.exe
2015-02-20 05:46:29 2502240 ----a-w- c:\windows\system32\BootMan.exe
2015-02-20 05:46:29 21088 ----a-w- c:\windows\system32\EuEpmGdi.dll
2015-02-20 05:46:29 15968 ----a-w- c:\windows\system32\epmntdrv.sys
2015-02-20 05:46:29 10208 ----a-w- c:\windows\system32\EuGdiDrv.sys
2015-02-20 05:38:26 1810944 ----a-w- c:\windows\system32\jscript9.dll
2015-02-12 13:09:03 564224 ----a-w- c:\windows\system32\oleaut32.dll
2015-02-12 13:08:57 2063360 ----a-w- c:\windows\system32\win32k.sys
2015-02-12 13:08:47 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2015-01-27 13:41:09 73816 ----a-w- c:\program files\mozilla firefox\wow_helper.exe
2015-01-27 01:25:03 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M ====================
.
2015-02-06 13:08:10 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-02-06 13:08:10 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-01-23 11:41:36 875472 ----a-w- c:\windows\system32\msvcr110.dll
2015-01-23 11:41:36 535008 ----a-w- c:\windows\system32\msvcp110.dll
2015-01-15 04:13:11 440760 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2015-01-14 01:49:16 367104 ----a-w- c:\windows\system32\html.iec
2015-01-14 01:42:51 1129472 ----a-w- c:\windows\system32\wininet.dll
2015-01-14 01:42:31 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2015-01-14 01:41:28 421376 ----a-w- c:\windows\system32\vbscript.dll
2015-01-14 01:41:09 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2015-01-14 01:40:35 11776 ----a-w- c:\windows\system32\mshta.exe
2015-01-14 01:40:33 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-12-19 00:25:17 115200 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2014-12-08 01:59:34 306176 ----a-w- c:\windows\system32\scesrv.dll
2014-12-06 03:14:51 153600 ----a-w- c:\windows\system32\profsvc.dll
2014-12-06 03:14:36 48640 ----a-w- c:\windows\system32\nlaapi.dll
2014-12-06 03:14:36 174080 ----a-w- c:\windows\system32\nlasvc.dll
2014-12-06 03:14:34 93184 ----a-w- c:\windows\system32\ncsi.dll
2014-12-03 02:06:01 278528 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 15:40:22.71 ===============