Glad to hear that you were able to run the tool on one of the laptops.
My suspicions were correct.
The FRST log you posted indicates we are dealing with ZeroAccess, a TDL4 infection, as well as a few other things.
ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software, resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:
Special thanks to quietman7 for providing the above information.
NEXT: One or more of the identified infections is a backdoor trojan and password stealer.
This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
I highly suggest you take a look at the two links provided below:
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.
NEXT: Running FRST Fix
Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.
HKLM\...\Run:  [x]
HKLM\...\Run: [PC MightyMax 2011 Tray Icon] "C:\Program Files (x86)\PC MightyMax 2011\TrayIcon.exe" [122368 2011-04-08] ()
HKLM\...\Run: [wmuine] rundll32.exe "C:\windows\TEMP\wmuine.dll",CreateRenderToEnvMap [x]
HKLM\...\Run: [octsra] rundll32.exe "C:\windows\TEMP\octsra.dll",BAOCloseFile [x]
HKLM-x32\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwsoemon.exe [32849 2011-04-13] (MyWebSearch.com)
HKLM-x32\...\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~2\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w /h [x]
HKLM-x32\...\Run:  [x]
HKLM-x32\...\Run: [iBryte browseforchange Desktop] C:\Program Files (x86)\iBryte\browseforchange\ibrytedesktop.exe [163840 2011-12-23] (iBryte)
HKLM-x32\...\Run: [iBryte playbryte Desktop] C:\Program Files (x86)\iBryte\playbryte\ibrytedesktop.exe [163840 2011-12-23] (iBryte)
HKLM-x32\...\Run: [configremote] C:\ProgramData\configremote.exe [x]
HKLM-x32\...\Run: [krnlhtml] C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe [x]
HKLM-x32\...\Run: [dplaysvr] %LOCALAPPDATA%\dplaysvr.exe [x]
HKU\Haley\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwsoemon.exe [32849 2011-04-13] (MyWebSearch.com)
HKU\Haley\...\Run: [configremote] C:\ProgramData\configremote.exe [x]
HKU\Haley\...\Run: [krnlhtml] C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe [x]
HKU\Haley\...\Run: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe [x]
HKU\Haley\...\Run: [Internet Security] C:\ProgramData\isecurity.exe [x]
HKU\Haley\...\CurrentVersion\Windows: [Load] C:\Users\Haley\LOCALS~1\Temp\mssaensm.scr
HKLM\...\Policies\Explorer\Run:  C:\PROGRA~3\LOCALS~1\Temp\msaquvw.bat
HKLM\...\.exe: l??? <===== ATTENTION!
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
TDL4: custom:26000022 <===== ATTENTION!
end
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
In Windows 7: Now please enter System Recovery Options.
and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
NEXT:
We need to remove a program. To do this please do the following:
- Click Start
- Go to Control Panel
- Double click on Programs and Features
- Find and click the Uninstall button to uninstall the following (if present):
- PC MightyMax 2011
NEXT: Scanning with GMER
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Download GMER Rootkit Scanner
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
- If you encounter any problems, try running GMER in safe mode.
- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
NEXT: Re-Running OTL
We need to create a New FULL OTL Report.
NEXT: Please make sure you include the following items in your next post:
1. Any comments or questions you may have that you'd like for me to answer in my next post to you. It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
2. FRST fixlog.txt
3. GMER.txt log
4. OTL.txt & Extras.txt log files.
5. An update on how your computer is currently running.
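As an added example (not part of the post above, and not code from the FRST tool), here is a small Python triage helper that parses autorun lines in the format FRST reports them and flags the traits that made the entries in this fixlist stand out: a file that is no longer on disk ([x]), a DLL loaded through rundll32, a launch path under Temp/AppData/ProgramData, no publisher name, or FRST's own ATTENTION! marker. The flag names, the SUSPECT_DIRS list and the sample log are my own constructions; the heuristics are a starting point for review, not a verdict.

```python
import re

# Constructed sample in the format FRST uses for autorun entries; the lines
# mirror entries from the fixlist in the post above.
SAMPLE_LOG = r"""HKLM\...\Run: [PC MightyMax 2011 Tray Icon] "C:\Program Files (x86)\PC MightyMax 2011\TrayIcon.exe" [122368 2011-04-08] ()
HKLM\...\Run: [wmuine] rundll32.exe "C:\windows\TEMP\wmuine.dll",CreateRenderToEnvMap [x]
HKLM-x32\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwsoemon.exe [32849 2011-04-13] (MyWebSearch.com)
HKU\Haley\...\Run: [configremote] C:\ProgramData\configremote.exe [x]
HKU\Haley\...\CurrentVersion\Windows: [Load] C:\Users\Haley\LOCALS~1\Temp\mssaensm.scr
HKLM\...\.exe: l??? <===== ATTENTION!
"""

# key: [name] command [size date | x] (publisher) -- the trailing parts are optional.
ENTRY_RE = re.compile(r'^(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)'
                      r'\s*(?:\[(?P<meta>[^\[\]]*)\])?\s*(?:\((?P<pub>[^()]*)\))?\s*$')
# Directories a legitimate autorun should almost never launch from (my own list).
SUSPECT_DIRS = ('\\temp\\', '\\appdata\\', '\\programdata\\', 'locals~1')

def target_path(cmd):
    """Best-effort extraction of the file the command launches (quoted path or first token)."""
    m = re.search(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split()[0]

def triage_entry(line):
    """Parse one FRST autorun line; return it with triage flags, or None if it is not an entry."""
    flags = ['frst-attention'] if 'ATTENTION!' in line else []  # FRST's own marker
    m = ENTRY_RE.match(line)
    if not m:
        return {'line': line, 'flags': flags} if flags else None
    e = m.groupdict()
    path = target_path(e['cmd'])
    if e['meta'] == 'x':                                # [x]: file no longer on disk
        flags.append('file-missing')
    if e['cmd'].lower().startswith('rundll32'):         # DLL started through rundll32
        flags.append('rundll32-loader')
    if any(d in path.lower() for d in SUSPECT_DIRS):   # runs from Temp/AppData/ProgramData
        flags.append('suspect-location')
    if e['pub'] == '':                                  # FRST printed "()": no company name
        flags.append('no-publisher')
    return {'key': e['key'], 'name': e['name'], 'path': path, 'flags': flags}

def triage_log(text):
    """Triage every parseable autorun line in an FRST log excerpt."""
    return [r for r in (triage_entry(l.strip()) for l in text.splitlines()) if r]

def flagged(text):
    """Entries carrying at least one flag: the ones to review before writing a fixlist."""
    return [r for r in triage_log(text) if r['flags']]
```

On the sample, the MyWebSearch entry carries no flag even though the post removes it, which is exactly why such a script only narrows the review and does not replace reading the whole log.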