I think I might have ZeroAccess rootkit


  • This topic is locked
31 replies to this topic

#1 tangycandy

tangycandy

  • Members
  • 19 posts
  • Gender:Male

Posted 01 June 2013 - 04:12 PM

Hello,

 

I am new here, and created an account because I need help with my computer. I'm not a computer expert, so please bear with me!

I have Windows 7 and use Internet explorer 9. (Feel free to go to the * to skip the back story)

 

Since February of this year, I have been getting fake virus scan malware on 3 or 4 occasions. The first time, I had no protection on my PC, but afterwards had installed Avira and later on MalwareBytes (the free version). I got another fake antivirus pop up, and by then my mother called Bell and they installed an antivirus/firewall/etc. as part of their internet security suite, removing Avira and MalwareBytes in the process. I believe the program they were using was Kaspersky, though I am not 100% sure.

This new program did not help my situation since some time later, another fake antivirus under a different name came up. That time, I reinstalled MalwareBytes on Safe Mode and ran TDSSKiller (which I had on my computer since Avira) and found no problem with it and my new antivirus.

 

For a while, I had no serious problems, just a couple of cookies here and there.

 

Last month, there was a pop-up from my Firewall that said that a program called InstallFlashPlayer.exe that was not signed, had no name, etc. was trying to access the internet. I tried to block it, but the pop-up came back just as soon as I clicked the red x.

I restarted my computer on Safe Mode and by then, I knew the drill. MB found 2 viruses, and I removed them, restarted on normal, and everything seemed to be going fine.

 

**Yesterday, I had to change my antivirus program because Bell was switching to McAfee and the old one would no longer work by the 31st of May.

Today, I realized that there was yet again another fake antivirus called Internet Security Pro. I scanned my computer with MB, it found two viruses once again, but for some reason McAfee's real time protection keeps turning off when I try to enable it.

I saw that the icon of the fake antivirus was still there (I was still in Safe Mode after the MB scan), and after finding its location in AppData/Roaming, realized it was still installed. I deleted both the file and the desktop icon, but I still wasn't convinced it was completely gone.

 

I've spent the last 3 hours online trying to find a solution and finally did an Rkill scan. In the log, I saw that ZeroAccess rootkit symptoms were found, and that a lot of my Windows services (including Windows Firewall) were either missing or not running.

I've tried scanning with MB, McAfee and others, but they can't find any problems. McAfee itself has some problems with its services that cannot be resolved, and Windows has found problems with updates but no solution.

 

I would really appreciate help on trying to get rid of this rootkit, and some tips on avoiding it in the future.

 

I'll attach the DDS and Rkill logs as well as a screenshot of the InstallFlashPlayer pop-up I received earlier (it's in French).

 

Thank you


Edited by tangycandy, 01 June 2013 - 04:14 PM.



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 01 June 2013 - 05:16 PM

Hello tangycandy,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
      
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
      
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

      
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

 

 

Do you have a USB Flash Drive you can use?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 tangycandy

tangycandy
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 01 June 2013 - 05:44 PM

Yes, I do have a USB



#4 tangycandy

tangycandy
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 01 June 2013 - 05:52 PM

Also, an update: McAfee's real time protection worked when I went back to normal mode, and I saw in the Quarantine that of the 5 viruses quarantined, there were 3 with the name ZeroAccess in it. I've deleted those files, but I'm still not sure everything's okay.

McAfee's firewall, however, doesn't work.



#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 01 June 2013 - 05:56 PM


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64)  and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


 




#6 tangycandy

tangycandy
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 01 June 2013 - 06:09 PM

I just have a question: will the System recovery delete documents and files (pictures, word docs, etc.)?

Also, I only have one computer at the moment. Can I save Farbar recovery scan tool directly to the computer?



#7 tangycandy

tangycandy
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 01 June 2013 - 06:34 PM

I was following the steps all the way to "In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter" but instead of the tool running, it said: "The subsystem needed for the image type is not present".

 

I saved Farbar on a USB that was plugged into the infected computer.



#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 01 June 2013 - 09:37 PM

The letter  "e" is supposed to be changed to what ever letter your usb drive is.




#9 tangycandy

tangycandy
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 01 June 2013 - 10:02 PM

The drive in this case was e:



#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 01 June 2013 - 10:07 PM

So your actual drive letter where your usb is plugged in is 'E'?




#11 tangycandy

tangycandy
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 02 June 2013 - 12:31 PM

yes



#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 02 June 2013 - 01:41 PM

Please download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Edited by fireman4it, 02 June 2013 - 01:43 PM.

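What a malware-response helper looks for first in the FRST.txt log requested above can be automated as a first pass. The Python below is an added example, not FRST's own logic and not anything posted in this thread. It parses lines in the layout FRST uses for its Registry (Run keys) and Services/Drivers sections (value name in brackets, target path, size and date in brackets, signer in parentheses, or "[x]" where the referenced file is not found) and flags the usual warning signs: an autorun whose file is gone, a target under a user-writable profile directory, a service binary with no signer/company string, an empty value name, and a consonant-only value name. The sample lines are constructed for the example in that layout; the flag names, the directory list and the name heuristic are my assumptions, and a flag is a reason to look, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the layout FRST.txt uses for its Registry
# (Run keys) and Services/Drivers sections. "[x]" marks a referenced file
# that FRST could not find; "( )" or "()" means no signer/company string.
SAMPLE_LOG = r"""
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] [x]
HKU\Candide\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-24] (Google Inc.)
HKU\Candide\...\Run: [lzqw] "C:\Users\Candide\AppData\Roaming\Microsoft\Uklyou\uklyou.exe" [x]
HKU\Candide\...\Run: [Internet Security] C:\Users\Candide\AppData\Roaming\indefender.exe [x]
S2 dlea_device; C:\windows\system32\dleacoms.exe [1052328 2010-05-21] ( )
S3 PCTBD; System32\Drivers\PCTBD64.sys [x]
"""

RUN_RE = re.compile(r'^(?P<hive>HK.*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<rest>.*)$')
SVC_RE = re.compile(r'^(?P<start>[SR]\d) (?P<name>[^;]+); ?(?P<rest>.*)$')
QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]*)"')
BARE_PATH_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|sys|com|cpl))(?=\s|$)', re.IGNORECASE)
SIGNER_RE = re.compile(r'\((?P<signer>[^()]*)\)\s*$')

# Directories an unprivileged user can write to; autoruns for system software
# rarely live here (heuristic list assumed for this example).
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\')


@dataclass
class Finding:
    kind: str            # "run" (Run key value) or "service" (service/driver)
    name: str
    path: str
    signer: str
    missing: bool
    flags: list = field(default_factory=list)


def parse_target(rest: str):
    """Split the part after the value name into (path, file_missing, signer)."""
    missing = rest.rstrip().endswith('[x]')
    m = QUOTED_PATH_RE.match(rest) or BARE_PATH_RE.match(rest)
    path = m.group('path') if m else ''
    sm = SIGNER_RE.search(rest)
    signer = sm.group('signer').strip() if sm else ''
    return path, missing, signer


def flag_entry(name: str, path: str, missing: bool, signer: str) -> list:
    """Return the warning signs for one entry; an empty list means nothing odd."""
    flags = []
    if not name.strip():
        flags.append('EMPTY_NAME')          # value with no name at all
    if missing:
        flags.append('MISSING_FILE')        # autorun points at a deleted/hidden file
    elif not signer:
        flags.append('NO_SIGNER')           # binary carries no company/signer string
    if any(seg in path.lower() for seg in USER_WRITABLE):
        flags.append('USER_WRITABLE_PATH')  # runs from a profile/temp directory
    if re.fullmatch(r'[a-z]{4,}', name) and not re.search(r'[aeiou]', name):
        flags.append('RANDOM_NAME')         # consonant-only value name, e.g. "lzqw"
    return flags


def triage(log_text: str) -> list:
    """Parse every Run/service/driver line into a Finding with its flags."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m, kind = RUN_RE.match(line), 'run'
        if not m:
            m, kind = SVC_RE.match(line), 'service'
        if not m:
            continue
        name = m.group('name')
        path, missing, signer = parse_target(m.group('rest'))
        findings.append(Finding(kind, name, path, signer, missing,
                                flag_entry(name, path, missing, signer)))
    return findings


def suspicious(log_text: str) -> list:
    """Only the entries that raised at least one flag, most flags first."""
    return sorted((f for f in triage(log_text) if f.flags),
                  key=lambda f: -len(f.flags))


if __name__ == '__main__':
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.kind:7} [{f.name or '<empty>'}] {f.path or '<no path>'} -> {', '.join(f.flags)}")
```

Note the MISSING_FILE case: deleting a dropper by hand, as the poster did with the file in AppData\Roaming, leaves the Run value behind, and that orphaned entry still tells you where the sample lived and which value name it used. Treat "file not found" as a lead to follow, not as evidence the machine is clean; the cleanup step is what removes the value.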


#13 tangycandy

tangycandy
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 08 June 2013 - 09:54 AM

Sorry for the wait.

 

So I've been trying to download Farbar, but the SmartScreen Filter won't let me use it and is prompting me to delete it because it may harm my computer.



#14 tangycandy

tangycandy
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 08 June 2013 - 10:21 AM

Here's the log (It didn't make an Addition.txt log even though I ticked that box before the scan):

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-06-2013

Ran by SYSTEM on 08-06-2013 13:15:10

Running from E:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [609144 2011-04-12] (Alps Electric Co., Ltd.)

HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)

HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-07-27] (Intel® Corporation)

HKLM\...\Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10365952 2011-05-19] (Intel Corporation)

HKLM\...\Run: [dleamon.exe] "C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe" [770728 2011-01-23] ()

HKLM\...\Run: [EzPrint] "C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe" [139944 2011-01-23] ()

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)

HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [503942 2011-04-13] (Creative Technology Ltd)

HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-06] (Intel Corporation)

HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)

HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()

HKLM-x32\...\Run: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe 900 [67496 2012-08-21] ()

HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [37960 2013-05-10] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-12-08] (Apple Inc.)

HKLM-x32\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [3521424 2012-04-04] (Samsung Electronics Co., Ltd.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [417792 2009-11-10] (Apple Inc.)

HKLM-x32\...\Run: [ConnectionManager] C:\Program Files (x86)\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe [x]

HKLM-x32\...\Run: [mcpltui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [454600 2013-02-28] (McAfee, Inc.)

HKU\Candide\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-24] (Google Inc.)

HKU\Candide\...\Run: [lzqw] "C:\Users\Candide\AppData\Roaming\Microsoft\Uklyou\uklyou.exe" [x]

HKU\Candide\...\Run: [RESTART_STICKY_NOTES] C:\WINDOWS\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)

HKU\Candide\...\Run: [Internet Security] C:\Users\Candide\AppData\Roaming\indefender.exe [x]

==================== Services (Whitelisted) =================

S2 Browser Defender Update Service; C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [575416 2012-05-08] (Threat Expert Ltd.)

S2 dleaCATSCustConnectService; C:\windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [45224 2010-05-21] ()

S2 dlea_device; C:\windows\system32\dleacoms.exe [1052328 2010-05-21] ( )

S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)

S2 McAfee SiteAdvisor Service; c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [103472 2012-12-04] (McAfee, Inc.)

S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)

S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)

S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [388680 2013-03-01] (McAfee, Inc.)

S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)

S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)

S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1017016 2013-02-28] (McAfee, Inc.)

S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-04-03] (McAfee, Inc.)

S2 mfevtp; C:\windows\system32\mfevtps.exe [182752 2013-04-03] (McAfee, Inc.)

S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)

S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-07-27] ()

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-04-03] (McAfee, Inc.)

S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197264 2012-05-28] (McAfee, Inc.)

S3 mfeapfk; C:\Windows\system32\drivers\mfeapfk.sys [179664 2013-04-03] (McAfee, Inc.)

S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309968 2013-04-03] (McAfee, Inc.)

S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [516608 2013-04-03] (McAfee, Inc.)

S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [772944 2013-04-03] (McAfee, Inc.)

S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [337120 2013-02-18] (McAfee, Inc.)

S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [95856 2013-02-18] (McAfee, Inc.)

S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [342416 2013-04-03] (McAfee, Inc.)

S3 PCTBD; System32\Drivers\PCTBD64.sys [x]

==================== NetSvcs (Whitelisted) ===================

 

==================== One Month Created Files and Folders ========

2013-06-08 12:05 - 2013-06-08 12:05 - 00000000 ____D C:\FRST

2013-06-08 09:48 - 2013-06-08 09:52 - 00003792 ____A C:\Users\Candide\Desktop\Rkill.txt

2013-06-06 17:20 - 2013-06-06 21:45 - 00000000 ____D C:\Users\Candide\My Documents\Exchange

2013-06-06 17:20 - 2013-06-06 21:45 - 00000000 ____D C:\Users\Candide\Documents\Exchange

2013-06-01 16:54 - 2013-06-01 16:55 - 00000288 ____A C:\Users\Candide\Desktop\RootkitRemover20130601175451.txt

2013-06-01 16:26 - 2013-06-01 16:26 - 00000000 ____D C:\Users\Candide\Application Data\Creative

2013-06-01 16:26 - 2013-06-01 16:26 - 00000000 ____D C:\Users\Candide\AppData\Roaming\Creative

2013-06-01 15:37 - 2013-06-01 15:37 - 00000193 ____A C:\Windows\WORDPAD.INI

2013-06-01 14:29 - 2013-06-01 14:29 - 00000000 ____D C:\Users\Candide\Application Data\McAfee

2013-06-01 14:29 - 2013-06-01 14:29 - 00000000 ____D C:\Users\Candide\AppData\Roaming\McAfee

2013-06-01 13:58 - 2013-06-01 13:58 - 01804416 ____A (Bleeping Computer, LLC) C:\Users\Candide\Downloads\rkill (1).com

2013-05-31 14:19 - 2013-06-08 07:08 - 00001846 ____A C:\Users\Public\Desktop\McAfee Internet Security.lnk

2013-05-31 14:19 - 2013-06-08 07:08 - 00001846 ____A C:\ProgramData\Desktop\McAfee Internet Security.lnk

2013-05-31 14:13 - 2013-05-31 14:13 - 00000000 ____D C:\Program Files (x86)\McAfee.com

2013-05-31 14:13 - 2013-04-03 12:34 - 00182752 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe

2013-05-31 14:13 - 2012-05-28 09:28 - 00197264 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys

2013-05-31 14:12 - 2013-06-08 06:17 - 00000000 ____D C:\Program Files (x86)\McAfee

2013-05-31 14:12 - 2013-05-31 14:13 - 00000000 ____D C:\Program Files\McAfee

2013-05-31 14:12 - 2013-05-31 14:12 - 00000000 ____D C:\Program Files\McAfee.com

2013-05-31 06:30 - 2013-05-31 14:13 - 00000000 ____D C:\Program Files\Common Files\McAfee

2013-05-28 19:34 - 2013-05-28 19:35 - 00262144 ____A C:\Windows\Minidump\052813-20046-01.dmp

2013-05-26 14:21 - 2013-05-26 14:21 - 00000054 ____A C:\Users\Candide\Application Data\mbam.context.scan

2013-05-26 14:21 - 2013-05-26 14:21 - 00000054 ____A C:\Users\Candide\AppData\Roaming\mbam.context.scan

2013-05-24 22:02 - 2013-05-24 22:02 - 00262144 ____A C:\Windows\Minidump\052413-26239-01.dmp

2013-05-23 17:42 - 2013-05-23 17:42 - 00000000 ____D C:\Program Files\My Dell

2013-05-20 13:15 - 2013-05-20 13:15 - 00000000 __SHD C:\found.002

2013-05-19 08:12 - 2013-05-19 08:12 - 00015281 ____A C:\Users\Candide\Desktop\Ville de Gatineau.htm

2013-05-19 08:12 - 2013-05-19 08:12 - 00000000 ____D C:\Users\Candide\Desktop\Ville de Gatineau_files

2013-05-15 21:39 - 2013-05-05 16:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 21:39 - 2013-05-05 16:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 21:39 - 2013-05-05 14:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-15 21:39 - 2013-05-05 14:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-15 21:38 - 2013-04-04 20:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 21:38 - 2013-04-04 20:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 21:38 - 2013-04-04 20:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 21:38 - 2013-04-04 20:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 21:38 - 2013-04-04 19:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-05-15 21:38 - 2013-04-04 19:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-05-15 21:38 - 2013-04-04 19:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 21:38 - 2013-04-04 19:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-05-15 21:38 - 2013-04-04 19:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 21:38 - 2013-04-04 19:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-05-15 21:38 - 2013-04-04 19:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 21:38 - 2013-04-04 19:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 21:38 - 2013-04-04 19:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-05-15 21:38 - 2013-04-04 19:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 21:38 - 2013-04-04 17:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-15 21:38 - 2013-04-04 17:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 21:38 - 2013-04-04 17:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-05-15 21:38 - 2013-04-04 17:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-15 21:38 - 2013-04-04 17:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-15 21:38 - 2013-04-04 17:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-05-15 21:38 - 2013-04-04 16:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-15 21:38 - 2013-04-04 16:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-15 21:38 - 2013-04-04 16:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-05-15 21:38 - 2013-04-04 16:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-05-15 21:38 - 2013-04-04 16:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-15 21:38 - 2013-04-04 16:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-15 21:38 - 2013-04-04 16:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-05-15 21:38 - 2013-04-04 16:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-15 06:09 - 2013-04-10 01:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 06:09 - 2013-04-10 01:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 06:09 - 2013-04-09 22:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 06:09 - 2013-03-19 00:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 06:09 - 2013-03-19 00:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-15 06:09 - 2013-02-27 01:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 06:09 - 2013-02-27 00:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 06:09 - 2013-02-27 00:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 06:09 - 2013-02-27 00:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 06:09 - 2013-02-27 00:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-15 06:09 - 2013-02-26 23:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-15 06:09 - 2013-02-26 23:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-15 06:09 - 2013-02-26 23:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-15 06:09 - 2011-02-03 06:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-14 17:11 - 2013-05-14 17:11 - 00000000 __SHD C:\found.001

2013-05-11 19:13 - 2013-05-12 15:14 - 00016050 ____H C:\Users\Candide\My Documents\~WRL3093.tmp

2013-05-11 19:13 - 2013-05-12 15:14 - 00016050 ____H C:\Users\Candide\Documents\~WRL3093.tmp

==================== One Month Modified Files and Folders =======

2013-06-08 12:05 - 2013-06-08 12:05 - 00000000 ____D C:\FRST

2013-06-08 11:10 - 2009-07-13 23:45 - 00021264 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-08 11:10 - 2009-07-13 23:45 - 00021264 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-06-08 11:08 - 2012-01-09 20:20 - 00122089 ____A C:\ProgramData\dleascan.log

2013-06-08 11:08 - 2012-01-09 20:20 - 00122089 ____A C:\ProgramData\Application Data\dleascan.log

2013-06-08 11:08 - 2011-12-24 23:46 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-06-08 11:08 - 2011-12-13 07:33 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks

2013-06-08 11:08 - 2011-12-13 07:33 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks

2013-06-08 11:08 - 2011-12-13 07:33 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks

2013-06-08 11:08 - 2011-12-13 07:33 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks

2013-06-08 11:08 - 2011-12-13 07:33 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks

2013-06-08 11:08 - 2011-12-13 07:33 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks

2013-06-08 11:08 - 2011-12-13 07:22 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup

2013-06-08 11:07 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-08 11:07 - 2009-07-13 23:51 - 00116540 ____A C:\Windows\setupact.log

2013-06-08 10:00 - 2011-12-13 06:04 - 01903171 ____A C:\Windows\WindowsUpdate.log

2013-06-08 09:52 - 2013-06-08 09:48 - 00003792 ____A C:\Users\Candide\Desktop\Rkill.txt

2013-06-08 09:52 - 2012-06-20 05:18 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-08 09:49 - 2009-07-14 00:13 - 00782986 ____A C:\Windows\System32\PerfStringBackup.INI

2013-06-08 09:27 - 2011-12-24 23:46 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-06-08 07:19 - 2011-12-20 23:07 - 00000000 ____D C:\Users\Candide\Local Settings\Nero

2013-06-08 07:19 - 2011-12-20 23:07 - 00000000 ____D C:\Users\Candide\Local Settings\Application Data\Nero

2013-06-08 07:19 - 2011-12-20 23:07 - 00000000 ____D C:\Users\Candide\AppData\Local\Nero

2013-06-08 07:08 - 2013-05-31 14:19 - 00001846 ____A C:\Users\Public\Desktop\McAfee Internet Security.lnk

2013-06-08 07:08 - 2013-05-31 14:19 - 00001846 ____A C:\ProgramData\Desktop\McAfee Internet Security.lnk

2013-06-08 06:17 - 2013-05-31 14:12 - 00000000 ____D C:\Program Files (x86)\McAfee

2013-06-08 06:17 - 2010-11-20 22:47 - 00197370 ____A C:\Windows\PFRO.log

2013-06-07 22:02 - 2012-12-08 17:23 - 00000000 ____D C:\Users\Candide\Local Settings\CrashDumps

2013-06-07 22:02 - 2012-12-08 17:23 - 00000000 ____D C:\Users\Candide\Local Settings\Application Data\CrashDumps

2013-06-07 22:02 - 2012-12-08 17:23 - 00000000 ____D C:\Users\Candide\AppData\Local\CrashDumps

2013-06-07 22:01 - 2013-03-30 19:42 - 00000000 ____D C:\Users\Candide\Desktop\Cache holdem

2013-06-06 21:45 - 2013-06-06 17:20 - 00000000 ____D C:\Users\Candide\My Documents\Exchange

2013-06-06 21:45 - 2013-06-06 17:20 - 00000000 ____D C:\Users\Candide\Documents\Exchange

2013-06-03 21:34 - 2013-02-03 14:57 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk

2013-06-03 21:34 - 2013-02-03 14:57 - 00002021 ____A C:\ProgramData\Desktop\Adobe Reader X.lnk

2013-06-02 14:57 - 2013-02-13 21:57 - 00000000 ____D C:\Users\Candide\My Documents\Outlook Files

2013-06-02 14:57 - 2013-02-13 21:57 - 00000000 ____D C:\Users\Candide\Documents\Outlook Files

2013-06-01 16:55 - 2013-06-01 16:54 - 00000288 ____A C:\Users\Candide\Desktop\RootkitRemover20130601175451.txt

2013-06-01 16:26 - 2013-06-01 16:26 - 00000000 ____D C:\Users\Candide\Application Data\Creative

2013-06-01 16:26 - 2013-06-01 16:26 - 00000000 ____D C:\Users\Candide\AppData\Roaming\Creative

2013-06-01 16:21 - 2012-07-05 13:20 - 00000000 ____D C:\Users\Candide\Desktop\Stuff

2013-06-01 15:37 - 2013-06-01 15:37 - 00000193 ____A C:\Windows\WORDPAD.INI

2013-06-01 14:29 - 2013-06-01 14:29 - 00000000 ____D C:\Users\Candide\Application Data\McAfee

2013-06-01 14:29 - 2013-06-01 14:29 - 00000000 ____D C:\Users\Candide\AppData\Roaming\McAfee

2013-06-01 14:28 - 2011-12-13 07:19 - 00000000 ____D C:\ProgramData\McAfee

2013-06-01 14:28 - 2011-12-13 07:19 - 00000000 ____D C:\ProgramData\Application Data\McAfee

2013-06-01 13:58 - 2013-06-01 13:58 - 01804416 ____A (Bleeping Computer, LLC) C:\Users\Candide\Downloads\rkill (1).com

2013-05-31 14:13 - 2013-05-31 14:13 - 00000000 ____D C:\Program Files (x86)\McAfee.com

2013-05-31 14:13 - 2013-05-31 14:12 - 00000000 ____D C:\Program Files\McAfee

2013-05-31 14:13 - 2013-05-31 06:30 - 00000000 ____D C:\Program Files\Common Files\McAfee

2013-05-31 14:12 - 2013-05-31 14:12 - 00000000 ____D C:\Program Files\McAfee.com

2013-05-29 17:35 - 2011-12-25 15:27 - 00000000 ____D C:\Users\Candide\My Documents\New Book

2013-05-29 17:35 - 2011-12-25 15:27 - 00000000 ____D C:\Users\Candide\Documents\New Book

2013-05-28 19:35 - 2013-05-28 19:34 - 00262144 ____A C:\Windows\Minidump\052813-20046-01.dmp

2013-05-28 19:34 - 2013-02-13 21:42 - 588032211 ____A C:\Windows\MEMORY.DMP

2013-05-28 19:34 - 2013-02-13 21:42 - 00000000 ____D C:\Windows\Minidump

2013-05-27 19:56 - 2012-01-10 16:50 - 00052224 ____A C:\Users\Candide\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2013-05-27 19:56 - 2012-01-10 16:50 - 00052224 ____A C:\Users\Candide\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2013-05-27 19:56 - 2012-01-10 16:50 - 00052224 ____A C:\Users\Candide\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2013-05-26 14:21 - 2013-05-26 14:21 - 00000054 ____A C:\Users\Candide\Application Data\mbam.context.scan

2013-05-26 14:21 - 2013-05-26 14:21 - 00000054 ____A C:\Users\Candide\AppData\Roaming\mbam.context.scan

2013-05-25 06:16 - 2011-12-13 06:54 - 00000000 ____D C:\ProgramData\Sonic

2013-05-25 06:16 - 2011-12-13 06:54 - 00000000 ____D C:\ProgramData\Application Data\Sonic

2013-05-24 22:02 - 2013-05-24 22:02 - 00262144 ____A C:\Windows\Minidump\052413-26239-01.dmp

2013-05-23 17:42 - 2013-05-23 17:42 - 00000000 ____D C:\Program Files\My Dell

2013-05-23 17:42 - 2012-04-06 11:30 - 00000000 ____D C:\Program Files\Dell Support Center

2013-05-23 17:42 - 2011-12-25 16:07 - 00000000 ____D C:\ProgramData\PCDr

2013-05-23 17:42 - 2011-12-25 16:07 - 00000000 ____D C:\ProgramData\Application Data\PCDr

2013-05-22 09:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache

2013-05-20 14:19 - 2011-12-25 15:27 - 00000000 ___RD C:\Users\Candide\My Documents\Locker-Secrets

2013-05-20 14:19 - 2011-12-25 15:27 - 00000000 ___RD C:\Users\Candide\Documents\Locker-Secrets

2013-05-20 13:15 - 2013-05-20 13:15 - 00000000 __SHD C:\found.002

2013-05-19 08:12 - 2013-05-19 08:12 - 00015281 ____A C:\Users\Candide\Desktop\Ville de Gatineau.htm

2013-05-19 08:12 - 2013-05-19 08:12 - 00000000 ____D C:\Users\Candide\Desktop\Ville de Gatineau_files

2013-05-15 21:50 - 2009-07-13 23:45 - 00461464 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 21:47 - 2011-12-24 23:25 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-15 21:47 - 2011-12-24 23:25 - 00000000 ____D C:\ProgramData\Application Data\Microsoft Help

2013-05-15 21:44 - 2013-02-09 19:59 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-15 18:53 - 2012-06-20 05:18 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-15 18:53 - 2011-12-13 06:14 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-15 17:53 - 2012-07-08 18:40 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-05-15 17:53 - 2012-07-08 18:40 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes

2013-05-14 17:11 - 2013-05-14 17:11 - 00000000 __SHD C:\found.001

2013-05-13 13:52 - 2013-03-31 14:15 - 00000000 ____D C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE

2013-05-12 15:14 - 2013-05-11 19:13 - 00016050 ____H C:\Users\Candide\My Documents\~WRL3093.tmp

2013-05-12 15:14 - 2013-05-11 19:13 - 00016050 ____H C:\Users\Candide\Documents\~WRL3093.tmp

2013-05-11 20:35 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\NDF

ZeroAccess:

C:\Users\Candide\AppData\Local\{b447fc64-ad31-feb5-014c-9170be97d5b2}

C:\Users\Candide\AppData\Local\{b447fc64-ad31-feb5-014c-9170be97d5b2}\@

C:\Users\Candide\AppData\Local\{b447fc64-ad31-feb5-014c-9170be97d5b2}\L

C:\Users\Candide\AppData\Local\{b447fc64-ad31-feb5-014c-9170be97d5b2}\U

Files to move or delete:

====================

C:\Users\Candide\GoToAssistDownloadHelper.exe

==================== Known DLLs (Whitelisted) ================

 

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-06-04 18:30:29

==================== Memory info ===========================

Percentage of memory in use: 20%

Total physical RAM: 4003.18 MB

Available physical RAM: 3197.72 MB

Total Pagefile: 4001.38 MB

Available Pagefile: 3190.8 MB

Total Virtual: 8192 MB

Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:379.28 GB) NTFS (Disk=0 Partition=3)

Drive e: (Lexar) (Removable) (Total:7.34 GB) (Free:7.24 GB) NTFS (Disk=1 Partition=1)

Drive f: (Recovery) (Fixed) (Total:14.65 GB) (Free:4.74 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: CFE572FD)

Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)

Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=451 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=7 GB) - (Type=07 NTFS)

 

LastRegBack: 2013-06-04 18:22

==================== End Of Log ============================



#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:28 AM

Posted 08 June 2013 - 07:27 PM

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

HKU\Candide\...\Run: [lzqw] "C:\Users\Candide\AppData\Roaming\Microsoft\Uklyou\uklyou.exe" [x]
HKU\Candide\...\Run: [Internet Security] C:\Users\Candide\AppData\Roaming\indefender.exe [x]
C:\Users\Candide\AppData\Local\{b447fc64-ad31-feb5-014c-9170be97d5b2}
C:\Users\Candide\GoToAssistDownloadHelper.exe
C:\Users\Candide\AppData\Roaming\indefender.exe
C:\Users\Candide\AppData\Roaming\Microsoft\Uklyou\uklyou.exe
 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
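The two findings fireman4it's fixlist acts on, the GUID-named folder under AppData\Local with its `@`, `L` and `U` entries that FRST listed under "ZeroAccess:", and the two Run values pointing at executables in AppData\Roaming, can be re-checked mechanically on any later FRST.txt. The Python below is an added example for this thread, not code from FRST or from any post in it; its regexes are assumptions about FRST's text layout inferred from the lines shown above, and the sample input is built from lines copied from the posted log and fixlist plus one constructed, benign HKLM Run value (Adobe ARM) so the reader can see what is not flagged.

```python
"""Triage helpers for FRST (Farbar Recovery Scan Tool) log text.

Added example for this thread, not code from FRST or from any post in it.
Flags the two findings the fixlist above targets:
  * a ZeroAccess-style user-mode install dir: a GUID-named folder under
    %LOCALAPPDATA% holding '@', 'L' and 'U' entries, and
  * Run values that launch an executable from the user's AppData tree.
The regexes are assumptions about FRST's text layout based on the log
lines shown in this thread, not an official format specification.
"""
import re
from typing import Dict, Iterable, List

# One "One Month Modified" entry:
#   2013-06-08 11:07 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
FILE_ENTRY_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.*)$"
)

# One Run value; FRST appends "[x]" when it could not find the target file:
#   HKU\Candide\...\Run: [lzqw] "C:\...\uklyou.exe" [x]
RUN_ENTRY_RE = re.compile(
    r"^(?P<key>HK(?:LM|U\\[^\\]+)\\\.\.\.\\Run): \[(?P<name>[^\]]*)\] "
    r"(?P<command>.*?)(?P<missing> \[x\])?$"
)

# <drive>:\Users\<user>\AppData\Local\{GUID}, optionally plus one child name.
ZA_DIR_RE = re.compile(
    r"^(?P<base>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\"
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\})"
    r"(?:\\(?P<child>[^\\]+))?$",
    re.IGNORECASE,
)
ZA_MARKERS = {"@", "L", "U"}  # the entries FRST listed under "ZeroAccess:"


def find_zeroaccess_dirs(paths: Iterable[str]) -> List[Dict[str, object]]:
    """Group GUID folders under AppData\\Local and report those that
    carry every ZeroAccess marker entry (the folder alone is not enough)."""
    children: Dict[str, set] = {}
    for path in paths:
        m = ZA_DIR_RE.match(path.strip())
        if not m:
            continue
        bucket = children.setdefault(m.group("base"), set())
        if m.group("child"):
            bucket.add(m.group("child"))
    return [{"dir": base, "markers": sorted(found & ZA_MARKERS)}
            for base, found in children.items() if ZA_MARKERS <= found]


def _target_of(command: str) -> str:
    """Executable path of a Run command: the quoted part if quoted, else the
    first token (an unquoted path containing spaces would be truncated)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(runs: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag Run values whose target lives under the user's AppData tree and
    record whether FRST reported the file as not found ([x])."""
    flagged = []
    for run in runs:
        target = _target_of(run["command"])
        if "\\appdata\\" in target.lower():
            flagged.append({"name": run["name"], "target": target,
                            "missing": bool(run.get("missing"))})
    return flagged


def triage(log_text: str) -> Dict[str, list]:
    """Run both checks over raw FRST log text."""
    paths: List[str] = []
    runs: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_ENTRY_RE.match(line)
        if m:
            paths.append(m.group("path"))
            continue
        m = RUN_ENTRY_RE.match(line)
        if m:
            runs.append(m.groupdict())
            continue
        if re.match(r"^[A-Za-z]:\\", line):  # bare path, as in the ZeroAccess: block
            paths.append(line)
    return {"zeroaccess": find_zeroaccess_dirs(paths),
            "run": suspicious_run_entries(runs)}


# Sample input: lines copied from the FRST log and fixlist in this thread,
# plus one constructed, benign HKLM Run value (Adobe ARM) that is not flagged.
SAMPLE_LOG = r"""
2013-06-08 11:07 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-01 13:58 - 2013-06-01 13:58 - 01804416 ____A (Bleeping Computer, LLC) C:\Users\Candide\Downloads\rkill (1).com
ZeroAccess:
C:\Users\Candide\AppData\Local\{b447fc64-ad31-feb5-014c-9170be97d5b2}
C:\Users\Candide\AppData\Local\{b447fc64-ad31-feb5-014c-9170be97d5b2}\@
C:\Users\Candide\AppData\Local\{b447fc64-ad31-feb5-014c-9170be97d5b2}\L
C:\Users\Candide\AppData\Local\{b447fc64-ad31-feb5-014c-9170be97d5b2}\U
HKU\Candide\...\Run: [lzqw] "C:\Users\Candide\AppData\Roaming\Microsoft\Uklyou\uklyou.exe" [x]
HKU\Candide\...\Run: [Internet Security] C:\Users\Candide\AppData\Roaming\indefender.exe [x]
HKLM\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"""
```

Calling `triage(SAMPLE_LOG)` returns one ZeroAccess-style directory (the GUID folder with all three of `@`, `L`, `U`) and two flagged Run values, `lzqw` and `Internet Security`, both marked as missing because FRST printed `[x]` after them; the Adobe ARM value is left alone because it runs from Program Files. Feed it the text of a fresh FRST.txt to confirm that the fix removed both.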




