
Looks like I've gotten into the ZeroAccess Trojan - HELP!


20 replies to this topic

#1 bpatters3309

bpatters3309

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:56 PM

Posted 07 August 2013 - 03:31 PM

I have Win7 Home Premium 64-bit and, although I've stopped the "white screen" (the screen where you can do nothing but Ctrl+Alt+Del and still not have Task Manager), the infection has turned off numerous services and, apparently, substituted infected files.  What to do?





#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,758 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:56 AM

Posted 07 August 2013 - 03:42 PM

I'll report this topic to appropriate helpers.

Hold on there....



 


#3 bpatters3309

bpatters3309
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:56 PM

Posted 07 August 2013 - 04:06 PM

Thank you.



#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:56 PM

Posted 07 August 2013 - 08:26 PM

Hi and welcome.
 
Let's give it a try.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
  • If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,534 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:56 PM

Posted 07 August 2013 - 08:29 PM

Hello, just letting you know I moved this topic to here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#6 bpatters3309

bpatters3309
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:56 PM

Posted 08 August 2013 - 04:48 PM

Thanks again for the help!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-08-2013
Ran by SYSTEM on 08-08-2013 16:37:24
Running from L:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()
HKU\Destinylm7\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil64_11_1_102_ActiveX.exe [461984 2012-01-15] (Adobe Systems, Inc.)
HKU\Destinylm7\...\Policies\system: [LogonHoursAction] 2
HKU\Destinylm7\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Destinylm7\...\Winlogon: [Shell] explorer.exe,C:\Users\Destinylm7\AppData\Roaming\skype.dat <==== ATTENTION

==================== Services (Whitelisted) =================

S4 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)
S2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-03] (Acer)
S2 BasicServe Service; "C:\Program Files (x86)\BasicServe\basicserve.exe" "C:\Program Files (x86)\BasicServe\basicserve.dll" logudizomi wodubocu [x]
S4 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [x]
S4 PCPitstop Scheduling; C:\Program Files (x86)\PCPitstop\PCPitstopScheduleService.exe [x]

==================== Drivers (Whitelisted) ====================

S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32000 2013-08-05] ()
S3 ltmodem5; C:\Windows\System32\DRIVERS\ltmdm64.sys [543744 2009-06-10] (Agere Systems)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-07 13:50 - 2013-08-07 13:50 - 00001078 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-08-07 13:50 - 2013-08-07 13:50 - 00000000 ____D C:\Users\Destinylm7\AppData\Roaming\Malwarebytes
2013-08-07 13:50 - 2013-08-07 13:50 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-07 13:50 - 2013-08-07 13:50 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-07 13:50 - 2013-08-07 13:49 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Destinylm7\Desktop\mbam-setup-1.75.0.1300.exe
2013-08-07 10:00 - 2013-08-07 10:00 - 00000000 ____D C:\ProgramData\HitmanPro
2013-08-07 07:12 - 2013-08-07 07:12 - 00027256 _____ (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2013-08-06 17:54 - 2013-08-06 17:54 - 00000000 ____D C:\FRST
2013-08-06 15:28 - 2013-08-07 10:35 - 00007250 _____ C:\Users\Destinylm7\Desktop\Rkill.txt
2013-08-06 15:28 - 2013-08-06 15:28 - 01036416 _____ (Bleeping Computer, LLC) C:\Users\Destinylm7\Desktop\iExplore64.exe
2013-08-06 15:28 - 2013-08-06 15:24 - 01893504 _____ (Bleeping Computer, LLC) C:\Users\Destinylm7\Desktop\iExplore.exe
2013-08-06 12:36 - 2013-08-06 12:36 - 00000000 ____D C:\Windows\pss
2013-08-06 12:35 - 2013-08-06 12:35 - 00003020 _____ C:\Windows\System32\Tasks\LAUNCH CDRegclean
2013-08-05 13:31 - 2013-08-05 13:31 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-08-05 11:23 - 2013-08-05 11:23 - 00001392 _____ C:\HitmanPro_20130805_1421.log
2013-08-03 11:22 - 2013-08-03 11:22 - 00016896 ___SH C:\Users\Destinylm7\Documents\Thumbs.db
2013-07-22 18:49 - 2013-07-22 18:49 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\Symantec
2013-07-22 08:22 - 2013-08-08 12:49 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-22 08:22 - 2013-07-22 08:22 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-07-22 08:22 - 2013-07-22 08:22 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-07-22 08:20 - 2013-08-08 13:00 - 00000346 ____H C:\Windows\Tasks\{506D3836-95AF-40AA-9A3A-90DFE5B2CEED}.job
2013-07-22 08:20 - 2013-07-22 08:20 - 00003098 _____ C:\Windows\System32\Tasks\{506D3836-95AF-40AA-9A3A-90DFE5B2CEED}
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\msconfig.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\java.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\ctfmon.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\csrss.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\conhost.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\chrome.exe
2013-07-21 00:01 - 2013-07-21 00:04 - 00000000 ____D C:\Windows\System32\MRT
2013-07-18 09:05 - 2013-07-18 09:35 - 00000000 ____D C:\Users\Destinylm7\Downloads\New folder (2)
2013-07-18 08:46 - 2013-08-06 13:31 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\DownloadTerms
2013-07-18 08:46 - 2013-08-06 13:28 - 00000000 ____D C:\Program Files (x86)\DefaultTab
2013-07-18 08:45 - 2013-08-08 10:07 - 00000376 _____ C:\Windows\Tasks\AmiUpdXp.job
2013-07-18 08:45 - 2013-08-06 13:34 - 00000000 ____D C:\Program Files (x86)\Fast Free Converter
2013-07-18 08:45 - 2013-08-02 22:46 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\SwvUpdater
2013-07-18 08:45 - 2013-07-18 08:45 - 00003406 _____ C:\Windows\System32\Tasks\AmiUpdXp
2013-07-18 08:45 - 2013-07-18 08:45 - 00000000 ____D C:\Users\Destinylm7\AppData\Roaming\DefaultTab
2013-07-12 15:51 - 2013-07-12 15:52 - 00000000 ____D C:\Users\Destinylm7\Documents\My Projects
2013-07-11 01:56 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-11 01:56 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-11 01:56 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-11 01:56 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-11 01:56 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-11 01:55 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-11 01:55 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll

==================== One Month Modified Files and Folders =======

2013-08-08 13:00 - 2013-07-22 08:20 - 00000346 ____H C:\Windows\Tasks\{506D3836-95AF-40AA-9A3A-90DFE5B2CEED}.job
2013-08-08 12:49 - 2013-07-22 08:22 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-08 12:24 - 2011-02-14 14:29 - 00000906 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-08 10:07 - 2013-07-18 08:45 - 00000376 _____ C:\Windows\Tasks\AmiUpdXp.job
2013-08-08 09:00 - 2011-10-31 18:36 - 00000472 _____ C:\Windows\Tasks\FixCleaner Scan.job
2013-08-08 09:00 - 2010-10-28 11:28 - 00000568 _____ C:\Windows\Tasks\Norton Internet Security - Destinylm7 - Full System Scan.job
2013-08-08 05:04 - 2010-10-27 14:14 - 00003966 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{B880A822-1AA6-42EE-8CE5-4339D7DCDF3E}
2013-08-07 16:23 - 2011-02-14 14:29 - 00000902 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-07 16:00 - 2010-09-25 11:43 - 00000276 _____ C:\Windows\Tasks\RMSchedule.job
2013-08-07 13:50 - 2013-08-07 13:50 - 00001078 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-08-07 13:50 - 2013-08-07 13:50 - 00000000 ____D C:\Users\Destinylm7\AppData\Roaming\Malwarebytes
2013-08-07 13:50 - 2013-08-07 13:50 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-07 13:50 - 2013-08-07 13:50 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-07 13:50 - 2009-07-13 21:13 - 00726270 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-07 13:49 - 2013-08-07 13:50 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Destinylm7\Desktop\mbam-setup-1.75.0.1300.exe
2013-08-07 13:45 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-07 13:45 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-07 13:38 - 2011-10-31 18:36 - 00002848 _____ C:\Windows\System32\Tasks\FixCleaner Startup
2013-08-07 13:38 - 2011-10-31 18:36 - 00000412 _____ C:\Windows\Tasks\FixCleaner Startup.job
2013-08-07 13:38 - 2009-12-30 00:23 - 01832499 _____ C:\Windows\WindowsUpdate.log
2013-08-07 13:37 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-07 10:35 - 2013-08-06 15:28 - 00007250 _____ C:\Users\Destinylm7\Desktop\Rkill.txt
2013-08-07 10:00 - 2013-08-07 10:00 - 00000000 ____D C:\ProgramData\HitmanPro
2013-08-07 10:00 - 2009-10-29 04:49 - 00490824 _____ C:\Windows\PFRO.log
2013-08-07 07:58 - 2011-10-07 19:08 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\Conduit
2013-08-07 07:26 - 2011-06-28 14:27 - 00000000 ____D C:\Windows\Minidump
2013-08-07 07:12 - 2013-08-07 07:12 - 00027256 _____ (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2013-08-06 17:54 - 2013-08-06 17:54 - 00000000 ____D C:\FRST
2013-08-06 15:28 - 2013-08-06 15:28 - 01036416 _____ (Bleeping Computer, LLC) C:\Users\Destinylm7\Desktop\iExplore64.exe
2013-08-06 15:24 - 2013-08-06 15:28 - 01893504 _____ (Bleeping Computer, LLC) C:\Users\Destinylm7\Desktop\iExplore.exe
2013-08-06 14:34 - 2013-06-25 11:18 - 00000000 ____D C:\ProgramData\Trymedia
2013-08-06 14:34 - 2013-06-21 19:39 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\Pokki
2013-08-06 14:34 - 2010-03-27 18:28 - 00000694 _____ C:\Windows\wininit.ini
2013-08-06 14:31 - 2013-06-25 11:16 - 00000000 ____D C:\Program Files (x86)\RealArcade
2013-08-06 14:29 - 2011-01-19 13:49 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\CrashDumps
2013-08-06 13:51 - 2009-10-29 04:47 - 00000000 ____D C:\ProgramData\Norton
2013-08-06 13:45 - 2010-06-20 13:20 - 00000000 ____D C:\Program Files (x86)\Crawler
2013-08-06 13:34 - 2013-07-18 08:45 - 00000000 ____D C:\Program Files (x86)\Fast Free Converter
2013-08-06 13:31 - 2013-07-18 08:46 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\DownloadTerms
2013-08-06 13:28 - 2013-07-18 08:46 - 00000000 ____D C:\Program Files (x86)\DefaultTab
2013-08-06 12:36 - 2013-08-06 12:36 - 00000000 ____D C:\Windows\pss
2013-08-06 12:35 - 2013-08-06 12:35 - 00003020 _____ C:\Windows\System32\Tasks\LAUNCH CDRegclean
2013-08-06 12:35 - 2012-08-12 14:09 - 00003112 _____ C:\Windows\System32\Tasks\MaxMySpeed Registry Cleaner
2013-08-06 12:33 - 2009-07-13 20:51 - 00080270 _____ C:\Windows\setupact.log
2013-08-05 14:03 - 2011-06-28 14:27 - 393116506 _____ C:\Windows\MEMORY.DMP
2013-08-05 13:31 - 2013-08-05 13:31 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-08-05 11:23 - 2013-08-05 11:23 - 00001392 _____ C:\HitmanPro_20130805_1421.log
2013-08-03 11:22 - 2013-08-03 11:22 - 00016896 ___SH C:\Users\Destinylm7\Documents\Thumbs.db
2013-08-02 22:46 - 2013-07-18 08:45 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\SwvUpdater
2013-08-02 22:46 - 2010-02-06 17:23 - 00000000 ____D C:\users\Destinylm7
2013-08-01 11:05 - 2009-07-13 21:08 - 00032566 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-22 18:49 - 2013-07-22 18:49 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\Symantec
2013-07-22 18:22 - 2012-01-30 17:11 - 00000266 _____ C:\Windows\SysWOW64\AppLog.log
2013-07-22 08:22 - 2013-07-22 08:22 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-07-22 08:22 - 2013-07-22 08:22 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-07-22 08:22 - 2011-09-28 08:21 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-07-22 08:20 - 2013-07-22 08:20 - 00003098 _____ C:\Windows\System32\Tasks\{506D3836-95AF-40AA-9A3A-90DFE5B2CEED}
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\msconfig.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\java.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\ctfmon.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\csrss.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\conhost.exe
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\chrome.exe
2013-07-21 15:51 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-07-21 00:04 - 2013-07-21 00:01 - 00000000 ____D C:\Windows\System32\MRT
2013-07-18 09:35 - 2013-07-18 09:05 - 00000000 ____D C:\Users\Destinylm7\Downloads\New folder (2)
2013-07-18 08:46 - 2010-02-07 10:57 - 00000632 __RSH C:\Users\Destinylm7\ntuser.pol
2013-07-18 08:46 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2013-07-18 08:45 - 2013-07-18 08:45 - 00003406 _____ C:\Windows\System32\Tasks\AmiUpdXp
2013-07-18 08:45 - 2013-07-18 08:45 - 00000000 ____D C:\Users\Destinylm7\AppData\Roaming\DefaultTab
2013-07-14 19:59 - 2010-03-22 14:39 - 00000000 ____D C:\Users\Destinylm7\AppData\Local\Vivitar Experience Image Manager
2013-07-12 16:19 - 2011-02-14 14:29 - 00003902 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-12 16:18 - 2011-02-14 14:29 - 00003650 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-12 16:14 - 2009-07-13 20:45 - 00343552 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-12 16:13 - 2013-03-13 00:00 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-12 16:13 - 2013-03-13 00:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-07-12 16:13 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-12 16:13 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-12 16:13 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-12 15:53 - 2010-02-06 17:35 - 00000346 _____ C:\Users\Destinylm7\AppData\Roaming\wklnhst.dat
2013-07-12 15:52 - 2013-07-12 15:51 - 00000000 ____D C:\Users\Destinylm7\Documents\My Projects
2013-07-12 00:54 - 2009-10-29 04:25 - 00000000 ____D C:\ProgramData\Microsoft Help

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6\L\00000004.@
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6\L\201d3dde
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6\L\6715e287
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6\L\76603ac3

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6\L\00000004.@
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6\L\201d3dde
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6\L\6715e287
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6\L\76603ac3

Files to move or delete:
====================
C:\Users\Destinylm7\chrome.exe
C:\Users\Destinylm7\conhost.exe
C:\Users\Destinylm7\csrss.exe
C:\Users\Destinylm7\ctfmon.exe
C:\Users\Destinylm7\java.exe
C:\Users\Destinylm7\msconfig.exe
C:\Windows\Tasks\{506D3836-95AF-40AA-9A3A-90DFE5B2CEED}.job

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3839.23 MB
Available physical RAM: 3148.13 MB
Total Pagefile: 3837.38 MB
Available Pagefile: 3146.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (eMachines) (Fixed) (Total:685.54 GB) (Free:629.05 GB) NTFS (Disk=0 Partition=3)
Drive e: (PQSERVICE) (Fixed) (Total:13 GB) (Free:4 GB) NTFS (Disk=0 Partition=1)
Drive l: (HITMANPRO) (Removable) (Total:3.62 GB) (Free:3.59 GB) FAT32 (Disk=6 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 699 GB) (Disk ID: 7FB1FA54)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=686 GB) - (Type=07 NTFS)

========================================================
Disk: 6 (Size: 4 GB) (Disk ID: FC3B29BA)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

LastRegBack: 2013-08-07 11:17

==================== End Of Log ============================
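The FRST.txt above is long, and the entries that matter are scattered through it. The helper below is an added example (not code from Farbar, BleepingComputer or anyone in this thread) that pulls those entries out in one pass. Everything in it is this example's own assumption: the constructed eight-line sample in the shape of the posted log, the category names, the SYSTEM_BINARY_NAMES set and the regular expressions. It flags the same indicator classes the posted log exposes: entries FRST itself marked ATTENTION (the CLSID InprocServer32 default and mpsvc.dll), a Winlogon Shell value carrying a second program after explorer.exe, well-known system-binary names sitting directly in the user profile, the $<hex> folder under the SYSTEM SID in $Recycle.Bin, and the junction laid over the Windows Defender folder.

```python
"""FRST.txt triage helper (added example; not Farbar's code or anyone's from this thread).

The rules are this example's own assumptions. They encode the indicator classes
visible in the FRST log posted above so a reviewer can pull them out of a long
log in one pass; the output is a prompt to read those lines, not a verdict.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the posted FRST.txt (a few lines only).
SAMPLE_LOG = r"""
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\Destinylm7\...\Winlogon: [Shell] explorer.exe,C:\Users\Destinylm7\AppData\Roaming\skype.dat <==== ATTENTION
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()
2013-07-22 08:20 - 2013-07-22 08:20 - 00000000 _____ C:\Users\Destinylm7\csrss.exe
2013-07-22 08:22 - 2013-07-22 08:22 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6\L\00000004.@
C:\Windows\System32\services.exe => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
"""

# Names that legitimately live under \Windows\; the same names anywhere else
# (in the posted log: directly in C:\Users\<user>\, all 0 bytes) deserve a look.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "conhost.exe", "ctfmon.exe", "msconfig.exe", "svchost.exe",
    "explorer.exe", "winlogon.exe", "services.exe", "lsass.exe", "wininit.exe",
}

# ZeroAccess kept its store in $Recycle.Bin under the SYSTEM SID, in a folder
# named "$" plus 32 hex characters (the posted log shows the L\ subfolder).
RECYCLE_SID_DIR = re.compile(r"\\\$Recycle\.Bin\\S-1-5-18\\\$[0-9a-f]{32}", re.IGNORECASE)

# FRST file-list line: "<created> - <modified> - <size> <attrs> [(company)] <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - (?P<size>\d+) (?P<attrs>\S+) "
    r"(?:\([^)]*\)\s*)?(?P<path>[A-Za-z]:\\.*)$"
)

# Winlogon Shell value, with FRST's trailing "<==== ATTENTION" marker stripped.
WINLOGON_SHELL = re.compile(r"\\Winlogon: \[Shell\] (?P<value>.+?)(?:\s+<====.*)?$")
JUNCTION_HINT = re.compile(r"DeleteJunctionsIndirectory: (?P<dir>.+)$")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str
    line: str


def triage_line(line: str) -> list:
    """Apply every rule to one log line; a line may yield several findings."""
    found = []
    stripped = line.rstrip()

    if "ATTENTION" in stripped:
        found.append(Finding("frst_flagged", "FRST marked this entry itself", stripped))

    m = JUNCTION_HINT.search(stripped)
    if m:
        found.append(Finding("reparse_point_over_program_dir", m.group("dir").strip(), stripped))

    m = WINLOGON_SHELL.search(stripped)
    if m and m.group("value").strip().lower() != "explorer.exe":
        found.append(Finding("winlogon_shell_extra", m.group("value").strip(), stripped))

    m = RECYCLE_SID_DIR.search(stripped)
    if m:
        found.append(Finding("recyclebin_system_sid_dir", m.group(0), stripped))

    m = FILE_LINE.match(stripped)
    if m:
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARY_NAMES and "\\windows\\" not in path.lower():
            detail = f"{name} outside \\Windows\\ (size {int(m.group('size'))} bytes)"
            found.append(Finding("system_name_outside_windows", detail, stripped))
    return found


def triage(log_text: str) -> list:
    """Run the rules over a whole FRST.txt and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings) -> dict:
    """Count findings per category, handy for a first glance at a long log."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it as a script and it prints the seven findings the sample yields, one per indicator plus the three FRST ATTENTION marks. Two caveats: FRST also prints "ATTENTION" in its own header line on this version, so the frst_flagged rule over-matches on a full log and is only a pointer to the lines to read; and the junction rule reports the directory FRST named, which is exactly what the second Fixlog later in this thread shows being unlocked.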



#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:56 PM

Posted 08 August 2013 - 10:54 PM

Download the enclosed file. [attachment=140652:fixlist.txt]

 

Save it next to FRST in the flashdrive.

 

Run FRST in the Recovery environment as you did, except that this time around, click on the Fix button and wait.

 

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
 

Boot in Normal mode and follow the next set of steps.

 




#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:56 PM

Posted 08 August 2013 - 11:02 PM

Rename the Fixlog.txt to just log.txt in the flash drive, as it will be overwritten with the following steps:

 

Download the enclosed file. [attachment=140653:fixlist.txt]

 

Save it next to FRST on the flash drive, overwriting the existing one.

 

Run FRST in Normal Mode and click on the Fix button and wait.

 

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply along with log.txt.
 

Restart the computer.

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete


Once done it will ask to reboot, allow this
On reboot a log will be produced at C:\ADWCleaner[XX].txt please post it in your next reply.

 

Please download Malwarebytes' Anti-Malware from Here.

Launch and update Malwarebytes' Anti-Malware

 

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 

 

 

 

 




#9 bpatters3309

bpatters3309
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:56 PM

Posted 09 August 2013 - 07:16 PM

The first FRST Fix log...

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-08-2013
Ran by SYSTEM at 2013-08-09 16:35:21 Run:1
Running from L:\
Boot Mode: Recovery
==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\Destinylm7\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
BasicServe Service => Service deleted successfully.
GamesAppService => Service deleted successfully.
PCPitstop Scheduling => Service deleted successfully.
C:\Windows\Tasks\{506D3836-95AF-40AA-9A3A-90DFE5B2CEED}.job => Moved successfully.
C:\Windows\Tasks\AmiUpdXp.job => Moved successfully.
C:\Windows\Tasks\FixCleaner Scan.job => Moved successfully.
C:\Windows\Tasks\FixCleaner Startup.job => Moved successfully.
C:\Windows\System32\Tasks\FixCleaner Startup => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$aa0edf15250ca2cdcdb4b9d6eff73bb6 => Moved successfully.
C:\Users\Destinylm7\chrome.exe => Moved successfully.
C:\Users\Destinylm7\conhost.exe => Moved successfully.
C:\Users\Destinylm7\csrss.exe => Moved successfully.
C:\Users\Destinylm7\ctfmon.exe => Moved successfully.
C:\Users\Destinylm7\java.exe => Moved successfully.
C:\Users\Destinylm7\msconfig.exe => Moved successfully.
"C:\Windows\Tasks\{506D3836-95AF-40AA-9A3A-90DFE5B2CEED}.job" => File/Directory not found.

==== End of Fixlog ====

----------------------------------------------------------------------------------

The second FRST Fix log....

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-08-2013
Ran by Destinylm7 at 2013-08-09 16:44:32 Run:2
Running from J:\
Boot Mode: Normal
==============================================

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

==== End of Fixlog ====

----------------------------------------------------------------------------------

The Junk Removal Tool Log....

 

Junkware Removal Tool (JRT) by Thisisu
Version: 5.3.9 (08.09.2013:1)
OS: Windows 7 Home Premium x64
Ran by Destinylm7 on Fri 08/09/2013 at 16:55:29.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Bar
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440}

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\defaulttabbho.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{CC99A798-FD3D-4AB4-969E-6071612524F9}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\fixcleaner
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\freecause
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\fun web products
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\funwebproducts
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\mywebsearch
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC99A798-FD3D-4AB4-969E-6071612524F9}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\fixcleaner
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\freeze.com
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\defaulttabbho.defaulttabbrowser
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\defaulttabbho.defaulttabbrowser.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\defaulttabbho.defaulttabbrowseractivex
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\defaulttabbho.defaulttabbrowseractivex.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\imside1egate.application.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\updater.amiupd
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\updater.amiupd.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2399412
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3042917
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{055EC385-A4AC-4345-B1E3-11C86307FE24}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4E4F4543-5BBA-451A-931E-267F83FAF127}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}


~~~ Files

Successfully deleted [File] C:\Windows\tasks\rmschedule.job
Successfully deleted: [File] "C:\Windows\wininit.ini"


~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\trymedia"
Successfully deleted: [Folder] "C:\ProgramData\wondershare"
Successfully deleted: [Folder] "C:\Users\Destinylm7\AppData\Roaming\defaulttab"
Successfully deleted: [Folder] "C:\Users\Destinylm7\AppData\Roaming\fixcleaner"
Successfully deleted: [Folder] "C:\Users\Destinylm7\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\Destinylm7\appdata\local\downloadterms"
Successfully deleted: [Folder] "C:\Users\Destinylm7\appdata\local\swvupdater"
Successfully deleted: [Folder] "C:\Users\Destinylm7\appdata\local\wondershare"
Successfully deleted: [Folder] "C:\Users\Destinylm7\appdata\locallow\puredefmusic"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"
Successfully deleted: [Folder] "C:\Program Files (x86)\crawler"
Successfully deleted: [Folder] "C:\Program Files (x86)\dailybibleguideei"
Successfully deleted: [Folder] "C:\Program Files (x86)\defaulttab"
Successfully deleted: [Folder] "C:\Program Files (x86)\fast free converter"
Successfully deleted: [Folder] "C:\Program Files (x86)\fixcleaner"
Successfully deleted: [Folder] "C:\Program Files (x86)\puredefmusic"
Successfully deleted: [Folder] "C:\Program Files (x86)\wondershare"
Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\software update utility"
Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\wondershare"


~~~ FireFox

Failed to delete: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\crawlersrch.xml"
Successfully deleted: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\crawlersrch.xml"
Successfully deleted: [File] C:\Users\Destinylm7\AppData\Roaming\mozilla\firefox\profiles\1arwsphf.default\user.js
Successfully deleted: [File] C:\Users\Destinylm7\AppData\Roaming\mozilla\firefox\profiles\1arwsphf.default\searchplugins\mywebsearch.xml
Successfully deleted: [Folder] "C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net"
Successfully deleted: [Folder] C:\Users\Destinylm7\AppData\Roaming\mozilla\firefox\profiles\1arwsphf.default\extensions\addon@defaulttab.com
Successfully deleted: [Folder] C:\Users\Destinylm7\AppData\Roaming\mozilla\firefox\profiles\1arwsphf.default\extensions\{7AFFBFAE-C4E2-4915-8C0F-00FA3EC610A1}
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com
Successfully deleted the following from C:\Users\Destinylm7\AppData\Roaming\mozilla\firefox\profiles\1arwsphf.default\prefs.js

user_pref("aol_toolbar.search.searchtype", "web");
user_pref("browser.search.defaulturl", "hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}&s_it=amonetizetest1-ff&tb_uuid=75285778FE2047F99DA78B6
user_pref("extensions.MapsGalaxy_39.openSearchURL", "hxxp://search.mywebsearch.com/mywebsearch/opensearch.jhtml?id=UXxdm002YYus&ptnrS=UXxdm002YYus&ptb=250902DB-E8C9-42C7-B859-
user_pref("extensions.defaulttab.active.affiliate", 4006);
user_pref("extensions.defaulttab.active.overridechromesearch", false);
user_pref("extensions.defaulttab.active.overridekeywordsearch", false);
user_pref("extensions.defaulttab.browserID", "ffff3ca0314b35cc2bcaa2b0edbcf7d8");
user_pref("extensions.defaulttab.firstrun", false);
user_pref("extensions.defaulttab.installedVersion", "2.0");
user_pref("extensions.newAddons", "{7affbfae-c4e2-4915-8c0f-00fa3ec610a1},addon@defaulttab.com,{740B3FD5-4483-469D-BE7F-8555B153BD04},cxfnl@nxazbwxrbgsgfqqp.net");
user_pref("keyword.URL", "hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=RGxdm029YRUS&fl=0&ptb=LJBR.hNEVAStLOWkZtfgbA&url=hxxp://search.mywebsearch.com/mywebsearch/GGmain.jh


~~~ Event Viewer Logs were cleared


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/09/2013 at 16:59:08.92
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The AdwCleaner Log....


# AdwCleaner v2.306 - Logfile created 08/09/2013 at 19:02:04
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Destinylm7 - DESTINYLM7-PC
# Boot Mode : Normal
# Running from : C:\Users\Destinylm7\Desktop\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16521

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.12 (en-US)

File : C:\Users\Destinylm7\AppData\Roaming\Mozilla\Firefox\Profiles\1arwsphf.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v28.0.1500.95

File : C:\Users\Destinylm7\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [13720 octets] - [09/08/2013 18:05:05]
AdwCleaner[S2].txt - [897 octets] - [09/08/2013 19:02:04]

########## EOF - C:\AdwCleaner[S2].txt - [956 octets] ##########

----------------------------------------------------------------------------------------------------------------------------

And, last but not least, the MBAM Log...


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.09.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16521
Destinylm7 :: DESTINYLM7-PC [administrator]

8/9/2013 6:54:51 PM
mbam-log-2013-08-09 (18-54-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218352
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{47AE1BA9-0BD1-44F4-88AE-45F8F7B605EF} (PUP.Zwangi) -> Quarantined and deleted successfully.
HKCR\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\gvtl (Adware.GameVance) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 7
C:\Users\Destinylm7\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com (Adware.GamesVance) -> Quarantined and deleted successfully.
C:\Users\Destinylm7\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome (Adware.GamesVance) -> Quarantined and deleted successfully.
C:\Users\Destinylm7\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components (Adware.GamesVance) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04} (PUP.Zwangi) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04}\chrome (PUP.Zwangi) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04}\defaults (PUP.Zwangi) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04}\defaults\preferences (PUP.Zwangi) -> Quarantined and deleted successfully.

Files Detected: 8
C:\Users\Destinylm7\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome.manifest (Adware.GamesVance) -> Quarantined and deleted successfully.
C:\Users\Destinylm7\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\install.rdf (Adware.GamesVance) -> Quarantined and deleted successfully.
C:\Users\Destinylm7\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome\gvtextlinks.jar (Adware.GamesVance) -> Quarantined and deleted successfully.
C:\Users\Destinylm7\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\FFTextLinks.xpt (Adware.GamesVance) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04}\chrome.manifest (PUP.Zwangi) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04}\install.rdf (PUP.Zwangi) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04}\chrome\basicserve.jar (PUP.Zwangi) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04}\defaults\preferences\prefs.js (PUP.Zwangi) -> Quarantined and deleted successfully.

(end)

-------------------------------------------------------------------------------------------------



#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:56 PM

Posted 09 August 2013 - 10:05 PM

Nice going. How is the computer doing?


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#11 bpatters3309

bpatters3309
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:56 PM

Posted 10 August 2013 - 09:05 AM

Hi, thanks. It's doing okay but it "goes to sleep" or some such malady where all I can do is press the power button 'til it goes off. I've checked the BIOS and it has no settings that make a problem like that. I've tried to check the Control Panel Power Settings but it won't open up. I'll check the service since this ZeroAccess thing disabled most services. Any hints?



#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:56 PM

Posted 10 August 2013 - 11:54 AM

Run FRST as you did before.

Type the following in the edit box on FRST, after "Search:".

powercfg.cpl

It then should look like:

Search: powercfg.cpl

Click Search button and post the log (Search.txt) it makes on the USB drive in your next reply.


Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.




#13 bpatters3309

bpatters3309
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:56 PM

Posted 12 August 2013 - 10:17 AM

Thanks for hanging with me. I do this as I can - wish I could do it all at once.


Here's the Search.txt log....


Farbar Recovery Scan Tool (x64) Version: 11-08-2013 02
Ran by Destinylm7 at 2013-08-12 09:59:25
Running from C:\Users\Destinylm7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KPZT9UOM
Boot Mode: Normal

================== Search: "powercfg.cpl" ===================

C:\Windows\winsxs\x86_microsoft-windows-powercfg_31bf3856ad364e35_6.1.7601.17514_none_5faf24b6d52ba3de\powercfg.cpl
[2011-06-23 11:35] - [2010-11-20 07:16] - 0142336 ____A (Microsoft Corporation) D8868258E3F26B40ECB8E945C2DA8BD9

C:\Windows\winsxs\x86_microsoft-windows-powercfg_31bf3856ad364e35_6.1.7600.16385_none_5d7e10eed83d2044\powercfg.cpl
[2009-07-13 18:41] - [2009-07-13 20:14] - 0142336 ____A (Microsoft Corporation) 72937754FCC2ADB1CDB83473D3FDC084

C:\Windows\winsxs\amd64_microsoft-windows-powercfg_31bf3856ad364e35_6.1.7601.17514_none_bbcdc03a8d891514\powercfg.cpl
[2011-06-23 11:36] - [2010-11-20 08:24] - 0173568 ____A (Microsoft Corporation) AC2170D1DDEEA5CEDE106DA188F18138

C:\Windows\winsxs\amd64_microsoft-windows-powercfg_31bf3856ad364e35_6.1.7600.16385_none_b99cac72909a917a\powercfg.cpl
[2009-07-13 18:56] - [2009-07-13 20:38] - 0173568 ____A (Microsoft Corporation) 75E5DCA0C6D5FFB0C9C069D258D31B4C

C:\Windows\SysWOW64\powercfg.cpl
[2011-06-23 11:35] - [2010-11-20 07:16] - 0142336 ____A (Microsoft Corporation) D8868258E3F26B40ECB8E945C2DA8BD9

C:\Windows\System32\powercfg.cpl
[2011-06-23 11:36] - [2010-11-20 08:24] - 0173568 ____A (Microsoft Corporation) AC2170D1DDEEA5CEDE106DA188F18138

====== End Of Search ======

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Here's the FSS.txt log....


Farbar Service Scanner Version: 04-08-2013
Ran by Destinylm7 (administrator) on 12-08-2013 at 10:05:08
Running from "C:\Users\Destinylm7\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is set to Disabled. The default start type is 3.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is set to Disabled. The default start type is 3.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Action Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

------------------------------------------------------------------------------------
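The Search.txt output above pairs every copy of powercfg.cpl with its MD5, and the live System32 and SysWOW64 copies match the 6.1.7601.17514 components in WinSxS (the amd64 and x86 ones respectively), which is what a clean file looks like. The PowerShell script below is an added example, not part of this thread and not code from any Farbar tool, that performs the same comparison for any system file name: it hashes the live copy and every copy under WinSxS and reports whether one of them matches. It assumes a Windows host with PowerShell 4.0 or later (Get-FileHash), which on Windows 7 means installing Windows Management Framework 4.0; the function name Compare-WithWinSxS is the example's own.

```powershell
# Added example (not from the thread): compare a live system file against the
# copies Windows keeps in WinSxS, the check FRST's Search did for powercfg.cpl.
# Requires PowerShell 4.0+ for Get-FileHash; run from an elevated prompt.
function Compare-WithWinSxS {
    param(
        [Parameter(Mandatory)][string]$FileName,                               # e.g. 'powercfg.cpl'
        [string]$LivePath = (Join-Path $env:SystemRoot "System32\$FileName")   # file as loaded by the OS
    )
    if (-not (Test-Path $LivePath)) { throw "Live file not found: $LivePath" }

    # MD5 only because that is what the Farbar logs print; use SHA256 for anything else.
    $live   = Get-FileHash -Path $LivePath -Algorithm MD5
    $winsxs = Join-Path $env:SystemRoot 'WinSxS'

    # Every component store copy with the same file name, whatever the architecture or build.
    $candidates = Get-ChildItem -Path $winsxs -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue

    $rows = foreach ($c in $candidates) {
        $h = Get-FileHash -Path $c.FullName -Algorithm MD5
        [pscustomobject]@{
            Path  = $c.FullName
            Size  = $c.Length
            MD5   = $h.Hash
            Match = ($h.Hash -eq $live.Hash)   # $true when the live file is this exact build
        }
    }

    $verdict = if ($rows.Match -contains $true) { 'matches a WinSxS component' }
               else { 'NO WinSxS copy matches - review this file' }

    [pscustomobject]@{
        LivePath = $LivePath
        LiveMD5  = $live.Hash
        LiveSize = (Get-Item $LivePath).Length
        Verdict  = $verdict
        Copies   = $rows
    }
}

# Usage: the 64-bit System32 copy, then the 32-bit one under SysWOW64.
$r = Compare-WithWinSxS -FileName 'powercfg.cpl'
$r | Select-Object LivePath, LiveMD5, LiveSize, Verdict | Format-List
$r.Copies | Format-Table -AutoSize

$r32 = Compare-WithWinSxS -FileName 'powercfg.cpl' -LivePath (Join-Path $env:SystemRoot 'SysWOW64\powercfg.cpl')
$r32 | Select-Object LivePath, LiveMD5, Verdict | Format-List
```

A live file whose hash matches no WinSxS component is not by itself malicious (a hotfix can ship a build the store does not hold yet), but it is the case that deserves a closer look, and the size column helps: in the log above the x64 and x86 builds of powercfg.cpl differ in size as well as hash, so a System32 copy that matched only the x86 entry would be wrong even though its hash is "known".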



#14 bpatters3309

bpatters3309
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:56 PM

Posted 12 August 2013 - 10:23 AM

Windows Update not working either - so many of the Services are Disabled (Services.msc).



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:56 PM

Posted 12 August 2013 - 11:58 AM

Download the ESET services repair tool and extract the file to your desktop.

  • Double-click ServicesRepair.exe.

  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.

  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.

  • A log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply.


Run the Farbar Service Scanner once again and post its report.




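The FSS report posted above shows the pattern this infection left behind: the keys for MpsSvc, bfe, wscsvc, wuauserv, BITS and iphlpsvc are gone outright, SharedAccess has lost its values, SDRSVC and VSS are set to Disabled, and yet every service binary passes the MD5 check. The PowerShell function below is an added example, not code from this thread, from Farbar or from ESET, that audits the same service keys directly from the registry so the result of the repair can be verified after the reboot. The service list and the ImagePath pattern are this example's assumptions, and it reports start types rather than asserting defaults, because the log states the default only for SDRSVC and VSS (3, Manual).

```powershell
# Added example (not from the thread): audit the service registry keys that
# Farbar Service Scanner reports on. Run from an elevated PowerShell prompt.
function Get-ServiceKeyAudit {
    param(
        # The services FSS checked in the log above (list is this example's assumption).
        [string[]]$Services = @('mpsdrv', 'MpsSvc', 'bfe', 'SDRSVC', 'VSS', 'wscsvc',
                                'wuauserv', 'BITS', 'SharedAccess', 'iphlpsvc')
    )
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $base       = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Service binaries belong under the Windows directory; the pattern below is an assumption
    # covering the usual %SystemRoot%, \SystemRoot\, full-path and bare system32\ forms.
    $sysroot    = [regex]::Escape($env:SystemRoot)
    $okImage    = "(?i)^`"?(%SystemRoot%|\\SystemRoot\\|$sysroot\\|system32\\)"

    foreach ($name in $Services) {
        $key = Join-Path $base $name
        if (-not (Test-Path $key)) {
            # The key itself is gone: the SCM no longer knows the service, so it cannot be started.
            [pscustomobject]@{ Service = $name; Status = 'KEY MISSING'; Start = $null; ImagePath = $null; ServiceDll = $null }
            continue
        }
        $props = Get-ItemProperty -Path $key
        $dll   = $null
        if (Test-Path "$key\Parameters") {
            $dll = (Get-ItemProperty -Path "$key\Parameters").ServiceDll
        }

        $status = if ($null -eq $props.Start)    { 'START VALUE MISSING' }   # SharedAccess case in the log
                  elseif ($props.Start -eq 4)    { 'DISABLED' }              # SDRSVC / VSS case in the log
                  elseif (-not $props.ImagePath) { 'IMAGEPATH MISSING' }
                  else                           { 'OK' }
        if ($props.ImagePath -and $props.ImagePath -notmatch $okImage) {
            $status += ' / UNEXPECTED IMAGEPATH'
        }
        $startName = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { $null }

        [pscustomobject]@{
            Service    = $name
            Status     = $status
            Start      = $startName
            ImagePath  = $props.ImagePath
            ServiceDll = $dll
        }
    }
}

# Usage: run once before the repair tool and once after the reboot, and compare the two tables.
Get-ServiceKeyAudit | Format-Table -AutoSize
```

Anything other than OK in the Status column after the repair means the service still cannot be started from Services.msc, whatever the file check says; a key that is present but whose ImagePath or ServiceDll points outside the Windows directory is the case to examine by hand before starting the service.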



