
Infected with Antivirus Security Pro, will not let me start in safe mode


This topic is locked. 36 replies to this topic.

#1 Guest_fuisce_* (Guests)

Posted 26 September 2013 - 02:13 PM

Hi,

I have a laptop running Windows 7 that has been infected with Antivirus Security Pro. When I try to start in Safe Mode the computer keeps restarting before I can do anything.

I cannot download any malware removal or any other software.

I cannot seem to start any programs.




#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 26 September 2013 - 04:28 PM

Hi there, my name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.


In the command window:

  • Type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64.exe) and press Enter.
  • Note: replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps).

#3 Guest_fuisce_* (Guests)

Posted 26 September 2013 - 05:32 PM

Hi Marius, I made a mistake, the laptop is actually running Vista.

I got into the BIOS but I don't see a Repair your computer menu option.



#4 TB-Psychotic (Malware Response Team)

Posted 27 September 2013 - 04:06 AM

Read my instructions carefully!

If you are running Vista, you need the Vista disc to boot into the recovery environment.



#5 Guest_fuisce_* (Guests)

Posted 27 September 2013 - 06:33 AM

Hi Marius, thank you for the quick reply, results here:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-09-2013
Ran by SYSTEM on MINWINPC on 27-09-2013 12:30:02
Running from E:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
Internet Explorer Version 7
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2314416 2013-08-23] ()
HKLM\...\Run: [OEM02Mon.exe] - C:\Windows\OEM02Mon.exe [36864 2007-05-09] (Creative Technology Ltd.)
HKLM\...\Run: [CoreChipTiManager] - C:\Windows\diskediag.exe [3339264 2012-08-18] (GP Systems Integration)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [995184 2013-07-18] ()
HKLM\...\Run: [AS2014] - C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe [737280 2013-09-18] ()
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe -sm,
HKU\Admin\...\Run: [Yontoo Desktop] - C:\Users\Admin\AppData\Roaming\Yontoo\YontooDesktop.exe [ 2013-01-31] (Yontoo LLC)
HKU\Admin\...\Run: [Google Update] - C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [ 2012-07-17] (Google Inc.)
HKU\Admin\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-20] (Microsoft Corporation)
HKU\Admin\...\Run: [Facebook Update] - C:\Users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [ 2013-08-07] (Facebook Inc.)
HKU\Admin\...\Run: [Google Update] - C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [ 2012-07-17] (Google Inc.)
HKU\Admin\...\Run: [AS2014] - C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe [ 2013-09-18] ()
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

========================== Services (Whitelisted) =================

S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2013-07-18] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295376 2013-07-18] ()
S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3273088 2013-09-16] (Skype Technologies S.A.)
S2 vToolbarUpdater15.5.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-08-23] (AVG Secure Search)
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{39eba293-b980-744e-ebef-8715204916f6}\ \...\???\{39eba293-b980-744e-ebef-8715204916f6}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-08-23] (AVG Technologies)
S0 CLFS; C:\Windows\System32\CLFS.sys [247352 2008-01-20] (Microsoft Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-27 12:29 - 2013-09-27 12:29 - 00000000 ____D C:\FRST
2013-09-26 10:42 - 2013-09-27 03:16 - 00001614 _____ C:\Users\Admin\Desktop\Antivirus Security Pro.lnk
2013-09-26 10:42 - 2013-09-27 03:16 - 00000118 _____ C:\Users\Admin\Desktop\Antivirus Security Pro support.url
2013-09-26 10:34 - 2013-09-26 10:34 - 03723656 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-09-26 10:26 - 2013-09-26 10:22 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Admin\Desktop\explorer.exe.exe
2013-09-18 09:42 - 2007-08-24 17:00 - 00172032 _____ (Intel Corporation) C:\Windows\System32\igfxres.dll
2013-09-18 02:50 - 2013-09-18 09:43 - 00000000 ____D C:\ProgramData\Xl3Vrn37
2013-09-18 02:50 - 2013-09-18 02:50 - 00000000 ____D C:\Program Files\Google
2013-09-08 10:05 - 2013-09-08 10:05 - 00000000 ____D C:\Program Files\Microsoft.NET
2013-09-06 01:06 - 2013-09-06 01:06 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-09-05 14:06 - 2013-09-05 14:06 - 00000000 ____D C:\ProgramData\WindowsSearch
2013-09-05 13:46 - 2013-09-14 01:18 - 00000000 ____D C:\Windows\System32\MRT
2013-09-05 13:32 - 2013-05-02 07:28 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-09-05 13:18 - 2013-09-05 13:18 - 00002154 _____ C:\Windows\epplauncher.mif
2013-09-05 13:18 - 2013-09-05 13:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-09-05 12:02 - 2013-09-05 12:02 - 00842240 _____ (Western Digital Corporation ) C:\Users\Admin\AppData\Roaming\B2AB.tmp

==================== One Month Modified Files and Folders =======

2013-09-27 12:29 - 2013-09-27 12:29 - 00000000 ____D C:\FRST
2013-09-27 03:16 - 2013-09-26 10:42 - 00001614 _____ C:\Users\Admin\Desktop\Antivirus Security Pro.lnk
2013-09-27 03:16 - 2013-09-26 10:42 - 00000118 _____ C:\Users\Admin\Desktop\Antivirus Security Pro support.url
2013-09-27 03:16 - 2013-05-20 12:24 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Dropbox
2013-09-27 03:16 - 2013-02-03 10:26 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Yontoo
2013-09-27 03:16 - 2012-07-10 14:25 - 00001356 _____ C:\Users\Admin\AppData\Local\d3d9caps.dat
2013-09-27 03:16 - 2006-11-02 04:47 - 00003712 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-27 03:16 - 2006-11-02 04:47 - 00003712 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-27 03:10 - 2013-05-23 08:38 - 00000000 ___RD C:\Users\Admin\Dropbox
2013-09-26 14:40 - 2006-11-02 02:33 - 00703198 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-26 10:34 - 2013-09-26 10:34 - 03723656 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2013-09-26 10:34 - 2012-07-17 13:23 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-09-26 10:34 - 2012-07-17 13:23 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-09-26 10:22 - 2013-09-26 10:26 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Admin\Desktop\explorer.exe.exe
2013-09-26 10:18 - 2012-07-28 06:46 - 00000000 ___RD C:\Program Files\Skype
2013-09-26 10:18 - 2012-07-28 06:46 - 00000000 ____D C:\ProgramData\Skype
2013-09-26 09:25 - 2008-01-20 17:35 - 01091643 _____ C:\Windows\WindowsUpdate.log
2013-09-18 09:43 - 2013-09-18 02:50 - 00000000 ____D C:\ProgramData\Xl3Vrn37
2013-09-18 02:50 - 2013-09-18 02:50 - 00000000 ____D C:\Program Files\Google
2013-09-18 02:50 - 2012-07-17 09:40 - 00000000 ____D C:\Users\Admin\AppData\Local\Google
2013-09-15 12:59 - 2012-08-08 03:31 - 00006680 _____ C:\Users\Admin\AppData\Roaming\wklnhst.dat
2013-09-15 11:47 - 2012-08-08 03:08 - 00002595 _____ C:\Users\Admin\Desktop\Microsoft Word.lnk
2013-09-15 10:35 - 2012-07-10 14:56 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-09-15 08:41 - 2012-09-07 00:04 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-09-14 01:18 - 2013-09-05 13:46 - 00000000 ____D C:\Windows\System32\MRT
2013-09-14 01:14 - 2006-11-02 02:24 - 76725432 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-09-13 11:11 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-09-08 10:42 - 2013-01-28 13:19 - 00002042 _____ C:\Users\Admin\Desktop\Google Chrome.lnk
2013-09-08 10:05 - 2013-09-08 10:05 - 00000000 ____D C:\Program Files\Microsoft.NET
2013-09-06 01:06 - 2013-09-06 01:06 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-09-05 14:06 - 2013-09-05 14:06 - 00000000 ____D C:\ProgramData\WindowsSearch
2013-09-05 13:50 - 2012-07-18 17:56 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-09-05 13:18 - 2013-09-05 13:18 - 00002154 _____ C:\Windows\epplauncher.mif
2013-09-05 13:18 - 2013-09-05 13:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-09-05 13:15 - 2008-01-20 18:47 - 00040460 _____ C:\Windows\PFRO.log
2013-09-05 13:09 - 2012-09-21 08:14 - 00000000 ____D C:\ProgramData\AVG2013
2013-09-05 13:09 - 2012-08-08 03:13 - 00000000 ____D C:\ProgramData\MFAData
2013-09-05 12:59 - 2006-11-02 02:22 - 30408704 _____ C:\Windows\System32\config\software_previous
2013-09-05 12:59 - 2006-11-02 02:22 - 27787264 _____ C:\Windows\System32\config\components_previous
2013-09-05 12:59 - 2006-11-02 02:22 - 16252928 _____ C:\Windows\System32\config\system_previous
2013-09-05 12:59 - 2006-11-02 02:22 - 00262144 _____ C:\Windows\System32\config\security_previous
2013-09-05 12:59 - 2006-11-02 02:22 - 00262144 _____ C:\Windows\System32\config\sam_previous
2013-09-05 12:59 - 2006-11-02 02:22 - 00262144 _____ C:\Windows\System32\config\default_previous
2013-09-05 12:58 - 2012-08-08 04:17 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2013-09-05 12:58 - 2012-07-10 14:25 - 00000000 ____D C:\users\Admin
2013-09-05 12:58 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool
2013-09-05 12:58 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\Msdtc
2013-09-05 12:58 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration
2013-09-05 12:02 - 2013-09-05 12:02 - 00842240 _____ (Western Digital Corporation ) C:\Users\Admin\AppData\Roaming\B2AB.tmp
2013-09-05 00:56 - 2012-07-18 17:55 - 00000000 ____D C:\Users\Admin\AppData\Roaming\HpUpdate

Files to move or delete:
====================
ZeroAccess:
C:\Users\Admin\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install


Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\avguidx.dll
C:\Users\Admin\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Admin\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Admin\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Admin\AppData\Local\Temp\minibar-master.exe
C:\Users\Admin\AppData\Local\Temp\oi_{34565135-9354-40A6-9F5D-00D5ACB4769C}.exe
C:\Users\Admin\AppData\Local\Temp\oi_{F75CC6CB-3BAD-46ED-A33F-A0D626E7F7CE}.exe
C:\Users\Admin\AppData\Local\Temp\OptimizerPro.exe
C:\Users\Admin\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Admin\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Admin\AppData\Local\Temp\UDPV264.EXE
C:\Users\Admin\AppData\Local\Temp\uninst1.exe
C:\Users\Admin\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Admin\AppData\Local\Temp\UpdateCheckerSetup.exe
C:\Users\Admin\AppData\Local\Temp\vlc-2.0.2-win32.exe
C:\Users\Admin\AppData\Local\Temp\YontooSetup-S.exe
C:\Users\Admin\AppData\Local\Temp\{5B5DDE51-CF5F-4ADF-98DB-7D0F81EEC384}-25.0.1364.97_24.0.1312.57_chrome_updater.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-08-05 15:00:19
Restore point made on: 2013-08-06 05:42:26
Restore point made on: 2013-08-08 01:15:32
Restore point made on: 2013-08-09 04:12:16
Restore point made on: 2013-08-28 14:39:47
Restore point made on: 2013-08-29 10:50:25
Restore point made on: 2013-08-30 02:24:12
Restore point made on: 2013-08-30 15:00:12
Restore point made on: 2013-09-01 01:31:42
Restore point made on: 2013-09-05 03:14:18
Restore point made on: 2013-09-05 13:06:14
Restore point made on: 2013-09-05 13:08:46
Restore point made on: 2013-09-05 13:17:32
Restore point made on: 2013-09-05 13:32:12
Restore point made on: 2013-09-05 13:45:25
Restore point made on: 2013-09-06 00:10:06
Restore point made on: 2013-09-08 10:03:32
Restore point made on: 2013-09-08 10:11:39
Restore point made on: 2013-09-12 06:52:48
Restore point made on: 2013-09-13 09:55:35
Restore point made on: 2013-09-14 01:14:38
Restore point made on: 2013-09-15 01:35:52
Restore point made on: 2013-09-16 03:51:55
Restore point made on: 2013-09-16 04:57:00
Restore point made on: 2013-09-17 01:28:20
Restore point made on: 2013-09-17 10:31:50
Restore point made on: 2013-09-18 01:28:42

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 2037.43 MB
Available physical RAM: 1604.04 MB
Total Pagefile: 1845.88 MB
Available Pagefile: 1659.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.24 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.88 GB) (Free:172.75 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (VISTA_32_PREMIUM) (CDROM) (Total:2.84 GB) (Free:0 GB) CDFS
Drive e: () (Removable) (Total:0.95 GB) (Free:0.83 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 06A08A20)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 972 MB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=972 MB) - (Type=06)


LastRegBack: 2013-09-26 14:38

==================== End Of Log ============================



#6 TB-Psychotic (Malware Response Team)

Posted 27 September 2013 - 08:31 AM

Fix with FRST (Recovery Environment)

  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

HKLM\...\Run: [CoreChipTiManager] - C:\Windows\diskediag.exe [3339264 2012-08-18] (GP Systems Integration)
HKLM\...\Run: [AS2014] - C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe [737280 2013-09-18] ()
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe -sm,
HKU\Admin\...\Run: [Yontoo Desktop] - C:\Users\Admin\AppData\Roaming\Yontoo\YontooDesktop.exe [ 2013-01-31] (Yontoo LLC)
HKU\Admin\...\Run: [AS2014] - C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe [ 2013-09-18] ()

S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{39eba293-b980-744e-ebef-8715204916f6}\ \...\???\{39eba293-b980-744e-ebef-8715204916f6}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

C:\ProgramData\Xl3Vrn37
C:\Users\Admin\AppData\Roaming\Yontoo
C:\Program Files\Google\Desktop
C:\Users\Admin\AppData\Local\Google\Desktop
C:\Users\Admin\Desktop\Antivirus Security Pro.lnk
C:\Users\Admin\Desktop\Antivirus Security Pro support.url
C:\Users\Admin\AppData\Local\Temp\avguidx.dll
C:\Users\Admin\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Admin\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Admin\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Admin\AppData\Local\Temp\minibar-master.exe
C:\Users\Admin\AppData\Local\Temp\oi_{34565135-9354-40A6-9F5D-00D5ACB4769C}.exe
C:\Users\Admin\AppData\Local\Temp\oi_{F75CC6CB-3BAD-46ED-A33F-A0D626E7F7CE}.exe
C:\Users\Admin\AppData\Local\Temp\OptimizerPro.exe
C:\Users\Admin\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Admin\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Admin\AppData\Local\Temp\UDPV264.EXE
C:\Users\Admin\AppData\Local\Temp\uninst1.exe
C:\Users\Admin\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Admin\AppData\Local\Temp\UpdateCheckerSetup.exe
C:\Users\Admin\AppData\Local\Temp\vlc-2.0.2-win32.exe
C:\Users\Admin\AppData\Local\Temp\YontooSetup-S.exe
C:\Users\Admin\AppData\Local\Temp\{5B5DDE51-CF5F-4ADF-98DB-7D0F81EEC384}-25.0.1364.97_24.0.1312.57_chrome_updater.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options again.


  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now boot into Windows!

Run FRST64.exe from your flash drive and hit scan.

Post up the log when ready.


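The scan in post #5 and the fixlist in post #6 show the pattern a responder looks for in an FRST log: a Run entry and a Winlogon Userinit entry pointing at an unsigned executable in a random-named ProgramData folder (the rogue itself; Userinit entries run even in Safe Mode, which Run keys do not), a service whose name starts with an asterisk and whose path contains components such as "\...\" and "???" that ordinary file operations cannot open (hence the "Could not move" lines in the Fixlog), and reparse points planted in the Windows Defender and Microsoft Security Client folders. The Python below is an added example, not FRST's code and not posted by anyone in this thread: it parses a few lines copied from that log, applies those rules, and emits a fixlist in the layout the helper used. The heuristics (missing publisher plus a user-writable directory, non-alphanumeric service name, impossible path tokens) are this example's assumptions, not FRST's detection logic, and the fixlist it prints is a draft for a person to review, not something to run unread.

```python
"""Triage an FRST scan log for the persistence and ZeroAccess indicators seen in this thread.

Added example: not FRST's own logic, and not posted by anyone in the thread. The flagging
rules are heuristics (assumptions) chosen to reproduce what the helper did by hand.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the FRST scan posted above, plus the clean HP entry
# and the real MsMpSvc service as controls. In practice, read FRST.txt from the flash drive.
SAMPLE_LOG = [
    r'HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)',
    r'HKLM\...\Run: [AS2014] - C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe [737280 2013-09-18] ()',
    r'HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe -sm,',
    r'HKU\Admin\...\Run: [AS2014] - C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe [ 2013-09-18] ()',
    r'S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2013-07-18] ()',
    r'S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{39eba293-b980-744e-ebef-8715204916f6}\ \...\???\{39eba293-b980-744e-ebef-8715204916f6}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)',
    r'C:\Windows\System32\userinit.exe => MD5 is legit',
    r'C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender',
]

RUN_RE = re.compile(r'^(?P<hive>HK[^:]*)\\Run: \[(?P<name>[^\]]*)\] - (?P<image>.*?)(?: \[[^\]]*\])? \((?P<publisher>[^)]*)\)$')
USERINIT_RE = re.compile(r'\\Winlogon: \[Userinit\] (?P<value>.*)$')
SERVICE_RE = re.compile(r'^S\d (?P<name>[^;]+); (?P<path>.*)$')
JUNCTION_RE = re.compile(r'Use DeleteJunctionsIndirectory: (?P<dir>.+)$')

# Heuristic (assumption): an autorun image with no publisher string in a user-writable directory.
SUSPICIOUS_DIRS = ('\\programdata\\', '\\appdata\\local\\temp\\', '\\appdata\\roaming\\')
# Path components normal Win32 file calls cannot open; the Fixlog's "Could not move" is the symptom.
IMPOSSIBLE_PATH_TOKENS = ('\\...\\', '???', '\\ \\')


def userinit_extras(value: str) -> List[str]:
    """Entries of a Winlogon Userinit value other than the system userinit.exe.

    A clean Vista/7 value is exactly 'C:\\Windows\\system32\\userinit.exe,'. Anything extra
    runs at every interactive logon, Safe Mode included, which Run keys do not.
    """
    entries = [e.strip() for e in value.split(',') if e.strip()]
    return [e for e in entries if not e.lower().endswith('\\system32\\userinit.exe')]


def parent_dir(image: str) -> str:
    """Directory of an image path, dropping trailing arguments such as ' -sm'."""
    end = image.lower().find('.exe')
    if end != -1:
        image = image[:end + 4]
    return image.rsplit('\\', 1)[0]


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Flag suspicious lines and build an FRST-style fixlist from them.

    Registry and service lines go in verbatim (FRST matches them by value), followed by
    the directories to move and the DeleteJunctionsIndirectory directives, as in post #6.
    """
    findings: List[str] = []
    verbatim: List[str] = []
    directories: List[str] = []
    junctions: List[str] = []
    for raw in lines:
        line = raw.rstrip()
        m = USERINIT_RE.search(line)
        if m:
            extras = userinit_extras(m.group('value'))
            if extras:
                findings.append(f'Userinit hijack: {extras}')
                verbatim.append(line)  # FRST restores the default Userinit value
                directories.extend(parent_dir(e) for e in extras)
            continue
        m = RUN_RE.match(line)
        if m:
            image = m.group('image')
            if not m.group('publisher') and any(d in image.lower() for d in SUSPICIOUS_DIRS):
                findings.append(f"Run entry {m.group('name')!r}: unsigned image in {parent_dir(image)}")
                verbatim.append(line)
                directories.append(parent_dir(image))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group('name'), m.group('path')
            impossible = any(t in path for t in IMPOSSIBLE_PATH_TOKENS)
            if not name[0].isalnum() or impossible or 'ATTENTION' in line:
                findings.append(f'Service {name!r}: non-alphanumeric name or impossible path')
                verbatim.append(line)
            continue
        m = JUNCTION_RE.search(line)
        if m:
            findings.append(f"Junctions planted in {m.group('dir')}")
            junctions.append(f"DeleteJunctionsIndirectory: {m.group('dir')}")
    # dict.fromkeys keeps first-seen order while dropping the repeated ProgramData directory.
    return {'findings': findings, 'fixlist': list(dict.fromkeys(verbatim + directories + junctions))}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    print('\n'.join(result['findings']))
    print('\n--- draft fixlist.txt ---')
    print('\n'.join(result['fixlist']))
```

Run it as a script to print the findings and the draft fixlist; for a real case, read FRST.txt into a list of lines and pass that to triage(). The Fixlog in the next post shows the limit of a recovery-environment run: the service and the junctions could not be removed there, which is why the helper follows up with a normal-mode FRST run.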

#7 Guest_fuisce_* (Guests)

Posted 27 September 2013 - 10:52 AM

Hi,

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-09-2013
Ran by SYSTEM at 2013-09-27 16:50:47 Run:1
Running from E:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [CoreChipTiManager] - C:\Windows\diskediag.exe [3339264 2012-08-18] (GP Systems Integration)
HKLM\...\Run: [AS2014] - C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe [737280 2013-09-18] ()
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe -sm,
HKU\Admin\...\Run: [Yontoo Desktop] - C:\Users\Admin\AppData\Roaming\Yontoo\YontooDesktop.exe [ 2013-01-31] (Yontoo LLC)
HKU\Admin\...\Run: [AS2014] - C:\ProgramData\Xl3Vrn37\Xl3Vrn37.exe [ 2013-09-18] ()

S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{39eba293-b980-744e-ebef-8715204916f6}\ \...\???\{39eba293-b980-744e-ebef-8715204916f6}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

C:\ProgramData\Xl3Vrn37
C:\Users\Admin\AppData\Roaming\Yontoo
C:\Program Files\Google\Desktop
C:\Users\Admin\AppData\Local\Google\Desktop
C:\Users\Admin\Desktop\Antivirus Security Pro.lnk
C:\Users\Admin\Desktop\Antivirus Security Pro support.url
C:\Users\Admin\AppData\Local\Temp\avguidx.dll
C:\Users\Admin\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Admin\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Admin\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Admin\AppData\Local\Temp\minibar-master.exe
C:\Users\Admin\AppData\Local\Temp\oi_{34565135-9354-40A6-9F5D-00D5ACB4769C}.exe
C:\Users\Admin\AppData\Local\Temp\oi_{F75CC6CB-3BAD-46ED-A33F-A0D626E7F7CE}.exe
C:\Users\Admin\AppData\Local\Temp\OptimizerPro.exe
C:\Users\Admin\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Admin\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Admin\AppData\Local\Temp\UDPV264.EXE
C:\Users\Admin\AppData\Local\Temp\uninst1.exe
C:\Users\Admin\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Admin\AppData\Local\Temp\UpdateCheckerSetup.exe
C:\Users\Admin\AppData\Local\Temp\vlc-2.0.2-win32.exe
C:\Users\Admin\AppData\Local\Temp\YontooSetup-S.exe
C:\Users\Admin\AppData\Local\Temp\{5B5DDE51-CF5F-4ADF-98DB-7D0F81EEC384}-25.0.1364.97_24.0.1312.57_chrome_updater.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\CoreChipTiManager => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
HKU\Admin\Software\Microsoft\Windows\CurrentVersion\Run\\Yontoo Desktop => Value deleted successfully.
HKU\Admin\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
*etadpug => Unable to delete service
*etadpug => Service should be removed with FRST outside recovery mode.
C:\ProgramData\Xl3Vrn37 => Moved successfully.
C:\Users\Admin\AppData\Roaming\Yontoo => Moved successfully.
"C:\Program Files\Google\Desktop" => Could not move.
"C:\Users\Admin\AppData\Local\Google\Desktop" => Could not move.
C:\Users\Admin\Desktop\Antivirus Security Pro.lnk => Moved successfully.
C:\Users\Admin\Desktop\Antivirus Security Pro support.url => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\avguidx.dll => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\CommonInstaller.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\MachineIdCreator.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\minibar-master.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\oi_{34565135-9354-40A6-9F5D-00D5ACB4769C}.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\oi_{F75CC6CB-3BAD-46ED-A33F-A0D626E7F7CE}.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\OptimizerPro.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\ToolbarInstaller.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\UDPV264.EXE => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\uninst1.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\UNINSTALL.EXE => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\UpdateCheckerSetup.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\vlc-2.0.2-win32.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\YontooSetup-S.exe => Moved successfully.
C:\Users\Admin\AppData\Local\Temp\{5B5DDE51-CF5F-4ADF-98DB-7D0F81EEC384}-25.0.1364.97_24.0.1312.57_chrome_updater.exe => Moved successfully.
Error: DeleteJunctionsIndirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.
Error: DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client => entry should be fixed outside recovery mode.

==== End of Fixlog ====



#8 Guest_fuisce_* (Guests)

Posted 27 September 2013 - 11:02 AM

Hi, I booted into Windows and ran the scan tool and it gave me two files, an FRST file and an Addition file, first one here:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-09-2013
Ran by Admin (administrator) on ADMIN-PC on 27-09-2013 16:55:12
Running from E:\
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 7
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.2.241.0\BBSvc.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Skype Technologies) C:\Program Files\Skype\Updater\Updater.exe
(AVG Secure Search) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe
() C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\loggingserver.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files\AVG Secure Search\vprot.exe
(Creative Technology Ltd.) C:\Windows\OEM02Mon.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Dropbox, Inc.) C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2314416 2013-08-23] ()
HKLM\...\Run: [OEM02Mon.exe] - C:\Windows\OEM02Mon.exe [36864 2007-05-09] (Creative Technology Ltd.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [995184 2013-07-18] ()
HKCU\...\Run: [Google Update] - C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-17] (Google Inc.)
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
HKCU\...\Run: [Facebook Update] - C:\Users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2013-08-07] (Facebook Inc.)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {1260a4d6-cadd-11e1-b9cd-806e6f6e6963} - D:\setup.exe
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
URLSearchHook: UsProvider Class - {539F76FD-084E-4858-86D5-62F02F54AE86} - C:\Program Files\Minibar\Minibar.dll (KangoExtensions)
SearchScopes: HKLM - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm049YYie&ptnrS=XPxdm049YYie&si=2271&ptb=7632B854-6642-4BDF-8D65-7DC481E8B119&psa=&ind=2012091610&st=sb&n=77ee14da&searchfor={searchTerms}
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=109220&tt=5112_8&babsrc=SP_ss&mntrId=1e9bad8800000000000000219bcc4c98
SearchScopes: HKCU - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm049YYie&ptnrS=XPxdm049YYie&si=2271&ptb=7632B854-6642-4BDF-8D65-7DC481E8B119&psa=&ind=2012091610&st=sb&n=77ee14da&searchfor={searchTerms}
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: MinibarBHO - {AA74D58F-ACD0-450D-A85E-6C04B171C044} - C:\Program Files\Minibar\Minibar.dll (KangoExtensions)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: Yontoo - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\15.5.0\ViProtocol.dll (AVG Secure Search)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default
FF user.js: detected! => C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\user.js

FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_168.dll ()
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.5.0\\npsitesafety.dll (AVG Technologies)
FF Plugin: @java.com/DTPlugin,version=1.6.0_33 - C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 - C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\Admin\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Admin\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Admin\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\searchplugins\babylon1.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
FF Extension: Yontoo - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\plugin@yontoo.com
FF Extension: freehdsport - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\freehdsport@freehdsport.tv.xpi
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

Chrome:
=======


CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Admin\AppData\Local\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Admin\AppData\Local\Google\Chrome\Application\29.0.1547.66\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Admin\AppData\Local\Google\Chrome\Application\29.0.1547.66\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.220.4) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U22) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Users\Admin\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Extension: (FreeHDSport.TV) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgnnidmnbdkmhfkjgdnngciimpdgohok\1.2_0
CHR Extension: (Skype Click to Call) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_1
CHR Extension: (Yontoo) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR HKLM\...\Chrome\Extension: [bgnnidmnbdkmhfkjgdnngciimpdgohok] - C:\Program Files\IlemiTVApp.com\stv12.crx
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx
CHR HKLM\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\\ChromeExt\\avg.crx
CHR HKLM\...\Chrome\Extension: [niapdbllcanepiiimjjndipklodoedlc] - C:\Program Files\Yontoo\YontooLayers.crx
CHR StartMenuInternet: Google Chrome - C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2013-07-18] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295376 2013-07-18] ()
R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3273088 2013-09-16] (Skype Technologies S.A.)
R2 vToolbarUpdater15.5.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-08-23] (AVG Secure Search)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{39eba293-b980-744e-ebef-8715204916f6}\ \...\???\{39eba293-b980-744e-ebef-8715204916f6}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-08-23] (AVG Technologies)
R0 CLFS; C:\Windows\System32\CLFS.sys [247352 2008-01-21] (Microsoft Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-27 21:29 - 2013-09-27 21:29 - 00000000 ____D C:\FRST
2013-09-27 16:42 - 2013-09-27 16:42 - 00135120 _____ C:\Windows\Minidump\Mini092713-01.dmp
2013-09-26 19:34 - 2013-09-26 19:34 - 03723656 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerInstaller.exe
2013-09-18 18:42 - 2007-08-25 02:00 - 00172032 _____ (Intel Corporation) C:\Windows\system32\igfxres.dll
2013-09-18 11:56 - 2013-09-18 11:56 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-09-18 11:50 - 2013-09-18 11:50 - 00000000 ____D C:\Program Files\Google
2013-09-08 19:05 - 2013-09-08 19:05 - 00000000 ____D C:\Program Files\Microsoft.NET
2013-09-06 10:06 - 2013-09-06 10:06 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-09-05 23:06 - 2013-09-05 23:06 - 00000000 ____D C:\ProgramData\WindowsSearch
2013-09-05 22:46 - 2013-09-14 10:18 - 00000000 ____D C:\Windows\system32\MRT
2013-09-05 22:32 - 2013-05-02 16:28 - 00238872 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2013-09-05 22:18 - 2013-09-05 22:18 - 00002154 _____ C:\Windows\epplauncher.mif
2013-09-05 22:18 - 2013-09-05 22:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-09-05 21:02 - 2013-09-05 21:02 - 00842240 _____ (Western Digital Corporation ) C:\Users\Admin\AppData\Roaming\B2AB.tmp

==================== One Month Modified Files and Folders =======

2013-09-27 21:29 - 2013-09-27 21:29 - 00000000 ____D C:\FRST
2013-09-27 16:55 - 2006-11-02 13:52 - 00044964 _____ C:\Windows\setupact.log
2013-09-27 16:54 - 2013-06-07 21:29 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job
2013-09-27 16:54 - 2013-06-03 14:23 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-09-27 16:54 - 2013-05-23 17:38 - 00000000 ___RD C:\Users\Admin\Dropbox
2013-09-27 16:54 - 2013-05-20 21:24 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Dropbox
2013-09-27 16:54 - 2012-07-10 23:25 - 00001356 _____ C:\Users\Admin\AppData\Local\d3d9caps.dat
2013-09-27 16:54 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-27 16:54 - 2006-11-02 13:47 - 00003712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-27 16:54 - 2006-11-02 13:47 - 00003712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-27 16:43 - 2006-11-02 14:01 - 00032634 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-27 16:42 - 2013-09-27 16:42 - 00135120 _____ C:\Windows\Minidump\Mini092713-01.dmp
2013-09-27 16:42 - 2012-07-10 23:30 - 00000000 ____D C:\Windows\Minidump
2013-09-26 23:40 - 2006-11-02 11:33 - 00703198 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-26 23:34 - 2012-07-17 22:23 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-26 21:19 - 2012-07-17 18:40 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000UA.job
2013-09-26 20:26 - 2012-07-19 05:51 - 00000338 _____ C:\Windows\Tasks\HP Photo Creations Communicator.job
2013-09-26 19:34 - 2013-09-26 19:34 - 03723656 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerInstaller.exe
2013-09-26 19:34 - 2012-07-17 22:23 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-09-26 19:34 - 2012-07-17 22:23 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-09-26 19:19 - 2012-07-18 01:56 - 00000418 ____H C:\Windows\Tasks\User_Feed_Synchronization-{88DCFA00-C0F9-4767-AF90-E1DC3DF8C4A8}.job
2013-09-26 19:18 - 2012-07-28 15:46 - 00000000 ___RD C:\Program Files\Skype
2013-09-26 19:18 - 2012-07-28 15:46 - 00000000 ____D C:\ProgramData\Skype
2013-09-26 18:25 - 2008-01-21 02:35 - 01091643 _____ C:\Windows\WindowsUpdate.log
2013-09-18 12:28 - 2013-08-07 21:23 - 00000928 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000UA.job
2013-09-18 11:56 - 2013-09-18 11:56 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-09-18 11:50 - 2013-09-18 11:50 - 00000000 ____D C:\Program Files\Google
2013-09-18 11:50 - 2012-07-17 18:40 - 00000000 ____D C:\Users\Admin\AppData\Local\Google
2013-09-17 21:28 - 2013-08-07 21:23 - 00000906 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000Core.job
2013-09-17 15:19 - 2012-07-17 18:40 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000Core.job
2013-09-15 21:59 - 2012-08-08 12:31 - 00006680 _____ C:\Users\Admin\AppData\Roaming\wklnhst.dat
2013-09-15 20:47 - 2012-08-08 12:08 - 00002595 _____ C:\Users\Admin\Desktop\Microsoft Word.lnk
2013-09-15 19:35 - 2012-07-10 23:56 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-09-15 17:41 - 2012-09-07 09:04 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-09-14 10:18 - 2013-09-05 22:46 - 00000000 ____D C:\Windows\system32\MRT
2013-09-14 10:14 - 2006-11-02 11:24 - 76725432 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-09-13 20:11 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-09-08 19:42 - 2013-01-28 22:19 - 00002042 _____ C:\Users\Admin\Desktop\Google Chrome.lnk
2013-09-08 19:05 - 2013-09-08 19:05 - 00000000 ____D C:\Program Files\Microsoft.NET
2013-09-06 10:06 - 2013-09-06 10:06 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-09-05 23:06 - 2013-09-05 23:06 - 00000000 ____D C:\ProgramData\WindowsSearch
2013-09-05 22:50 - 2012-07-19 02:56 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-09-05 22:18 - 2013-09-05 22:18 - 00002154 _____ C:\Windows\epplauncher.mif
2013-09-05 22:18 - 2013-09-05 22:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-09-05 22:15 - 2008-01-21 03:47 - 00040460 _____ C:\Windows\PFRO.log
2013-09-05 22:09 - 2012-09-21 17:14 - 00000000 ____D C:\ProgramData\AVG2013
2013-09-05 22:09 - 2012-08-08 12:13 - 00000000 ____D C:\ProgramData\MFAData
2013-09-05 21:59 - 2006-11-02 11:22 - 30408704 _____ C:\Windows\system32\config\software_previous
2013-09-05 21:59 - 2006-11-02 11:22 - 27787264 _____ C:\Windows\system32\config\components_previous
2013-09-05 21:59 - 2006-11-02 11:22 - 16252928 _____ C:\Windows\system32\config\system_previous
2013-09-05 21:59 - 2006-11-02 11:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2013-09-05 21:59 - 2006-11-02 11:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2013-09-05 21:59 - 2006-11-02 11:22 - 00262144 _____ C:\Windows\system32\config\default_previous
2013-09-05 21:58 - 2012-08-08 13:17 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2013-09-05 21:58 - 2012-07-10 23:25 - 00000000 ____D C:\Users\Admin
2013-09-05 21:58 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system32\spool
2013-09-05 21:58 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system32\Msdtc
2013-09-05 21:58 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\registration
2013-09-05 21:02 - 2013-09-05 21:02 - 00842240 _____ (Western Digital Corporation ) C:\Users\Admin\AppData\Roaming\B2AB.tmp
2013-09-05 09:56 - 2012-07-19 02:55 - 00000000 ____D C:\Users\Admin\AppData\Roaming\HpUpdate

Files to move or delete:
====================
ZeroAccess:
C:\Users\Admin\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client


LastRegBack: 2013-09-26 23:38

==================== End Of Log ============================


Addition file:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-09-2013
Ran by Admin at 2013-09-27 16:56:10
Running from E:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

Acrobat.com (Version: 1.6.65)
Adobe AIR (Version: 1.5.0.7220)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.175)
Adobe Flash Player 11 Plugin (Version: 11.8.800.168)
Adobe Reader 9.5.5 (Version: 9.5.5)
Antivirus Security Pro
Bing Bar (Version: 7.2.241.0)
Bing Rewards Client Installer (Version: 16.0.345.0)
BlackBerry Device Software v5.0.0 for the BlackBerry 8520 smartphone (Version: 5.0.0.1036 (Platform 5.2.0.104))
BlackBerry Device Software v5.0.0 for the BlackBerry 8520 smartphone (Version: 5.0.0.681 (Platform 5.2.0.67))
Coupon Printer for Windows (Version: 5.0.0.0)
Dell Resource CD (Version: 1.00.0000)
Dropbox (HKCU Version: 2.0.22)
Facebook Video Calling 1.2.0.287 (Version: 1.2.287)
Google Chrome (HKCU Version: 29.0.1547.66)
Google Chrome Extension Updater 1.12.02 (Version: 1.12.02)
HP Deskjet 3070 B611 series Basic Device Software (Version: 25.0.571.0)
HP Deskjet 3070 B611 series Help (Version: 140.0.2.2)
HP Deskjet 3070 B611 series Product Improvement Study (Version: 25.0.571.0)
HP Photo Creations (Version: 1.0.0.8812)
HP Update (Version: 5.005.000.002)
HPDiagnosticAlert (Version: 1.00.0000)
IlemiTVApp (Version: 2.1 Build 26473)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.1930)
Intel® TV Wizard
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 33 (Version: 6.0.330)
Laptop Integrated Webcam Driver (1.04.01.1011)
LayoutsExpress
Marvell Miniport Driver (Version: 10.22.6.3)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Digital Image Library 9 - Blocker (Version: 9.00.0000)
Microsoft Photo Premium 10 (Version: 10.0.0707)
Microsoft Picture It! Library 10 (Version: 10.0.0707)
Microsoft Security Client (Version: 4.3.0216.0)
Microsoft Security Essentials (Version: 4.3.216.0)
Microsoft Silverlight (Version: 5.1.20513.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Word 2002 (Version: 10.0.2627.01)
Microsoft Works (Version: 08.04.0623)
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word (Version: 8.0.0.0000)
Mozilla Firefox 23.0.1 (x86 en-US) (Version: 23.0.1)
Mozilla Maintenance Service (Version: 23.0.1)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
OpenOffice.org 3.3 (Version: 3.3.9567)
Skype Click to Call (Version: 6.12.13601)
Skype™ 6.0 (Version: 6.0.126)
Spelling Dictionaries Support For Adobe Reader 9 (Version: 9.0.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
WinRAR 4.20 beta 1 (32-bit) (Version: 4.20.1)
Works Upgrade (Version: 8.0.0.0000)
Yontoo 1.10.03 (Version: 1.10.03)

==================== Restore Points =========================

05-08-2013 23:00:04 Scheduled Checkpoint
06-08-2013 13:42:13 Scheduled Checkpoint
08-08-2013 09:15:19 Scheduled Checkpoint
09-08-2013 12:12:02 Scheduled Checkpoint
28-08-2013 22:39:36 Scheduled Checkpoint
29-08-2013 18:50:13 Scheduled Checkpoint
30-08-2013 10:24:00 Scheduled Checkpoint
30-08-2013 23:00:00 Scheduled Checkpoint
01-09-2013 09:31:31 Scheduled Checkpoint
05-09-2013 11:14:06 Scheduled Checkpoint
05-09-2013 21:06:00 Removed AVG 2013
05-09-2013 21:08:41 Removed AVG 2013
05-09-2013 21:17:03 Windows Update
05-09-2013 21:31:55 Windows Update
05-09-2013 21:45:11 Windows Update
06-09-2013 08:09:49 Windows Update
08-09-2013 18:02:28 Windows Update
08-09-2013 18:11:21 Windows Update
12-09-2013 14:51:57 Windows Update
13-09-2013 17:55:13 Windows Update
14-09-2013 09:14:21 Windows Update
15-09-2013 09:35:33 Windows Update
16-09-2013 11:51:44 Scheduled Checkpoint
16-09-2013 12:56:51 Windows Update
17-09-2013 09:28:08 Scheduled Checkpoint
17-09-2013 18:31:29 Windows Update
18-09-2013 09:28:29 Scheduled Checkpoint

==================== Hosts content: ==========================

2006-11-02 11:23 - 2006-09-18 22:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {0EC1DD1A-3F59-4B62-AECB-C90D135D9105} - System32\Tasks\HPCustParticipation HP Deskjet 3070 B611 series => C:\Program Files\HP\HP Deskjet 3070 B611 series\Bin\HPCustPartic.exe [2011-06-09] (Hewlett-Packard Co.)
Task: {135762EC-1E56-45DD-9CD7-626778A86C65} - System32\Tasks\User_Feed_Synchronization-{88DCFA00-C0F9-4767-AF90-E1DC3DF8C4A8} => C:\Windows\system32\msfeedssync.exe [2008-01-21] (Microsoft Corporation)
Task: {144C2E48-3307-47CD-A7B1-EE2467B3DE18} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv => C:\Windows\TEMP\{48D540E9-6621-42D3-93D4-81C86E01CE2F}.exe
Task: {1A8266FA-4AE9-4E39-AC47-ACA1A5AD8B3E} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000Core => C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-17] (Google Inc.)
Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {2565F64F-034A-46B8-B34C-6402C41FE300} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000Core => C:\Users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-08-07] (Facebook Inc.)
Task: {2D24291D-0BB8-48BB-843A-864B1E3EE55E} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000UA => C:\Users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-08-07] (Facebook Inc.)
Task: {320124A7-D70F-41DE-A9D1-D5E8E19D5D91} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {3BCDF251-CA5C-4045-A1FC-8FCEF9FBDC93} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {44980BEE-7809-44A9-AC24-D6E578A3B7DF} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-21] (Microsoft Corporation)
Task: {88752860-04C5-41FB-B68B-9771BBD4B202} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-26] (Adobe Systems Incorporated)
Task: {92437052-6C3D-4159-A5FC-0B4F1098EBC9} - System32\Tasks\0 => Chrome.exe
Task: {991795F8-9727-44DD-8B76-914C31E229B5} - System32\Tasks\HP Photo Creations Communicator => C:\ProgramData\HP Photo Creations\Communicator.exe [2012-07-19] ()
Task: {A40C9DA6-B42F-4C19-B906-5B688A5C1DE7} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe [2013-07-18] ()
Task: {A728AE6B-5AB8-4223-AD3E-E6341441A01C} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => C:\Windows\system32\pla.dll [2008-01-21] (Microsoft Corporation)
Task: {CEDFFDED-2799-472A-9133-F01C192B6FDD} - System32\Tasks\Microsoft\Windows\RestartManager\{E2F85F37-4A79-4aca-BC39-778B3923DD3C} => C:\Windows\system32\rmclient.exe [2006-11-02] (Microsoft Corporation)
Task: {E5150B95-F9B4-4D5D-95A2-7EC1ACBA95F8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-21] ()
Task: {E6A1A9CD-0937-42AF-BE16-3E5DDBBFA297} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\Windows\TEMP\{7E8A46EB-DB2E-46B7-946E-AF013A48FDCD}.exe
Task: {F87862AE-67B9-48B8-AC70-7E323A85ACBD} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000UA => C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-17] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job => C:\Windows\TEMP\{48D540E9-6621-42D3-93D4-81C86E01CE2F}.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{7E8A46EB-DB2E-46B7-946E-AF013A48FDCD}.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000Core.job => C:\Users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000UA.job => C:\Users\Admin\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000Core.job => C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3679710135-1723486687-3366708624-1000UA.job => C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HP Photo Creations Communicator.job => C:\ProgramData\HP Photo Creations\Communicator.exe
Task: C:\Windows\Tasks\User_Feed_Synchronization-{88DCFA00-C0F9-4767-AF90-E1DC3DF8C4A8}.job => C:\Windows\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

2013-05-17 15:45 - 2013-05-17 15:45 - 00130736 _____ (Dropbox, Inc.) C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
2013-08-23 16:07 - 2013-08-23 16:05 - 00521904 _____ () C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\log4cplusU.dll
2013-08-23 16:07 - 2013-08-23 16:05 - 00144560 _____ () C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.5.0\SiteSafety.dll
2012-11-14 00:32 - 2012-11-14 00:32 - 03558400 _____ (wxWidgets development team) C:\Users\Admin\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll
2013-03-13 21:48 - 2013-03-13 21:48 - 24978944 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libcef.dll
2013-03-13 21:48 - 2013-03-13 21:48 - 09956864 _____ (The ICU Project) C:\Users\Admin\AppData\Roaming\Dropbox\bin\icudt.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\TEMP:8927A071

==================== Safe Mode (whitelisted) ===================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/27/2013 04:55:19 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/27/2013 04:39:52 PM) (Source: Application Error) (User: )
Description: Faulting application GoogleUpdate.exe, version 0.0.0.0, time stamp 0x52394973, faulting module GoogleUpdate.exe, version 0.0.0.0, time stamp 0x52394973, exception code 0xc0000005, fault offset 0x00001eb3,
process id 0xb20, application start time 0xGoogleUpdate.exe0.

Error: (09/27/2013 04:39:50 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/27/2013 00:17:45 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/27/2013 00:10:59 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/27/2013 00:08:12 PM) (Source: Software Licensing Service) (User: )
Description: The Software Licensing service failed to start. hr=0x80070002, [2, 4]

Error: (09/27/2013 00:05:42 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/26/2013 11:34:37 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/26/2013 11:31:47 PM) (Source: Software Licensing Service) (User: )
Description: The Software Licensing service failed to start. hr=0x80070002, [2, 4]

Error: (09/26/2013 07:43:38 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (09/27/2013 04:56:12 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070424

Error: (09/27/2013 04:55:19 PM) (Source: Service Control Manager) (User: )
Description: Microsoft Network Inspection SystemBFE

Error: (09/27/2013 04:55:19 PM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBFE

Error: (09/27/2013 04:55:19 PM) (Source: Service Control Manager) (User: )
Description: Computer Browser%%1060

Error: (09/27/2013 04:55:19 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (09/27/2013 04:55:19 PM) (Source: Service Control Manager) (User: )
Description: Microsoft Antimalware Service%%5

Error: (09/27/2013 04:54:11 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070424

Error: (09/27/2013 04:54:03 PM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (09/27/2013 04:54:03 PM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueue0.0.0.0:4482

Error: (09/27/2013 04:54:05 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer HP Deskjet 3070 B611 series (Network) with shared resource name HP Deskjet 3070 B611 series (Network). Error 1753. The printer cannot be used by others on the network.


Microsoft Office Sessions:
=========================
Error: (09/27/2013 04:55:19 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/27/2013 04:39:52 PM) (Source: Application Error)(User: )
Description: GoogleUpdate.exe0.0.0.052394973GoogleUpdate.exe0.0.0.052394973c000000500001eb3b2001cebb97ca1af46a

Error: (09/27/2013 04:39:50 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/27/2013 00:17:45 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/27/2013 00:10:59 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/27/2013 00:08:12 PM) (Source: Software Licensing Service)(User: )
Description: hr=0x80070002, [2, 4]

Error: (09/27/2013 00:05:42 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/26/2013 11:34:37 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/26/2013 11:31:47 PM) (Source: Software Licensing Service)(User: )
Description: hr=0x80070002, [2, 4]

Error: (09/26/2013 07:43:38 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
Date: 2013-09-27 16:55:42.943
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-09-27 16:55:42.880
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-09-27 16:55:42.818
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-09-27 16:55:42.740
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-09-27 16:55:42.677
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-09-27 16:55:42.584
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-09-27 16:55:42.521
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-09-27 16:55:42.428
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-09-27 16:43:27.797
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-09-27 16:43:27.657
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 34%
Total physical RAM: 2037.31 MB
Available physical RAM: 1328.75 MB
Total Pagefile: 4309.9 MB
Available Pagefile: 3615.87 MB
Total Virtual: 2047.88 MB
Available Virtual: 1902.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.88 GB) (Free:172.84 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (VISTA_32_PREMIUM) (CDROM) (Total:2.84 GB) (Free:0 GB) CDFS
Drive e: () (Removable) (Total:0.95 GB) (Free:0.83 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 06A08A20)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 972 MB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=972 MB) - (Type=06)

==================== End Of Log ============================



#9 TB-Psychotic


  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 27 September 2013 - 12:07 PM

Fix with FRST (normal mode)

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
    URLSearchHook: UsProvider Class - {539F76FD-084E-4858-86D5-62F02F54AE86} - C:\Program Files\Minibar\Minibar.dll (KangoExtensions)
    SearchScopes: HKLM - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm049YYie&ptnrS=XPxdm049YYie&si=2271&ptb=7632B854-6642-4BDF-8D65-7DC481E8B119&psa=&ind=2012091610&st=sb&n=77ee14da&searchfor={searchTerms}
    SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=109220&tt=5112_8&babsrc=SP_ss&mntrId=1e9bad8800000000000000219bcc4c98
    SearchScopes: HKCU - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm049YYie&ptnrS=XPxdm049YYie&si=2271&ptb=7632B854-6642-4BDF-8D65-7DC481E8B119&psa=&ind=2012091610&st=sb&n=77ee14da&searchfor={searchTerms}
    BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: MinibarBHO - {AA74D58F-ACD0-450D-A85E-6C04B171C044} - C:\Program Files\Minibar\Minibar.dll (KangoExtensions)
    BHO: Yontoo - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)
    Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
    FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\searchplugins\babylon1.xml
    FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
    FF Extension: Yontoo - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\plugin@yontoo.com
    FF Extension: freehdsport - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\freehdsport@freehdsport.tv.xpi
    CHR Extension: (FreeHDSport.TV) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgnnidmnbdkmhfkjgdnngciimpdgohok\1.2_0
    CHR Extension: (Yontoo) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0
    CHR HKLM\...\Chrome\Extension: [bgnnidmnbdkmhfkjgdnngciimpdgohok] - C:\Program Files\IlemiTVApp.com\stv12.crx
    CHR HKLM\...\Chrome\Extension: [niapdbllcanepiiimjjndipklodoedlc] - C:\Program Files\Yontoo\YontooLayers.crx
    
    U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{39eba293-b980-744e-ebef-8715204916f6}\ \...\???\{39eba293-b980-744e-ebef-8715204916f6}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
    
    C:\Program Files\Minibar
    C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\freehdsport@freehdsport.tv.xpi
    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgnnidmnbdkmhfkjgdnngciimpdgohok
    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\
    C:\Program Files\Yontoo
    C:\Program Files\IlemiTVApp.com
    C:\Program Files\Google\Desktop
    C:\Users\Admin\AppData\Local\Google\Desktop
    
    DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
    DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt), which you will find where you saved FRST. Please post it in your reply.


Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (donate button) (no worries, every little bit helps)
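The two DeleteJunctionsIndirectory lines in the fixlist above are there because the Windows Defender and Microsoft Security Client program folders had been filled with reparse points (junctions), so the genuine security binaries could never load; that is what the "Deleting reparse point and unlocking" lines in the resulting Fixlog repair. The PowerShell below is an added example of how a defender can check a machine for that condition before or after such a fix. It is my own code, not part of the post or of FRST; the two folder paths come from the fixlist, and everything else (function name, parameters) is assumed.

```powershell
# Added defender-side check, not from the forum post or from FRST.
# Lists every reparse point (junction or symlink) at or beneath the
# anti-malware install folders named in the fixlist's
# DeleteJunctionsIndirectory lines. A clean install has no reparse
# points there; finding any means the real Defender / Security
# Essentials files have been redirected and will not load.
function Get-ReparsePointsUnder {
    param(
        # Folder paths taken from the fixlist; override to check other roots.
        [string[]]$Roots = @(
            'C:\Program Files\Windows Defender',
            'C:\Program Files\Microsoft Security Client'
        )
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden/system entries. The root itself is
        # checked as well, because the whole directory can be a junction.
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                [pscustomobject]@{
                    Path       = $item.FullName
                    Attributes = $item.Attributes
                    # LinkType is filled in by the FileSystem provider on
                    # PowerShell 5.1 and later; it is $null on older versions.
                    LinkType   = $item.LinkType
                }
            }
        }
    }
}

# Usage: run from an elevated prompt so hidden/system entries are readable.
$hits = @(Get-ReparsePointsUnder)
if ($hits.Count -eq 0) {
    Write-Output 'No reparse points found under the anti-malware folders.'
} else {
    Write-Output ("{0} reparse point(s) found:" -f $hits.Count)
    $hits | Format-Table -AutoSize
}
```

Any hit under these folders on a system where nobody deliberately relocated the product is a strong indicator that the security software has been tampered with, and the affected files should be compared against a known-good install rather than trusted.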

#10 Guest_fuisce_*


  • Guests

Posted 27 September 2013 - 02:07 PM

Fixlog:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-09-2013
Ran by Admin at 2013-09-27 18:43:53 Run:2
Running from E:\
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
URLSearchHook: UsProvider Class - {539F76FD-084E-4858-86D5-62F02F54AE86} - C:\Program Files\Minibar\Minibar.dll (KangoExtensions)
SearchScopes: HKLM - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm049YYie&ptnrS=XPxdm049YYie&si=2271&ptb=7632B854-6642-4BDF-8D65-7DC481E8B119&psa=&ind=2012091610&st=sb&n=77ee14da&searchfor={searchTerms}
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=109220&tt=5112_8&babsrc=SP_ss&mntrId=1e9bad8800000000000000219bcc4c98
SearchScopes: HKCU - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm049YYie&ptnrS=XPxdm049YYie&si=2271&ptb=7632B854-6642-4BDF-8D65-7DC481E8B119&psa=&ind=2012091610&st=sb&n=77ee14da&searchfor={searchTerms}
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: MinibarBHO - {AA74D58F-ACD0-450D-A85E-6C04B171C044} - C:\Program Files\Minibar\Minibar.dll (KangoExtensions)
BHO: Yontoo - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\searchplugins\babylon1.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
FF Extension: Yontoo - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\plugin@yontoo.com
FF Extension: freehdsport - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\freehdsport@freehdsport.tv.xpi
CHR Extension: (FreeHDSport.TV) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgnnidmnbdkmhfkjgdnngciimpdgohok\1.2_0
CHR Extension: (Yontoo) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0
CHR HKLM\...\Chrome\Extension: [bgnnidmnbdkmhfkjgdnngciimpdgohok] - C:\Program Files\IlemiTVApp.com\stv12.crx
CHR HKLM\...\Chrome\Extension: [niapdbllcanepiiimjjndipklodoedlc] - C:\Program Files\Yontoo\YontooLayers.crx

U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{39eba293-b980-744e-ebef-8715204916f6}\ \...\???\{39eba293-b980-744e-ebef-8715204916f6}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

C:\Program Files\Minibar
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\freehdsport@freehdsport.tv.xpi
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgnnidmnbdkmhfkjgdnngciimpdgohok
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\
C:\Program Files\Yontoo
C:\Program Files\IlemiTVApp.com
C:\Program Files\Google\Desktop
C:\Users\Admin\AppData\Local\Google\Desktop

DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{539F76FD-084E-4858-86D5-62F02F54AE86} => Value deleted successfully.
HKCR\CLSID\{539F76FD-084E-4858-86D5-62F02F54AE86} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key deleted successfully.
HKCR\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA74D58F-ACD0-450D-A85E-6C04B171C044} => Key deleted successfully.
HKCR\CLSID\{AA74D58F-ACD0-450D-A85E-6C04B171C044} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} => Key deleted successfully.
HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Value deleted successfully.
HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Key deleted successfully.
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\searchplugins\babylon1.xml => Moved successfully.
C:\Program Files\mozilla firefox\searchplugins\babylon.xml => Moved successfully.
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\plugin@yontoo.com => Moved successfully.
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\freehdsport@freehdsport.tv.xpi => Moved successfully.
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgnnidmnbdkmhfkjgdnngciimpdgohok => Moved successfully.
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc => Moved successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bgnnidmnbdkmhfkjgdnngciimpdgohok => Key deleted successfully.
C:\Program Files\IlemiTVApp.com\stv12.crx => Moved successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc => Key deleted successfully.
C:\Program Files\Yontoo\YontooLayers.crx => Moved successfully.
*etadpug => Service deleted successfully.

"C:\Program Files\Minibar" directory move:

C:\Program Files\Minibar\config.xml => Moved successfully.
C:\Program Files\Minibar\extension_info.json => Moved successfully.
C:\Program Files\Minibar\initial_config.json => Moved successfully.
C:\Program Files\Minibar\main.js => Moved successfully.
C:\Program Files\Minibar\Minibar.dll => Moved successfully.
C:\Program Files\Minibar\minibar\actions.js => Moved successfully.
C:\Program Files\Minibar\minibar\cachedxhr.js => Moved successfully.
C:\Program Files\Minibar\minibar\config.js => Moved successfully.
C:\Program Files\Minibar\minibar\macros.js => Moved successfully.
C:\Program Files\Minibar\minibar\minibar.js => Moved successfully.
C:\Program Files\Minibar\kango-ui\commandbar_button.js => Moved successfully.
C:\Program Files\Minibar\kango-ui\toolbar.js => Moved successfully.
C:\Program Files\Minibar\kango-ui\toolbar_stub.html => Moved successfully.
C:\Program Files\Minibar\kango-ui\ui.js => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\bottom-left.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\bottom-middle.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\bottom-right.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\middle-left.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\middle-right.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\tail-bottom.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\tail-left.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\tail-right.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\tail-top.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\top-left.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\top-middle.png => Moved successfully.
C:\Program Files\Minibar\kango-ui\theme\bubble\top-right.png => Moved successfully.
C:\Program Files\Minibar\kango\browser.js => Moved successfully.
C:\Program Files\Minibar\kango\console.js => Moved successfully.
C:\Program Files\Minibar\kango\event_listener.js => Moved successfully.
C:\Program Files\Minibar\kango\initialize.js => Moved successfully.
C:\Program Files\Minibar\kango\io.js => Moved successfully.
C:\Program Files\Minibar\kango\json.js => Moved successfully.
C:\Program Files\Minibar\kango\jsonstorage.js => Moved successfully.
C:\Program Files\Minibar\kango\kango.js => Moved successfully.
C:\Program Files\Minibar\kango\lang.js => Moved successfully.
C:\Program Files\Minibar\kango\md5.js => Moved successfully.
C:\Program Files\Minibar\kango\messaging.js => Moved successfully.
C:\Program Files\Minibar\kango\storage.js => Moved successfully.
C:\Program Files\Minibar\kango\userscript_engine.js => Moved successfully.
C:\Program Files\Minibar\kango\utils.js => Moved successfully.
C:\Program Files\Minibar\kango\xhr.js => Moved successfully.
C:\Program Files\Minibar\icons\icon128.png => Moved successfully.
C:\Program Files\Minibar\icons\icon16.ico => Moved successfully.
C:\Program Files\Minibar\icons\icon19.ico => Moved successfully.
C:\Program Files\Minibar\icons\icon19.png => Moved successfully.
C:\Program Files\Minibar\icons\icon32.png => Moved successfully.
C:\Program Files\Minibar\icons\icon48.png => Moved successfully.
"C:\Program Files\Minibar" => Directory moved successfully.

"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvtk21d7.default\Extensions\freehdsport@freehdsport.tv.xpi" => File/Directory not found.
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgnnidmnbdkmhfkjgdnngciimpdgohok" => File/Directory not found.
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\" => File/Directory not found.

"C:\Program Files\Yontoo" directory move:

C:\Program Files\Yontoo\OptChrome.exe => Moved successfully.
C:\Program Files\Yontoo\YontooIEClient.dll => Moved successfully.
"C:\Program Files\Yontoo" => Directory moved successfully.

C:\Program Files\IlemiTVApp.com => Moved successfully.

"C:\Program Files\Google\Desktop" directory move:

Could not move "C:\Program Files\Google\Desktop" directory. => Scheduled to move on reboot.


"C:\Users\Admin\AppData\Local\Google\Desktop" directory move:

Could not move "C:\Users\Admin\AppData\Local\Google\Desktop" directory. => Scheduled to move on reboot.

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtMon.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtPlug.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSigDwn.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSoftEx.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client\Backup" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\DbgHelp.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Drivers" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\en-us" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\EppManifest.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\mpevmsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpOAv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseces.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsseWat.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisLog.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisSrv.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisWFP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Setup.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SetupRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\shellext.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SqmApi.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.yes" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.

=========== Result of Scheduled Files to move ===========

"C:\Program Files\Google\Desktop" => Directory could not move.
"C:\Users\Admin\AppData\Local\Google\Desktop" => Directory could not move.

==== End of Fixlog ====



#11 Guest_fuisce_*


  • Guests

Posted 27 September 2013 - 02:11 PM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.27.05

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Admin :: ADMIN-PC [administrator]

9/27/2013 6:47:58 PM
mbam-log-2013-09-27 (18-47-58).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 293434
Time elapsed: 1 hour(s), 4 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 14
HKCR\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB} (PUP.Optional.BabylonToolBar.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{60EACC1A-33FA-443D-9846-17B28E2C9BDB} (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{AAA38851-3CFF-475F-B5E0-720D3645E4A5} (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{F13D3582-1359-4F8F-9A48-EF3AE9F5701C} (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
HKCR\Interface\{06E50566-0AB7-431C-841D-62794727DAF9} (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AAA38851-3CFF-475F-B5E0-720D3645E4A5} (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AAA38851-3CFF-475F-B5E0-720D3645E4A5} (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AA74D58F-ACD0-450D-A85E-6C04B171C044} (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
HKCU\Software\1ClickDownload (PUP.Optional.1ClickDownload.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\BI (PUP.Optional.FilesFrog.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MINIBAR (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> Quarantined and deleted successfully.

Registry Values Detected: 5
HKCU\Control Panel\don't load|wscui.cpl (Hijack.SecurityCenter) -> Data: No -> Quarantined and deleted successfully.
HKCU\Software\BI|ui_path_filesfrog (PUP.Optional.FilesFrog.A) -> Data: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FilesFrog Update Checker -> Quarantined and deleted successfully.
HKCU\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: 11111111 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Minibar|NoDns (PUP.Optional.MiniBar.A) -> Data: true -> Quarantined and deleted successfully.
HKLM\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: 11111111 -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 28
C:\Users\Admin\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\icons (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango-ui (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\minibar (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\icons (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\plugins (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Temp\mt_ffx\BabylonToolbar (PUP.Optional.BabylonToolbar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Temp\mt_ffx\BabylonToolbar\BabylonToolbar (PUP.Optional.BabylonToolbar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Temp\mt_ffx\BabylonToolbar\BabylonToolbar\1.8.7.2 (PUP.Optional.BabylonToolbar.A) -> Quarantined and deleted successfully.

Files Detected: 133
C:\FRST\Quarantine\OptChrome.exe (PUP.Optional.OptChrome.A) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\OptimizerPro.exe (PUP.Optional.OptimizePro.A) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\UpdateCheckerSetup.exe (PUP.Optional.FilesFrog.A) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\YontooSetup-S.exe (PUP.Optional.Yontoo.A) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\minibar-master.exe (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\Minibar.dll (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\IlemiTVApp.com\IlemiTVApp.exe (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\Xl3Vrn37\Xl3Vrn37.exe (Trojan.FakeAlert.RRE) -> Quarantined and deleted successfully.
c:\program files\google\desktop\install\{39eba293-b980-744e-ebef-8715204916f6}\ \...\???\{39eba293-b980-744e-ebef-8715204916f6}\googleupdate.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48}\A86207CA0123E3DC._bu (PUP.Optional.OptChrome.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Google\Desktop\Install\{39eba293-b980-744e-ebef-8715204916f6}\???\???\???\{39eba293-b980-744e-ebef-8715204916f6}\GoogleUpdate.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Temp\ACF1.tmp (Trojan.Inject.RRE) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Temp\B00C.tmp (Trojan.Inject.RRE) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Roaming\B2AB.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Admin\Downloads\etypesetup.exe (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\minibar.crx (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome_installer.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\common.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox_installer.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\ie_installer.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\install.json (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\minibar.xpi (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\SettingsHelper.exe (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\Uninstall.exe (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\background.html (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\cached_http_request.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\extension_info.json (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\main.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\manifest.json (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\MinibarPlugin.dll (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\popup.html (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\popup.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\tab.html (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\tab.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\icons\icon128.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\icons\icon19.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\icons\icon32.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\icons\icon48.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes\content.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes\content_kango.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes\content_menu.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes\content_messaging.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes\content_pageutils.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes\content_popup.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes\content_toolbar.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes\content_toolbar_customfixes.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\includes\content_userscript.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\browser.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\console.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\event_listener.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\initialize.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\io.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\jsonstorage.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\kango.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\lang.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\messaging.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\userscript_engine.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango\xhr.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango-ui\button.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango-ui\toolbar.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\kango-ui\ui.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\minibar\actions.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\minibar\cachedxhr.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\minibar\config.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\minibar\macros.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\chrome\minibar\minibar.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome.manifest (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\install.rdf (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\content.xul (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\extension_info.json (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\main.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\icons\icon128.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\icons\icon19.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\icons\icon32.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\icons\icon48.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\browser.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\console.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\event_listener.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\initialize.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\io.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\jsonstorage.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\kango.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\lang.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\messaging.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\storage.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\uninstall_observer.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\userscript_engine.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango\xhr.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\button.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\popup.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\popup_window.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\popup_window.xul (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\toolbar.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\toolbar_stub.html (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\ui.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\bottom-left.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\bottom-middle.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\bottom-right.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\middle-left.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\middle-right.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\style.css (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\tail-bottom.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\tail-left.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\tail-right.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\tail-top.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\top-left.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\top-middle.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\top-right.png (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar\actions.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar\cachedxhr.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar\config.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar\homepage_helper.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar\macros.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar\minibar.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar\search_helper.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar\search_hook.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\chrome\content\minibar\tabpage_helper.js (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\Users\Admin\AppData\Local\Minibar\firefox\plugins\npMinibarPlugin.dll (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48}\_Setupx.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.

(end)



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 28 September 2013 - 11:39 AM

Much better! :)

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Scan with Farbar's Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#13 Guest_fuisce_*

  • Guests

Posted 28 September 2013 - 12:32 PM

C:\FRST\Quarantine\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\FRST\Quarantine\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\back.js JS/Adware.Yontoo.B application
C:\FRST\Quarantine\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\yl.js JS/Adware.Yontoo.A application
C:\FRST\Quarantine\plugin@yontoo.com\content\overlay.js Win32/Adware.Yontoo application
C:\FRST\Quarantine\Yontoo\YontooDesktop.exe a variant of MSIL/WebCake.B application
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I02W0STP\paymentprotectioninsurance_ie[1].htm HTML/Iframe.B.Gen virus
C:\Users\Admin\Downloads\GoogleChromeExtensionUpdate_m7.exe multiple threats
C:\Windows\CoreComp\ntdrsys64.dll Win32/Monitor.SSPro application

#14 Guest_fuisce_*

  • Guests

Posted 28 September 2013 - 12:34 PM

Farbar Service Scanner Version: 13-09-2013
Ran by Admin (administrator) on 28-09-2013 at 18:29:20
Running from "C:\Users\Admin\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Parameters\FirewallPolicy\FirewallRules" registry key. The key does not exist.

Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ImagePath of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ServiceDll of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.

Checking Start type of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.



File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-08-11 12:16] - [2011-04-21 14:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-08-11 12:17] - [2010-06-16 16:55] - 0902032 ____A (Microsoft Corporation) 6216A954ED7045B62880A92D6C9B9FC7

C:\Windows\system32\dnsrslvr.dll
[2012-08-11 12:15] - [2011-03-02 15:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D

C:\Windows\system32\mpssvc.dll
[2008-01-21 03:24] - [2008-01-21 03:24] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B

C:\Windows\system32\bfe.dll
[2012-08-11 12:17] - [2010-06-16 16:09] - 0328704 ____A (Microsoft Corporation) D3E6D78285529962349A7F1617035938

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe
[2008-01-21 03:23] - [2008-01-21 03:23] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23

C:\Windows\system32\wscsvc.dll
[2008-01-21 03:23] - [2008-01-21 03:23] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C

C:\Windows\system32\wbem\WMIsvc.dll
[2008-01-21 03:24] - [2008-01-21 03:24] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5

C:\Windows\system32\wuaueng.dll
[2008-01-21 03:25] - [2008-01-21 03:25] - 1695232 ____A (Microsoft Corporation) D79538B67FA641E986855DEF651E78FE

C:\Windows\system32\qmgr.dll
[2008-01-21 03:25] - [2008-01-21 03:25] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D

C:\Windows\system32\es.dll
[2012-08-11 12:14] - [2008-04-18 06:48] - 0269312 ____A (Microsoft Corporation) 3CB3343D720168B575133A0A20DC2465

C:\Windows\system32\cryptsvc.dll
[2008-01-21 03:24] - [2008-01-21 03:24] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2012-08-11 12:18] - [2009-03-03 05:39] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830



**** End of log ****
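The two logs above describe the same pattern from two angles: the Malwarebytes log (the post ending just before #12) records Security Center notifications being silenced (the three *DisableNotify values set to 1) and the Security Center applet hidden through the "don't load" key, while the FSS log in #14 shows Windows Update set to Disabled, Windows Defender switched off by the DisableAntiSpyware policy value, and several keys (the Security Center notification icon object, the firewall rule sets, the PolicyAgent and RemoteAccess service keys) deleted outright. The PowerShell script below is an added example, not code from this thread nor from Malwarebytes, Farbar's tools or ESET. It re-checks exactly those indicators on a live system and, with -Repair, restores the values that can be restored by hand; missing keys are only reported, because recreating a service key or a firewall rule set needs the full original contents, which is what a dedicated repair tool supplies. The script name (Invoke-SecurityStateAudit.ps1) is a hypothetical one, and the expected values are the defaults the FSS log cites for this Vista SP1 host; on newer Windows they differ, as the comments note.

```powershell
# Added example (not from the thread or from any tool it uses): audit and optional
# repair of the security-component tampering seen in the Malwarebytes and FSS logs.
# Run from an elevated PowerShell prompt:  .\Invoke-SecurityStateAudit.ps1 [-Repair]
# Assumed defaults follow what FSS reported for this Vista SP1 host. On Windows 10/11
# wuauserv defaults to Manual and Tamper Protection blocks edits to the Defender
# policy key, so adjust step 3 and step 4 before reusing this elsewhere.
[CmdletBinding()]
param([switch]$Repair)

$findings = New-Object System.Collections.Generic.List[string]

# Compare one registry value with its expected setting and record a finding on
# mismatch. Returns $true when the value is absent or already correct.
function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }
    $actual = $item.$Name
    if ("$actual" -eq "$Expected") { return $true }
    $findings.Add("$Path\$Name = '$actual' (expected '$Expected')")
    return $false
}

# 1. Security Center notification suppression (PUM.Disabled.SecurityCenter in the
#    Malwarebytes log): all three *DisableNotify values should be 0.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if (-not (Test-RegValue $sc $name 0) -and $Repair) {
        Set-ItemProperty -LiteralPath $sc -Name $name -Value 0 -Type DWord
    }
}

# 2. Security Center applet hidden from Control Panel (Hijack.SecurityCenter):
#    a 'wscui.cpl' value under "don't load" should not exist at all.
$dontLoad = "HKCU:\Control Panel\don't load"
if (Get-ItemProperty -LiteralPath $dontLoad -Name 'wscui.cpl' -ErrorAction SilentlyContinue) {
    $findings.Add("wscui.cpl hidden via '$dontLoad'")
    if ($Repair) { Remove-ItemProperty -LiteralPath $dontLoad -Name 'wscui.cpl' }
}

# 3. Windows Defender switched off by policy (DisableAntiSpyware=1 in the FSS log).
#    Removing the value restores the default; a value of 0 is also acceptable.
$wd = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
if (-not (Test-RegValue $wd 'DisableAntiSpyware' 0) -and $Repair) {
    Remove-ItemProperty -LiteralPath $wd -Name 'DisableAntiSpyware'
}

# 4. Windows Update service start type, read the way FSS reads it (Start value:
#    2 = Automatic, 3 = Manual, 4 = Disabled). FSS found it Disabled; Automatic is
#    the Vista default it cites.
$wu = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
if (-not (Test-RegValue $wu 'Start' 2) -and $Repair) {
    Set-Service -Name wuauserv -StartupType Automatic
    Start-Service -Name wuauserv
}

# 5. Keys FSS reported as missing. Report only: a service key or firewall rule set
#    cannot be rebuilt from a single value, so a repair tool with the full contents
#    (such as the services repair the helper links to in #15) is needed for these.
#    FSS abbreviates the first path as HKLM\...\ShellServiceObjects; the full key is
#    Explorer's standard ShellServiceObjects location.
$mustExist = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules',
    'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent',
    'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess'
)
foreach ($key in $mustExist) {
    if (-not (Test-Path -LiteralPath $key)) { $findings.Add("missing key: $key") }
}

if ($findings.Count -eq 0) { 'No tampering indicators found.' } else { $findings }
if ($Repair) { 'Repairs applied; reboot and re-run Farbar Service Scanner to confirm.' }
```

Run it once without -Repair first and compare its output with the FSS log: every line it prints should correspond to an entry FSS flagged, which is a useful cross-check that the remediation tools and your own reading of the log agree. Reboot after repairing and take a fresh FSS log, as the helper asks in #15; the missing PolicyAgent and RemoteAccess keys in particular will still show until a tool that carries the full key contents has recreated them.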

#15 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 29 September 2013 - 05:20 AM

Fix with FRST (normal mode)

  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.)
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I02W0STP\paymentprotectioninsurance_ie[1].htm
    C:\Users\Admin\Downloads\GoogleChromeExtensionUpdate_m7.exe
    C:\Windows\CoreComp\ntdrsys64.dll
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt), which you will find where you saved FRST. Please post it in your reply.

ESET Services Repair

Download ESET services repair from here and save the file to your desktop.

Run it by right-click --> "Run as administrator".

After the tool is finished, reboot and get a new FSS log to post up here. ;)

