
Strange files, errors, unable to turn on windows firewall


  • This topic is locked
10 replies to this topic

#1 Dankaru

Dankaru

  • Members
  • 4 posts

Posted 20 October 2013 - 10:48 AM

Hello, recently I noticed that out of nowhere, my internet was going very slow; loading pages at a very slow pace, and basically 'choosing' when it wanted to load the pages or not. Just some really strange behavior. I ran a full scan and boot time scan about a month or two ago, and it detected an incredible amount of infected files, in the range of about 1,000 - 10,000. Many of them were some type of Google update files, folders with crazy amounts of letters and numbers in their name between curly braces '{ 8sdfkjsdf8...etc,etc}'.

After quarantining and deleting these, the internet problems seemed to disappear. But of course they come back. A few days ago I ran a boot time scan and it detected about 3,000 viruses. Again, these were mostly those strange Google update files/folders. Here is the DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16660  BrowserJavaVersion: 10.5.0
Run by David at 11:27:40 on 2013-10-20
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2038.947 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\NETGEAR\WG111v2\WG111v2.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - <orphaned>
uURLSearchHooks: {51a86bb3-6602-4c85-92a5-130ee4864f13} - <orphaned>
uURLSearchHooks: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - <orphaned>
uURLSearchHooks: {687578b9-7132-4a7a-80e4-30ee31099e03} - <orphaned>
uURLSearchHooks: NCH_EN Toolbar: {a87cb3e3-4db9-439d-b96b-576f5ae8459d} -
mURLSearchHooks: NCH_EN Toolbar: {a87cb3e3-4db9-439d-b96b-576f5ae8459d} -
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: NCH_EN Toolbar: {a87cb3e3-4db9-439d-b96b-576f5ae8459d} -
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\bin\jp2ssv.dll
TB: NCH_EN Toolbar: {A87CB3E3-4DB9-439D-B96B-576F5AE8459D} -
TB: NCH_EN Toolbar: {a87cb3e3-4db9-439d-b96b-576f5ae8459d} -
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_202_Plugin.exe -update plugin
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
dRun: [SearchProtect] \SearchProtect\bin\cltmng.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WG111v2\WG111v2.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: mswsock.dll
Trusted Zone: aeriagames.com
Trusted Zone: aeriagames.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
TCP: NameServer = 66.189.0.100 24.159.64.23 24.247.24.53
TCP: Interfaces\{63B71B34-7782-4AE5-9F28-4A28AFEA3A2C} : DHCPNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
TCP: Interfaces\{FA5BA1F4-6285-4CCA-991E-D451F4B225DF} : DHCPNameServer = 172.16.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
x64-DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 50.31.74.129 www.google-analytics.com.
Hosts: 50.31.74.129 ad-emea.doubleclick.net.
Hosts: 50.31.74.129 www.statcounter.com.
Hosts: 217.23.13.202 www.google-analytics.com.
Hosts: 217.23.13.202 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\g3zgmjqi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3282495&CUI=UN88324832317442291&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3282495&SearchSource=2&CUI=UN88324832317442291&UM=2&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-09-28 08:44; wrc@avast.com; C:\Program Files\Alwil Software\Avast5\WebRep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-9-28 65336]
R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-9-28 204880]
R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\System32\drivers\SCMNdisP.sys [2012-10-23 25312]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-9-28 1030952]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-3-18 378944]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-8-4 283200]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-3-18 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-3-18 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2013-9-28 46808]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-12-10 646248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe --> C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [?]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-9 123856]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-10-20 418376]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-10-20 701512]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2010-11-17 115216]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-1-18 351136]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\System32\drivers\ManyCam_x64.sys [2008-3-13 27136]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-10-20 25928]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2012-9-8 121416]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-3-13 20992]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\Windows\System32\drivers\wg111v2.sys [2012-10-23 450048]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-9 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 USBTINSP;TI-Nspire™ Handheld or TI Network Bridge Device Driver;C:\Windows\System32\drivers\tinspusb.sys [2010-3-29 142848]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-2-24 1255736]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-1-4 203776]
S4 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-12-9 1431888]
S4 SCM_Service;SCM_Service;C:\Windows\SysWOW64\WinService.exe [2012-10-23 186848]
.
=============== File Associations ===============
.
FileExt: .chm: Applications\iexplore.exe="C:\Program Files\Internet Explorer\iexplore.exe" %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-10-20 12:26:42    --------    d-----w-    C:\Users\David\AppData\Roaming\Malwarebytes
2013-10-20 12:26:19    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-10-20 12:26:18    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2013-10-20 12:26:18    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-20 12:22:27    --------    d-----w-    C:\Users\David\AppData\Local\Programs
2013-10-12 22:37:23    --------    d-----w-    C:\Users\David\AppData\Local\VirtualStore
2013-10-12 22:22:39    --------    d-----w-    C:\Users\David\AppData\Local\Google
2013-10-10 16:44:58    --------    d-----w-    C:\Users\David\AppData\Local\Aion
2013-10-07 14:03:42    --------    d-----w-    C:\Users\David\AppData\Local\Apple Computer
2013-10-06 12:36:04    --------    d-----w-    C:\Users\David\AppData\Local\Apple
2013-10-05 15:58:28    --------    d-----w-    C:\Users\David\.m2
2013-10-05 15:58:01    --------    d-----w-    C:\Users\David\AppData\Roaming\NetBeans
2013-10-05 15:58:01    --------    d-----w-    C:\Users\David\AppData\Local\NetBeans
2013-09-30 13:43:12    --------    d-----w-    C:\Users\David\AppData\Local\ATI
2013-09-30 13:28:49    --------    d-----w-    C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2013-09-29 22:28:42    --------    d-----w-    C:\Users\David\AppData\Local\Adobe
2013-09-29 22:13:44    --------    d-----w-    C:\Users\David\AppData\Local\Macromedia
2013-09-29 20:00:00    --------    d-----w-    C:\Users\David\Ænima
2013-09-29 19:59:54    --------    d-----w-    C:\Users\David\Undertow
2013-09-29 19:58:37    --------    d-----w-    C:\Users\David\Salival
2013-09-29 19:52:42    --------    d-----w-    C:\Users\David\Opiate
2013-09-29 19:50:20    --------    d-----w-    C:\Users\David\Lateralus
2013-09-29 19:29:31    --------    d-----w-    C:\Users\David\Avast AntiVirus 6.0.11 + Serial Keys - {RedDragon}
2013-09-29 19:28:49    --------    d-----w-    C:\Users\David\AppData\Roaming\Microsoft Corporation
2013-09-29 19:18:49    --------    d-----w-    C:\Users\David\AppData\Local\Microsoft Help
2013-09-29 19:18:48    --------    d-----w-    C:\Users\David\AppData\Local\Microsoft Games
2013-09-29 19:03:22    --------    d-----w-    C:\Users\David\10,000 Days
2013-09-29 18:52:54    --------    d-----w-    C:\Users\David\AppData\Local\Mozilla
2013-09-28 12:46:02    72016    ----a-w-    C:\Windows\System32\drivers\aswRdr2.sys
2013-09-28 12:44:50    1030952    ----a-w-    C:\Windows\System32\drivers\aswSnx.sys
2013-09-28 12:44:49    204880    ----a-w-    C:\Windows\System32\drivers\aswVmm.sys
2013-09-28 12:44:48    65336    ----a-w-    C:\Windows\System32\drivers\aswRvrt.sys
2013-09-22 22:56:55    --------    d-----w-    C:\Program Files (x86)\Dev-Cpp
2013-09-22 22:48:46    --------    d-----w-    C:\Dev-Cpp
.
==================== Find3M  ====================
.
2013-08-30 07:48:09    80816    ----a-w-    C:\Windows\System32\drivers\aswMonFlt.sys
2013-08-30 07:47:40    41664    ----a-w-    C:\Windows\avastSS.scr
2013-07-26 05:13:37    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-07-26 05:12:08    3958784    ----a-w-    C:\Windows\System32\jscript9.dll
2013-07-26 05:12:04    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-07-26 05:12:03    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-07-26 03:35:08    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-07-26 03:13:24    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-07-26 03:12:04    2877440    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-07-26 03:12:00    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-07-26 03:12:00    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-07-26 02:49:14    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-07-26 02:39:38    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-26 01:59:38    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-07-25 09:25:54    1888768    ----a-w-    C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27    1620992    ----a-w-    C:\Windows\SysWow64\WMVDECOD.DLL
.
============= FINISH: 11:30:49.51 ===============

#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 23 October 2013 - 03:00 PM

Hello Dankaru, and welcome to Bleeping Computer! :)

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • Please do not run any other tools without my instruction to do so!

==========

Now, I must warn you...the reason these detections keep coming back is because your machine is infected with the ZeroAccess rootkit:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you still wish to continue with the cleaning process, then please reconnect to your internet and proceed with the following steps below:

==========

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. You will need the 64-bit version.

  • Right click to run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also paste that along with the FRST.txt into your reply.

==========

Please post both requested logs in your next reply, and then we'll get to work!! :wink:

bloopie


Edited by bloopie, 28 October 2013 - 05:22 PM.
Specified 64-bit version of FRST
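bloopie's diagnosis rests on reading the DDS log above (and, later in the thread, the FRST log) for a handful of indicator families: Hosts entries pointing well-known hostnames at a remote address, COM InprocServer32 registrations redirected into $Recycle.Bin (which FRST itself marks "ZeroAccess?"), Run keys loading a DLL via rundll32/regsvr32 from the user profile, and Winsock catalog entries whose provider DLL cannot be found. The script below is an added illustration of that triage, not a tool from BleepingComputer or Farbar; the sample lines are a constructed excerpt copied from the logs in this thread, and the rules (loopback-or-null as the only benign Hosts target, AppData/VirtualStore as "user-writable") are the author's own heuristics.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the DDS and FRST lines quoted in this thread (not the full logs).
SAMPLE_LOG = r"""
Hosts: 50.31.74.129 www.google-analytics.com.
Hosts: 50.31.74.129 ad-emea.doubleclick.net.
Hosts: 217.23.13.202 www.google-analytics.com.
Hosts: 127.0.0.1 localhost
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$84b322f9f1d579365c3c11740b19e71e\n. ATTENTION! ====> ZeroAccess?
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1443715204-4194733328-638700770-1001\$84b322f9f1d579365c3c11740b19e71e\n. ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [Adobe] - rundll32 "C:\Users\David\AppData\Local\VirtualStore\Adobe\kohedepc.dll",DllRegisterServer <===== ATTENTION
HKCU\...\Run: [Aion Update] - regsvr32.exe C:\Users\David\AppData\Local\Aion\outlfltr.dll
HKCU\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_202_Plugin.exe -update plugin
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-01-04] (Advanced Micro Devices, Inc.)
Winsock: Catalog5 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
BHO: avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
"""

# "Hosts: <ip> <hostname>"; DDS prints a trailing dot after the hostname.
HOSTS_RE = re.compile(r"^Hosts:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
# COM server registration whose default value lives under $Recycle.Bin.
INPROC_RE = re.compile(r"InprocServer32:.*\\\$Recycle\.Bin\\", re.IGNORECASE)
# Run / RunOnce value that loads a DLL through rundll32 or regsvr32.
RUN_DLL_RE = re.compile(r"\\Run(?:Once)?:\s*\[[^\]]*\]\s*-\s*(rundll32|regsvr32)", re.IGNORECASE)
# Winsock catalog entry whose provider DLL could not be resolved.
WINSOCK_RE = re.compile(r"^Winsock:\s+Catalog\S*\s+\d+\s+(\S+)\s+File Not found", re.IGNORECASE)

# Heuristic (author's assumption): only loopback / null targets are benign in Hosts.
BENIGN_HOSTS_PREFIXES = ("127.", "0.0.0.0")
# Heuristic (author's assumption): locations a standard user can write to.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\virtualstore\\")


def classify(line: str) -> Optional[str]:
    """Return the indicator family a single log line matches, or None if it looks benign."""
    m = HOSTS_RE.match(line)
    if m:
        ip, _host = m.groups()
        # A hostname mapped to a remote IP rather than loopback is a redirect, the
        # pattern the DDS log shows for analytics and ad domains.
        return None if ip.startswith(BENIGN_HOSTS_PREFIXES) else "hosts_redirect"
    if INPROC_RE.search(line):
        # CLSID re-pointed at a payload hidden under $Recycle.Bin (FRST: "ZeroAccess?").
        return "com_hijack_recyclebin"
    if RUN_DLL_RE.search(line) and any(p in line.lower() for p in USER_WRITABLE):
        # Autostart that registers a DLL living in the user profile.
        return "run_dll_from_user_profile"
    if WINSOCK_RE.match(line):
        # Every mswsock.dll catalog entry in the thread's FRST log is in this state.
        return "winsock_provider_missing"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every line; returns (indicator, line) pairs in log order."""
    hits: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        tag = classify(line)
        if tag:
            hits.append((tag, line))
    return hits


def summarize(hits: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count hits per indicator family."""
    counts: Dict[str, int] = {}
    for tag, _ in hits:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for tag, line in found:
        print(f"[{tag}] {line}")
    print(summarize(found))
```

Benign lines from the same logs (a localhost Hosts entry, a Run key pointing at a signed vendor EXE, a BHO with a resolvable path) fall through every rule, so the script's output is the short list a helper would actually read.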


#3 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 27 October 2013 - 06:38 PM

Hello again,

Are you with me?

If you still wish to receive help then follow the instructions in my previous post. If you do not respond in another 48 hours I will be forced to close this topic!

bloopie



#4 Dankaru

Dankaru
  • Topic Starter

  • Members
  • 4 posts

Posted 28 October 2013 - 04:56 PM

Hello, sorry, I almost gave up. But luckily I saw that you replied, thank you for not closing this. I am about to follow your procedure right now, and I will get back to you shortly.

Thanks again for the help!



#5 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 28 October 2013 - 05:26 PM

Hello again,

The help is my pleasure! :)

When you get the logs posted up then we'll get to work! If I don't respond to you tonight, I will certainly respond tomorrow, so check back here at least once a day and I'll do my best to get you cleaned up! :thumbup2:

bloopie



#6 Dankaru

Dankaru
  • Topic Starter

  • Members
  • 4 posts

Posted 28 October 2013 - 05:59 PM

Okay, the scan is complete and here are the results:

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-10-2013
Ran by David (administrator) on DAVID-PC on 28-10-2013 18:51:44
Running from C:\Users\David\Desktop
Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
() C:\Program Files (x86)\NETGEAR\WG111v2\WG111v2.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ==================
 
Winlogon\Notify\LBTWlgn: C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$84b322f9f1d579365c3c11740b19e71e\n. ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [Adobe] - rundll32 "C:\Users\David\AppData\Local\VirtualStore\Adobe\kohedepc.dll",DllRegisterServer <===== ATTENTION
HKCU\...\Run: [Aion Update] - regsvr32.exe C:\Users\David\AppData\Local\Aion\outlfltr.dll
HKCU\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_202_Plugin.exe -update plugin [813448 2013-05-14] (Adobe Systems Incorporated)
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1443715204-4194733328-638700770-1001\$84b322f9f1d579365c3c11740b19e71e\n. ATTENTION! ====> ZeroAccess?
MountPoints2: F - F:\SETUP.EXE
MountPoints2: G - G:\Autorun.exe
MountPoints2: {4fb94d3c-355f-11e0-956a-002618a2becd} - E:\autorun.exe
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-01-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
BootExecute: autocheck autochk * aswBoot.exe /M:1713d6a34b
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x2AD23A12EFB5CC01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
URLSearchHook: HKLM-x32 - NCH_EN Toolbar - {a87cb3e3-4db9-439d-b96b-576f5ae8459d} - C:\Program Files (x86)\NCH_EN\prxtbNCH0.dll No File
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
URLSearchHook: HKCU - (No Name) - {51a86bb3-6602-4c85-92a5-130ee4864f13} - No File
URLSearchHook: HKCU - (No Name) - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - No File
URLSearchHook: HKCU - (No Name) - {687578b9-7132-4a7a-80e4-30ee31099e03} - No File
URLSearchHook: HKCU - NCH_EN Toolbar - {a87cb3e3-4db9-439d-b96b-576f5ae8459d} - C:\Program Files (x86)\NCH_EN\prxtbNCH0.dll No File
SearchScopes: HKLM-x32 - DefaultScope {80EE0277-4074-4B9B-A94C-AD092A2F30A4} URL = 
SearchScopes: HKCU - DefaultScope {80EE0277-4074-4B9B-A94C-AD092A2F30A4} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3282495&CUI=UN30041721481840310&UM=2
BHO: avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: NCH_EN Toolbar - {a87cb3e3-4db9-439d-b96b-576f5ae8459d} - C:\Program Files (x86)\NCH_EN\prxtbNCH0.dll No File
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - NCH_EN Toolbar - {a87cb3e3-4db9-439d-b96b-576f5ae8459d} - C:\Program Files (x86)\NCH_EN\prxtbNCH0.dll No File
Toolbar: HKLM-x32 - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU - No Name - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} -  No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKCU - No Name - {724D43A0-0D85-11D4-9908-00400523E39A} -  No File
Toolbar: HKCU - No Name - {A87CB3E3-4DB9-439D-B96B-576F5AE8459D} -  No File
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 10 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 172.16.0.1
 
FireFox:
========
FF ProfilePath: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\g3zgmjqi.default
FF Homepage: hxxp://google.com/
FF Keyword.URL: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3282495&SearchSource=2&CUI=UN88324832317442291&UM=2&q=
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll ()
FF Plugin: @java.com/DTPlugin,version=10.7.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.7.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.0 - C:\Program Files (x86)\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\David\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\David\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
FF Plugin HKCU: pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF SearchPlugin: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\g3zgmjqi.default\searchplugins\conduit.xml
FF Extension: ezxilwjwsh - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\g3zgmjqi.default\Extensions\ezxilwjwsh@ezxilwjwsh.org.xpi
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF
 
Chrome: 
=======
CHR Extension: (Google Docs) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Gmail) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM-x32\...\Chrome\Extension: [kiplfnciaokpcennlkldkdaeaaomamof] - C:\Users\David\AppData\Local\Torch\Plugins\TorchPlugin.crx
CHR HKLM-x32\...\Chrome\Extension: [naipdapbimiiikbbgjcpbgmfhnlbagpj] - C:\Users\David\AppData\Local\Temp\ccex.crx
 
==================== Services (Whitelisted) =================
 
S4 astcc; C:\Windows\SysWOW64\AstSrv.exe [385024 2009-05-19] (Nalpeiron Ltd.)
S4 Autodesk Licensing Service; C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe [77944 2012-07-14] (Autodesk)
R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [46808 2013-08-30] (AVAST Software)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S4 SCM_Service; C:\Windows\SysWOW64\WinService.exe [186848 2010-05-10] ()
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [x]
S4 aspnet_state; %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]
S2 clr_optimization_v4.0.30319_32; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [x]
U4 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{84b322f9-f1d5-7936-5c3c-11740b19e71e}\   \...\???\{84b322f9-f1d5-7936-5c3c-11740b19e71e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33400 2013-08-30] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [80816 2013-08-30] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [72016 2013-08-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-08-30] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1030952 2013-08-30] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [378944 2013-08-30] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [64288 2013-08-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [204880 2013-08-30] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-08-04] (DT Soft Ltd)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [450048 2010-04-06] (NETGEAR Inc.)
S3 USBTINSP; C:\Windows\System32\DRIVERS\tinspusb.sys [142848 2010-03-29] (Texas Instruments)
S3 VSPerfDrv100; C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [68440 2011-01-18] (Microsoft Corporation)
S3 AtiDCM; \??\C:\Users\David\AppData\Local\Temp\atdcm64a.sys [x]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
S3 X6va008; \??\C:\Windows\SysWOW64\Drivers\X6va008 [x]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-28 18:51 - 2013-10-28 18:51 - 00000000 ____D C:\FRST
2013-10-28 18:50 - 2013-10-28 18:50 - 00000411 _____ C:\Users\David\Desktop\foodnutes.txt
2013-10-28 18:49 - 2013-10-28 18:49 - 01956538 _____ (Farbar) C:\Users\David\Desktop\FRST64.exe
2013-10-26 16:02 - 2013-10-26 16:02 - 00000315 _____ C:\Users\David\Desktop\virusesdescriptions.txt
2013-10-22 18:01 - 2013-10-22 20:17 - 00000626 _____ C:\Users\David\Desktop\jaja.html
2013-10-20 14:47 - 2013-10-20 14:47 - 00000000 ____D C:\Users\David\Desktop\To Turn In
2013-10-20 13:41 - 2013-10-21 13:33 - 00000000 ____D C:\Users\David\AppData\Roaming\Notepad++
2013-10-20 11:26 - 2013-10-20 11:26 - 00688992 ____R (Swearware) C:\Users\David\Desktop\dds.com
2013-10-20 08:49 - 2013-10-20 11:30 - 00016535 _____ C:\Users\David\Desktop\attach.txt
2013-10-20 08:49 - 2013-10-20 11:30 - 00016424 _____ C:\Users\David\Desktop\dds.txt
2013-10-20 08:33 - 2013-10-20 08:33 - 00688992 ____R (Swearware) C:\Users\David\Desktop\dds.scr
2013-10-20 08:26 - 2013-10-20 08:26 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-20 08:26 - 2013-10-20 08:26 - 00000000 ____D C:\Users\David\AppData\Roaming\Malwarebytes
2013-10-20 08:26 - 2013-10-20 08:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-20 08:26 - 2013-10-20 08:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-20 08:26 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-10-20 08:22 - 2013-10-20 08:22 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\David\Downloads\mbam-setup-1.75.0.1300.exe
2013-10-19 15:02 - 2013-10-28 08:40 - 00003244 _____ C:\Windows\System32\Tasks\IORRT
2013-10-19 14:28 - 2013-10-19 14:44 - 00002220 _____ C:\Users\David\Desktop\unhide.txt
2013-10-19 14:27 - 2013-10-19 14:27 - 00398752 _____ (Bleeping Computer, LLC) C:\Users\David\Downloads\unhide.exe
2013-10-15 16:10 - 2013-10-15 16:10 - 00043476 _____ C:\Users\David\Downloads\tool_reflection.ptb
2013-10-12 18:38 - 2013-10-12 18:38 - 00000000 ____D C:\Users\David\AppData\Roaming\ATI
2013-10-12 18:37 - 2013-10-20 14:09 - 00000000 ____D C:\Users\David\AppData\Local\VirtualStore
2013-10-12 18:37 - 2013-10-12 18:37 - 00000020 ___SH C:\Users\David\ntuser.ini
2013-10-12 18:23 - 2013-10-17 14:02 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-12 18:22 - 2013-10-12 18:24 - 00000000 ____D C:\Users\David\AppData\Local\Google
2013-10-12 18:22 - 2013-10-12 18:22 - 00784840 _____ (Google Inc.) C:\Users\David\Downloads\ChromeSetup.exe
2013-10-10 12:44 - 2013-10-20 14:23 - 00000000 ____D C:\Users\David\AppData\Local\Aion
2013-10-07 10:03 - 2013-10-07 10:04 - 00000000 ____D C:\Users\David\AppData\Roaming\Apple Computer
2013-10-07 10:03 - 2013-10-07 10:03 - 00000000 ____D C:\Users\David\AppData\Local\Apple Computer
2013-10-07 10:03 - 2013-10-07 10:03 - 00000000 ____D C:\ProgramData\Apple Computer
2013-10-06 21:09 - 2013-10-06 21:09 - 13081608 _____ (Microsoft Corporation) C:\Users\David\Downloads\Silverlight_x64.exe
2013-10-06 21:09 - 2013-10-06 21:09 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-06 21:09 - 2013-10-06 21:09 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-06 08:36 - 2013-10-06 08:36 - 00000000 ____D C:\Users\David\AppData\Local\Apple
2013-10-05 11:58 - 2013-10-05 11:58 - 00000000 ____D C:\Users\David\Documents\NetBeansProjects
2013-10-05 11:58 - 2013-10-05 11:58 - 00000000 ____D C:\Users\David\AppData\Roaming\NetBeans
2013-10-05 11:58 - 2013-10-05 11:58 - 00000000 ____D C:\Users\David\AppData\Local\NetBeans
2013-10-05 11:58 - 2013-10-05 11:58 - 00000000 ____D C:\Users\David\.m2
2013-10-05 11:19 - 2013-10-05 11:19 - 00128512 _____ C:\Users\David\Downloads\ifflowpseudo.ppt
2013-09-30 09:43 - 2013-09-30 09:43 - 00000000 ____D C:\Users\David\AppData\Local\ATI
2013-09-30 09:43 - 2013-09-30 09:43 - 00000000 ____D C:\ProgramData\ATI
2013-09-30 09:33 - 2013-09-30 11:28 - 00978944 _____ C:\Users\David\Documents\Database1.accdb
2013-09-30 09:28 - 2013-09-30 09:28 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2013-09-29 19:43 - 2013-09-29 19:43 - 00002951 _____ C:\Users\David\Desktop\Microsoft Excel 2010.lnk
2013-09-29 19:42 - 2013-09-29 19:42 - 00002693 _____ C:\Users\David\Desktop\Microsoft Office Word 2007.lnk
2013-09-29 18:28 - 2013-09-29 18:28 - 00000000 ____D C:\Users\David\AppData\Local\Adobe
2013-09-29 18:17 - 2013-09-29 18:17 - 00117080 _____ C:\Users\David\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-29 18:13 - 2013-09-29 18:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Adobe
2013-09-29 18:13 - 2013-09-29 18:13 - 00000000 ____D C:\Users\David\AppData\Roaming\Macromedia
2013-09-29 18:13 - 2013-09-29 18:13 - 00000000 ____D C:\Users\David\AppData\Local\Macromedia
2013-09-29 16:00 - 2013-09-29 16:00 - 00000000 ____D C:\Users\David\Ænima
2013-09-29 15:59 - 2013-09-29 15:59 - 00000000 ____D C:\Users\David\Undertow
2013-09-29 15:58 - 2013-09-29 15:58 - 00000000 ____D C:\Users\David\Salival
2013-09-29 15:52 - 2013-09-29 15:52 - 00000000 ____D C:\Users\David\Opiate
2013-09-29 15:50 - 2013-09-29 15:50 - 00000000 ____D C:\Users\David\Lateralus
2013-09-29 15:42 - 2013-09-29 15:42 - 00000000 ____D C:\Users\David\Desktop\Torrents
2013-09-29 15:40 - 2013-09-29 17:21 - 00000000 ____D C:\Users\David\Desktop\School
2013-09-29 15:37 - 2013-09-29 17:22 - 00000000 ____D C:\Users\David\Desktop\Other
2013-09-29 15:37 - 2013-09-29 15:37 - 00000000 ____D C:\Users\David\Desktop\Meditation
2013-09-29 15:37 - 2013-09-29 15:37 - 00000000 ____D C:\Users\David\Desktop\Game Programming
2013-09-29 15:37 - 2013-07-19 10:33 - 00001783 _____ C:\Users\David\Desktop\iTunes.lnk
2013-09-29 15:37 - 2013-06-13 12:49 - 00000932 _____ C:\Users\David\Desktop\Guitar Pro 5.lnk
2013-09-29 15:37 - 2013-03-18 18:19 - 00001852 _____ C:\Users\David\Desktop\avast! Free Antivirus.lnk
2013-09-29 15:37 - 2013-03-16 15:14 - 00001053 _____ C:\Users\David\Desktop\Notepad++.lnk
2013-09-29 15:37 - 2012-08-06 18:05 - 00002975 _____ C:\Users\David\Desktop\Power Tab Editor 1.7.lnk
2013-09-29 15:37 - 2012-07-12 19:00 - 00001142 _____ C:\Users\David\Desktop\Mozilla Firefox.lnk
2013-09-29 15:32 - 2013-09-29 15:37 - 00000000 ____D C:\Users\David\Desktop\Fitness
2013-09-29 15:31 - 2013-09-29 15:31 - 00000000 ____D C:\Users\David\Desktop\Art
2013-09-29 15:31 - 2013-09-22 18:14 - 00000851 _____ C:\Users\David\Desktop\µTorrent.lnk
2013-09-29 15:29 - 2013-03-18 18:18 - 00000000 ____D C:\Users\David\Avast AntiVirus 6.0.11 + Serial Keys - {RedDragon}
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ___RD C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ___RD C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ___RD C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ___RD C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WMV9 VCM
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Power Tab Software
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Game Maker 8 Pro Edition
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FrostWire 5
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Apache Friends
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Anadelta Software
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft Corporation
2013-09-29 15:28 - 2013-09-22 18:14 - 00000831 _____ C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2013-09-29 15:28 - 2013-07-21 12:11 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AeriaGames
2013-09-29 15:28 - 2013-07-21 12:03 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCsoft
2013-09-29 15:28 - 2013-05-25 10:14 - 00001413 _____ C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-09-29 15:28 - 2012-12-11 11:57 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad++
2013-09-29 15:18 - 2013-09-29 15:18 - 00000000 ____D C:\Users\David\AppData\Local\Microsoft Help
2013-09-29 15:18 - 2013-09-29 15:18 - 00000000 ____D C:\Users\David\AppData\Local\Microsoft Games
2013-09-29 15:03 - 2013-09-29 15:03 - 00000000 ____D C:\Users\David\10,000 Days
2013-09-29 15:03 - 2013-06-09 10:24 - 00000024 _____ C:\Users\David\random.dat
2013-09-29 15:03 - 2013-02-18 10:47 - 00023040 ___SH C:\Users\David\Thumbs.db
2013-09-29 15:02 - 2013-06-09 10:21 - 00000044 _____ C:\Users\David\jagex_cl_runescape_LIVE.dat
2013-09-29 15:02 - 2013-05-20 17:53 - 00000044 _____ C:\Users\David\jagex_cl_oldschool_LIVE.dat
2013-09-29 15:02 - 2013-03-09 17:29 - 764450662 _____ C:\Users\David\Lynda.com HTML Essential Training 2012.rar
2013-09-29 15:02 - 2013-01-26 16:54 - 16456734 _____ C:\Users\David\GM8.7z
2013-09-29 15:02 - 2013-01-03 09:15 - 00000145 _____ C:\Users\David\.appletviewer
2013-09-29 15:02 - 2012-07-13 17:48 - 00000045 _____ C:\Users\David\jagex_cl_runescape_LIVE1.dat
2013-09-29 14:52 - 2012-07-12 19:00 - 00000000 ____D C:\Users\David\AppData\Roaming\Mozilla
2013-09-29 14:52 - 2012-07-12 19:00 - 00000000 ____D C:\Users\David\AppData\Local\Mozilla
2013-09-28 08:46 - 2013-08-30 03:48 - 00072016 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2013-09-28 08:44 - 2013-10-19 15:02 - 00004184 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2013-09-28 08:44 - 2013-08-30 03:48 - 01030952 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2013-09-28 08:44 - 2013-08-30 03:48 - 00204880 _____ C:\Windows\system32\Drivers\aswVmm.sys
2013-09-28 08:44 - 2013-08-30 03:48 - 00065336 _____ C:\Windows\system32\Drivers\aswRvrt.sys
2013-09-28 08:44 - 2013-08-30 03:47 - 00287840 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
 
==================== One Month Modified Files and Folders =======
 
2013-10-28 18:51 - 2013-10-28 18:51 - 00000000 ____D C:\FRST
2013-10-28 18:50 - 2013-10-28 18:50 - 00000411 _____ C:\Users\David\Desktop\foodnutes.txt
2013-10-28 18:49 - 2013-10-28 18:49 - 01956538 _____ (Farbar) C:\Users\David\Desktop\FRST64.exe
2013-10-28 18:15 - 2011-02-10 15:21 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1443715204-4194733328-638700770-1001UA.job
2013-10-28 18:04 - 2012-07-12 18:15 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-28 17:59 - 2013-06-02 12:37 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-28 11:15 - 2011-02-10 15:21 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1443715204-4194733328-638700770-1001Core.job
2013-10-28 09:59 - 2013-06-02 12:37 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-28 08:40 - 2013-10-19 15:02 - 00003244 _____ C:\Windows\System32\Tasks\IORRT
2013-10-26 16:02 - 2013-10-26 16:02 - 00000315 _____ C:\Users\David\Desktop\virusesdescriptions.txt
2013-10-22 20:17 - 2013-10-22 18:01 - 00000626 _____ C:\Users\David\Desktop\jaja.html
2013-10-21 13:33 - 2013-10-20 13:41 - 00000000 ____D C:\Users\David\AppData\Roaming\Notepad++
2013-10-20 14:47 - 2013-10-20 14:47 - 00000000 ____D C:\Users\David\Desktop\To Turn In
2013-10-20 14:23 - 2013-10-10 12:44 - 00000000 ____D C:\Users\David\AppData\Local\Aion
2013-10-20 14:09 - 2013-10-12 18:37 - 00000000 ____D C:\Users\David\AppData\Local\VirtualStore
2013-10-20 11:30 - 2013-10-20 08:49 - 00016535 _____ C:\Users\David\Desktop\attach.txt
2013-10-20 11:30 - 2013-10-20 08:49 - 00016424 _____ C:\Users\David\Desktop\dds.txt
2013-10-20 11:26 - 2013-10-20 11:26 - 00688992 ____R (Swearware) C:\Users\David\Desktop\dds.com
2013-10-20 08:47 - 2009-07-14 00:45 - 00018224 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-20 08:47 - 2009-07-14 00:45 - 00018224 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-20 08:40 - 2011-06-08 17:44 - 00340794 _____ C:\Windows\PFRO.log
2013-10-20 08:40 - 2011-06-05 01:00 - 00019970 _____ C:\Windows\setupact.log
2013-10-20 08:40 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-20 08:33 - 2013-10-20 08:33 - 00688992 ____R (Swearware) C:\Users\David\Desktop\dds.scr
2013-10-20 08:26 - 2013-10-20 08:26 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-20 08:26 - 2013-10-20 08:26 - 00000000 ____D C:\Users\David\AppData\Roaming\Malwarebytes
2013-10-20 08:26 - 2013-10-20 08:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-20 08:26 - 2013-10-20 08:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-20 08:22 - 2013-10-20 08:22 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\David\Downloads\mbam-setup-1.75.0.1300.exe
2013-10-19 15:02 - 2013-09-28 08:44 - 00004184 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2013-10-19 14:44 - 2013-10-19 14:28 - 00002220 _____ C:\Users\David\Desktop\unhide.txt
2013-10-19 14:27 - 2013-10-19 14:27 - 00398752 _____ (Bleeping Computer, LLC) C:\Users\David\Downloads\unhide.exe
2013-10-17 14:02 - 2013-10-12 18:23 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-16 07:08 - 2009-07-14 01:13 - 00795010 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-15 16:10 - 2013-10-15 16:10 - 00043476 _____ C:\Users\David\Downloads\tool_reflection.ptb
2013-10-14 10:11 - 2011-02-10 21:01 - 01165547 _____ C:\Windows\WindowsUpdate.log
2013-10-12 18:38 - 2013-10-12 18:38 - 00000000 ____D C:\Users\David\AppData\Roaming\ATI
2013-10-12 18:37 - 2013-10-12 18:37 - 00000020 ___SH C:\Users\David\ntuser.ini
2013-10-12 18:37 - 2011-02-10 15:11 - 00000000 ____D C:\Users\David
2013-10-12 18:24 - 2013-10-12 18:22 - 00000000 ____D C:\Users\David\AppData\Local\Google
2013-10-12 18:23 - 2012-09-23 10:43 - 00000000 ____D C:\Program Files (x86)\Google
2013-10-12 18:22 - 2013-10-12 18:22 - 00784840 _____ (Google Inc.) C:\Users\David\Downloads\ChromeSetup.exe
2013-10-11 09:54 - 2013-06-02 12:37 - 00003892 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-11 09:54 - 2013-06-02 12:37 - 00003640 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-07 10:04 - 2013-10-07 10:03 - 00000000 ____D C:\Users\David\AppData\Roaming\Apple Computer
2013-10-07 10:03 - 2013-10-07 10:03 - 00000000 ____D C:\Users\David\AppData\Local\Apple Computer
2013-10-07 10:03 - 2013-10-07 10:03 - 00000000 ____D C:\ProgramData\Apple Computer
2013-10-06 21:09 - 2013-10-06 21:09 - 13081608 _____ (Microsoft Corporation) C:\Users\David\Downloads\Silverlight_x64.exe
2013-10-06 21:09 - 2013-10-06 21:09 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-06 21:09 - 2013-10-06 21:09 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-06 21:06 - 2012-12-12 06:41 - 00000000 ____D C:\Program Files (x86)\Microsoft SDKs
2013-10-06 08:36 - 2013-10-06 08:36 - 00000000 ____D C:\Users\David\AppData\Local\Apple
2013-10-05 11:58 - 2013-10-05 11:58 - 00000000 ____D C:\Users\David\Documents\NetBeansProjects
2013-10-05 11:58 - 2013-10-05 11:58 - 00000000 ____D C:\Users\David\AppData\Roaming\NetBeans
2013-10-05 11:58 - 2013-10-05 11:58 - 00000000 ____D C:\Users\David\AppData\Local\NetBeans
2013-10-05 11:58 - 2013-10-05 11:58 - 00000000 ____D C:\Users\David\.m2
2013-10-05 11:19 - 2013-10-05 11:19 - 00128512 _____ C:\Users\David\Downloads\ifflowpseudo.ppt
2013-09-30 11:28 - 2013-09-30 09:33 - 00978944 _____ C:\Users\David\Documents\Database1.accdb
2013-09-30 09:43 - 2013-09-30 09:43 - 00000000 ____D C:\Users\David\AppData\Local\ATI
2013-09-30 09:43 - 2013-09-30 09:43 - 00000000 ____D C:\ProgramData\ATI
2013-09-30 09:28 - 2013-09-30 09:28 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2013-09-30 09:28 - 2011-11-11 12:16 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-29 19:43 - 2013-09-29 19:43 - 00002951 _____ C:\Users\David\Desktop\Microsoft Excel 2010.lnk
2013-09-29 19:42 - 2013-09-29 19:42 - 00002693 _____ C:\Users\David\Desktop\Microsoft Office Word 2007.lnk
2013-09-29 18:28 - 2013-09-29 18:28 - 00000000 ____D C:\Users\David\AppData\Local\Adobe
2013-09-29 18:28 - 2013-09-29 18:13 - 00000000 ____D C:\Users\David\AppData\Roaming\Adobe
2013-09-29 18:17 - 2013-09-29 18:17 - 00117080 _____ C:\Users\David\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-29 18:13 - 2013-09-29 18:13 - 00000000 ____D C:\Users\David\AppData\Roaming\Macromedia
2013-09-29 18:13 - 2013-09-29 18:13 - 00000000 ____D C:\Users\David\AppData\Local\Macromedia
2013-09-29 17:55 - 2012-12-12 06:41 - 00000000 ____D C:\Windows\system32\1033
2013-09-29 17:55 - 2012-12-12 06:41 - 00000000 ____D C:\Program Files\Microsoft SQL Server
2013-09-29 17:51 - 2012-12-12 06:40 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 11.0
2013-09-29 17:43 - 2009-07-13 23:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-09-29 17:29 - 2011-03-21 17:48 - 00000000 ____D C:\Program Files (x86)\InstallShield Installation Information
2013-09-29 17:22 - 2013-09-29 15:37 - 00000000 ____D C:\Users\David\Desktop\Other
2013-09-29 17:21 - 2013-09-29 15:40 - 00000000 ____D C:\Users\David\Desktop\School
2013-09-29 16:00 - 2013-09-29 16:00 - 00000000 ____D C:\Users\David\Ænima
2013-09-29 15:59 - 2013-09-29 15:59 - 00000000 ____D C:\Users\David\Undertow
2013-09-29 15:58 - 2013-09-29 15:58 - 00000000 ____D C:\Users\David\Salival
2013-09-29 15:52 - 2013-09-29 15:52 - 00000000 ____D C:\Users\David\Opiate
2013-09-29 15:50 - 2013-09-29 15:50 - 00000000 ____D C:\Users\David\Lateralus
2013-09-29 15:42 - 2013-09-29 15:42 - 00000000 ____D C:\Users\David\Desktop\Torrents
2013-09-29 15:37 - 2013-09-29 15:37 - 00000000 ____D C:\Users\David\Desktop\Meditation
2013-09-29 15:37 - 2013-09-29 15:37 - 00000000 ____D C:\Users\David\Desktop\Game Programming
2013-09-29 15:37 - 2013-09-29 15:32 - 00000000 ____D C:\Users\David\Desktop\Fitness
2013-09-29 15:31 - 2013-09-29 15:31 - 00000000 ____D C:\Users\David\Desktop\Art
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ___RD C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ___RD C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ___RD C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ___RD C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WMV9 VCM
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Power Tab Software
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Game Maker 8 Pro Edition
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FrostWire 5
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Apache Friends
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Anadelta Software
2013-09-29 15:28 - 2013-09-29 15:28 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft Corporation
2013-09-29 15:18 - 2013-09-29 15:18 - 00000000 ____D C:\Users\David\AppData\Local\Microsoft Help
2013-09-29 15:18 - 2013-09-29 15:18 - 00000000 ____D C:\Users\David\AppData\Local\Microsoft Games
2013-09-29 15:03 - 2013-09-29 15:03 - 00000000 ____D C:\Users\David\10,000 Days
2013-09-28 08:44 - 2011-02-23 11:00 - 00000000 _____ C:\Windows\SysWOW64\config.nt
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$84b322f9f1d579365c3c11740b19e71e
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1443715204-4194733328-638700770-1001\$84b322f9f1d579365c3c11740b19e71e
 
Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\David\jagex_cl_oldschool_LIVE.dat
C:\Users\David\jagex_cl_runescape_LIVE.dat
C:\Users\David\jagex_cl_runescape_LIVE1.dat
C:\Users\David\random.dat
 
 
Some content of TEMP:
====================
C:\Users\David\AppData\Local\Temp\84aa80b106ec7fa58feeaf91065fb45b.dll
C:\Users\David\AppData\Local\Temp\AstroburnLite161-0171.exe
C:\Users\David\AppData\Local\Temp\AutoRun.exe
C:\Users\David\AppData\Local\Temp\AutoRunGUI.dll
C:\Users\David\AppData\Local\Temp\bdfilters.dll
C:\Users\David\AppData\Local\Temp\eauninstall.exe
C:\Users\David\AppData\Local\Temp\First15.exe
C:\Users\David\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\David\AppData\Local\Temp\lyjpugbr.dll
C:\Users\David\AppData\Local\Temp\NGMDll.dll
C:\Users\David\AppData\Local\Temp\NGMResource.dll
C:\Users\David\AppData\Local\Temp\NGMSetup.exe
C:\Users\David\AppData\Local\Temp\npp.6.3.Installer.exe
C:\Users\David\AppData\Local\Temp\nsaBC1.exe
C:\Users\David\AppData\Local\Temp\nsf146E.exe
C:\Users\David\AppData\Local\Temp\nsp7C00.exe
C:\Users\David\AppData\Local\Temp\nspE9B6.exe
C:\Users\David\AppData\Local\Temp\ose00000.exe
C:\Users\David\AppData\Local\Temp\ose00001.exe
C:\Users\David\AppData\Local\Temp\pylF4D8.tmp.exe
C:\Users\David\AppData\Local\Temp\pylFD71.tmp.exe
C:\Users\David\AppData\Local\Temp\removeKCL.EXE
C:\Users\David\AppData\Local\Temp\removeKTID.EXE
C:\Users\David\AppData\Local\Temp\remTIDShortcut.EXE
C:\Users\David\AppData\Local\Temp\RestorePreviousVersion.EXE
C:\Users\David\AppData\Local\Temp\SPStub.exe
C:\Users\David\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\David\AppData\Local\Temp\swt-win32-3740.dll
C:\Users\David\AppData\Local\Temp\tbuTor.dll
C:\Users\David\AppData\Local\Temp\The Sims 2_uninst.exe
C:\Users\David\AppData\Local\Temp\TI-Nspire_CAS_Student_Software-3.2.0.1219.exe
C:\Users\David\AppData\Local\Temp\ToolbarHelper.exe
C:\Users\David\AppData\Local\Temp\unicows.dll
C:\Users\David\AppData\Local\Temp\Uninstall.exe
C:\Users\David\AppData\Local\Temp\UninstallEADM.dll
C:\Users\David\AppData\Local\Temp\utt50A0.tmp.exe
C:\Users\David\AppData\Local\Temp\VP6Install.exe
C:\Users\David\AppData\Local\Temp\VP6VFW.dll
C:\Users\David\AppData\Local\Temp\writeLogFile.EXE
C:\Users\David\AppData\Local\Temp\xmlUpdater.exe
C:\Users\David\AppData\Local\Temp\_isAAD6.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
 
LastRegBack: 2013-10-21 00:35
 
==================== End Of Log ============================
 
 
 
 
 
Addition.txt:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-10-2013
Ran by David at 2013-10-28 18:52:49
Running from C:\Users\David\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: avast! Antivirus (Enabled - Up to date) {C37D8F93-0602-E43C-40AA-47DAD597F308}
AS: avast! Antivirus (Enabled - Up to date) {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
7-Zip 9.20 (x32)
7-Zip 9.21 (x32 Version: 9.21.00.0)
Adobe AIR (x32 Version: 2.5.1.17730)
Adobe Flash Player 11 ActiveX (x32 Version: 11.7.700.202)
Adobe Flash Player 11 Plugin (x32 Version: 11.7.700.202)
Adobe Reader X (10.1.6) (x32 Version: 10.1.6)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
Apple Application Support (x32 Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (x32 Version: 2.1.3.127)
ATI Catalyst Install Manager (Version: 3.0.808.0)
ATI Catalyst Registration (x32 Version: 3.00.0000)
ATI Stream SDK v2 Developer (Version: 2.3.0.0)
avast! Free Antivirus (x32 Version: 8.0.1497.0)
Bonjour (Version: 3.0.0.10)
Call of Duty® 4 - Modern Warfare™ 1.6 Patch (x32)
Call of Duty® 4 - Modern Warfare™ 1.7 Patch (x32)
Catalyst Control Center - Branding (x32 Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (x32 Version: 2011.0104.2155.39304)
Catalyst Control Center InstallProxy (x32 Version: 2011.0104.2155.39304)
CCC Help English (x32 Version: 2011.0104.2154.39304)
ccc-core-static (x32 Version: 2011.0104.2155.39304)
ccc-utility64 (Version: 2011.0104.2155.39304)
D3DX10 (x32 Version: 15.4.2368.0902)
DAEMON Tools Lite (x32 Version: 4.45.4.0315)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (x32)
Dev-C++ 5 beta 9 release (4.9.9.2) (x32)
FrostWire 5.3.8 (x32 Version: 5.3.8.0)
Google Chrome (HKCU Version: 29.0.1547.76)
Google Chrome (x32 Version: 30.0.1599.101)
Google Earth Plug-in (x32 Version: 7.1.1.1888)
Google Update Helper (x32 Version: 1.3.21.165)
Guitar Pro 5.2 (x32)
iTunes (Version: 11.0.4.4)
Java 7 Update 7 (64-bit) (Version: 7.0.70)
Java SE Development Kit 7 Update 5 (64-bit) (Version: 1.7.0.50)
Java SE Development Kit 7 Update 7 (64-bit) (Version: 1.7.0.70)
Java™ 7 Update 5 (x32 Version: 7.0.50)
JavaFX 2.1.1 (64-bit) (Version: 2.1.1)
JavaFX 2.1.1 SDK (64-bit) (Version: 2.1.1)
Logitech SetPoint 6.32 (Version: 6.32.20)
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300)
Microsoft .NET Framework 1.1 (x32 Version: 1.1.4322)
Microsoft .NET Framework 1.1 (x32)
Microsoft .NET Framework 4 Multi-Targeting Pack (x32 Version: 4.0.30319)
Microsoft .NET Framework 4.5 (Version: 4.5.50709)
Microsoft .NET Framework 4.5 Multi-Targeting Pack (x32 Version: 4.5.50709)
Microsoft .NET Framework 4.5 SDK (x32 Version: 4.5.50709)
Microsoft Access 2010 (x32 Version: 14.0.4763.1000)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Application Error Reporting (x32 Version: 12.0.6012.5000)
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools (x32 Version: 2.0.50217.0)
Microsoft ASP.NET MVC 2 (x32 Version: 2.0.50217.0)
Microsoft DirectX SDK (June 2010) (x32 Version: 9.29.1962.0)
Microsoft Excel 2010 (x32 Version: 14.0.6029.1000)
Microsoft Help Viewer 1.1 (Version: 1.1.40219)
Microsoft Help Viewer 2.0 (x32 Version: 2.0.50727)
Microsoft Office 2007 Service Pack 3 (SP3) (x32)
Microsoft Office 2010 Service Pack 1 (SP1) (x32)
Microsoft Office Access 2010 (x32 Version: 14.0.4763.1000)
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.4763.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.4763.1000)
Microsoft Office Excel 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (x32)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Word 2007 (x32 Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft Sync Framework Runtime v1.0 SP1 (x64) (Version: 1.0.3010.0)
Microsoft Sync Framework SDK v1.0 SP1 (x32 Version: 1.0.3010.0)
Microsoft Sync Framework Services v1.0 SP1 (x64) (Version: 1.0.3010.0)
Microsoft Visual C++  Compilers 2010 Standard - enu - x64 (Version: 10.0.40219)
Microsoft Visual C++  Compilers 2010 Standard - enu - x86 (x32 Version: 10.0.40219)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Designtime - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010  x64 Runtime - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219)
Microsoft Visual F# 2.0 Runtime (x32 Version: 10.0.40219)
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools (x32 Version: 10.0.40219)
Microsoft Visual Studio 2010 IntelliTrace Collection (x64) (Version: 10.0.40219)
Microsoft Visual Studio 2010 Office Developer Tools (x64) (Version: 10.0.40219)
Microsoft Visual Studio 2010 Performance Collection Tools SP1 - ENU (Version: 10.0.40219)
Microsoft Visual Studio 2010 Service Pack 1 (x32 Version: 10.0.40219)
Microsoft Visual Studio 2010 SharePoint Developer Tools (x32 Version: 10.0.40219)
Microsoft Windows Media Video 9 VCM (x32)
Microsoft WSE 3.0 Runtime (x32 Version: 3.0.5305.0)
MotioninJoy DS3 driver version 0.6.0004 (Version: 0.6.0004)
Mozilla Firefox 13.0.1 (x86 en-US) (x32 Version: 13.0.1)
Mozilla Maintenance Service (x32 Version: 13.0.1)
MSVCRT (x32 Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0)
NetBeans IDE 7.2 (Version: 7.2)
NETGEAR WG111v2 wireless USB 2.0 adapter (x32 Version: 1.0.0.133)
Notepad++ (x32 Version: 6.3)
Pando Media Booster (x32 Version: 2.6.0.8)
Power Tab Editor 1.7 (x32 Version: 1.7.0)
PowerISO (x32 Version: 4.8)
Realtek Ethernet Controller Driver (x32 Version: 7.49.927.2011)
Realtek HDMI Audio Driver for ATI (x32 Version: 6.0.1.6409)
SimCity 4 Deluxe (x32)
The Lord of the Rings FREE Trial  (x32 Version: 1.00.0000)
TI-Nspire™ CAS Student Software (x32 Version: 3.2.0.1219)
TI-Nspire™ CAS Computer Software Teacher Edition (x32 Version: 1.7.2741)
Update for  (KB2504637) (x32 Version: 1)
Update for 2007 Microsoft Office System (KB967642) (x32)
Update for Microsoft .NET Framework 4.5 (KB2750147) (x32 Version: 1)
Update for Microsoft .NET Framework 4.5 (KB2805221) (x32 Version: 1)
Update for Microsoft .NET Framework 4.5 (KB2805226) (x32 Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673) (x32)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (x32)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2553065) (x32)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2566458) (x32)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition (x32)
Update for Microsoft Office Script Editor Help (KB963671) (x32)
Update for Microsoft Office Word 2007 Help (KB963665) (x32)
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition (x32)
Update for Microsoft Visual Studio 2012 (KB2781514) (x32 Version: 11.0.50727)
VC80CRTRedist - 8.0.50727.6195 (x32 Version: 1.2.0)
Visual Studio 2010 Prerequisites - English (Version: 10.0.40219)
WCF RIA Services V1.0 SP1 (x32 Version: 4.1.60114.0)
WG111v2 Configuration Utility (x32 Version: 1.00)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (x32 Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3508.1109)
Windows Live Movie Maker (x32 Version: 15.4.3502.0922)
Windows Live Photo Common (x32 Version: 15.4.3502.0922)
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922)
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109)
Windows Live SOXE (x32 Version: 15.4.3502.0922)
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922)
Windows Live UX Platform (x32 Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109)
WMV9/VC-1 Video Playback (Version: 1.00.0000)
wxDev-C++ (x32)
 
==================== Restore Points  =========================
 
07-10-2013 01:02:32 Removed Microsoft Silverlight
07-10-2013 01:05:08 Removed Microsoft Silverlight 3 SDK
07-10-2013 01:06:01 Removed Microsoft Silverlight 4 SDK
14-10-2013 04:00:03 Scheduled Checkpoint
22-10-2013 04:00:02 Scheduled Checkpoint
 
==================== Hosts content: ==========================
 
2009-07-13 22:34 - 2012-11-19 14:46 - 00001392 _RASH C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
50.31.74.129 www.google-analytics.com.
50.31.74.129 ad-emea.doubleclick.net.
50.31.74.129 www.statcounter.com.
217.23.13.202 www.google-analytics.com.
217.23.13.202 ad-emea.doubleclick.net.
217.23.13.202 www.statcounter.com.
 
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {000D8721-9239-4D1E-A5CC-54CB071C0FCF} - System32\Tasks\RunAsStdUser Task => C:\Users\David\AppData\Local\Temp\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\RunIE.exe
Task: {05DD29CE-6620-4982-9D4B-B36DC0E85E95} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-14] (Adobe Systems Incorporated)
Task: {14AB7226-97F7-4AB5-9C29-2E87CE6FD604} - System32\Tasks\SidebarExecute => C:\Program Files (x86)\Windows Sidebar\sidebar.exe [2010-11-20] (Microsoft Corporation)
Task: {1524B0EE-BF5C-4AAE-AD3E-342FF2FA6270} - System32\Tasks\{70943C7F-E9D0-4151-A24B-B24A50A11D9B} => C:\Windows\System32\msiexec.exe [2010-11-20] (Microsoft Corporation)
Task: {1D489A16-A652-4A80-A339-328F46DEC492} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1443715204-4194733328-638700770-1001Core => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {3A60838A-2FB0-465F-8D18-A79485907D93} - System32\Tasks\Go to RoboForm Install page => C:\Windows\System32\url.dll [2013-05-25] (Microsoft Corporation)
Task: {3CC5C35E-3B33-44DF-BAB7-480B868E1CC6} - System32\Tasks\{4645E68A-A6E3-45FC-81A1-BF25D2EC4BB1} => C:\Users\David\Desktop\RPGTOOLKIT\vb\setup\setup.exe
Task: {3CD1C36A-F6C1-43FD-BFD7-746907AF6924} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-02] (Google Inc.)
Task: {510EDD06-2EF3-440D-B734-204E81B4B8C6} - System32\Tasks\task209990481 => C:\Users\David\AppData\Local\Temp\0.2549370918813907.exe
Task: {7DA6D26A-A090-441A-9AA2-1343743DF9CA} - System32\Tasks\avast! Emergency Update => C:\Program Files\Alwil Software\Avast5\AvastEmUpdate.exe [2013-08-30] (AVAST Software)
Task: {8016428A-8DBE-424A-8E30-998D1A72CDE2} - System32\Tasks\{C75394C2-1797-4497-A329-DB54F2BB9341} => C:\Users\David\Desktop\Minecraft Windows.exe
Task: {850AD854-07A9-4AC1-99B1-B54D74821C0F} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {A48D5444-56BB-42E5-89AA-9C28CB260D7A} - System32\Tasks\{15EA6EE0-D830-4240-A643-5949C03033A3} => C:\Users\David\Desktop\Battle Gear Trainer.exe
Task: {AA9E91AA-FDF7-4636-9E02-B92D17201114} - System32\Tasks\{AA8F5D2F-EDFC-488C-BBE3-7CDD2C0C3214} => C:\Windows\System32\msiexec.exe [2010-11-20] (Microsoft Corporation)
Task: {AD825DA0-8949-4687-B7C3-2F6B5F54097E} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {C24C035B-1867-452A-AD1C-FE6CBE089F5C} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1443715204-4194733328-638700770-1001UA => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {D28E6D6D-A8FB-4C77-A27F-599572CDF975} - System32\Tasks\IORRT => C:\IORRT\IORRT.bat [2013-02-16] ()
Task: {D39F513C-536A-4F42-B490-8C79707D723A} - System32\Tasks\Run RoboForm TaskBar Icon => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
Task: {D7F434FA-D8E2-4370-B08A-1AD864083001} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-02] (Google Inc.)
Task: {E54108FB-7791-4DB2-B8A2-25718068F96C} - System32\Tasks\{491ABDCE-07F3-4306-AA22-41838CB8709B} => C:\Program Files (x86)\Skype\\Phone\Skype.exe
Task: {EED2A205-D5BF-41E0-BCEF-287389B154EA} - System32\Tasks\{560EEAF0-82B2-4454-994F-10C8CE93C681} => C:\Users\David\Desktop\Minecraft Windows.exe
Task: {FCC74620-9A99-4306-8418-739632027168} - System32\Tasks\Hybrid => C:\IORRT\IORRT.bat [2013-02-16] ()
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1443715204-4194733328-638700770-1001Core.job => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1443715204-4194733328-638700770-1001UA.job => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2012-06-18 11:24 - 2012-06-18 11:24 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_05.dll
2011-01-04 22:54 - 2011-01-04 22:54 - 00243712 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2013-10-20 08:14 - 2013-10-20 02:07 - 02105856 _____ () C:\Program Files\Alwil Software\Avast5\defs\13102000\algo.dll
2013-10-28 17:34 - 2013-10-28 14:25 - 02105856 _____ () C:\Program Files\Alwil Software\Avast5\defs\13102801\algo.dll
2013-10-17 14:01 - 2013-10-08 20:01 - 00698832 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\libglesv2.dll
2013-10-17 14:01 - 2013-10-08 20:01 - 00099792 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\libegl.dll
2013-10-17 14:01 - 2013-10-08 20:02 - 04055504 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\pdf.dll
2013-10-17 14:01 - 2013-10-08 20:02 - 00415184 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll
2013-10-17 14:01 - 2013-10-08 20:01 - 01604560 _____ () C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
AlternateDataStreams: C:\Windows:AstInfo
 
==================== Safe Mode (whitelisted) ===================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/19/2013 02:14:00 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7432c9f5
Faulting process id: 0x6f4
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
Error: (10/15/2013 04:10:28 PM) (Source: Application Error) (User: )
Description: Faulting application name: PTEditor.exe, version: 1.7.0.80, time stamp: 0x39c68404
Faulting module name: SHELL32.dll, version: 6.1.7601.18103, time stamp: 0x512d91aa
Exception code: 0xc0000005
Fault offset: 0x0038b09e
Faulting process id: 0xfdc
Faulting application start time: 0xPTEditor.exe0
Faulting application path: PTEditor.exe1
Faulting module path: PTEditor.exe2
Report Id: PTEditor.exe3
 
Error: (09/28/2013 07:56:04 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7565c9f5
Faulting process id: 0xc34
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
Error: (09/28/2013 06:02:02 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7565c9f5
Faulting process id: 0x8a0
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
Error: (09/28/2013 05:18:00 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7565c9f5
Faulting process id: 0xea0
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
Error: (09/27/2013 11:26:52 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7565c9f5
Faulting process id: 0x5bc
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
Error: (09/27/2013 04:44:46 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7565c9f5
Faulting process id: 0xe28
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
Error: (09/26/2013 10:16:42 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7565c9f5
Faulting process id: 0xae0
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
Error: (09/26/2013 03:19:37 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7565c9f5
Faulting process id: 0xe74
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
Error: (09/26/2013 06:34:34 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7565c9f5
Faulting process id: 0x650
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
 
System errors:
=============
Error: (10/25/2013 07:44:05 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: 
%%-2147024891
 
Error: (10/25/2013 07:44:05 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error: 
%%-2147024891
 
Error: (10/23/2013 01:37:58 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: 
%%-2147024891
 
Error: (10/23/2013 01:37:58 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error: 
%%-2147024891
 
Error: (10/23/2013 10:34:07 AM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: 
%%-2147024891
 
Error: (10/23/2013 10:34:07 AM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error: 
%%-2147024891
 
Error: (10/22/2013 06:30:03 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: 
%%-2147024891
 
Error: (10/22/2013 06:30:03 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error: 
%%-2147024891
 
Error: (10/22/2013 06:29:23 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: 
%%-2147024891
 
Error: (10/22/2013 06:29:23 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error: 
%%-2147024891
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2013-02-17 12:29:58.900
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-02-17 12:29:58.817
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 57%
Total physical RAM: 2038.05 MB
Available physical RAM: 867.43 MB
Total Pagefile: 4420.66 MB
Available Pagefile: 2342.64 MB
Total Virtual: 8192 MB
Available Virtual: 8191.8 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:698.63 GB) (Free:606.2 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Ubuntu 13.04 amd) (CDROM) (Total:0.77 GB) (Free:0 GB) CDFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 283D283D)
Partition 1: (Active) - (Size=699 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 


#7 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 28 October 2013 - 06:30 PM

Hello again,

Download the attached fixlist.txt and save it to the same location as FRST.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

==========

After posting the above log, please let me know how the computer is running now!

bloopie


Edited by bloopie, 29 October 2013 - 02:36 PM.


#8 Dankaru

Dankaru
  • Topic Starter

  • Members
  • 4 posts

Posted 29 October 2013 - 07:50 PM

I followed the instructions and here is the fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-10-2013
Ran by David at 2013-10-29 20:47:51 Run:1
Running from C:\Users\David\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$84b322f9f1d579365c3c11740b19e71e\n. ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [Adobe] - rundll32 "C:\Users\David\AppData\Local\VirtualStore\Adobe\kohedepc.dll",DllRegisterServer <===== ATTENTION
C:\$Recycle.Bin\S-1-5-18\$84b322f9f1d579365c3c11740b19e71e\n.
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1443715204-4194733328-638700770-1001\$84b322f9f1d579365c3c11740b19e71e\n. ATTENTION! ====> ZeroAccess?
C:\$Recycle.Bin\S-1-5-21-1443715204-4194733328-638700770-1001\$84b322f9f1d579365c3c11740b19e71e\n.
MountPoints2: F - F:\SETUP.EXE
MountPoints2: G - G:\Autorun.exe
MountPoints2: {4fb94d3c-355f-11e0-956a-002618a2becd} - E:\autorun.exe
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
U4 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{84b322f9-f1d5-7936-5c3c-11740b19e71e}\   \...\???\{84b322f9-f1d5-7936-5c3c-11740b19e71e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\$Recycle.Bin\S-1-5-18\$84b322f9f1d579365c3c11740b19e71e
C:\$Recycle.Bin\S-1-5-21-1443715204-4194733328-638700770-1001\$84b322f9f1d579365c3c11740b19e71e
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\David\jagex_cl_oldschool_LIVE.dat
C:\Users\David\jagex_cl_runescape_LIVE.dat
C:\Users\David\jagex_cl_runescape_LIVE1.dat
C:\Users\David\random.dat
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
*****************
 
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe => Value not found.
"C:\$Recycle.Bin\S-1-5-18\$84b322f9f1d579365c3c11740b19e71e\n." => File/Directory not found.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully. If the key returned, move the associated file, reboot and list the key for deletion.
"C:\$Recycle.Bin\S-1-5-21-1443715204-4194733328-638700770-1001\$84b322f9f1d579365c3c11740b19e71e\n." => File/Directory not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4fb94d3c-355f-11e0-956a-002618a2becd} => Key deleted successfully.
HKCR\CLSID\{4fb94d3c-355f-11e0-956a-002618a2becd} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000007\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000007\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
*etadpug => Service deleted successfully.
C:\$Recycle.Bin\S-1-5-18\$84b322f9f1d579365c3c11740b19e71e => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-1443715204-4194733328-638700770-1001\$84b322f9f1d579365c3c11740b19e71e => Moved successfully.
C:\Program Files (x86)\Google\Desktop\Install => Moved successfully.
C:\Users\David\jagex_cl_oldschool_LIVE.dat => Moved successfully.
C:\Users\David\jagex_cl_runescape_LIVE.dat => Moved successfully.
C:\Users\David\jagex_cl_runescape_LIVE1.dat => Moved successfully.
C:\Users\David\random.dat => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
 
==== End of Fixlog ====


#9 bloopie (Malware Response Team)

Posted 29 October 2013 - 08:14 PM

Hello again,
 
That looks good, and it should have removed the rootkit components so that it's not active anymore, but we still have work to do!
 
Now, let's run Combofix to get another log:

Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix, I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.

  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

==========

After running the above and posting the log, please let me know how the machine is running now!!

bloopie
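Added example, not part of the thread and not FRST or Combofix code: a PowerShell check, run from an elevated prompt on the cleaned machine, that re-tests each ZeroAccess artifact the Fixlog above reported acting on (the "*etadpug" service, the $<hex> folders under $Recycle.Bin, the fake Google\Desktop\Install tree, the reparse points that had replaced the Windows Defender files, the Winsock NameSpace_Catalog5 LibraryPath values, and the hijacked CLSID InprocServer32). Two parts go beyond what the log shows and are assumptions: the 32-hex-character folder-name pattern generalizes the single GUID in the log, and the rule that a legitimate LibraryPath/InprocServer32 value lives under system32 is a heuristic, not a list taken from the page.

```powershell
# Added verification script (not from the thread). Run elevated; PowerShell 2.0-compatible.
# Each check corresponds to one class of entry in the FRST Fixlog posted above.
$findings = @()

# 1. The bogus service. The log names it "*etadpug" ("gupdate" reversed); match on the
#    printable part in case the leading character is not what the log rendered.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match 'etadpug' } |
    ForEach-Object { $findings += "Service key still present: $($_.PSChildName)" }

# 2. Hidden $<32 hex chars> folders under each per-SID recycle bin (S-1-5-18 = LocalSystem).
#    Assumption: the pattern generalizes the one GUID ($84b322f9...) seen in the log.
Get-ChildItem 'C:\$Recycle.Bin' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        Get-ChildItem $_.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\$[0-9a-f]{32}$' } |
            ForEach-Object { $findings += "ZeroAccess recycle-bin folder: $($_.FullName)" }
    }

# 3. The fake Google Desktop install tree the dropper lived in.
if (Test-Path 'C:\Program Files (x86)\Google\Desktop\Install') {
    $findings += 'C:\Program Files (x86)\Google\Desktop\Install still exists'
}

# 4. Windows Defender files turned into reparse points (how the rootkit disabled Defender).
Get-ChildItem 'C:\Program Files\Windows Defender' -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
    ForEach-Object { $findings += "Reparse point in Defender dir: $($_.FullName)" }

# 5. Winsock name-space providers. Assumption: a legitimate LibraryPath is under system32;
#    the log restored entries 1 and 7 to NLAapi.dll and mswsock.dll there.
$systemDll = '^(%SystemRoot%|C:\\Windows)\\system32\\'
$catalogs = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64'
)
foreach ($cat in $catalogs) {
    Get-ChildItem $cat -ErrorAction SilentlyContinue | ForEach-Object {
        $lib = (Get-ItemProperty $_.PSPath).LibraryPath
        if ($lib -and $lib -notmatch $systemDll) {
            $findings += "Winsock entry $($_.PSChildName) in $cat -> $lib"
        }
    }
}

# 6. The COM object whose InprocServer32 the log restored; it must again point at a system DLL.
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32'
if (Test-Path $clsid) {
    $srv = (Get-ItemProperty $clsid).'(default)'
    if ($srv -and $srv -notmatch $systemDll) {
        $findings += "CLSID {5839FCA9-774D-42A1-ACDA-D6A79037F57F} InprocServer32 -> $srv"
    }
}

if ($findings.Count -eq 0) {
    'No ZeroAccess artifacts from the Fixlog remain.'
} else {
    $findings
}
```

An empty result is a negative for these six artifact classes only; it is not proof the machine is clean, which is why the helper still asks for a Combofix log and for confirmation that the firewall can be enabled again.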



#10 bloopie (Malware Response Team)

Posted 01 November 2013 - 04:31 PM

Hello again,

Are you still with me? :)

This is a 3-Day Bump! If you still wish to receive help, please follow the instructions in my previous post. If you do not respond in another 48 hours, I will be forced to close this topic!

bloopie



#11 bloopie (Malware Response Team)

Posted 07 November 2013 - 06:56 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



