ZeroAccess rootkit infection - Removal Instructions Needed


This topic is locked
39 replies to this topic

#1 beacon2020 (Members, 24 posts)

Posted 31 October 2013 - 01:23 PM

My computer has been infested with conduit.com malware. I have removed a mixi dj toolbar and the conduit.com program from the control panel, and two rogue files cftmon.exe. I have run scans with Norton Power Eraser, Microsoft Malicious Tool Remover, Kaspersky, Malwarebytes and about 10 other programs (many of these multiple times), but have been unable to remove the primary problem. When I type anything in the address bar of a browser (Firefox), often the malware wipes it out. And if I am able to bring up a desired web page, after a minute or so the address reverts to the initial web page that I opened in that browser window. Or once I pull up a web page from the search, the address will then revert to some previous page. If I type something in a Google Search field, the malware will often (but not always) wipe it out. Or if I start an email message, it will wipe out the text. Or if I'm in a Word document, before long it will wipe out the text. This all has been going on for weeks. By the way, my Dell has an OS System Restore feature which I've tried 5 or 6 times, but each time the problem returns.

 

In the following initial discussion, the conclusion by Broni was that my unit has a ZeroAccess rootkit infection, based on a positive ID through the Malwarebytes Anti-Rootkit tool. The discussion contains all the steps taken in order to identify the problem. I also searched my computer and found numerous files msvcp100.dll and msvcr100.dll in other locations/folders, but these were not identified as malware by the Malwarebytes Anti-Rootkit tool.

 

Infected: C:\WINDOWS\System64 --> [Trojan.0Access]
Infected: C:\WINDOWS\System64\msvcp100.dll --> [Trojan.0Access]
Infected: C:\WINDOWS\System64\msvcr100.dll --> [Trojan.0Access]
 

I need guidance on how to remove this problem. Here is the link to the initial discussion

 

http://www.bleepingcomputer.com/forums/t/512271/hijacked-browser-remnants/

 

I have attached two DDS logs (they are zipped together).  

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Georg Kremer at 18:55:58 on 2013-10-30
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3574.2320 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Norton AntiVirus\Engine\21.1.0.18\NAV.exe
C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Norton AntiVirus\Engine\21.1.0.18\NAV.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\engine\21.1.0.18\ips\ipsbho.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Norton Identity Protection: {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - c:\program files\norton identity safe\engine\2014.6.0.27\coieplg.dll
TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4BF3-BC6D-0079707C4389} - c:\program files\norton identity safe\engine\2014.6.0.27\coieplg.dll
TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4bf3-BC6D-0079707C4389} - c:\program files\norton identity safe\engine\2014.6.0.27\coieplg.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRunOnce: [ (A0)] cmd /c "c:\documents and settings\georg kremer\desktop\mbar\mbar.exe" /rdv /s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{1CD74573-C744-408B-BD94-DBA6F330976D} : DHCPNameServer = 192.168.254.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\georg kremer\application data\mozilla\firefox\profiles\ssu4jaf3.default-1381553949015\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-10-10 10:31; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_21.0.2.1\IPSFF
FF - ExtSQL: 2013-10-11 23:56; {F04D2D30-776C-4d02-8627-8E4385ECA58D}; c:\documents and settings\all users\application data\norton\{92622aad-05e8-4459-b256-765ce1e929fb}\nst_2014.5.0.67\coFFPlgn
FF - ExtSQL: 2013-10-28 23:23; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 49328214;49328214;c:\windows\system32\drivers\49328214.sys [2013-10-27 133208]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-10-28 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-10-28 178304]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1501000.012\symds.sys [2013-10-13 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1501000.012\symefa.sys [2013-10-13 935512]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-10-28 774392]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-10-28 403440]
R1 BHDrvx86;BHDrvx86;c:\program files\norton antivirus\nortondata\21.0.2.1\definitions\bashdefs\20131022.001\BHDrvx86.sys [2013-10-22 1096280]
R1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\nav\1501000.012\ccsetx86.sys [2013-10-13 127064]
R1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\nst\7de06000.01b\ccsetx86.sys [2013-10-9 127064]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1501000.012\ironx86.sys [2013-10-13 206936]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2013-10-4 532224]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-10-10 120088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-10-28 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-10-28 70384]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-10-28 50344]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-10-10 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-10-10 701512]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\21.1.0.18\nav.exe [2013-10-13 262288]
R2 NCO;Norton Identity Safe;c:\program files\norton identity safe\engine\2014.6.0.27\nst.exe [2013-10-9 129424]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-10-8 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-10-8 1033688]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-10-4 108120]
R3 IDSxpx86;IDSxpx86;c:\program files\norton antivirus\nortondata\21.0.2.1\definitions\ipsdefs\20131029.002\IDSXpx86.sys [2013-10-30 380824]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-10-29 47064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-10-10 22856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2013-10-29 105176]
R3 NAVENG;NAVENG;c:\program files\norton antivirus\nortondata\21.0.2.1\definitions\virusdefs\20131030.001\NAVENG.SYS [2013-10-30 93272]
R3 NAVEX15;NAVEX15;c:\program files\norton antivirus\nortondata\21.0.2.1\definitions\virusdefs\20131030.001\NAVEX15.SYS [2013-10-30 1612376]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-10-8 171928]
.
=============== Created Last 30 ================
.
2013-10-30 02:57:01    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-10-30 02:56:59    105176    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-10-30 02:56:16    47064    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-10-29 14:39:03    208896    ----a-w-    c:\windows\MBR.exe
2013-10-29 14:39:02    98816    ----a-w-    c:\windows\sed.exe
2013-10-29 14:39:02    256000    ----a-w-    c:\windows\PEV.exe
2013-10-29 14:38:21    --------    d-s---w-    C:\ComboFix
2013-10-29 04:26:38    --------    d-----w-    c:\documents and settings\georg kremer\application data\AVAST Software
2013-10-29 04:23:34    178304    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-10-29 04:23:30    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-10-29 04:23:29    774392    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-10-29 04:23:27    70384    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-10-29 04:23:13    43152    ----a-w-    c:\windows\avastSS.scr
2013-10-29 04:22:42    --------    d-----w-    c:\program files\AVAST Software
2013-10-29 04:21:47    403440    ----a-w-    c:\windows\system32\drivers\dbrskzbk.sys
2013-10-29 04:21:44    --------    d-----w-    c:\documents and settings\all users\application data\AVAST Software
2013-10-29 02:11:25    --------    d-----w-    c:\documents and settings\georg kremer\application data\SUPERAntiSpyware.com
2013-10-29 02:10:46    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-10-29 02:10:46    --------    d-----w-    c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-10-27 16:37:01    133208    ----a-w-    c:\windows\system32\drivers\49328214.sys
2013-10-26 04:58:02    139264    ----a-w-    c:\windows\system32\igfxres.dll
2013-10-26 04:14:11    --------    d-----w-    c:\documents and settings\all users\application data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-10-26 04:13:51    --------    d-----w-    c:\documents and settings\georg kremer\AppData
2013-10-26 04:07:40    --------    d-----w-    c:\documents and settings\all users\application data\IObit
2013-10-26 04:07:16    --------    d-----w-    c:\documents and settings\georg kremer\application data\IObit
2013-10-26 04:07:09    --------    d-----w-    c:\program files\IObit
2013-10-16 15:41:52    --------    d-----w-    c:\documents and settings\georg kremer\application data\LibreOffice
2013-10-15 14:11:08    87552    ----a-w-    c:\windows\system32\VACFix.exe
2013-10-15 14:11:08    82944    ----a-w-    c:\windows\system32\IEDFix.exe
2013-10-15 14:11:08    82944    ----a-w-    c:\windows\system32\IEDFix.C.exe
2013-10-15 14:11:08    82432    ----a-w-    c:\windows\system32\404Fix.exe
2013-10-15 14:11:08    80384    ----a-w-    c:\windows\system32\o4Patch.exe
2013-10-15 14:11:08    78336    ----a-w-    c:\windows\system32\Agent.OMZ.Fix.exe
2013-10-15 14:11:08    75776    ----a-w-    c:\windows\system32\WS2Fix.exe
2013-10-15 14:11:08    289144    ----a-w-    c:\windows\system32\VCCLSID.exe
2013-10-15 14:11:07    53248    ----a-w-    c:\windows\system32\Process.exe
2013-10-15 14:11:07    51200    ----a-w-    c:\windows\system32\dumphive.exe
2013-10-15 14:11:07    288417    ----a-w-    c:\windows\system32\SrchSTS.exe
2013-10-14 16:29:56    --------    d-----w-    c:\documents and settings\georg kremer\SmitfraudFix
2013-10-13 15:23:33    1252    ----a-w-    c:\windows\system32\tmp.reg
2013-10-13 15:04:39    421592    ----a-w-    c:\windows\system32\drivers\nav\1501000.012\symtdi.sys
2013-10-13 15:04:39    383576    ----a-w-    c:\windows\system32\drivers\nav\1501000.012\symtdiv.sys
2013-10-13 15:04:38    935512    ----a-w-    c:\windows\system32\drivers\nav\1501000.012\symefa.sys
2013-10-13 15:04:38    651352    ----a-w-    c:\windows\system32\drivers\nav\1501000.012\srtsp.sys
2013-10-13 15:04:38    446552    ----a-w-    c:\windows\system32\drivers\nav\1501000.012\symnets.sys
2013-10-13 15:04:38    367704    ----a-r-    c:\windows\system32\drivers\nav\1501000.012\symds.sys
2013-10-13 15:04:38    32344    ----a-r-    c:\windows\system32\drivers\nav\1501000.012\srtspx.sys
2013-10-13 15:04:38    21520    ----a-r-    c:\windows\system32\drivers\nav\1501000.012\symelam.sys
2013-10-13 15:04:38    206936    ----a-r-    c:\windows\system32\drivers\nav\1501000.012\ironx86.sys
2013-10-13 15:04:38    127064    ----a-w-    c:\windows\system32\drivers\nav\1501000.012\ccsetx86.sys
2013-10-13 15:04:07    14818    ----a-w-    c:\windows\system32\drivers\nav\1501000.012\symvtcer.dat
2013-10-13 15:04:07    --------    d-----w-    c:\windows\system32\drivers\nav\1501000.012
2013-10-12 05:41:05    --------    d-----w-    c:\windows\system32\appmgmt
2013-10-12 05:24:57    --------    d-----w-    c:\documents and settings\georg kremer\local settings\application data\NPE
2013-10-12 05:05:57    --------    d-----w-    c:\documents and settings\georg kremer\local settings\application data\Google
2013-10-11 00:28:42    --------    d-----w-    c:\documents and settings\georg kremer\application data\Malwarebytes
2013-10-11 00:28:31    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-10-11 00:28:30    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-10-11 00:28:30    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-10-10 17:16:08    --------    d-----w-    c:\documents and settings\all users\application data\NCOTEMP
2013-10-09 18:02:17    --------    d-----w-    c:\documents and settings\georg kremer\application data\DriverCure
2013-10-09 18:02:16    --------    d-----w-    c:\documents and settings\georg kremer\application data\SparkTrust
2013-10-09 18:02:00    --------    d-----w-    c:\program files\common files\SparkTrust
2013-10-09 18:01:54    --------    d-----w-    c:\program files\SparkTrust
2013-10-09 18:01:54    --------    d-----w-    c:\documents and settings\all users\application data\SparkTrust
2013-10-09 17:18:27    127064    ----a-w-    c:\windows\system32\drivers\nst\7de06000.01b\ccsetx86.sys
2013-10-09 17:18:10    --------    d-----w-    c:\windows\system32\drivers\nst\7DE06000.01B
2013-10-08 12:22:06    15224    ----a-w-    c:\windows\system32\sdnclean.exe
2013-10-08 12:21:56    --------    d-----w-    c:\program files\Spybot - Search & Destroy 2
2013-10-06 15:38:12    --------    d-----w-    c:\documents and settings\all users\application data\Spybot - Search & Destroy
2013-10-05 17:48:51    --------    d-----w-    c:\program files\Program Files
2013-10-05 04:57:25    --------    d-----w-    c:\documents and settings\georg kremer\local settings\application data\Adobe
2013-10-05 04:27:32    --------    d-----w-    c:\windows\system32\drivers\NST
2013-10-05 04:27:30    --------    d-----w-    c:\program files\Norton Identity Safe
2013-10-05 04:27:12    142936    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-10-05 04:27:12    --------    d-----w-    c:\program files\Symantec
2013-10-05 04:27:12    --------    d-----w-    c:\program files\common files\Symantec Shared
2013-10-05 04:26:39    --------    d-----w-    c:\windows\system32\drivers\NAV
2013-10-05 04:26:37    --------    d-----w-    c:\program files\Norton AntiVirus
2013-10-05 04:26:04    --------    d-----w-    c:\program files\NortonInstaller
2013-10-05 04:26:04    --------    d-----w-    c:\documents and settings\all users\application data\NortonInstaller
2013-10-05 04:21:08    --------    d-----w-    c:\documents and settings\all users\application data\Norton
2013-10-05 00:57:21    --------    d-----w-    c:\documents and settings\georg kremer\application data\CheckPoint
2013-10-05 00:57:01    --------    d-----w-    c:\program files\CheckPoint
2013-10-05 00:56:54    1238528    ----a-w-    c:\windows\system32\zpeng25.dll
2013-10-05 00:56:54    --------    d-----w-    c:\windows\system32\ZoneLabs
2013-10-05 00:56:52    --------    d-----w-    c:\program files\Zone Labs
2013-10-05 00:55:03    --------    d-----w-    c:\windows\Internet Logs
2013-10-05 00:54:39    --------    d-----w-    c:\documents and settings\georg kremer\local settings\application data\Sun
2013-10-05 00:50:07    --------    d-sh--w-    c:\documents and settings\georg kremer\PrivacIE
.
==================== Find3M  ====================
.
2013-10-05 05:19:34    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-05 05:19:34    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 18:56:28.51 ===============
 



Edited by Noviciate, 31 October 2013 - 03:22 PM.
Log added from attachment.
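The DDS log above is the raw material of this thread, and its SERVICES / DRIVERS section is the part an analyst reads first. As an added example (mine, not beacon2020's, Broni's, or the DDS author's code), here is a small Python parser for that section so the entries become records that can be sorted and filtered rather than read by eye. The sample input is constructed from lines quoted in the log above plus one made-up entry (tmpsvc) to exercise the image-path check; the three review heuristics are my own assumptions and produce pointers for an analyst to look at, not verdicts about any driver on this page.

```python
"""Parse the SERVICES / DRIVERS section of a DDS log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One DDS service/driver line looks like
#   R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-10-28 49944]
# i.e. start type, then name;display;image-path, then "[date size]" when DDS
# could stat the image file. When it could not, the line ends in "[?]" instead
# (the vsmon line in the log above).
_SVC_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
_STAMP_RE = re.compile(r"\s\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$")


@dataclass
class ServiceEntry:
    start: str            # R0..R3 = running at that start type, S2 etc. = installed but stopped
    name: str
    display: str
    path: str             # image path as DDS printed it (raw remainder for odd lines)
    date: Optional[str]   # file timestamp DDS recorded, None when it printed "[?]"
    size: Optional[int]   # file size in bytes, None when unknown


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Return the entries of the SERVICES / DRIVERS section, in log order."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("====="):          # a DDS section header
            if in_section:
                break                          # the next header ends our section
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section or line.strip() in ("", "."):
            continue
        m = _SVC_RE.match(line)
        if m is None:
            continue                           # not a service line; ignore it
        rest = m.group("rest")
        date: Optional[str] = None
        size: Optional[int] = None
        stamp = _STAMP_RE.search(rest)
        if stamp:
            date, size = stamp.group("date"), int(stamp.group("size"))
            rest = rest[: stamp.start()]
        entries.append(ServiceEntry(m.group("start"), m.group("name"),
                                    m.group("display"), rest.strip(), date, size))
    return entries


def review_candidates(entries: List[ServiceEntry]) -> List[Tuple[str, List[str]]]:
    """Triage heuristics of my own (assumptions, not DDS or MBAR logic).

    Each hit is something an analyst should open and look at; it is not a
    statement that the driver is malicious.
    """
    flagged: List[Tuple[str, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        if e.name.isdigit():
            reasons.append("service name is digits only")
        if e.size is None:
            reasons.append("DDS could not stat the image file")
        if not e.path.lower().startswith(("c:\\windows\\", "c:\\program files\\")):
            reasons.append("image outside Windows/Program Files")
        if reasons:
            flagged.append((e.name, reasons))
    return flagged


# Constructed sample: lines copied from the DDS log in this thread, plus one
# invented entry (tmpsvc) that is NOT from the page, added only to show the
# image-path heuristic firing.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
.
============= SERVICES / DRIVERS ===============
.
R0 49328214;49328214;c:\windows\system32\drivers\49328214.sys [2013-10-27 133208]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-10-28 49944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-10-10 22856]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-10-8 171928]
R3 tmpsvc;tmpsvc;c:\documents and settings\user\local settings\temp\tmpsvc.sys [2013-10-30 12345]
.
=============== Created Last 30 ================
.
2013-10-30 02:56:59    105176    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
"""

if __name__ == "__main__":
    ents = parse_services(SAMPLE_DDS)
    print(f"parsed {len(ents)} service/driver entries")
    for name, reasons in review_candidates(ents):
        print(f"  review {name}: {'; '.join(reasons)}")
```

Run it on a real DDS log by passing the file contents to parse_services; the section-header check stops at whichever header follows SERVICES / DRIVERS, so the Created Last 30 and Find3M sections are never mistaken for service lines.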



 


#2 B-boy/StyLe/ (Bleepin' Freestyler; Malware Response Team, 8,307 posts; Location: Bulgaria)

Posted 01 November 2013 - 04:16 AM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I'll catch you tomorrow since I need my sleep. :)

 

 

Regards,
Georgi




#3 beacon2020 (Topic Starter; Members, 24 posts)

Posted 01 November 2013 - 11:28 PM

Hello Georgi

I have run FRST and pasted the 2 logs below.

Thank you for your efforts to help.

Georg

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 31-10-2013
Ran by Georg Kremer at 2013-11-01 23:22:12
Running from C:\Documents and Settings\Georg Kremer\My Documents\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Norton AntiVirus (Disabled - Up to date) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus (Disabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}
Could not list Security Center items. Check WMI.


==================== Installed Programs ======================

7-Zip 9.20
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (Version: 11.9.900.117)
Adobe Reader XI (11.0.05) (Version: 11.0.05)
avast! Free Antivirus (Version: 9.0.2006)
Intel® Graphics Media Accelerator Driver (Version: 6.14.10.4543)
K-Lite Mega Codec Pack 9.4.0 (Version: 9.4.0)
LibreOffice 4.0.0.3 (Version: 4.0.0.3)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft FrontPage 2002 (Version: 10.0.2627.01)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Mozilla Firefox 24.0 (x86 en-US) (Version: 24.0)
Mozilla Maintenance Service (Version: 24.0)
Norton AntiVirus (Version: 21.1.0.18)
Norton Identity Safe (Version: 2014.6.0.27)
SparkTrust PC Cleaner Plus (Version: 3.1.10.0)
Spybot - Search & Destroy (Version: 2.1.21)
SUPERAntiSpyware (Version: 5.6.1040)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955704) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
VLC media player 2.0.5 (Version: 2.0.5)
WebFldrs XP (Version: 9.50.7523)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (Version: 1.0)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
ZoneAlarm (Version: 9.2.057.000)
ZoneAlarm Free Firewall (Version: 11.0.768.000)
ZoneAlarm Security Toolbar  (Version: 1.8.22.0)
ZoneAlarm Toolbar

==================== Restore Points  =========================

05-10-2013 00:49:04 System Checkpoint
05-10-2013 05:21:18 Installed Microsoft FrontPage 2002
07-10-2013 17:47:35 System Checkpoint
08-10-2013 19:01:14 System Checkpoint
10-10-2013 16:38:47 System Checkpoint
11-10-2013 03:20:45 SparkTrust PC Cleaner Plus Restore Point
12-10-2013 05:40:32 Removed Java 7 Update 13
29-10-2013 04:22:42 avast! antivirus system restore point
30-10-2013 07:28:06 System Checkpoint
01-11-2013 04:26:09 System Checkpoint

==================== Hosts content: ==========================

2013-06-12 10:39 - 2013-10-28 21:49 - 00000000 ____N C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
Task: C:\WINDOWS\Tasks\SparkTrust PC Cleaner Plus.job => C:\Program Files\SparkTrust\SparkTrust PC Cleaner Plus\SparkTrustPCCleanerPlus.exe
Task: C:\WINDOWS\Tasks\SparkTrust Registration3.job => C:\Program Files\Common Files\SparkTrust\UUS3\UUS3.dll
Task: C:\WINDOWS\Tasks\SparkTrust Update Version3 Startup Task.job => C:\Program Files\Common Files\SparkTrust\UUS3\Update3.exe
Task: C:\WINDOWS\Tasks\SparkTrust Update Version3.job => C:\Program Files\Common Files\SparkTrust\UUS3\Update3.exe

==================== Loaded Modules (whitelisted) =============

2013-10-08 07:22 - 2013-05-16 10:55 - 00113496 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2013-10-08 07:22 - 2013-05-16 10:55 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2013-11-01 22:43 - 2013-11-01 14:55 - 02137088 _____ () C:\Program Files\AVAST Software\Avast\defs\13110101\algo.dll
2013-10-08 07:22 - 2013-05-16 10:55 - 00161112 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2013-10-08 07:22 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2013-10-08 07:22 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2013-10-28 23:23 - 2013-10-28 23:23 - 19336120 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2013-10-04 23:34 - 2013-09-10 21:26 - 03279768 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (11/01/2013 11:02:04 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (10/29/2013 11:08:15 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x027c0fef.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/29/2013 10:00:35 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/5D003860F002ED829DEAA41868F788186D62127F.crt> with error: The specified server cannot perform the requested operation.

Error: (10/29/2013 10:00:34 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/5D003860F002ED829DEAA41868F788186D62127F.crt> with error: This operation returned because the timeout period expired.

Error: (10/05/2013 04:20:51 AM) (Source: Application Error) (User: )
Description: Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Error: (10/05/2013 04:15:25 AM) (Source: Application Error) (User: )
Description: Windows cannot access the file D:\ADOBE PHOTOSHOP 6.EXE for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program ADOBE PHOTOSHOP 6.EXE because of this error.

Program: ADOBE PHOTOSHOP 6.EXE
File: D:\ADOBE PHOTOSHOP 6.EXE

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
    - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C000009C
Disk type: 5

Error: (10/05/2013 04:01:24 AM) (Source: Application Error) (User: )
Description: Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Error: (10/05/2013 03:58:29 AM) (Source: Application Error) (User: )
Description: Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Error: (10/05/2013 03:56:08 AM) (Source: Application Error) (User: )
Description: Windows cannot access the file D:\ADOBE PHOTOSHOP 6.EXE for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program ADOBE PHOTOSHOP 6.EXE because of this error.

Program: ADOBE PHOTOSHOP 6.EXE
File: D:\ADOBE PHOTOSHOP 6.EXE

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
    - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C000009C
Disk type: 5

Error: (10/05/2013 03:52:42 AM) (Source: Application Error) (User: )
Description: Windows cannot access the file D:\ADOBE PHOTOSHOP 6.EXE for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program ADOBE PHOTOSHOP 6.EXE because of this error.

Program: ADOBE PHOTOSHOP 6.EXE
File: D:\ADOBE PHOTOSHOP 6.EXE

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
    - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C000009C
Disk type: 5


System errors:
=============
Error: (11/01/2013 11:14:51 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%1053

Error: (11/01/2013 11:14:51 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security Center Service service to connect.

Error: (11/01/2013 11:02:27 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%1053

Error: (11/01/2013 11:02:27 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security Center Service service to connect.

Error: (11/01/2013 10:43:22 PM) (Source: Windows Update Agent) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (11/01/2013 10:43:00 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.254.18 on the
Network Card with network address 00188B14D89E.

Error: (10/31/2013 06:01:28 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.254.18 on the
Network Card with network address 00188B14D89E.

Error: (10/30/2013 00:27:12 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.254.18 on the
Network Card with network address 00188B14D89E.

Error: (10/30/2013 07:55:29 AM) (Source: Windows Update Agent) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (10/29/2013 11:27:31 PM) (Source: PlugPlayManager) (User: )
Description: The device Root\LEGACY_SMR410\0000 disappeared from the system without first being prepared for removal.


Microsoft Office Sessions:
=========================
Error: (11/01/2013 11:02:04 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (10/29/2013 11:08:15 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.0027c0fef

Error: (10/29/2013 10:00:35 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/5D003860F002ED829DEAA41868F788186D62127F.crtThe specified server cannot perform the requested operation.

Error: (10/29/2013 10:00:34 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/5D003860F002ED829DEAA41868F788186D62127F.crtThis operation returned because the timeout period expired.

Error: (10/05/2013 04:20:51 AM) (Source: Application Error)(User: )
Description: 0.0.0.0unknown0.0.0.000000000

Error: (10/05/2013 04:15:25 AM) (Source: Application Error)(User: )
Description: D:\ADOBE PHOTOSHOP 6.EXEADOBE PHOTOSHOP 6.EXEC000009C5

Error: (10/05/2013 04:01:24 AM) (Source: Application Error)(User: )
Description: 0.0.0.0unknown0.0.0.000000000

Error: (10/05/2013 03:58:29 AM) (Source: Application Error)(User: )
Description: 0.0.0.0unknown0.0.0.000000000

Error: (10/05/2013 03:56:08 AM) (Source: Application Error)(User: )
Description: D:\ADOBE PHOTOSHOP 6.EXEADOBE PHOTOSHOP 6.EXEC000009C5

Error: (10/05/2013 03:52:42 AM) (Source: Application Error)(User: )
Description: D:\ADOBE PHOTOSHOP 6.EXEADOBE PHOTOSHOP 6.EXEC000009C5


==================== Memory info ===========================

Percentage of memory in use: 26%
Total physical RAM: 3574.07 MB
Available physical RAM: 2638.38 MB
Total Pagefile: 4928.11 MB
Available Pagefile: 3762.16 MB
Total Virtual: 2047.88 MB
Available Virtual: 1947.68 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:34.31 GB) (Free:19.88 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive e: (FreeAgent Drive) (Fixed) (Total:465.76 GB) (Free:391.8 GB) NTFS

==================== MBR & Partition Table ==================

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
Ran by Georg Kremer (administrator) on BEACON on 01-11-2013 23:20:01
Running from C:\Documents and Settings\Georg Kremer\My Documents\Downloads
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Check Point Software Technologies LTD) C:\WINDOWS\system32\ZoneLabs\vsmon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Check Point Software Technologies) C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.1.0.18\NAV.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Symantec Corporation) C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.1.0.18\NAV.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Symantec Corporation) C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Check Point Software Technologies LTD) C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Check Point Software Technologies) C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\avastui.exe [3567800 2013-10-28] (AVAST Software)
HKLM\...\Run: [ZoneAlarm Client] - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [1043968 2010-06-23] (Check Point Software Technologies LTD)
HKLM\...\Run: [ISW] - C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [730600 2010-05-26] (Check Point Software Technologies)
HKCU\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5707544 2013-10-10] (SUPERAntiSpyware)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=IDSSNAV&chn=retail&geo=US&ver=2014&locale=en_US&gct=sb&qsrc=2869
BHO: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\bh\zonealarm.dll (Check Point Software Technologies LTD)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\21.1.0.18\ips\ipsbho.dll (Symantec Corporation)
BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Norton Identity Protection - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\coieplg.dll (Symantec Corporation)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\coieplg.dll (Symantec Corporation)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKLM - ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmTlbr.dll (Check Point Software Technologies LTD)
Toolbar: HKLM - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
Toolbar: HKCU - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
Toolbar: HKCU - Norton Identity Safe Toolbar - {A13C2648-91D4-4BF3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\coieplg.dll (Symantec Corporation)
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Georg Kremer\Application Data\Mozilla\Firefox\Profiles\ssu4jaf3.default-1381553949015
FF user.js: detected! => C:\Documents and Settings\Georg Kremer\Application Data\Mozilla\Firefox\Profiles\ssu4jaf3.default-1381553949015\user.js
FF Homepage: bleep
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin: @checkpoint.com/FFApi - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF Plugin: @java.com/DTPlugin,version=10.13.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Documents and Settings\Georg Kremer\Application Data\Mozilla\Firefox\Profiles\ssu4jaf3.default-1381553949015\searchplugins\zonealarm.xml
FF Extension: zonealarm.com - C:\Documents and Settings\Georg Kremer\Application Data\Mozilla\Firefox\Profiles\ssu4jaf3.default-1381553949015\Extensions\ffxtlbr@zonealarm.com
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\Documents and Settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.5.0.67\coFFPlgn\
FF Extension: Norton Identity Safe Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.5.0.67\coFFPlgn\
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_21.0.2.1\IPSFF
FF Extension: Norton Vulnerability Protection - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_21.0.2.1\IPSFF
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF Extension: ZoneAlarm Security Engine - C:\Program Files\CheckPoint\ZAForceField\TrustChecker

Chrome:
=======
CHR Extension: (Google Docs) - C:\DOCUME~1\GEORGK~1\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_1
CHR Extension: (Google Drive) - C:\DOCUME~1\GEORGK~1\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\DOCUME~1\GEORGK~1\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_1
CHR Extension: (Google Search) - C:\DOCUME~1\GEORGK~1\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_1
CHR Extension: (avast! Online Security) - C:\DOCUME~1\GEORGK~1\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\9.0.2005.45_0
CHR Extension: (Chrome In-App Payments service) - C:\DOCUME~1\GEORGK~1\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_1
CHR Extension: (Norton Identity Protection) - C:\DOCUME~1\GEORGK~1\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\nppllibpnmahfaklnpggkibhkapjkeob\2014.6.0.27_1
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\Exts\Chrome.crx

========================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [120088 2013-10-10] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2013-10-28] (AVAST Software)
R2 IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [493032 2010-05-26] (Check Point Software Technologies)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 NAV; C:\Program Files\Norton AntiVirus\Engine\21.1.0.18\diMaster.dll [567600 2013-10-08] (Symantec Corporation)
R2 NCO; C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\diMaster.dll [567600 2013-10-03] (Symantec Corporation)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
R2 vsmon; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2435592 2010-06-23] (Check Point Software Technologies LTD)

==================== Drivers (Whitelisted) ====================

R0 49328214; C:\Windows\System32\DRIVERS\49328214.sys [133208 2013-10-22] (Kaspersky Lab ZAO)
R2 aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [35656 2013-10-28] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [70384 2013-10-28] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [54832 2013-10-28] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49944 2013-10-28] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [774392 2013-10-28] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [403440 2013-10-28] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57672 2013-10-28] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [178304 2013-10-28] ()
R3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [224808 2010-07-30] (Broadcom Corporation)
R1 BHDrvx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20131022.001\BHDrvx86.sys [1096280 2013-10-22] (Symantec Corporation)
R1 ccSet_NAV; C:\Windows\system32\drivers\NAV\1501000.012\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
R1 ccSet_NST; C:\Windows\system32\drivers\NST\7DE06000.01B\ccSetx86.sys [127064 2013-09-27] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-10-12] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-10-12] (Symantec Corporation)
R3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1166972 2012-06-15] (Intel Corporation)
R3 IDSxpx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20131031.001\IDSxpx86.sys [380824 2013-10-28] (Symantec Corporation)
R2 ISWKL; C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [26352 2010-05-26] (Check Point Software Technologies)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20131101.018\NAVENG.SYS [93272 2013-10-12] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20131101.018\NAVEX15.SYS [1612376 2013-10-12] (Symantec Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 senfilt; C:\Windows\System32\drivers\senfilt.sys [732928 2012-06-15] (Creative Technology Ltd.)
R3 SRTSP; C:\Windows\System32\Drivers\NAV\1501000.012\SRTSP.SYS [651352 2013-09-26] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NAV\1501000.012\SRTSPX.SYS [32344 2013-07-30] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NAV\1501000.012\SYMDS.SYS [367704 2013-07-31] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NAV\1501000.012\SYMEFA.SYS [935512 2013-09-26] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2013-10-04] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NAV\1501000.012\Ironx86.SYS [206936 2013-07-30] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\NAV\1501000.012\SYMTDI.SYS [421592 2013-09-25] (Symantec Corporation)
R1 vsdatant; C:\Windows\System32\vsdatant.sys [532224 2010-05-13] (Check Point Software Technologies LTD)
S4 IntelIde; No ImagePath
U5 Tcpip6; C:\Windows\System32\Drivers\Tcpip6.sys [226880 2012-06-29] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-01 23:09 - 2013-11-01 23:09 - 00004212 ____H C:\WINDOWS\system32\zllictbl.dat
2013-11-01 23:09 - 2013-11-01 23:09 - 00000738 _____ C:\Documents and Settings\Georg Kremer\Desktop\ZoneAlarm Security.lnk
2013-11-01 23:09 - 2013-11-01 23:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\ZoneAlarm
2013-11-01 23:09 - 2010-06-23 13:51 - 00103936 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\zlcommdb.dll
2013-11-01 23:09 - 2010-06-23 13:51 - 00069120 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\zlcomm.dll
2013-11-01 23:09 - 2010-06-23 13:51 - 00058368 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\vsregexp.dll
2013-11-01 23:09 - 2010-06-23 13:51 - 00043008 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\vswmi.dll
2013-11-01 23:08 - 2013-11-01 23:11 - 00421442 _____ C:\WINDOWS\system32\vsconfig.xml
2013-11-01 23:08 - 2013-11-01 23:10 - 00000000 ____D C:\WINDOWS\system32\ZoneLabs
2013-11-01 23:08 - 2013-11-01 23:08 - 00000000 ____D C:\Program Files\Zone Labs
2013-11-01 23:08 - 2010-06-23 13:51 - 01238528 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\zpeng25.dll
2013-11-01 23:08 - 2010-06-23 13:51 - 00302592 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\vspubapi.dll
2013-11-01 23:08 - 2010-06-23 13:51 - 00112128 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\vsdata.dll
2013-11-01 23:08 - 2010-06-23 13:51 - 00110080 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\vsxml.dll
2013-11-01 23:08 - 2010-06-23 13:51 - 00108032 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\vsmonapi.dll
2013-11-01 23:08 - 2010-05-13 10:02 - 00532224 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\vsdatant.sys
2013-11-01 23:07 - 2010-06-23 13:51 - 00713728 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\vsutil.dll
2013-11-01 23:07 - 2010-06-23 13:51 - 00228864 _____ (Check Point Software Technologies LTD) C:\WINDOWS\system32\vsinit.dll
2013-11-01 22:58 - 2013-11-01 22:58 - 00000000 ____D C:\FRST
2013-11-01 22:56 - 2013-11-01 22:56 - 00000000 ____D C:\Program Files\Check Point Software Technologies LTD
2013-11-01 22:56 - 2013-11-01 22:56 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Check Point Software Technologies LTD
2013-11-01 22:56 - 2013-11-01 22:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\CheckPoint
2013-10-30 21:34 - 2013-10-30 21:34 - 00000000 ____D C:\Program Files\7-Zip
2013-10-30 21:34 - 2013-10-30 21:34 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
2013-10-30 18:51 - 2013-10-30 18:56 - 00016273 _____ C:\Documents and Settings\Georg Kremer\Desktop\dds.txt
2013-10-30 18:51 - 2013-10-30 18:56 - 00004137 _____ C:\Documents and Settings\Georg Kremer\Desktop\attach.txt
2013-10-29 22:29 - 2013-10-29 22:31 - 00002520 _____ C:\Documents and Settings\Georg Kremer\Desktop\Rkill.txt
2013-10-29 21:57 - 2013-10-30 19:24 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-10-29 21:56 - 2013-10-30 18:34 - 00105176 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-10-29 21:56 - 2013-10-30 14:13 - 00047064 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-10-29 21:55 - 2013-10-30 19:24 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Desktop\mbar
2013-10-29 09:39 - 2011-06-26 01:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2013-10-29 09:39 - 2010-11-07 12:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2013-10-29 09:39 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2013-10-29 09:39 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2013-10-29 09:39 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2013-10-29 09:39 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2013-10-29 09:39 - 2000-08-30 19:00 - 00098816 _____ C:\WINDOWS\sed.exe
2013-10-29 09:39 - 2000-08-30 19:00 - 00080412 _____ C:\WINDOWS\grep.exe
2013-10-29 09:39 - 2000-08-30 19:00 - 00068096 _____ C:\WINDOWS\zip.exe
2013-10-29 09:38 - 2013-10-29 09:39 - 00000000 ___SD C:\ComboFix
2013-10-29 09:37 - 2013-10-29 09:38 - 00000000 ____D C:\Qoobox
2013-10-29 09:36 - 2013-10-29 09:38 - 00000000 ___SD C:\32788R22FWJFW
2013-10-29 09:36 - 2013-10-29 09:36 - 00000000 ____D C:\WINDOWS\erdnt
2013-10-28 23:26 - 2013-10-28 23:26 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\AVAST Software
2013-10-28 23:24 - 2013-10-28 23:24 - 00001740 _____ C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
2013-10-28 23:24 - 2013-10-28 23:24 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Avast
2013-10-28 23:23 - 2013-10-28 23:23 - 00774392 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00403440 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00269216 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2013-10-28 23:23 - 2013-10-28 23:23 - 00178304 _____ C:\WINDOWS\system32\Drivers\aswVmm.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00070384 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00057672 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00054832 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00049944 _____ C:\WINDOWS\system32\Drivers\aswRvrt.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00043152 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2013-10-28 23:23 - 2013-10-28 23:23 - 00035656 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswFsBlk.sys
2013-10-28 23:22 - 2013-10-28 23:22 - 00000000 ____D C:\Program Files\AVAST Software
2013-10-28 23:21 - 2013-10-28 23:22 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2013-10-28 23:21 - 2013-10-28 23:21 - 00403440 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\dbrskzbk.sys
2013-10-28 21:11 - 2013-10-28 21:11 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\SUPERAntiSpyware.com
2013-10-28 21:10 - 2013-10-28 21:11 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-10-28 21:10 - 2013-10-28 21:10 - 00001685 _____ C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-10-28 21:10 - 2013-10-28 21:10 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
2013-10-28 21:10 - 2013-10-28 21:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2013-10-27 23:24 - 2013-10-27 23:25 - 00000000 ___SD C:\Documents and Settings\Georg Kremer\My Documents\My Webs
2013-10-27 11:37 - 2013-10-22 05:28 - 00133208 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\49328214.sys
2013-10-26 00:36 - 2013-10-26 00:36 - 00004622 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis9
2013-10-25 23:58 - 2012-06-15 17:17 - 00139264 _____ (Intel Corporation) C:\WINDOWS\system32\igfxres.dll
2013-10-25 23:14 - 2013-10-25 23:14 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-10-25 23:13 - 2013-10-25 23:13 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Apple Computer
2013-10-25 23:07 - 2013-10-25 23:29 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\IObit
2013-10-25 23:07 - 2013-10-25 23:14 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\IObit
2013-10-25 23:07 - 2013-10-25 23:13 - 00000000 ____D C:\Program Files\IObit
2013-10-16 11:43 - 2013-10-16 11:43 - 00004776 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis8
2013-10-16 10:41 - 2013-10-16 10:41 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\LibreOffice
2013-10-15 09:18 - 2013-10-15 09:18 - 00004776 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis5
2013-10-15 09:11 - 2009-06-02 11:17 - 00075776 _____ C:\WINDOWS\system32\WS2Fix.exe
2013-10-15 09:11 - 2008-12-12 02:57 - 00078336 _____ (S!Ri.URZ) C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2013-10-15 09:11 - 2008-11-29 19:58 - 00082944 _____ (S!Ri.URZ) C:\WINDOWS\system32\IEDFix.C.exe
2013-10-15 09:11 - 2008-10-01 15:51 - 00087552 _____ (S!Ri.URZ) C:\WINDOWS\system32\VACFix.exe
2013-10-15 09:11 - 2008-09-20 12:45 - 00080384 _____ (S!Ri.URZ) C:\WINDOWS\system32\o4Patch.exe
2013-10-15 09:11 - 2008-08-18 12:19 - 00082432 _____ (S!Ri.URZ) C:\WINDOWS\system32\404Fix.exe
2013-10-15 09:11 - 2008-05-18 21:40 - 00082944 _____ (S!Ri.URZ) C:\WINDOWS\system32\IEDFix.exe
2013-10-15 09:11 - 2007-09-06 00:22 - 00289144 _____ (S!Ri) C:\WINDOWS\system32\VCCLSID.exe
2013-10-15 09:11 - 2006-04-27 17:49 - 00288417 _____ (S!Ri) C:\WINDOWS\system32\SrchSTS.exe
2013-10-15 09:11 - 2006-01-09 11:36 - 00040960 _____ C:\WINDOWS\system32\swsc.exe
2013-10-15 09:11 - 2004-07-31 18:50 - 00051200 _____ C:\WINDOWS\system32\dumphive.exe
2013-10-15 09:11 - 2003-06-05 21:13 - 00053248 _____ (http://www.beyondlogic.org) C:\WINDOWS\system32\Process.exe
2013-10-15 08:58 - 2013-10-15 08:58 - 00004869 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis4
2013-10-14 11:54 - 2013-10-14 11:54 - 00004675 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis3
2013-10-14 11:50 - 2013-10-14 11:50 - 00004708 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis2
2013-10-14 11:41 - 2013-10-15 08:55 - 00004809 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis.log
2013-10-14 11:29 - 2013-10-28 21:50 - 00000000 ____D C:\Documents and Settings\Georg Kremer\SmitfraudFix
2013-10-13 11:47 - 2013-10-13 11:47 - 00065536 _____ C:\WINDOWS\Minidump\Mini101313-01.dmp
2013-10-13 11:47 - 2013-10-13 11:47 - 00000000 ____D C:\WINDOWS\Minidump
2013-10-13 10:23 - 2013-10-28 21:50 - 00002371 _____ C:\rapport.txt
2013-10-13 10:23 - 2013-10-28 21:49 - 00001252 _____ C:\WINDOWS\system32\tmp.reg
2013-10-13 10:23 - 2013-10-28 21:49 - 00000000 _____ C:\WINDOWS\system32\tmp.txt
2013-10-13 10:21 - 2013-10-13 12:29 - 00000000 ____D C:\Documents and Settings\Georg Kremer\My Documents\SmitfraudFix
2013-10-12 08:09 - 2013-10-13 10:22 - 00000000 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijacked.txt
2013-10-12 00:41 - 2013-10-12 00:41 - 00000000 ____D C:\WINDOWS\system32\appmgmt
2013-10-12 00:24 - 2013-10-29 10:07 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\NPE
2013-10-12 00:05 - 2013-10-29 06:40 - 00000000 ____D C:\Program Files\Google
2013-10-12 00:05 - 2013-10-12 00:07 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\Google
2013-10-10 22:16 - 2013-11-01 23:13 - 00000464 _____ C:\WINDOWS\Tasks\SparkTrust Update Version3 Startup Task.job
2013-10-10 22:16 - 2013-10-30 05:19 - 00000512 _____ C:\WINDOWS\Tasks\SparkTrust PC Cleaner Plus.job
2013-10-10 22:16 - 2013-10-29 05:30 - 00000412 _____ C:\WINDOWS\Tasks\SparkTrust Update Version3.job
2013-10-10 22:16 - 2013-10-16 09:51 - 00001013 _____ C:\Documents and Settings\Georg Kremer\Desktop\SparkTrust PC Cleaner Plus.lnk
2013-10-10 19:28 - 2013-10-29 22:15 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-10-10 19:28 - 2013-10-10 19:28 - 00000791 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-10 19:28 - 2013-10-10 19:28 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Malwarebytes
2013-10-10 19:28 - 2013-10-10 19:28 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-10-10 19:28 - 2013-10-10 19:28 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-10-10 19:28 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2013-10-09 13:02 - 2013-10-26 18:00 - 00000454 _____ C:\WINDOWS\Tasks\SparkTrust Registration3.job
2013-10-09 13:02 - 2013-10-09 13:02 - 00000000 ____D C:\Program Files\Common Files\SparkTrust
2013-10-09 13:02 - 2013-10-09 13:02 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Start Menu\Programs\SparkTrust
2013-10-09 13:02 - 2013-10-09 13:02 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\SparkTrust
2013-10-09 13:02 - 2013-10-09 13:02 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\DriverCure
2013-10-09 13:01 - 2013-10-09 13:02 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SparkTrust
2013-10-09 13:01 - 2013-10-09 13:01 - 00000000 ____D C:\Program Files\SparkTrust
2013-10-09 12:58 - 2013-10-09 12:58 - 00026192 _____ C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-10-09 12:58 - 2013-10-09 12:58 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Lavasoft
2013-10-08 07:22 - 2013-11-01 23:14 - 00000644 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-10-08 07:22 - 2013-10-08 07:22 - 00001849 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Start Center.lnk
2013-10-08 07:22 - 2013-10-08 07:22 - 00001843 _____ C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
2013-10-08 07:22 - 2013-10-08 07:22 - 00000616 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-10-08 07:22 - 2013-10-08 07:22 - 00000446 _____ C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-10-08 07:22 - 2013-10-08 07:22 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy 2
2013-10-08 07:22 - 2009-01-25 13:14 - 00015224 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean.exe
2013-10-08 07:21 - 2013-10-08 07:22 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2013-10-08 07:15 - 2013-10-08 07:15 - 00000079 _____ C:\WINDOWS\wininit.ini
2013-10-06 10:38 - 2013-10-29 05:42 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2013-10-06 10:37 - 2013-11-01 23:12 - 00196608 _____ C:\WINDOWS\system32\config\SpybotSD.evt
2013-10-06 10:26 - 2013-10-10 12:43 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\vlc
2013-10-05 00:56 - 2013-10-25 23:51 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-10-05 00:23 - 2013-10-05 00:23 - 00000376 _____ C:\WINDOWS\ODBC.INI
2013-10-05 00:22 - 2013-10-27 23:24 - 00002465 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft FrontPage.lnk
2013-10-05 00:22 - 2013-10-05 00:22 - 00002002 _____ C:\Documents and Settings\All Users\Start Menu\Open Office Document.lnk
2013-10-05 00:22 - 2013-10-05 00:22 - 00001992 _____ C:\Documents and Settings\All Users\Start Menu\New Office Document.lnk
2013-10-05 00:22 - 2013-10-05 00:22 - 00000000 ____D C:\Program Files\Common Files\Designer
2013-10-05 00:22 - 2013-10-05 00:22 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office Tools
2013-10-05 00:21 - 2013-10-05 00:21 - 00000000 ____D C:\Program Files\Microsoft Office
2013-10-05 00:01 - 2013-10-05 00:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee
2013-10-04 23:57 - 2013-10-13 11:37 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\Adobe
2013-10-04 23:34 - 2013-10-30 04:34 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-10-04 23:34 - 2013-10-04 23:34 - 00000737 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2013-10-04 23:34 - 2013-10-04 23:34 - 00000731 _____ C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2013-10-04 23:34 - 2013-10-04 23:34 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-10-04 23:34 - 2013-10-04 23:34 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\Mozilla
2013-10-04 23:34 - 2013-10-04 23:34 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Mozilla
2013-10-04 23:34 - 2013-10-04 23:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Mozilla
2013-10-04 23:29 - 2013-10-04 23:29 - 00000000 ____D C:\Documents and Settings\Georg Kremer\My Documents\Symantec
2013-10-04 23:27 - 2013-10-13 11:28 - 00001892 _____ C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
2013-10-04 23:27 - 2013-10-10 12:16 - 00000000 ____D C:\WINDOWS\system32\Drivers\NST
2013-10-04 23:27 - 2013-10-10 12:16 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton Identity Safe
2013-10-04 23:27 - 2013-10-04 23:29 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-10-04 23:27 - 2013-10-04 23:27 - 00142936 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2013-10-04 23:27 - 2013-10-04 23:27 - 00008194 _____ C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2013-10-04 23:27 - 2013-10-04 23:27 - 00000000 ____D C:\Program Files\Symantec
2013-10-04 23:27 - 2013-10-04 23:27 - 00000000 ____D C:\Program Files\Norton Identity Safe
2013-10-04 23:26 - 2013-10-13 11:29 - 00000000 ____D C:\WINDOWS\system32\Drivers\NAV
2013-10-04 23:26 - 2013-10-13 11:28 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton AntiVirus
2013-10-04 23:26 - 2013-10-04 23:26 - 00000000 ____D C:\Program Files\Norton AntiVirus
2013-10-04 23:21 - 2013-10-12 00:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-10-04 23:21 - 2013-10-04 23:30 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Norton
2013-10-04 23:21 - 2013-10-04 23:21 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton
2013-10-04 19:57 - 2013-11-01 22:56 - 00000000 ____D C:\Program Files\CheckPoint
2013-10-04 19:57 - 2013-10-04 19:57 - 00000000 ____D C:\Documents and Settings\Georg Kremer\My Documents\ForceField Shared Files
2013-10-04 19:57 - 2013-10-04 19:57 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\CheckPoint
2013-10-04 19:54 - 2013-10-04 19:54 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\Sun
2013-10-04 19:50 - 2013-10-13 11:37 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Adobe
2013-10-04 19:50 - 2013-10-04 19:50 - 00000000 __SHD C:\Documents and Settings\Georg Kremer\PrivacIE
2013-10-04 19:50 - 2013-10-04 19:50 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Macromedia
2013-10-04 19:49 - 2013-11-01 23:12 - 00000178 ___SH C:\Documents and Settings\Georg Kremer\ntuser.ini
2013-10-04 19:49 - 2013-10-28 21:48 - 00000000 ____D C:\Documents and Settings\Georg Kremer
2013-10-04 19:49 - 2013-10-09 13:02 - 00001606 _____ C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Remote Assistance.lnk
2013-10-04 19:49 - 2013-10-04 19:49 - 00000810 _____ C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Internet Explorer.lnk
2013-10-04 19:49 - 2013-10-04 19:49 - 00000799 _____ C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Windows Media Player.lnk
2013-10-04 19:49 - 2013-10-04 19:49 - 00000793 _____ C:\Documents and Settings\Georg Kremer\Desktop\Windows Media Player.lnk
2013-10-04 19:49 - 2013-10-04 19:49 - 00000745 _____ C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Outlook Express.lnk
2013-10-04 19:49 - 2013-06-12 11:56 - 00000000 _____ C:\Documents and Settings\Georg Kremer\TempWmicBatchFile.bat
2013-10-04 19:49 - 2013-06-12 10:20 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Sun
2013-10-04 19:49 - 2013-06-12 10:07 - 00000000 __SHD C:\Documents and Settings\Georg Kremer\IETldCache
2013-10-04 19:49 - 2013-06-12 10:07 - 00000000 ___RD C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Accessories
2013-10-04 19:49 - 2012-06-15 17:24 - 00221184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmpns.dll
2013-10-04 19:48 - 2013-06-12 12:03 - 00000178 ___SH C:\Documents and Settings\Default User\ntuser.ini
2013-10-04 19:48 - 2013-06-12 11:56 - 00000000 _____ C:\Documents and Settings\Default User\TempWmicBatchFile.bat
2013-10-04 19:48 - 2013-06-12 10:37 - 00000810 _____ C:\Documents and Settings\Default User\Start Menu\Programs\Internet Explorer.lnk
2013-10-04 19:48 - 2013-06-12 10:20 - 00000000 ____D C:\Documents and Settings\Default User\Application Data\Sun
2013-10-04 19:48 - 2013-06-12 10:07 - 00000000 __SHD C:\Documents and Settings\Default User\IETldCache
2013-10-04 19:48 - 2013-06-12 09:58 - 00000745 _____ C:\Documents and Settings\Default User\Start Menu\Programs\Outlook Express.lnk
2013-10-04 19:44 - 2008-04-14 05:15 - 00026368 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBSTOR.SYS

==================== One Month Modified Files and Folders =======

2013-11-01 23:19 - 2013-06-12 10:22 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-11-01 23:16 - 2013-06-12 09:52 - 01409649 _____ C:\WINDOWS\WindowsUpdate.log
2013-11-01 23:14 - 2013-10-08 07:22 - 00000644 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-11-01 23:13 - 2013-10-10 22:16 - 00000464 _____ C:\WINDOWS\Tasks\SparkTrust Update Version3 Startup Task.job
2013-11-01 23:13 - 2013-06-12 09:58 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-11-01 23:12 - 2013-10-06 10:37 - 00196608 _____ C:\WINDOWS\system32\config\SpybotSD.evt
2013-11-01 23:12 - 2013-10-04 19:49 - 00000178 ___SH C:\Documents and Settings\Georg Kremer\ntuser.ini
2013-11-01 23:12 - 2013-06-12 09:58 - 00032558 _____ C:\WINDOWS\SchedLgU.Txt
2013-11-01 23:11 - 2013-11-01 23:08 - 00421442 _____ C:\WINDOWS\system32\vsconfig.xml
2013-11-01 23:10 - 2013-11-01 23:08 - 00000000 ____D C:\WINDOWS\system32\ZoneLabs
2013-11-01 23:09 - 2013-11-01 23:09 - 00004212 ____H C:\WINDOWS\system32\zllictbl.dat
2013-11-01 23:09 - 2013-11-01 23:09 - 00000738 _____ C:\Documents and Settings\Georg Kremer\Desktop\ZoneAlarm Security.lnk
2013-11-01 23:09 - 2013-11-01 23:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\ZoneAlarm
2013-11-01 23:08 - 2013-11-01 23:08 - 00000000 ____D C:\Program Files\Zone Labs
2013-11-01 22:59 - 2013-06-12 04:49 - 00000216 _____ C:\WINDOWS\wiadebug.log
2013-11-01 22:59 - 2013-06-12 04:49 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-11-01 22:58 - 2013-11-01 22:58 - 00000000 ____D C:\FRST
2013-11-01 22:56 - 2013-11-01 22:56 - 00000000 ____D C:\Program Files\Check Point Software Technologies LTD
2013-11-01 22:56 - 2013-11-01 22:56 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Check Point Software Technologies LTD
2013-11-01 22:56 - 2013-11-01 22:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\CheckPoint
2013-11-01 22:56 - 2013-10-04 19:57 - 00000000 ____D C:\Program Files\CheckPoint
2013-11-01 22:54 - 2013-06-12 10:39 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-10-30 21:34 - 2013-10-30 21:34 - 00000000 ____D C:\Program Files\7-Zip
2013-10-30 21:34 - 2013-10-30 21:34 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
2013-10-30 19:24 - 2013-10-29 21:57 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-10-30 19:24 - 2013-10-29 21:55 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Desktop\mbar
2013-10-30 18:56 - 2013-10-30 18:51 - 00016273 _____ C:\Documents and Settings\Georg Kremer\Desktop\dds.txt
2013-10-30 18:56 - 2013-10-30 18:51 - 00004137 _____ C:\Documents and Settings\Georg Kremer\Desktop\attach.txt
2013-10-30 18:34 - 2013-10-29 21:56 - 00105176 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-10-30 18:33 - 2013-06-12 10:31 - 00000000 ____D C:\WINDOWS\System64
2013-10-30 14:13 - 2013-10-29 21:56 - 00047064 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-10-30 05:19 - 2013-10-10 22:16 - 00000512 _____ C:\WINDOWS\Tasks\SparkTrust PC Cleaner Plus.job
2013-10-30 04:34 - 2013-10-04 23:34 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-10-29 22:31 - 2013-10-29 22:29 - 00002520 _____ C:\Documents and Settings\Georg Kremer\Desktop\Rkill.txt
2013-10-29 22:15 - 2013-10-10 19:28 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-10-29 10:07 - 2013-10-12 00:24 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\NPE
2013-10-29 09:39 - 2013-10-29 09:38 - 00000000 ___SD C:\ComboFix
2013-10-29 09:38 - 2013-10-29 09:37 - 00000000 ____D C:\Qoobox
2013-10-29 09:38 - 2013-10-29 09:36 - 00000000 ___SD C:\32788R22FWJFW
2013-10-29 09:36 - 2013-10-29 09:36 - 00000000 ____D C:\WINDOWS\erdnt
2013-10-29 06:40 - 2013-10-12 00:05 - 00000000 ____D C:\Program Files\Google
2013-10-29 05:42 - 2013-10-06 10:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2013-10-29 05:30 - 2013-10-10 22:16 - 00000412 _____ C:\WINDOWS\Tasks\SparkTrust Update Version3.job
2013-10-28 23:26 - 2013-10-28 23:26 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\AVAST Software
2013-10-28 23:24 - 2013-10-28 23:24 - 00001740 _____ C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
2013-10-28 23:24 - 2013-10-28 23:24 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Avast
2013-10-28 23:23 - 2013-10-28 23:23 - 00774392 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00403440 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00269216 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2013-10-28 23:23 - 2013-10-28 23:23 - 00178304 _____ C:\WINDOWS\system32\Drivers\aswVmm.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00070384 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00057672 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00054832 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00049944 _____ C:\WINDOWS\system32\Drivers\aswRvrt.sys
2013-10-28 23:23 - 2013-10-28 23:23 - 00043152 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2013-10-28 23:23 - 2013-10-28 23:23 - 00035656 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswFsBlk.sys
2013-10-28 23:22 - 2013-10-28 23:22 - 00000000 ____D C:\Program Files\AVAST Software
2013-10-28 23:22 - 2013-10-28 23:21 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2013-10-28 23:21 - 2013-10-28 23:21 - 00403440 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\dbrskzbk.sys
2013-10-28 21:50 - 2013-10-14 11:29 - 00000000 ____D C:\Documents and Settings\Georg Kremer\SmitfraudFix
2013-10-28 21:50 - 2013-10-13 10:23 - 00002371 _____ C:\rapport.txt
2013-10-28 21:50 - 2013-06-12 04:45 - 00216716 _____ C:\WINDOWS\setupact.log
2013-10-28 21:49 - 2013-10-13 10:23 - 00001252 _____ C:\WINDOWS\system32\tmp.reg
2013-10-28 21:49 - 2013-10-13 10:23 - 00000000 _____ C:\WINDOWS\system32\tmp.txt
2013-10-28 21:48 - 2013-10-04 19:49 - 00000000 ____D C:\Documents and Settings\Georg Kremer
2013-10-28 21:39 - 2013-06-12 04:45 - 00156360 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-10-28 21:37 - 2013-06-12 10:39 - 00000231 _____ C:\WINDOWS\system.ini
2013-10-28 21:37 - 2013-06-12 04:45 - 00329980 _____ C:\WINDOWS\setupapi.log
2013-10-28 21:11 - 2013-10-28 21:11 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\SUPERAntiSpyware.com
2013-10-28 21:11 - 2013-10-28 21:10 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-10-28 21:10 - 2013-10-28 21:10 - 00001685 _____ C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-10-28 21:10 - 2013-10-28 21:10 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
2013-10-28 21:10 - 2013-10-28 21:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2013-10-27 23:25 - 2013-10-27 23:24 - 00000000 ___SD C:\Documents and Settings\Georg Kremer\My Documents\My Webs
2013-10-27 23:24 - 2013-10-05 00:22 - 00002465 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft FrontPage.lnk
2013-10-26 18:00 - 2013-10-09 13:02 - 00000454 _____ C:\WINDOWS\Tasks\SparkTrust Registration3.job
2013-10-26 00:36 - 2013-10-26 00:36 - 00004622 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis9
2013-10-25 23:51 - 2013-10-05 00:56 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-10-25 23:29 - 2013-10-25 23:07 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\IObit
2013-10-25 23:14 - 2013-10-25 23:14 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-10-25 23:14 - 2013-10-25 23:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\IObit
2013-10-25 23:13 - 2013-10-25 23:13 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Apple Computer
2013-10-25 23:13 - 2013-10-25 23:07 - 00000000 ____D C:\Program Files\IObit
2013-10-22 05:28 - 2013-10-27 11:37 - 00133208 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\49328214.sys
2013-10-16 11:43 - 2013-10-16 11:43 - 00004776 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis8
2013-10-16 10:41 - 2013-10-16 10:41 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\LibreOffice
2013-10-16 09:51 - 2013-10-10 22:16 - 00001013 _____ C:\Documents and Settings\Georg Kremer\Desktop\SparkTrust PC Cleaner Plus.lnk
2013-10-15 09:18 - 2013-10-15 09:18 - 00004776 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis5
2013-10-15 08:58 - 2013-10-15 08:58 - 00004869 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis4
2013-10-15 08:55 - 2013-10-14 11:41 - 00004809 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis.log
2013-10-14 11:54 - 2013-10-14 11:54 - 00004675 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis3
2013-10-14 11:50 - 2013-10-14 11:50 - 00004708 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijackthis2
2013-10-13 12:29 - 2013-10-13 10:21 - 00000000 ____D C:\Documents and Settings\Georg Kremer\My Documents\SmitfraudFix
2013-10-13 11:47 - 2013-10-13 11:47 - 00065536 _____ C:\WINDOWS\Minidump\Mini101313-01.dmp
2013-10-13 11:47 - 2013-10-13 11:47 - 00000000 ____D C:\WINDOWS\Minidump
2013-10-13 11:37 - 2013-10-04 23:57 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\Adobe
2013-10-13 11:37 - 2013-10-04 19:50 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Adobe
2013-10-13 11:29 - 2013-10-04 23:26 - 00000000 ____D C:\WINDOWS\system32\Drivers\NAV
2013-10-13 11:28 - 2013-10-04 23:27 - 00001892 _____ C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
2013-10-13 11:28 - 2013-10-04 23:26 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton AntiVirus
2013-10-13 10:22 - 2013-10-12 08:09 - 00000000 _____ C:\Documents and Settings\Georg Kremer\My Documents\hijacked.txt
2013-10-12 00:41 - 2013-10-12 00:41 - 00000000 ____D C:\WINDOWS\system32\appmgmt
2013-10-12 00:25 - 2013-10-04 23:21 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-10-12 00:07 - 2013-10-12 00:05 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\Google
2013-10-10 19:28 - 2013-10-10 19:28 - 00000791 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-10 19:28 - 2013-10-10 19:28 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Malwarebytes
2013-10-10 19:28 - 2013-10-10 19:28 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-10-10 19:28 - 2013-10-10 19:28 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-10-10 12:43 - 2013-10-06 10:26 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\vlc
2013-10-10 12:16 - 2013-10-04 23:27 - 00000000 ____D C:\WINDOWS\system32\Drivers\NST
2013-10-10 12:16 - 2013-10-04 23:27 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton Identity Safe
2013-10-09 13:02 - 2013-10-09 13:02 - 00000000 ____D C:\Program Files\Common Files\SparkTrust
2013-10-09 13:02 - 2013-10-09 13:02 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Start Menu\Programs\SparkTrust
2013-10-09 13:02 - 2013-10-09 13:02 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\SparkTrust
2013-10-09 13:02 - 2013-10-09 13:02 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\DriverCure
2013-10-09 13:02 - 2013-10-09 13:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SparkTrust
2013-10-09 13:02 - 2013-10-04 19:49 - 00001606 _____ C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Remote Assistance.lnk
2013-10-09 13:02 - 2013-06-12 09:54 - 00001614 _____ C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
2013-10-09 13:02 - 2013-06-12 09:54 - 00001514 _____ C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk
2013-10-09 13:01 - 2013-10-09 13:01 - 00000000 ____D C:\Program Files\SparkTrust
2013-10-09 12:58 - 2013-10-09 12:58 - 00026192 _____ C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-10-09 12:58 - 2013-10-09 12:58 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Lavasoft
2013-10-08 07:22 - 2013-10-08 07:22 - 00001849 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Start Center.lnk
2013-10-08 07:22 - 2013-10-08 07:22 - 00001843 _____ C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
2013-10-08 07:22 - 2013-10-08 07:22 - 00000616 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-10-08 07:22 - 2013-10-08 07:22 - 00000446 _____ C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-10-08 07:22 - 2013-10-08 07:22 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy 2
2013-10-08 07:22 - 2013-10-08 07:21 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2013-10-08 07:15 - 2013-10-08 07:15 - 00000079 _____ C:\WINDOWS\wininit.ini
2013-10-05 00:23 - 2013-10-05 00:23 - 00000376 _____ C:\WINDOWS\ODBC.INI
2013-10-05 00:22 - 2013-10-05 00:22 - 00002002 _____ C:\Documents and Settings\All Users\Start Menu\Open Office Document.lnk
2013-10-05 00:22 - 2013-10-05 00:22 - 00001992 _____ C:\Documents and Settings\All Users\Start Menu\New Office Document.lnk
2013-10-05 00:22 - 2013-10-05 00:22 - 00000000 ____D C:\Program Files\Common Files\Designer
2013-10-05 00:22 - 2013-10-05 00:22 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office Tools
2013-10-05 00:22 - 2013-06-12 04:46 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-10-05 00:21 - 2013-10-05 00:21 - 00000000 ____D C:\Program Files\Microsoft Office
2013-10-05 00:19 - 2013-06-12 10:22 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-10-05 00:19 - 2013-06-12 10:22 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-10-05 00:19 - 2013-06-12 04:43 - 00000000 ____D C:\WINDOWS\system
2013-10-05 00:01 - 2013-10-05 00:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee
2013-10-05 00:00 - 2013-06-12 10:24 - 00002347 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2013-10-04 23:59 - 2013-06-12 10:24 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
2013-10-04 23:34 - 2013-10-04 23:34 - 00000737 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2013-10-04 23:34 - 2013-10-04 23:34 - 00000731 _____ C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2013-10-04 23:34 - 2013-10-04 23:34 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-10-04 23:34 - 2013-10-04 23:34 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\Mozilla
2013-10-04 23:34 - 2013-10-04 23:34 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Mozilla
2013-10-04 23:34 - 2013-10-04 23:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Mozilla
2013-10-04 23:30 - 2013-10-04 23:21 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Norton
2013-10-04 23:29 - 2013-10-04 23:29 - 00000000 ____D C:\Documents and Settings\Georg Kremer\My Documents\Symantec
2013-10-04 23:29 - 2013-10-04 23:27 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-10-04 23:27 - 2013-10-04 23:27 - 00142936 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2013-10-04 23:27 - 2013-10-04 23:27 - 00008194 _____ C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2013-10-04 23:27 - 2013-10-04 23:27 - 00000000 ____D C:\Program Files\Symantec
2013-10-04 23:27 - 2013-10-04 23:27 - 00000000 ____D C:\Program Files\Norton Identity Safe
2013-10-04 23:26 - 2013-10-04 23:26 - 00000000 ____D C:\Program Files\Norton AntiVirus
2013-10-04 23:21 - 2013-10-04 23:21 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton
2013-10-04 19:59 - 2013-06-12 04:43 - 00000000 ____D C:\WINDOWS\security
2013-10-04 19:57 - 2013-10-04 19:57 - 00000000 ____D C:\Documents and Settings\Georg Kremer\My Documents\ForceField Shared Files
2013-10-04 19:57 - 2013-10-04 19:57 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\CheckPoint
2013-10-04 19:54 - 2013-10-04 19:54 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Local Settings\Application Data\Sun
2013-10-04 19:50 - 2013-10-04 19:50 - 00000000 __SHD C:\Documents and Settings\Georg Kremer\PrivacIE
2013-10-04 19:50 - 2013-10-04 19:50 - 00000000 ____D C:\Documents and Settings\Georg Kremer\Application Data\Macromedia
2013-10-04 19:49 - 2013-10-04 19:49 - 00000810 _____ C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Internet Explorer.lnk
2013-10-04 19:49 - 2013-10-04 19:49 - 00000799 _____ C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Windows Media Player.lnk
2013-10-04 19:49 - 2013-10-04 19:49 - 00000793 _____ C:\Documents and Settings\Georg Kremer\Desktop\Windows Media Player.lnk
2013-10-04 19:49 - 2013-10-04 19:49 - 00000745 _____ C:\Documents and Settings\Georg Kremer\Start Menu\Programs\Outlook Express.lnk
2013-10-04 19:49 - 2013-06-12 09:52 - 00000000 ____D C:\WINDOWS\system32\Restore
2013-10-04 19:49 - 2013-06-12 09:51 - 00001326 _____ C:\WINDOWS\wmsetup.log
2013-10-04 19:48 - 2013-06-12 10:39 - 00000211 __RSH C:\boot.ini
2013-10-04 19:47 - 2013-06-12 09:52 - 00002063 _____ C:\WINDOWS\sessmgr.setup.log
2013-10-04 19:47 - 2013-06-12 09:51 - 00000626 _____ C:\WINDOWS\DtcInstall.log
2013-10-04 19:47 - 2013-06-12 09:51 - 00000000 ____D C:\WINDOWS\Registration
2013-10-04 19:47 - 2013-06-12 04:46 - 00175096 _____ C:\WINDOWS\iis6.log
2013-10-04 19:47 - 2013-06-12 04:46 - 00065561 _____ C:\WINDOWS\tsoc.log
2013-10-04 19:46 - 2013-06-12 04:46 - 00004444 _____ C:\WINDOWS\system32\pid.PNF
2013-10-04 19:46 - 2013-06-12 04:46 - 00002312 _____ C:\WINDOWS\regopt.log
2013-10-04 19:46 - 2013-06-12 04:43 - 00000000 ____D C:\WINDOWS\Help

Files to move or delete:
====================
C:\Documents and Settings\Administrator\TempWmicBatchFile.bat
C:\Documents and Settings\Default User\TempWmicBatchFile.bat
C:\Documents and Settings\Georg Kremer\TempWmicBatchFile.bat


Some content of TEMP:
====================
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\tbinst.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2013-06-12 10:39] - [2012-06-29 11:57] - 0110592 ____A (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log =============

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 37 GB) (Disk ID: 4467E93B)
Partition 1: (Active) - (Size=3 GB) - (Type=27)
Partition 2: (Not Active) - (Size=34 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: 917F4382)
Partition 1: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:02 PM

Posted 02 November 2013 - 07:20 PM

edited


Edited by B-boy/StyLe/, 02 November 2013 - 07:25 PM.



#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:02 PM

Posted 02 November 2013 - 07:25 PM

Hello,

 

I am sorry about the delay. I was in a place with no internet connection...

 

 

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove in the Control Panel and remove either Norton AntiVirus or avast! (you should also consider uninstalling ZoneAlarm if you use the version with antivirus included).

 

 

Next, please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

 

 

Also

  • Please re-run FRST and type the following in the edit box after Search: services.exe; sfcfiles.dll
  • Click the Search button
  • It will make a log (Search.txt) - please post the log in your reply to me.

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 02 November 2013 - 07:26 PM.

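The "Bamital & volsnap Check" in the FRST log above is the cue for Georgi's follow-up search: every listed system file reads "MD5 is legit" except services.exe, for which FRST printed the file details instead. As an added example (not code from the thread or from FRST), here is a small Python parser that reads that section of a log and reports which files FRST did not vouch for; the sample log is constructed from the check section above, and the names FileCheck, audit_bamital_check and unverified_files are my own.

```python
"""Audit the 'Bamital & volsnap Check' section of an FRST log.

A file that is not reported as 'MD5 is legit' is not proof of a patched
binary (a newer patch level can also miss FRST's list); it is the file that
deserves a follow-up check, which is why the thread asks for a Search on
services.exe and sfcfiles.dll.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the check section in the log above.
SAMPLE_LOG = r"""
==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2013-06-12 10:39] - [2012-06-29 11:57] - 0110592 ____A (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log =============
"""

SECTION_HEADER = "Bamital & volsnap Check"
# "<path> => MD5 is legit"
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit\s*$")
# "<path> => <any other verdict>" (treated as unverified, verdict kept as a note)
VERDICT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+?)\s*$")
# Bare path line; FRST follows it with a detail line when the hash is unknown to it
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)\s*$")
# "[created] - [modified] - size attrs (company) md5"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})\s*$"
)


@dataclass
class FileCheck:
    path: str
    legit: bool
    note: Optional[str] = None
    md5: Optional[str] = None
    size: Optional[int] = None
    company: Optional[str] = None


def extract_section(log_text: str) -> List[str]:
    """Return the lines between the check header and the next '====' header."""
    out, inside = [], False
    for line in log_text.splitlines():
        if SECTION_HEADER in line:
            inside = True
            continue
        if inside and line.startswith("===="):
            break
        if inside:
            out.append(line.rstrip())
    return out


def audit_bamital_check(log_text: str) -> List[FileCheck]:
    """Parse every file entry in the check section into a FileCheck record."""
    results: List[FileCheck] = []
    lines = extract_section(log_text)
    i = 0
    while i < len(lines):
        line = lines[i]
        m = LEGIT_RE.match(line)
        if m:
            results.append(FileCheck(m.group("path"), True))
        elif (m := VERDICT_RE.match(line)):
            results.append(FileCheck(m.group("path"), False, note=m.group("verdict")))
        elif (m := PATH_RE.match(line)):
            check = FileCheck(m.group("path"), False, note="MD5 not confirmed by FRST")
            # Pull in the detail line FRST prints under an unconfirmed file, if present.
            if i + 1 < len(lines) and (d := DETAIL_RE.match(lines[i + 1])):
                check.md5 = d.group("md5").lower()
                check.size = int(d.group("size"))
                check.company = d.group("company")
                i += 1
            results.append(check)
        i += 1
    return results


def unverified_files(log_text: str) -> List[str]:
    """Paths the check section did not report as 'MD5 is legit'."""
    return [c.path for c in audit_bamital_check(log_text) if not c.legit]


if __name__ == "__main__":
    for c in audit_bamital_check(SAMPLE_LOG):
        status = "legit" if c.legit else f"CHECK ({c.note}; md5={c.md5})"
        print(f"{c.path}: {status}")
```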


#6 beacon2020

beacon2020
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:12:02 PM

Posted 03 November 2013 - 01:13 AM

Hi Georgi. I have uninstalled Avast. The Norton product that I use is a stand-alone antivirus, so I left ZoneAlarm running.

 

I ran the FRST fix and FRST Search. The logs are posted below. It seems that the problems with the browser are at least partially fixed, but some problems persist. I ran the Malwarebytes anti-rootkit tool, which found the original malware still located in the folder windows/system64. It also shows a new threat in a 2nd folder.

 

C:\Documents and Settings\Georg Kremer\My Documents\Downloads\SmitfraudFix\UIFix.exe

C:\Windows\System64

C:\Windows\System64\msvcp.dll

C:\Windows\System64\msvcr.dll

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-10-2013
Ran by Georg Kremer at 2013-11-03 00:16:32 Run:1
Running from C:\Documents and Settings\Georg Kremer\My Documents\Downloads
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
Unlock: C:\Windows\system64
DeleteJunctionsInDirectory: C:\Windows\system64
cmd: Dir /s /a:l C:\Windows\*
C:\Documents and Settings\Georg Kremer\Local Settings\Temp
end
*****************

"C:\Windows\system64" => File/Diroctory unlocked successfully.
"C:\Windows\system64" => Deleting reparse point and unlocking started.
"C:\Windows\system64" => Deleting reparse point and unlocking completed.

=========  Dir /s /a:l C:\Windows\* =========

 Volume in drive C is Windows
 Volume Serial Number is 044F-333D

 Directory of C:\Windows\assembly\GAC_32\System.EnterpriseServices

06/12/2013  10:45    <JUNCTION>     2.0.0.0__b03f5f7f11d50a3a
               0 File(s)              0 bytes

 Directory of C:\Windows\assembly\GAC_MSIL\IEExecRemote

06/12/2013  10:46    <JUNCTION>     2.0.0.0__b03f5f7f11d50a3a
               0 File(s)              0 bytes

     Total Files Listed:
               0 File(s)              0 bytes
               2 Dir(s)  22,276,513,792 bytes free

========= End of CMD: =========


"C:\Documents and Settings\Georg Kremer\Local Settings\Temp" directory move:

Could not move "C:\Documents and Settings\Georg Kremer\Local Settings\Temp\etilqs_nIYPliYW52dAasl" => Scheduled to move on reboot.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\HaZx8EPd.exe.part => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\hXK9Ipau.exe.part => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\isw_acc_80100000 => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\N1Psxee9.exe.part => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\tbinst.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\users00 => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\W2lTcrkg.exe.part => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\XDSFsjhD.exe.part => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DF123E.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DF2982.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DF37FA.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DF4175.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DF57AC.tmp => Moved successfully.
Could not move "C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DFA26A.tmp" => Scheduled to move on reboot.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DFDCE4.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DFDD5F.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DFEC77.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\AvBasesCheck.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\avSetupWeb.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\backup.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Clean_tool.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Clean_tool64.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\contents.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\CUninstallerZA.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\dotNetFx35setup.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\FeatureBehavioralScan.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\FeatureExpertMode.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\FeatureRiskwareScan.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Firewall.msi => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\handlecmsg.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.log => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Launcher.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Legacy.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\osfwrules.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\protection.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Uninst.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\vcredist_x86.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\vistalib32.dll => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\vistalib64.dll => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\vsdrinst.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\vsdrinst64.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Windows6.0-KB929547-v2-x64.msu => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Windows6.0-KB946776-x86.msu => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Windows6.0-KB981889-v2-x64.msu => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Windows6.0-KB981889-v2-x86.msu => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Windows6.1-KB981889-x64.msu => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Windows6.1-KB981889-x86.msu => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\WindowsXP-KB943232-x86-ENU.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\zatb.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\ZoneAlarm.msi => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\zonealarm_base.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\IT\Install.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\IT\License.html => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\IT\License.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\FR\Install.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\FR\License.html => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\FR\License.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\ES\Install.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\ES\License.html => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\ES\License.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\EN\Install.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\EN\instimg1.png => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\EN\instimg2.png => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\EN\instimg3.png => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\EN\instimg4.png => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\EN\instimg5.png => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\EN\License.html => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\EN\License.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\DE\Install.xml => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\DE\License.html => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\DE\License.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\WER7327.dir00\explorer.exe.hdmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\WER7327.dir00\explorer.exe.mdmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\WER67b0.dir00\explorer.exe.hdmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\WER67b0.dir00\explorer.exe.mdmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\Temporary Directory 1 for tdsskiller(1).zip\TDSSKiller.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\SUPERSetup\setup.db3 => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\SUPERSetup\setup.dll => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\AVDisplayName.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\AVscanstatus.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\AVupdatestatus.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\BHO.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\check.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\checkup.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\defragcheck.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\defragcheck2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\defragcheck3.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\defragcheck4.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\ff2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\ff3.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\flash.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\flash2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\flash3.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\flash4.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\flash5.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\flashcheck.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\flashx64.bat => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\fw1.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\fw2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\hostcopy.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\IEversion.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\IEVersion2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\IEVersion3.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\install.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\MSEx64.bat => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup10.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup11.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup12.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup13.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup14.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup15.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup16.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup17.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup18.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup19.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup20.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup21.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup22.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup23.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup24.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup25.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup26.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup27.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup28.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup29.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup3.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup30.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup31.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup32.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup4.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup5.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup6.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup7.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup8.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\notcheckup9.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\Objlist.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\OS1check.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\OS1check2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\OS2check.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\prelimcheckup.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\prelimcheckup2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\prelimcheckup3.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\prelimproccheck.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\prelimspycheck.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\prelimspycheck2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process10.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process11.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process12.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process13.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process14.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process15.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process16.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process17.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process18.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process19.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process20.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process21.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process22.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process23.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process24.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process25.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process26.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process27.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process28.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process29.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process30.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process31.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process32.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process33.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process34.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process35.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process36.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process37.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process38.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process39.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process4.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process40.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process5.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process6.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process7.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process8.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\process9.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\rc2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\rc3.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\runprocesses.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\SecurityCheck.bat => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\tb2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\UAC.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\UAC2.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\uninstalllist.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\wscsvc1.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\x64SPcheck.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\Other\cmdinfo.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\Other\Copyright Information.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\Other\nircmdc.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\Other\sed.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\Other\swreg.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\RarSFX2\SecurityCheck\Other\Update History.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\isw_acc_10100000 => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\WH\0 => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Shared\FFCleanupPolicy_main.ptp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\PA\2f7fb469b38f8ae1e9c72c2b0e209141 => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\AltFFApi.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\CPLic.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\CPLic.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\FFApi.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\FFApi.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWDMP.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWDMP.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWFWMON.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWFWMON.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWGUI.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWGUI.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWINST.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWMENUS.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWMENUS.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWSHEX.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWSHEX.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWSTATS.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWSTATS.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWUILIB.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWUILIB.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWUL.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWUL.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWUL_MIN.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWUL_MIN.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWUPD.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\ISWUPD.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\LChk.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\SiteChecker.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\SiteChecker.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\TrustcheckerIEPlugin.swl => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\IswTmp\Logs\TrustcheckerIEPlugin.swl.old => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\conduit\inet_status.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\conduit\installing.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\conduit\toolbar_status.txt => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\acrord32_sbx\Temporary Internet Files\Content.IE5\desktop.ini => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\acrord32_sbx\Temporary Internet Files\Content.IE5\index.dat => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\acrord32_sbx\Temporary Internet Files\Content.IE5\RDTN55NT\desktop.ini => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\acrord32_sbx\Temporary Internet Files\Content.IE5\QUNEL1DX\desktop.ini => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\acrord32_sbx\Temporary Internet Files\Content.IE5\CG9Y4BBK\desktop.ini => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\acrord32_sbx\Temporary Internet Files\Content.IE5\0AETAWLW\desktop.ini => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\acrord32_sbx\History\History.IE5\desktop.ini => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\acrord32_sbx\History\History.IE5\index.dat => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\acrord32_sbx\Cookies\index.dat => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\1944_6939\crl-set => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\1944_6939\manifest.fingerprint => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\1944_6939\manifest.json => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\CertCheck.dll => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\cpes_clean.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\GLF10.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\GLF11.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\GLF12.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\RDBValidate.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\V90Check.dll => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\vsxml.dll => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\z4barSpInstall.exe => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\110113230758\ZAFFSetup.exe => Moved successfully.
Could not move "C:\Documents and Settings\Georg Kremer\Local Settings\Temp" directory. => Scheduled to move on reboot.


=========== Result of Scheduled Files to move ===========

C:\Documents and Settings\Georg Kremer\Local Settings\Temp\etilqs_nIYPliYW52dAasl => Is moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp\~DFA26A.tmp => Moved successfully.
C:\Documents and Settings\Georg Kremer\Local Settings\Temp => Moved successfully.

==== End of Fixlog ====

 

Farbar Recovery Scan Tool (x86) Version: 31-10-2013
Ran by Georg Kremer at 2013-11-03 00:24:17
Running from C:\Documents and Settings\Georg Kremer\My Documents\Downloads
Boot Mode: Normal

================== Search: "services.exe; sfcfiles.dll" ===================

C:\WINDOWS\system32\services.exe
[2013-06-12 10:39] - [2012-06-29 11:57] - 0110592 ____A (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6

C:\WINDOWS\system32\sfcfiles.dll
[2013-06-12 10:39] - [2012-06-29 12:05] - 1614848 ____A (Microsoft Corporation) 57ff046bf5f22b29aee0177449139565

C:\WINDOWS\system32\dllcache\services.exe
[2013-06-12 10:39] - [2012-06-29 11:57] - 0110592 ___AC (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6

=== End Of Search ===



#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:02 PM

Posted 03 November 2013 - 03:57 AM

Hi,

 

 

I know that the folder is still there. I wanted to remove the junction point prior to the folder deletion. Please, don't run any tools unless they are required. :)

So your version of ZoneAlarm has antivirus included, right?

 

 

STEP 1


We are going to need to download a file to extract the system files from.

Please go here and download WindowsXP-KB936929-SP3-x86-ENU.exe to your desktop.

Next open notepad and copy/paste the text in the codebox below into it:
 

@echo Unpacking files ...
@echo (This window will close when it's done)
@echo off
REM Extract the Service Pack 3 package (expected next to this batch file) into C:\SP3
MKdir C:\SP3
WindowsXP-KB936929-SP3-x86-ENU.exe -x: C:\SP3 /quiet
REM Expand the two compressed cabinet entries into clean copies of the system files
cd C:\SP3\i386
expand services.ex_ C:\SP3\services.exe
expand sfcfiles.dl_ C:\SP3\sfcfiles.dll
REM Remove this batch file once it has finished
del %0


Save this as expand.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this: bat_icon.gif
Double click on expand.bat & allow it to run.
A folder C:\SP3\i386 will be created with all the files in Service pack 3 in it.
A couple of files will be expanded to C:\SP3.

 

 

STEP 2

 

 

Next please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

Regards,

Georgi
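An added defender's check, not code from this thread or from FRST: it parses the FRST Search output posted in the preceding reply and flags a file whose system32 and dllcache copies no longer share one hash, or whose hash differs from a reference value. That is the comparison worth making before the replacement in the steps above and again afterwards to confirm the clean copies landed. The sample reuses the three search hits from the thread plus one constructed dllcache\sfcfiles.dll entry with a placeholder MD5; using the thread's own hashes as the reference is an assumption made for the example.

```python
import re
from collections import defaultdict

# An FRST "Search:" hit is a path line followed by "[created] - [modified] - size attrs (company) md5".
DETAIL_RE = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) (?P<attrs>\S+) "
                       r"\([^)]*\) (?P<md5>[0-9a-f]{32})$")

# Sample input: the first three hits are copied from the FRST output in this thread; the
# dllcache\sfcfiles.dll hit is constructed (placeholder MD5) to show a copy that no longer matches.
FRST_SEARCH = r"""
C:\WINDOWS\system32\services.exe
[2013-06-12 10:39] - [2012-06-29 11:57] - 0110592 ____A (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6
C:\WINDOWS\system32\sfcfiles.dll
[2013-06-12 10:39] - [2012-06-29 12:05] - 1614848 ____A (Microsoft Corporation) 57ff046bf5f22b29aee0177449139565
C:\WINDOWS\system32\dllcache\services.exe
[2013-06-12 10:39] - [2012-06-29 11:57] - 0110592 ___AC (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6
C:\WINDOWS\system32\dllcache\sfcfiles.dll
[2013-06-12 10:39] - [2013-10-20 03:11] - 1614848 ___AC (Microsoft Corporation) 00000000000000000000000000000000
"""

# Reference MD5s: the values FRST reported for the copies in this thread.
# Assumption: those copies are clean; a trusted catalogue is the proper source.
REFERENCE = {"services.exe": "020ceaaedc8eb655b6506b8c70d53bb6",
             "sfcfiles.dll": "57ff046bf5f22b29aee0177449139565"}

def parse_frst_search(text):
    """Pair each path line with the detail line that follows it."""
    records, path = [], None
    for line in text.splitlines():
        line = line.strip()
        m = DETAIL_RE.match(line)
        if m and path:
            records.append({"path": path, "name": path.rsplit("\\", 1)[-1].lower(),
                            "size": int(m.group("size")), "md5": m.group("md5")})
            path = None
        elif re.match(r"^[A-Za-z]:\\", line):   # a drive-letter path starts a new hit
            path = line
    return records

def copies_disagree(records):
    """File names whose on-disk copies (system32 vs dllcache) carry different MD5s."""
    by_name = defaultdict(set)
    for r in records:
        by_name[r["name"]].add(r["md5"])
    return sorted(n for n, hashes in by_name.items() if len(hashes) > 1)

def unexpected_hashes(records, reference=REFERENCE):
    """Paths whose MD5 differs from the reference value for that file name."""
    return [r["path"] for r in records
            if r["name"] in reference and r["md5"] != reference[r["name"]]]
```

A hit in either list is what the Replace lines in the fixlist are meant to cure; an empty result after the fix confirms the replacement took.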




#8 beacon2020

beacon2020
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 03 November 2013 - 05:35 AM

Hi Georgi. I have followed these instructions. I will reboot and let you know the status.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-10-2013
Ran by Georg Kremer at 2013-11-03 04:31:59 Run:2
Running from C:\Documents and Settings\Georg Kremer\My Documents\Downloads
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
C:\Windows\System64\msvcp.dll
C:\Windows\System64\msvcr.dll
C:\Windows\system64
Replace: c:\SP3\services.exe C:\WINDOWS\system32\services.exe
Replace: c:\SP3\services.exe C:\WINDOWS\system32\dllcache\services.exe
Replace: c:\SP3\sfcfiles.dll C:\WINDOWS\system32\sfcfiles.dll
Replace: c:\SP3\sfcfiles.dll C:\WINDOWS\system32\dllcache\sfcfiles.dll
end
 



#9 beacon2020

beacon2020
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 03 November 2013 - 07:20 AM

Hi Georgi. Upon reboot, the folder windows\system64 no longer appears in the directory. However, the problem with text disappearing persists.



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:02 PM

Posted 03 November 2013 - 07:51 AM

Hi,

 

Please post the latest fixlog.txt.

Also it is possible that the problem with your browser is caused by some of the tools you ran on your own rather than by ZeroAccess itself.

Did you try to reinstall Mozilla Firefox in order to try to fix the problem?

Also please zip and attach all of the logs from the tools you ran on your own (if possible).

 

Also ctfmon.exe is usually a legit system file used by the language bar (if located in C:\Windows\System32) so I hope you didn't ruin your Windows by deleting files on your own lol.

 

My computer has been infested with conduit.com malware. I have removed a mixi dj toolbar and the conduit.com program from the control panel, and two rogue files cftmon.exe.

 

You've even run powerful tools like Combofix without supervision. Doing so can severely cripple or render your computer.

 

2013-10-29 14:38:21    --------    d-s---w-    C:\ComboFix

 

 

Please include the log from Combofix in your next reply!

 

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 03 November 2013 - 07:57 AM.



#11 beacon2020

beacon2020
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 03 November 2013 - 12:58 PM

Hi Georgi. The fixlog.txt was posted above. It is also below.

 

Most of the tools that I ran previously did not generate logs. I downloaded combofix but did not run it. Mostly what I ran was scans which didn't find anything to fix. Other tools related to adware removal. And I ran hijackthis and an analyzer which directed me to remove cftmon.

 

One tool that I ran that concerns me is Smitfraudfix, specifically the following file.

C:\Documents and Settings\Georg Kremer\My Documents\Downloads\SmitfraudFix\UIFix.exe

 

I am working on a laptop that I borrowed from a friend because my machine is very difficult to write on. Please note that I was trying to fix my machine for a month before I found Bleeping Computers.

 

The authentic cftmon is still installed in its proper folder. What I removed were 2 other files with that name, which were not valid and were in different folders.

 

Content of fixlist:
*****************
start
C:\Windows\System64\msvcp.dll
C:\Windows\System64\msvcr.dll
C:\Windows\system64
Replace: c:\SP3\services.exe C:\WINDOWS\system32\services.exe
Replace: c:\SP3\services.exe C:\WINDOWS\system32\dllcache\services.exe
Replace: c:\SP3\sfcfiles.dll C:\WINDOWS\system32\sfcfiles.dll
Replace: c:\SP3\sfcfiles.dll C:\WINDOWS\system32\dllcache\sfcfiles.dll
end



#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:02 PM

Posted 03 November 2013 - 03:40 PM

Hi,

 

Ok, no worries but the log is cut off. Is this the full fixlog.txt? Can you please verify again?

 

 

Regards,

Georgi




#13 beacon2020

beacon2020
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 03 November 2013 - 05:43 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-10-2013
Ran by Georg Kremer at 2013-11-03 16:42:28 Run:3
Running from C:\Documents and Settings\Georg Kremer\My Documents\Downloads
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
C:\Windows\System64\msvcp.dll
C:\Windows\System64\msvcr.dll
C:\Windows\system64
Replace: c:\SP3\services.exe C:\WINDOWS\system32\services.exe
Replace: c:\SP3\services.exe C:\WINDOWS\system32\dllcache\services.exe
Replace: c:\SP3\sfcfiles.dll C:\WINDOWS\system32\sfcfiles.dll
Replace: c:\SP3\sfcfiles.dll C:\WINDOWS\system32\dllcache\sfcfiles.dll
end


*****************

 

"C:\Windows\System64\msvcp.dll" => File/Directory not found.
"C:\Windows\System64\msvcr.dll" => File/Directory not found.
"C:\Windows\system64" => File/Directory not found.
Could not find c:\SP3\services.exe
Could not find c:\SP3\services.exe
Could not find c:\SP3\sfcfiles.dll
Could not find C:\WINDOWS\system32\dllcache\sfcfiles.dll
Could not find c:\SP3\sfcfiles.dll

==== End of Fixlog ====



#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:02 PM

Posted 03 November 2013 - 07:10 PM

Hi,

 

It seems that you ran the fix twice...

 

Ran by Georg Kremer at 2013-11-03 16:42:28 Run:3

 

I need the full fixlog from your second run which was cut off:

 

Ran by Georg Kremer at 2013-11-03 04:31:59 Run:2

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 03 November 2013 - 07:11 PM.



#15 beacon2020

beacon2020
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 03 November 2013 - 08:32 PM

Hi.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-10-2013
Ran by Georg Kremer at 2013-11-03 19:04:58 Run:5
Running from C:\Documents and Settings\Georg Kremer\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
Replace: c:\SP3\services.exe C:\WINDOWS\system32\services.exe
Replace: c:\SP3\services.exe C:\WINDOWS\system32\dllcache\services.exe
Replace: c:\SP3\sfcfiles.dll C:\WINDOWS\system32\sfcfiles.dll
Replace: c:\SP3\sfcfiles.dll C:\WINDOWS\system32\dllcache\sfcfiles.dll
end
*****************

Could not find c:\SP3\services.exe
Could not find c:\SP3\services.exe
Could not find c:\SP3\sfcfiles.dll
Could not find C:\WINDOWS\system32\dllcache\sfcfiles.dll
Could not find c:\SP3\sfcfiles.dll

==== End of Fixlog ====





