Infected with ZeroAccess Rootkit


  • This topic is locked
14 replies to this topic

#1 WhightKnight

WhightKnight

  • Members
  • 54 posts

Posted 23 November 2013 - 07:38 PM

Hello,

I have discovered that I am infected with ZeroAccess Rootkit after creating this thread:
http://www.bleepingcomputer.com/forums/t/515097/infected-with-maleware/
Currently I am experiencing slow or disabled internet as well as sporadic popups.
My DDS logs are as follows:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 17:57:10 on 2013-11-23
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.320 [GMT -6:00]
.
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\GoZone\GoZone_iSync.exe
C:\Program Files\BasicServe\basicstarter.exe
C:\Program Files\BasicServe\basicstarter.exe
C:\Program Files\Browsebeyond\updateBrowsebeyond.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {6C8DB2EC-499B-4897-A784-0E3186C97E9D} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe Acrobat Create PDF Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\wcieactivex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 11.0\acrobat\Acrotray.exe"
mRunOnce: [ (A0)] cmd /c "c:\documents and settings\administrator\desktop\mbar\mbar.exe" /rdv /s
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\gozone~1.lnk - c:\program files\gozone\GoZone_iSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://banacsvr.rusm.rossu.loc/auth/taweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271258425984
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271258421562
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\8t6r8xon.default-1383610854031\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npo1d.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\acrobat 11.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect64.dll
FF - plugin: c:\program files\google\update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - ExtSQL: 2013-09-25 16:10; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\mozilla firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: 2013-11-23 15:50; {740B3FD5-4483-469D-BE7F-8555B153BD04}; c:\program files\mozilla firefox\browser\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04}
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 211560]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-11-23 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-11-23 701512]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-11-23 47064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-11-23 22856]
RUnknown BasicServe Service;BasicServe Service; [x]
RUnknown Update Browsebeyond;Update Browsebeyond; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-9-16 3273088]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-9-5 171680]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-3 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-11-23 22:20:07 54016 ----a-w- c:\windows\system32\drivers\ybscpvo.sys
2013-11-23 21:55:25 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2013-11-23 21:55:07 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-23 21:55:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-11-23 21:50:40 -------- d-----w- c:\program files\Browsebeyond
2013-11-23 21:50:31 -------- d-----w- c:\program files\BasicServe
2013-11-23 21:50:31 -------- d-----w- c:\documents and settings\all users\application data\BasicServe
2013-11-23 21:07:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-11-23 21:07:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-11-23 21:05:12 47064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-11-22 23:39:59 -------- d-----w- c:\windows\Options
2013-11-04 23:45:13 -------- d-----w- c:\program files\ESET
2013-11-04 23:16:24 -------- d-----w- c:\documents and settings\administrator\local settings\application data\ApplicationHistory
2013-11-04 03:00:01 -------- d-----w- c:\program files\MyPC Backup
2013-11-04 02:59:15 5402832 ----a-w- c:\documents and settings\all users\application data\pclunst.exe
2013-11-04 02:59:13 -------- d-----w- c:\documents and settings\all users\application data\PC1Data
2013-11-03 16:35:08 -------- d-----w- c:\documents and settings\all users\application data\PCPitstop
2013-11-03 16:34:26 -------- d-----w- c:\program files\PCPitstop
2013-10-29 22:42:11 62576 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{00fc607b-63ab-424f-912e-889149ac6686}\offreg.dll
2013-10-29 22:39:37 7796464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{00fc607b-63ab-424f-912e-889149ac6686}\mpengine.dll
2013-10-29 02:46:12 -------- d-----w- c:\program files\Conduit
2013-10-29 02:45:57 -------- d-----w- c:\documents and settings\all users\application data\Conduit
2013-10-29 02:45:53 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Conduit
2013-10-29 01:43:33 7796464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M  ====================
.
2013-09-23 18:33:58 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33:57 43520 ------w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06:48 385024 ------w- c:\windows\system32\html.iec
2013-08-29 01:31:44 1878656 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:58:02.51 ===============
Edited by WhightKnight, 23 November 2013 - 08:26 PM.


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 November 2013 - 09:19 PM

Please run the following:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 WhightKnight

WhightKnight
  • Topic Starter

  • Members
  • 54 posts

Posted 24 November 2013 - 01:50 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-11-2013
Ran by Administrator (administrator) on UNIVERSI-D50536 on 24-11-2013 12:39:44
Running from C:\Documents and Settings\Administrator\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Logitech Inc.) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Virgin HealthMiles Inc.) C:\Program Files\GoZone\GoZone_iSync.exe
() C:\Program Files\BasicServe\basicstarter.exe
() C:\Program Files\BasicServe\basicstarter.exe
() C:\Program Files\Browsebeyond\updateBrowsebeyond.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPStart] - C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-09-15] (Synaptics, Inc.)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-08-12] ()
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [Acrobat Assistant 8.0] - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\acrotray.exe [3478392 2013-09-05] (Adobe Systems Inc.)
HKLM\...\RunOnce: [ (A0)] - cmd /c "C:\Documents and Settings\Administrator\Desktop\mbar\mbar.exe" /rdv /s [1170744 2013-10-07] (Malwarebytes Corporation)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...\Runonce: [Malwarebytes Anti-Malware (cleanup)] - rundll32.exe "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
HKCU\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [20549280 2013-10-21] (Skype Technologies S.A.)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Default User\...\RunOnce: [nltide_2] - regsvr32 /s /n /i:U shell32
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\GoZone iSync.lnk
ShortcutTarget: GoZone iSync.lnk -> C:\Program Files\GoZone\GoZone_iSync.exe (Virgin HealthMiles Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: No Name - {6C8DB2EC-499B-4897-A784-0E3186C97E9D} -  No File
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} https://banacsvr.rusm.rossu.loc/auth/taweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271258425984
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271258421562
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Winsock: Catalog9 19 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8t6r8xon.default-1383610854031
FF Homepage: hxxp://www.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.11.2852 - C:\Program Files\Magic Burning Studio\Real\browser\plugins\nppl3260.dll No File
FF Plugin: @real.com/nppl3260;version=6.0.12.46 - C:\Program Files\Magic Burning Studio\Real\browser\plugins\nppl3260.dll No File
FF Plugin: @real.com/nprpjplug;version=6.0.12.1662 - C:\Program Files\Magic Burning Studio\Real\browser\plugins\nprpjplug.dll No File
FF Plugin: @real.com/nprpjplug;version=6.0.12.46 - C:\Program Files\Magic Burning Studio\Real\browser\plugins\nprpjplug.dll No File
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Acrobat - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\chambers-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-en-GB.xml
FF Extension: firefox - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8t6r8xon.default-1383610854031\Extensions\firefox@browsebeyond.net.xpi
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn

========================== Services (Whitelisted) =================

R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-08-12] ()
R3 Nla; C:\Windows\System32\mswsock.dll [245248 2008-06-20] ()
S2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3273088 2013-09-16] (Skype Technologies S.A.)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2171273f-4015-e22d-0c9e-883c36136e3a}\   \   \???\{2171273f-4015-e22d-0c9e-883c36136e3a}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

U0 bakqggy; C:\Windows\System32\drivers\ybscpvo.sys [54016 2013-11-23] ()
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S3 FilterService; C:\Windows\System32\DRIVERS\lvuvcflt.sys [23904 2010-05-14] (Logitech Inc.)
R3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25824 2010-05-07] ()
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [47064 2013-11-23] (Malwarebytes Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R3 NETw5x32; C:\Windows\System32\DRIVERS\NETw5x32.sys [3636864 2008-11-17] (Intel Corporation)
S3 AgereSoftModem; system32\DRIVERS\AGRSM.sys [x]
U5 Cdrom; C:\Windows\System32\Drivers\Cdrom.sys [62976 2008-04-13] (Microsoft Corporation)
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 USBAAPL; System32\Drivers\usbaapl.sys [x]
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-24 12:39 - 2013-11-24 12:40 - 00013377 _____ C:\Documents and Settings\Administrator\Desktop\FRST.txt
2013-11-24 12:39 - 2013-11-24 12:39 - 01091583 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2013-11-24 12:39 - 2013-11-24 12:39 - 00000000 ____D C:\FRST
2013-11-23 17:58 - 2013-11-23 17:58 - 00017157 _____ C:\Documents and Settings\Administrator\Desktop\attach.txt
2013-11-23 17:58 - 2013-11-23 17:58 - 00012150 _____ C:\Documents and Settings\Administrator\Desktop\dds.txt
2013-11-23 17:56 - 2013-11-23 17:56 - 00688992 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\dds.com
2013-11-23 16:20 - 2013-11-23 16:20 - 00054016 _____ C:\WINDOWS\system32\Drivers\ybscpvo.sys
2013-11-23 16:13 - 2013-11-23 16:13 - 00010862 _____ C:\Documents and Settings\Administrator\Desktop\farbar.txt
2013-11-23 16:13 - 2013-11-23 16:13 - 00000197 _____ C:\Documents and Settings\Administrator\Desktop\error.txt
2013-11-23 15:56 - 2013-11-23 16:00 - 00012080 _____ C:\Documents and Settings\Administrator\Desktop\Rkill.txt
2013-11-23 15:55 - 2013-11-23 15:55 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-23 15:55 - 2013-11-23 15:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-11-23 15:55 - 2013-11-23 15:55 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-11-23 15:55 - 2013-11-23 15:55 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2013-11-23 15:55 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2013-11-23 15:50 - 2013-11-24 12:36 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\BasicServe
2013-11-23 15:50 - 2013-11-23 16:20 - 00000000 ____D C:\Program Files\Browsebeyond
2013-11-23 15:50 - 2013-11-23 15:50 - 00000000 ____D C:\Program Files\BasicServe
2013-11-23 15:50 - 2013-11-23 15:50 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\3d273a222a202a214437415f474a5e_c
2013-11-23 15:07 - 2013-11-23 15:46 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-11-23 15:07 - 2013-11-23 15:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-11-23 15:05 - 2013-11-23 15:05 - 00047064 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-11-23 15:04 - 2013-11-23 15:46 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\mbar
2013-11-23 15:03 - 2013-11-23 15:04 - 00019747 _____ C:\Documents and Settings\Administrator\Desktop\Result.txt
2013-11-23 13:51 - 2013-11-23 13:51 - 00005428 _____ C:\Documents and Settings\Administrator\Desktop\FSS.txt
2013-11-22 18:19 - 2013-11-22 18:19 - 00268600 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-11-22 17:40 - 2013-11-24 12:38 - 00014591 _____ C:\WINDOWS\setupapi.log
2013-11-22 17:39 - 2013-11-23 15:51 - 00002123 _____ C:\WINDOWS\WindowsUpdate.log
2013-11-22 17:39 - 2013-11-22 17:39 - 00000000 ____D C:\WINDOWS\Options
2013-11-09 12:18 - 2013-11-09 12:19 - 02347384 _____ (ESET) C:\Documents and Settings\Administrator\Desktop\esetsmartinstaller_enu.exe
2013-11-04 18:20 - 2013-11-04 18:21 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\Old Firefox Data
2013-11-04 17:45 - 2013-11-04 17:45 - 00000000 ____D C:\Program Files\ESET
2013-11-03 21:10 - 2013-11-03 21:10 - 00010899 _____ C:\Documents and Settings\Administrator\Desktop\tx.Save File
2013-11-03 21:00 - 2013-11-04 17:16 - 00000000 ____D C:\Program Files\MyPC Backup
2013-11-03 20:59 - 2013-11-03 20:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC1Data
2013-11-03 20:59 - 2013-11-03 20:58 - 05402832 _____ (PC Cleaners) C:\Documents and Settings\All Users\Application Data\pclunst.exe
2013-11-03 10:35 - 2013-11-03 11:36 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PCPitstop
2013-11-03 10:34 - 2013-11-03 12:50 - 00000000 ____D C:\Program Files\PCPitstop
2013-11-01 21:44 - 2013-11-01 21:44 - 00270054 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2052111302-1645522239-725345543-500-0.dat
2013-10-30 16:05 - 2013-10-30 16:05 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2013-10-30 16:05 - 2013-10-30 16:05 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2013-10-30 08:18 - 2013-11-01 21:44 - 00270054 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2013-10-29 15:18 - 2013-11-23 18:41 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-10-28 20:46 - 2013-10-28 20:46 - 00000000 ____D C:\Program Files\Conduit
2013-10-28 20:45 - 2013-11-23 16:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Conduit
2013-10-28 20:45 - 2013-11-04 16:58 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit
2013-10-28 20:45 - 2013-10-28 20:48 - 00000009 _____ C:\END

==================== One Month Modified Files and Folders =======

2013-11-24 12:40 - 2013-11-24 12:39 - 00013377 _____ C:\Documents and Settings\Administrator\Desktop\FRST.txt
2013-11-24 12:39 - 2013-11-24 12:39 - 01091583 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2013-11-24 12:39 - 2013-11-24 12:39 - 00000000 ____D C:\FRST
2013-11-24 12:38 - 2013-11-22 17:40 - 00014591 _____ C:\WINDOWS\setupapi.log
2013-11-24 12:38 - 2010-08-22 20:44 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Skype
2013-11-24 12:36 - 2013-11-23 15:50 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\BasicServe
2013-11-24 12:32 - 2011-01-03 11:45 - 00000000 _____ C:\WINDOWS\system32\Drivers\lvuvc.hs
2013-11-23 20:09 - 2012-09-22 12:44 - 00001010 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1645522239-725345543-500UA.job
2013-11-23 19:09 - 2012-09-22 12:44 - 00000958 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1645522239-725345543-500Core.job
2013-11-23 18:51 - 2010-05-01 12:21 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-23 18:41 - 2013-10-29 15:18 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-11-23 18:24 - 2013-10-09 18:48 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-11-23 17:58 - 2013-11-23 17:58 - 00017157 _____ C:\Documents and Settings\Administrator\Desktop\attach.txt
2013-11-23 17:58 - 2013-11-23 17:58 - 00012150 _____ C:\Documents and Settings\Administrator\Desktop\dds.txt
2013-11-23 17:56 - 2013-11-23 17:56 - 00688992 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\dds.com
2013-11-23 16:20 - 2013-11-23 16:20 - 00054016 _____ C:\WINDOWS\system32\Drivers\ybscpvo.sys
2013-11-23 16:20 - 2013-11-23 15:50 - 00000000 ____D C:\Program Files\Browsebeyond
2013-11-23 16:20 - 2013-10-28 20:45 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Conduit
2013-11-23 16:20 - 2010-04-14 03:46 - 00000000 ____D C:\WINDOWS\Help
2013-11-23 16:13 - 2013-11-23 16:13 - 00010862 _____ C:\Documents and Settings\Administrator\Desktop\farbar.txt
2013-11-23 16:13 - 2013-11-23 16:13 - 00000197 _____ C:\Documents and Settings\Administrator\Desktop\error.txt
2013-11-23 16:00 - 2013-11-23 15:56 - 00012080 _____ C:\Documents and Settings\Administrator\Desktop\Rkill.txt
2013-11-23 15:55 - 2013-11-23 15:55 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-23 15:55 - 2013-11-23 15:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-11-23 15:55 - 2013-11-23 15:55 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-11-23 15:55 - 2013-11-23 15:55 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2013-11-23 15:51 - 2013-11-22 17:39 - 00002123 _____ C:\WINDOWS\WindowsUpdate.log
2013-11-23 15:50 - 2013-11-23 15:50 - 00000000 ____D C:\Program Files\BasicServe
2013-11-23 15:50 - 2013-11-23 15:50 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\3d273a222a202a214437415f474a5e_c
2013-11-23 15:46 - 2013-11-23 15:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-11-23 15:46 - 2013-11-23 15:04 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\mbar
2013-11-23 15:07 - 2013-11-23 15:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-11-23 15:05 - 2013-11-23 15:05 - 00047064 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-11-23 15:04 - 2013-11-23 15:03 - 00019747 _____ C:\Documents and Settings\Administrator\Desktop\Result.txt
2013-11-23 13:51 - 2013-11-23 13:51 - 00005428 _____ C:\Documents and Settings\Administrator\Desktop\FSS.txt
2013-11-22 19:08 - 2013-02-04 21:37 - 00002265 _____ C:\Documents and Settings\All Users\Desktop\Skype.lnk
2013-11-22 18:23 - 2010-04-14 03:54 - 00576794 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-11-22 18:19 - 2013-11-22 18:19 - 00268600 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-11-22 18:19 - 2011-01-03 11:45 - 00000000 _____ C:\WINDOWS\system32\Drivers\logiflt.iad
2013-11-22 18:19 - 2011-01-03 11:44 - 00000000 ____D C:\WINDOWS\system32\logishrd
2013-11-22 18:19 - 2010-05-01 12:21 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-22 18:19 - 2010-04-14 09:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-11-22 18:19 - 2010-04-14 03:56 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-11-22 18:19 - 2010-04-14 03:56 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-11-22 18:19 - 2001-08-22 14:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-11-22 18:18 - 2010-04-14 09:05 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-11-22 18:18 - 2010-04-14 09:04 - 00032358 _____ C:\WINDOWS\SchedLgU.Txt
2013-11-22 17:39 - 2013-11-22 17:39 - 00000000 ____D C:\WINDOWS\Options
2013-11-22 17:30 - 2010-04-14 09:05 - 00000000 ____D C:\Documents and Settings\Administrator
2013-11-16 21:43 - 2012-03-09 19:32 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\rajni
2013-11-12 21:28 - 2012-12-21 17:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2013-11-10 21:09 - 2010-04-14 20:27 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Mozilla
2013-11-09 12:19 - 2013-11-09 12:18 - 02347384 _____ (ESET) C:\Documents and Settings\Administrator\Desktop\esetsmartinstaller_enu.exe
2013-11-04 18:21 - 2013-11-04 18:20 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\Old Firefox Data
2013-11-04 17:45 - 2013-11-04 17:45 - 00000000 ____D C:\Program Files\ESET
2013-11-04 17:16 - 2013-11-03 21:00 - 00000000 ____D C:\Program Files\MyPC Backup
2013-11-04 16:58 - 2013-10-28 20:45 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit
2013-11-04 09:35 - 2010-04-14 09:27 - 00000000 ____D C:\WINDOWS\system32\LogFiles
2013-11-03 21:10 - 2013-11-03 21:10 - 00010899 _____ C:\Documents and Settings\Administrator\Desktop\tx.Save File
2013-11-03 20:59 - 2013-11-03 20:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PC1Data
2013-11-03 20:59 - 2010-04-14 03:54 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-11-03 20:58 - 2013-11-03 20:59 - 05402832 _____ (PC Cleaners) C:\Documents and Settings\All Users\Application Data\pclunst.exe
2013-11-03 12:50 - 2013-11-03 10:34 - 00000000 ____D C:\Program Files\PCPitstop
2013-11-03 11:36 - 2013-11-03 10:35 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PCPitstop
2013-11-01 21:44 - 2013-11-01 21:44 - 00270054 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2052111302-1645522239-725345543-500-0.dat
2013-11-01 21:44 - 2013-10-30 08:18 - 00270054 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2013-11-01 21:30 - 2013-07-07 14:59 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-10-31 14:40 - 2010-04-14 09:04 - 00000000 __SHD C:\Documents and Settings\LocalService
2013-10-30 16:05 - 2013-10-30 16:05 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2013-10-30 16:05 - 2013-10-30 16:05 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2013-10-30 15:57 - 2010-04-20 20:17 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
2013-10-30 15:57 - 2010-04-20 20:09 - 00000000 ____D C:\Program Files\Google
2013-10-30 08:23 - 2013-02-04 21:37 - 00000000 ___RD C:\Program Files\Skype
2013-10-30 08:04 - 2010-04-14 09:05 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2013-10-28 20:50 - 2010-04-14 12:29 - 00000000 ____D C:\Program Files\Microsoft.NET
2013-10-28 20:48 - 2013-10-28 20:45 - 00000009 _____ C:\END
2013-10-28 20:46 - 2013-10-28 20:46 - 00000000 ____D C:\Program Files\Conduit
ZeroAccess:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\SkypeSetup.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== End Of Log ============================
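The FRST log above flags the ZeroAccess infection in several distinct ways: explicit ATTENTION markers on a hidden Run value and a service, Winsock catalog entries whose provider DLL is reported missing, a driver with no file publisher, and the reparse points under the Microsoft Security Client directory. The following Python helper, added here as an example and not part of this thread, of FRST or of any tool used in it, applies those same checks to FRST-style lines so an analyst can triage a long log quickly. The sample lines are constructed from the patterns in the log, and the severities it assigns are an assumption for illustration.

```python
"""Triage helper for FRST-style log lines.

Added example for this thread; it is not part of FRST, Fixlog or any tool the
thread uses. The rules mirror the kinds of lines the log above contains, and
the severities assigned are an assumption for illustration.
"""
import re
from collections import Counter

# Constructed sample lines, modelled on the FRST and fixlist lines in the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-08-12] (Microsoft Corporation)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 02 mswsock.dll [245248] (Microsoft Corporation)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2171273f-4015-e22d-0c9e-883c36136e3a}\   \   \???\{2171273f-4015-e22d-0c9e-883c36136e3a}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
U0 bakqggy; C:\Windows\System32\drivers\ybscpvo.sys [54016 2013-11-23] ()
R1 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [47064 2013-11-23] (Malwarebytes Corporation)
C:\Windows\System32\winlogon.exe => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
"""

# "U0 name; path [size date] (Publisher)" style service/driver lines.
SERVICE_RE = re.compile(r'^([URS]\d)\s+(\S+?);\s*(.*)$')
# Trailing "(Publisher)" field; it is left empty, "()", when the file carries none.
PUBLISHER_RE = re.compile(r'\(([^()]*)\)\s*$')


def classify(line):
    """Return (severity, reason) for one line, or None when nothing stands out."""
    text = line.strip()
    if not text:
        return None
    # Reparse points planted inside a security product's directory: the AV
    # binaries are still listed but can no longer be loaded.
    if 'DeleteJunctionsIndirectory' in text:
        return ('high', 'reparse points in a security product directory')
    # A Winsock catalog entry whose provider DLL is missing breaks networking.
    if text.startswith('Winsock:') and 'File Not found' in text:
        return ('high', 'Winsock catalog entry points to a missing file')
    # Anything else the scanner itself marked.
    if 'ATTENTION' in text:
        return ('high', 'flagged by the scanner')
    m = SERVICE_RE.match(text)
    if m:
        name, rest = m.group(2), m.group(3)
        pub = PUBLISHER_RE.search(rest)
        if pub is not None and pub.group(1).strip() == '':
            return ('medium', 'service %s has no file publisher' % name)
        return None
    return None


def triage(log_text):
    """Apply classify() to every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict is not None:
            severity, reason = verdict
            findings.append({'severity': severity, 'reason': reason, 'line': line.strip()})
    return findings


def summarize(findings):
    """Count findings per severity; returned as a plain dict."""
    return dict(Counter(f['severity'] for f in findings))


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('[%s] %s\n    %s' % (f['severity'].upper(), f['reason'], f['line']))
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a saved FRST.txt, `triage(open(path).read())` returns the flagged lines with a reason each; the "no file publisher" rule is deliberately only medium, because unsigned third-party drivers are common on older systems and need a hash or vendor lookup before being treated as malicious.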



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 November 2013 - 02:36 PM

Please run the following:

Download attached fixlist.txt file and save it to the Desktop.

Attached File: FixList.txt (2.36KB)

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 WhightKnight

WhightKnight
  • Topic Starter

  • Members
  • 54 posts

Posted 24 November 2013 - 03:18 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-11-2013
Ran by Administrator at 2013-11-24 14:15:03 Run:1
Running from C:\Documents and Settings\Administrator\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
() C:\Program Files\BasicServe\basicstarter.exe
() C:\Program Files\BasicServe\basicstarter.exe
() C:\Program Files\Browsebeyond\updateBrowsebeyond.exe
HKLM\...\Run: [] - [x]
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
BHO: No Name - {6C8DB2EC-499B-4897-A784-0E3186C97E9D} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
FF Extension: firefox - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8t6r8xon.default-1383610854031\Extensions\firefox@browsebeyond.net.xpi
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2171273f-4015-e22d-0c9e-883c36136e3a}\   \   \???\{2171273f-4015-e22d-0c9e-883c36136e3a}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
U0 bakqggy; C:\Windows\System32\drivers\ybscpvo.sys [54016 2013-11-23] ()
C:\Windows\System32\drivers\ybscpvo.sys
2013-11-23 15:50 - 2013-11-24 12:36 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\BasicServe
2013-11-23 15:50 - 2013-11-23 16:20 - 00000000 ____D C:\Program Files\Browsebeyond
2013-11-23 15:50 - 2013-11-23 15:50 - 00000000 ____D C:\Program Files\BasicServe
2013-11-23 15:50 - 2013-11-23 15:50 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\3d273a222a202a214437415f474a5e_c
2013-10-28 20:46 - 2013-10-28 20:46 - 00000000 ____D C:\Program Files\Conduit
2013-10-28 20:45 - 2013-11-23 16:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Conduit
2013-10-28 20:45 - 2013-11-04 16:58 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit
2013-10-28 20:45 - 2013-10-28 20:48 - 00000009 _____ C:\END
2013-11-16 21:43 - 2012-03-09 19:32 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\rajni
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Windows\assembly\GAC\Desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\SkypeSetup.exe
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
end

 

*****************

[3540] C:\Program Files\BasicServe\basicstarter.exe => Process closed successfully.
[1712] C:\Program Files\BasicServe\basicstarter.exe => Process closed successfully.
[3540] C:\Program Files\BasicServe\basicstarter.exe => Process closed successfully.
[1712] C:\Program Files\BasicServe\basicstarter.exe => Process closed successfully.
[2704] C:\Program Files\Browsebeyond\updateBrowsebeyond.exe => Process closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C8DB2EC-499B-4897-A784-0E3186C97E9D} => Key deleted successfully.
HKCR\CLSID\{6C8DB2EC-499B-4897-A784-0E3186C97E9D} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8t6r8xon.default-1383610854031\Extensions\firefox@browsebeyond.net.xpi => Moved successfully.
C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml => Moved successfully.
*etadpug => Service deleted successfully.
bakqggy => Service deleted successfully.
C:\Windows\System32\drivers\ybscpvo.sys => Moved successfully.
C:\Documents and Settings\All Users\Application Data\BasicServe => Moved successfully.
C:\Program Files\Browsebeyond => Moved successfully.
C:\Program Files\BasicServe => Moved successfully.
C:\Documents and Settings\All Users\Application Data\3d273a222a202a214437415f474a5e_c => Moved successfully.
C:\Program Files\Conduit => Moved successfully.
C:\Documents and Settings\All Users\Application Data\Conduit => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit => Moved successfully.
C:\END => Moved successfully.
C:\Documents and Settings\Administrator\Desktop\rajni => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Desktop\Install => Moved successfully.

"C:\Program Files\Google\Desktop\Install" directory move:

"C:\Program Files\Google\Desktop\Install\{21712~1\0103~1\0103~1\CFFE~1\{21712~1" => Directory moved successfully.
Could not move "C:\Program Files\Google\Desktop\Install" directory. => Scheduled to move on reboot.

C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\SkypeSetup.exe => Moved successfully.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client\Backup" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\DbgHelp.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Drivers" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\en-us" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\EppManifest.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\LegitLib.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\mpevmsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpOAv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseces.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsseWat.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Setup.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SetupRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\shellext.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\sqmapi.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.yes" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2013-11-24 14:18:10)<=

C:\Program Files\Google\Desktop\Install => Is moved successfully.

==== End of Fixlog ====



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 November 2013 - 08:07 PM

Please run the following:

Download ComboFix from the following location:
Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

CF_RC_notice.png
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
cfRC_screen_2.png
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 WhightKnight

WhightKnight
  • Topic Starter

  • Members
  • 54 posts

Posted 24 November 2013 - 10:55 PM

ComboFix 13-11-23.02 - Administrator 11/24/2013  21:44:14.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.355 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\rundll32
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-25 to 2013-11-25  )))))))))))))))))))))))))))))))
.
.
2013-11-24 21:46 . 2013-11-24 21:46 62576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{619C3032-8417-4BD2-8698-95FD25DEFF55}\offreg.dll
2013-11-24 21:46 . 2013-11-24 21:46 40392 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{619C3032-8417-4BD2-8698-95FD25DEFF55}\MpKsl0ea9740a.sys
2013-11-24 21:28 . 2013-11-08 01:15 7772552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{619C3032-8417-4BD2-8698-95FD25DEFF55}\mpengine.dll
2013-11-24 18:39 . 2013-11-24 20:18 -------- d-----w- C:\FRST
2013-11-23 21:55 . 2013-11-23 21:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-11-23 21:55 . 2013-04-04 20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-23 21:55 . 2013-11-23 21:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-11-23 21:07 . 2013-11-23 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-11-23 21:07 . 2013-11-23 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-11-23 21:05 . 2013-11-23 21:05 47064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-11-22 23:39 . 2013-11-22 23:39 -------- d-----w- c:\windows\Options
2013-11-04 23:45 . 2013-11-04 23:45 -------- d-----w- c:\program files\ESET
2013-11-04 23:16 . 2013-11-04 23:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2013-11-04 03:00 . 2013-11-04 23:16 -------- d-----w- c:\program files\MyPC Backup
2013-11-04 02:59 . 2013-11-04 02:58 5402832 ----a-w- c:\documents and settings\All Users\Application Data\pclunst.exe
2013-11-04 02:59 . 2013-11-04 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC1Data
2013-11-03 16:35 . 2013-11-03 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2013-11-03 16:34 . 2013-11-03 18:50 -------- d-----w- c:\program files\PCPitstop
2013-10-29 22:39 . 2013-10-14 06:39 7796464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-11 11:50 . 2011-12-25 03:37 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-09-23 18:33 . 2008-01-03 17:18 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2008-01-03 17:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2007-09-17 04:07 43520 ------w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2007-10-18 09:09 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2007-09-17 04:06 385024 ------w- c:\windows\system32\html.iec
2013-08-29 01:31 . 2007-09-14 00:17 1878656 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2013-09-05 3478392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2013-2-11 436848]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^GoZone iSync.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\GoZone iSync.lnk
backup=c:\windows\pss\GoZone iSync.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 00:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-16 01:46 159744 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-16 01:46 135168 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2010-05-08 00:35 165208 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-16 01:46 131072 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-06 03:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
R1 MpKsl0ea9740a;MpKsl0ea9740a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{619C3032-8417-4BD2-8698-95FD25DEFF55}\MpKsl0ea9740a.sys [11/24/2013 3:46 PM 40392]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/23/2013 3:55 PM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/23/2013 3:55 PM 701512]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [9/16/2013 11:29 AM 3273088]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [9/5/2013 9:34 AM 171680]
S2 Util Browsebeyond;Util Browsebeyond;"c:\program files\Browsebeyond\bin\utilBrowsebeyond.exe" --> c:\program files\Browsebeyond\bin\utilBrowsebeyond.exe [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/23/2013 3:55 PM 22856]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL0EA9740A
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 18:21]
.
2013-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 18:21]
.
2013-11-24 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-08-12 15:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.1
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://banacsvr.rusm.rossu.loc/auth/taweb.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8t6r8xon.default-1383610854031\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - ExtSQL: 2013-09-25 16:10; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: 2013-11-23 15:50; {740B3FD5-4483-469D-BE7F-8555B153BD04}; c:\program files\Mozilla Firefox\browser\extensions\{740B3FD5-4483-469D-BE7F-8555B153BD04}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Toolbar-Locked - (no file)
Notify-NavLogon - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Google Update - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-24 21:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2052111302-1645522239-725345543-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{C2D64FF7-0AB8-4263-89C9-EA3B0F8F050C}"=hex:51,66,7a,6c,4c,1d,3b,1b,e7,53,c4,
   de,8d,58,0d,0e,96,c2,aa,7b,0e,ca,44,15
"{74322BF9-DF26-493F-B0DA-6D2FC5E6429E}"=hex:51,66,7a,6c,4c,1d,3b,1b,e9,37,20,
   68,13,8d,51,05,af,d1,2d,6f,c4,a3,03,87
.
[HKEY_USERS\S-1-5-21-2052111302-1645522239-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5b,f2,98,f6,1f,e4,ce,4c,8d,10,e2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,c6,46,5b,50,94,85,4b,8f,b8,fe,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5b,f2,98,f6,1f,e4,ce,4c,8d,10,e2,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5b,f2,98,f6,1f,e4,ce,4c,8d,10,e2,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5b,f2,98,f6,1f,e4,ce,4c,8d,10,e2,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(3132)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-11-24  21:53:05
ComboFix-quarantined-files.txt  2013-11-25 03:53
.
Pre-Run: 51,336,142,848 bytes free
Post-Run: 51,980,111,872 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 1664DF2B598B394548CF25B42F717C2C
8F558EB6672622401DA993E1E865C861
 



#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 November 2013 - 03:08 PM

looks better,

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • If items are found, please select the Clean button
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply
NEXT
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT

Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, if it shows a screen that says "Threats found!", then click "List of found threats" button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 WhightKnight

  • Topic Starter
  • Members
  • 54 posts

Posted 25 November 2013 - 09:07 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Administrator on Mon 11/25/2013 at 17:19:44.89
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\dnu.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\powerpack
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\firstsearch
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\freeze.com
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdate
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloaduibrowser
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloaduibrowser.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloadupdcontroller
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloadupdcontroller.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3295941

 

~~~ Files

Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npmozcouponprinter.dll"

 

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\boost_interprocess"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\pc1data"
Successfully deleted: [Folder] "C:\Documents and Settings\Administrator\Application Data\dvdvideosoftiehelpers"
Successfully deleted: [Folder] "C:\Documents and Settings\Administrator\appdata\locallow\datamngr"
Successfully deleted: [Folder] "C:\Program Files\coupons"
Successfully deleted: [Folder] "C:\Program Files\mypc backup"
Successfully deleted: [Folder] "C:\Program Files\Common Files\software update utility"
Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 11/25/2013 at 17:23:16.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

# AdwCleaner v3.013 - Report created 25/11/2013 at 17:25:50
# Updated 24/11/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Administrator - UNIVERSI-D50536
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\PackageAware

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BasicServe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v22.0 (en-GB)

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8t6r8xon.default-1383610854031\prefs.js ]

*************************

AdwCleaner[R0].txt - [2492 octets] - [25/11/2013 17:24:16]
AdwCleaner[S0].txt - [2449 octets] - [25/11/2013 17:25:50]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2509 octets] ##########

 

 

 

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.25.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: UNIVERSI-D50536 [administrator]

Protection: Disabled

11/25/2013 5:30:00 PM
mbam-log-2013-11-25 (17-30-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215784
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

ESET Scan:

C:\FRST\Quarantine\firefox@browsebeyond.net.xpi Win32/BrowseFox.B application
C:\FRST\Quarantine\Browsebeyond\bin\utilBrowsebeyond.exe a variant of Win32/BrowseFox.G application
C:\FRST\Quarantine\{21712~1\U\00000004.@ Win32/Conedex.D trojan
C:\FRST\Quarantine\{21712~1\U\00000008.@ Win32/Conedex.T trojan
C:\FRST\Quarantine\{21712~1\U\000000cb.@ Win32/Conedex.E trojan
C:\FRST\Quarantine\{21712~1\U\80000000.@ probably a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{21712~1\U\80000032.@ probably a variant of Win32/Sirefef.FV trojan
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP670\A0027887.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP671\A0028031.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP671\A0028038.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP672\A0028144.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028152.dll probably a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028153.dll probably a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028154.dll probably a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028155.exe a variant of Win32/Conduit.SearchProtect.B application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028156.exe a variant of Win32/Conduit.SearchProtect.D application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028161.dll probably a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028162.dll probably a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028163.dll probably a variant of Win32/Conduit.SearchProtect.C application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028164.exe a variant of Win32/Conduit.SearchProtect.B application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028165.exe a variant of Win32/Conduit.SearchProtect.D application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028175.dll a variant of Win32/Toolbar.Conduit.P application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028180.dll a variant of Win32/Toolbar.Conduit.P application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028183.dll a variant of Win32/Toolbar.Conduit.B application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028222.exe probably a variant of Win32/PCCleaners application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028229.dll a variant of Win32/Toolbar.Conduit.B application
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP673\A0028234.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP682\A0028333.ini Win32/Sirefef.EZ trojan
 


Edited by WhightKnight, 25 November 2013 - 09:08 PM.


#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 November 2013 - 12:27 PM

All the ESET detections are either in quarantine or old restore points (which will be removed when we uninstall ComboFix at the end)

Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
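
CatByte's reading of the ESET report (every hit is either in a tool's quarantine folder or in an old System Restore point, so nothing is live) is the triage step a responder repeats on every long scan log. The script below is an added example, not code from this thread and not ESET's own tooling: it parses the report's `<path> <threat description>` lines and sorts them into live, quarantine and restore-point buckets, keeping anything it cannot parse visible rather than dropping it. The first three sample lines are copied from the ESET log posted above; the fourth is constructed to show a live hit, and the "Quarantine" and "_restore" folder markers are assumptions about how FRST, ComboFix and Windows lay out those folders.

```python
"""Sort ESET online-scanner detections by where they were found.

Added example (not part of the thread and not ESET's own code). It reads the
report's "<path> <threat description>" lines and puts each hit into one of
three buckets, so a long report reduces to the one question that matters for
follow-up: is anything outside a tool's quarantine folder or an old System
Restore point?
"""
import re

# One detection per line: a Windows path (which may contain spaces), then the
# verdict, which always ends in "<family>/<name> <category>" and may be
# prefixed by "probably" and/or "a variant of".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>(?:probably\s+)?(?:a variant of\s+)?\S+/\S+\s+\w+)$"
)

# Location heuristics (assumption: FRST, ComboFix and AdwCleaner keep their
# quarantines in a folder literally named "Quarantine"; restore points live
# under System Volume Information\_restore{...}).
RESTORE_POINT_MARKER = "\\system volume information\\_restore"
QUARANTINE_MARKER = "\\quarantine\\"

# Sample report: the first three lines are copied from the ESET log posted in
# the thread; the last one is constructed to show what a live hit looks like.
SAMPLE_REPORT = r"""
C:\FRST\Quarantine\{21712~1\U\80000000.@ probably a variant of Win32/Sirefef.FA trojan
C:\System Volume Information\_restore{C7DAEAE4-A69F-46E2-BEF7-0B02611576B1}\RP670\A0027887.ini Win32/Sirefef.EZ trojan
C:\FRST\Quarantine\firefox@browsebeyond.net.xpi Win32/BrowseFox.B application
C:\Documents and Settings\Administrator\Local Settings\Temp\constructed.tmp a variant of Win32/Example.A application
"""


def parse_line(line):
    """Return (path, verdict) for a detection line, or None if it does not parse."""
    m = DETECTION_RE.match(line.strip())
    return (m.group("path"), m.group("verdict")) if m else None


def classify_path(path):
    """Bucket a detection by location: 'restore_point', 'quarantine' or 'live'."""
    lowered = path.lower()
    if RESTORE_POINT_MARKER in lowered:
        return "restore_point"
    if QUARANTINE_MARKER in lowered:
        return "quarantine"
    return "live"


def triage(report_text):
    """Return {'live': [...], 'quarantine': [...], 'restore_point': [...], 'unparsed': [...]}.

    Lines that do not match the expected shape are kept under 'unparsed' rather
    than dropped, so an unusual report format cannot silently hide a hit."""
    buckets = {"live": [], "quarantine": [], "restore_point": [], "unparsed": []}
    for raw in report_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            buckets["unparsed"].append(raw.strip())
            continue
        path, verdict = parsed
        buckets[classify_path(path)].append((path, verdict))
    return buckets


def needs_followup(buckets):
    """True when anything is live on disk or could not be classified."""
    return bool(buckets["live"]) or bool(buckets["unparsed"])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in ("live", "quarantine", "restore_point", "unparsed"):
        print(f"{bucket}: {len(result[bucket])}")
        for entry in result[bucket]:
            print("   ", entry if isinstance(entry, str) else f"{entry[1]}  <-  {entry[0]}")
    print("follow-up needed:", needs_followup(result))
```

Run it against a saved ESETSCAN.txt by passing the file's contents to `triage()`; a non-empty `live` or `unparsed` bucket is the signal that the log needs a human look before the thread is declared clean.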


#11 WhightKnight

  • Topic Starter
  • Members
  • 54 posts

Posted 26 November 2013 - 08:43 PM

Computer has been running smoothly. Everything appears to have been resolved.
Thank you.



#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 November 2013 - 02:35 PM

That's good to hear, we just need to clean up our tools:


You can delete the DDS, JRT and FRST logs and programs from your desktop.


NEXT

Follow these steps to uninstall Combofix
  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.
[Image: Combofix_uninstall_image.jpg]


NEXT
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.
If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them. Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE
  • AdblockPlus
    • AdblockPlus, Surf the web without annoying ads!
    • Blocks banners, pop-ups and video ads - even on Facebook and YouTube
    • Protects your online privacy
    • Two-click installation, It's free!
    • click the icon that corresponds to your browser and download.
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?.
  • Simple and easy ways to keep your computer safe and secure on the Internet
Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
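
The Internet Explorer hardening steps above (the two "Download ... ActiveX controls" options to Prompt, "Initialize and script ActiveX controls not marked as safe" to Disable) are stored as DWORD values under the Internet zone's registry key, so the result can be verified from a `reg export` instead of by re-opening the Inetcpl.cpl dialog. The script below is an added example, not code from this thread or from Microsoft: it parses a `.reg` export of the zone key and reports every setting that differs from the recommendation, treating a missing value as a finding too (the machine then falls back to the zone template default, which the check cannot see). The value names 1001, 1004 and 1201 and the meaning of 0/1/3 are taken from Microsoft's documented security-zone registry layout, not from the thread; the two sample exports are constructed.

```python
"""Audit Internet Explorer's Internet-zone ActiveX settings from a .reg export.

Added example, not from the thread or from any Microsoft tool. It takes the
decoded text of `reg export` for the Internet zone key and checks the three
ActiveX settings the post above asks to change.
"""
import re

# Value names under the zone key, per Microsoft's security-zone registry
# layout (assumption: not stated in the thread):
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe
# Setting data: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ACTIVEX_SETTINGS = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}
# Zone 3 is the Internet zone; HKCU holds the per-user settings the dialog edits.
INTERNET_ZONE_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\Zones\3"
)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')

# Constructed sample exports (not taken from the user's machine): a weak
# configuration with every ActiveX option enabled, and the hardened one.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000000
"""
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000001
"1201"=dword:00000003
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def audit_internet_zone(reg_text):
    """Return findings as (value_name, description, current, recommended).

    `current` is None when the value is absent from the export; the zone then
    uses its template default, so the setting still needs a manual look."""
    zone = parse_reg_export(reg_text).get(INTERNET_ZONE_KEY, {})
    findings = []
    for value_name, (description, recommended) in ACTIVEX_SETTINGS.items():
        current = zone.get(value_name)
        if current != recommended:
            findings.append((value_name, description, current, recommended))
    return findings


def format_finding(finding):
    """Human-readable one-liner for a finding."""
    value_name, description, current, recommended = finding
    now = "missing" if current is None else SETTING_NAME.get(current, str(current))
    return f"{value_name} {description}: {now} (recommended {SETTING_NAME[recommended]})"


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        findings = audit_internet_zone(export)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", format_finding(f))
```

To check a real machine, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`, read the file as text, and pass it to `audit_internet_zone()`; an empty list means the three settings match what the post recommends.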


#13 WhightKnight

  • Topic Starter
  • Members
  • 54 posts

Posted 27 November 2013 - 08:14 PM

Thank you for all of the help!



#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 November 2013 - 09:01 PM

you are welcome,

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 November 2013 - 09:02 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




