big trojan


  • This topic is locked
59 replies to this topic

#1 vatos

vatos

  • Members
  • 39 posts
  • OFFLINE
  • Local time:02:37 AM

Posted 14 March 2014 - 05:31 AM

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.4.1
Run by Siyar at 11:24:09 on 2014-03-14
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\AVG\AVG2013\avgemcx.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Users\Siyar\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE
C:\Users\Siyar\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\prevhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.de/
mStart Page = hxxp://start.mysearchdial.com/?f=1&a=dnldmsd&cd=2XzuyEtN2Y1L1QzutDtD0F0FyCyC0F0AtCyDtC0FyDtByBtBtN0D0Tzu0CyDyDtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=1434676450&ir=
uProxyOverride = <local>
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
uURLSearchHooks: {5786d022-540e-4699-b350-b4be0ae94b79} - <orphaned>
mURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
dURLSearchHooks: {855F3B16-6D32-4fe6-8A56-BBB695989046} - <orphaned>
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
dURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live Anmelde-Hilfsprogramm: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [Google Update] "c:\users\siyar\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Overwolf] c:\program files\overwolf\Overwolf.exe -silent
uRun: [Free Download Manager] "c:\program files\free download manager\fdm.exe" -autorun
uRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferences /a logon
uRun: [AVG-Secure-Search-Update_0913b] c:\users\siyar\appdata\roaming\avg 0913b campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 477528af873947d1976ed154d4c7221c-ace776aea56d0a0deac3e8203236c80400a0cf40 --CMPID 0913b
uRun: [Akamai NetSession Interface] "c:\users\siyar\appdata\local\akamai\netsession_win.exe"
uRun: [Autodesk Sync] c:\program files\autodesk\autodesk sync\AdSync.exe
uRun: [boxfnzqy] regsvr32.exe "c:\programdata\boxfnzqy.dat"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [Autodesk Sync] c:\program files\autodesk\autodesk sync\AdSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: RestrictRun = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Alles mit FDM herunterladen - c:\program files\free download manager\dlall.htm
IE: Auswahl mit FDM herunterladen - c:\program files\free download manager\dlselected.htm
IE: Datei mit FDM herunterladen - c:\program files\free download manager\dllink.htm
IE: Videos mit FDM herunterladen - c:\program files\free download manager\dlfvideo.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{36E37517-49DE-4695-9615-D5E14C83017B} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AF761951-9647-405E-B610-841AF27BD780} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AF761951-9647-405E-B610-841AF27BD780}\14E64627F69646140573338323 : DHCPNameServer = 192.168.43.1
TCP: Interfaces\{AF761951-9647-405E-B610-841AF27BD780}\35969716273702960586F6E656 : DHCPNameServer = 212.23.115.148 212.23.115.132
TCP: Interfaces\{AF761951-9647-405E-B610-841AF27BD780}\5416379724F687D2141344545313 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{AF761951-9647-405E-B610-841AF27BD780}\E496373796 : DHCPNameServer = 192.168.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R? androidusb;SAMSUNG Android Composite ADB Interface Driver
R? Autodesk Content Service;Autodesk Content Service
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? dgderdrv;dgderdrv
R? FsUsbExDisk;FsUsbExDisk
R? FsUsbExService;FsUsbExService
R? LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver
R? LGSHidFilt;Logitech Gaming KMDF HID Filter Driver
R? LGVirHid;Logitech Gamepanel Virtual HID Device Driver
R? LMIRfsClientNP;LMIRfsClientNP
R? OverwolfUpdaterService;Overwolf Updater Service
R? pwdrvio;pwdrvio
R? pwdspio;pwdspio
R? rzendpt;rzendpt
R? rzudd;Razer Mouse Driver
R? ssadbus;SAMSUNG Android USB Composite Device driver (WDM)
R? ssadmdfl;SAMSUNG Android USB Modem (Filter)
R? ssadmdm;SAMSUNG Android USB Modem Drivers
R? vtany;vtany
R? WatAdminSvc;Windows Activation Technologies Service
R? xhunter1;xhunter1
R? xsherlock;xsherlock
S? AVGIDSAgent;AVGIDSAgent
S? AVGIDSDriver;AVGIDSDriver
S? AVGIDSHX;AVGIDSHX
S? AVGIDSShim;AVGIDSShim
S? Avgldx86;AVG AVI Loader Driver
S? Avglogx;AVG Logging Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? BrSerIb;Brother MFC Serial Interface Driver(WDM)
S? BrUsbSIb;Brother MFC Serial USB Driver(WDM)
S? cvhsvc;Client Virtualization Handler
S? EagleXNt;EagleXNt
S? kbdcap;kbdcap
S? LMIGuardianSvc;LMIGuardianSvc
S? LMIInfo;LogMeIn Kernel Information Provider
S? LMIRfsDriver;LogMeIn Remote File System Driver
S? MBAMProtector;MBAMProtector
S? MBAMScheduler;MBAMScheduler
S? MBAMService;MBAMService
S? netr28u;RT2870 USB Extensible Wireless LAN Card Driver
S? Ph3xIB32;Philips 713x Inbox PCI TV Card
S? Sftfs;Sftfs
S? sftlist;Application Virtualization Client
S? Sftplay;Sftplay
S? Sftredir;Sftredir
S? Sftvol;Sftvol
S? sftvsa;Application Virtualization Service Agent
S? Stereo Service;NVIDIA Stereoscopic 3D Driver Service
S? TeamViewer6;TeamViewer 6
S? TeamViewer7;TeamViewer 7
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=c:\windows\system32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2014-03-12 16:35:40 -------- d-----w- C:\OETemp
2014-03-11 20:01:15 -------- d-----w- c:\users\siyar\appdata\roaming\Heus
2014-03-11 20:01:15 -------- d-----w- c:\users\siyar\appdata\roaming\Ahnie
2014-03-05 19:02:58 -------- d-----w- c:\users\siyar\appdata\roaming\Piwo
2014-03-05 19:02:58 -------- d-----w- c:\users\siyar\appdata\roaming\Icwea
2014-03-05 18:48:12 242584 ----a-w- c:\programdata\boxfnzqy.dat
2014-03-03 14:36:41 -------- d-----w- c:\users\siyar\appdata\local\cache
2014-03-03 11:33:10 -------- d-----w- c:\program files\common files\Macrovision Shared
2014-03-03 11:32:19 -------- d-----w- c:\users\siyar\appdata\local\Autodesk
2014-03-03 11:09:35 -------- d-----w- c:\program files\Autodesk
2014-03-03 11:06:22 -------- d-----w- c:\program files\common files\Autodesk Shared
2014-03-03 10:50:52 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2014-03-03 10:50:52 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2014-03-03 10:50:52 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2014-03-03 10:37:36 -------- d-----w- c:\users\siyar\appdata\roaming\Autodesk
2014-03-03 10:33:46 -------- d-----w- c:\users\siyar\appdata\local\Akamai
2014-03-03 10:33:23 -------- d-----w- C:\Autodesk
2014-02-26 16:32:29 -------- d-----w- c:\users\siyar\appdata\local\Avg2014
2014-02-21 13:46:01 893552 ----a-w- c:\programdata\microsoft\ehome\packages\mceclientux\updateablemarkup-2\markup.dll
2014-02-21 13:45:47 42168 ----a-w- c:\programdata\microsoft\ehome\packages\mceclientux\dsm-2\StartResources.dll
2014-02-19 10:26:59 -------- d-----w- c:\program files\common files\Overwolf
.
==================== Find3M  ====================
.
2014-03-11 19:07:35 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-11 19:07:34 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 11:26:43.83 ===============
 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,310 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:37 AM

Posted 14 March 2014 - 05:44 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

Can you please describe the symptoms you are experiencing at the moment please?

 

 

Also please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Regards,

Georgi



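Once FRST.txt is back, the first pass a helper makes is to pick out the lines FRST flags itself (Group Policy software restrictions, suspect CLSID InprocServer32 values) plus the Run values and services that do not belong. The Python triage script below is an added example, not part of this thread and not FRST's own code; the log lines it runs over are constructed in FRST's format (the SID, the user name "victim" and the unsigned file names are placeholders), and the category names and path heuristics are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    category: str   # category names are this example's own, not FRST's
    detail: str


# Constructed sample in the format of FRST's Registry and Services sections.
# SID, user name and the unsigned file names are placeholders, not real data.
SAMPLE_FRST = r"""
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2013\avgui.exe [4411952 2013-11-20] (AVG Technologies CZ, s.r.o.)
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-0-0-0-1001\...\Run: [Google Update] - C:\Users\victim\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-02-23] (Google Inc.)
HKU\S-1-5-21-0-0-0-1001\...\Run: [boxfnzqy] - regsvr32.exe "C:\ProgramData\boxfnzqy.dat"
HKU\S-1-5-21-0-0-0-1001\...\Run: [updater] - C:\Users\victim\AppData\Roaming\Piwo\updater.exe [242584 2014-03-05] ()
HKU\S-1-5-21-0-0-0-1001\...\Policies\Explorer: [RestrictRun] 0
S2 Winmgmt; C:\Users\victim\wgsdgsdgdsgsd.exe [X]
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
"""

# Lines FRST already marks: a software-restriction policy aimed at a security
# product's folder, and a hijacked CLSID default InprocServer32 value.
GP_RESTRICT = re.compile(r"^HKLM Group Policy restriction on software: (?P<path>.+?) <====== ATTENTION$")
CLSID_HIJACK = re.compile(r"InprocServer32: \[Default-(?P<dll>\w+)\] (?P<target>.+?) ATTENTION! ====> ZeroAccess\?$")
# Run/RunOnce values and service lines, which need heuristics of our own.
RUN_ENTRY = re.compile(r"\\Run(?:Once)?: \[(?P<name>[^\]]*)\] - (?P<cmd>.*)$")
SERVICE = re.compile(r"^[RS]\d (?P<name>[^;]+); (?P<image>.+?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<signer>[^)]*)\))?$")
# regsvr32/rundll32 used to "run" a file that is not a DLL (quoted or bare argument).
LOLBIN = re.compile(r'^(?P<tool>regsvr32|rundll32)(?:\.exe)?\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.I)
# FRST ends file entries with "(Publisher)"; an empty "()" means no valid signature.
SIGNER = re.compile(r"\((?P<signer>[^()]*)\)\s*$")
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Documents and Settings)\\", re.I)


def check_run(name: str, cmd: str) -> Optional[Finding]:
    """Flag a Run value that abuses a loader binary or is unsigned in a user-writable tree."""
    m = LOLBIN.match(cmd)
    if m:
        target = (m.group("q") or m.group("u")).split(",")[0]
        if not target.lower().endswith((".dll", ".ocx")):
            return Finding("high", "lolbin-autorun", f"[{name}] {m.group('tool')} loads {target}")
    exe = EXE_PATH.search(cmd)
    sig = SIGNER.search(cmd)
    signed = bool(sig and sig.group("signer").strip())
    if exe and USER_WRITABLE.match(exe.group(1)) and not signed:
        return Finding("medium", "unsigned-autorun-user-writable", f"[{name}] {exe.group(1)}")
    return None


def check_service(m) -> List[Finding]:
    """Flag a service whose image FRST could not find ([X]) or that runs from a profile tree."""
    name, image = m.group("name"), m.group("image")
    out: List[Finding] = []
    if m.group("meta") == "X":
        out.append(Finding("high", "service-image-missing", f"{name}: {image}"))
    if USER_WRITABLE.match(image):
        out.append(Finding("medium", "service-user-writable-path", f"{name}: {image}"))
    return out


def triage(text: str) -> List[Finding]:
    """Walk an FRST log and return the entries worth a helper's attention."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := GP_RESTRICT.match(line)):
            findings.append(Finding("high", "av-blocked-by-policy", m.group("path")))
        elif (m := CLSID_HIJACK.search(line)):
            findings.append(Finding("high", "clsid-hijack", f"{m.group('dll')} -> {m.group('target')}"))
        elif (m := RUN_ENTRY.search(line)):
            f = check_run(m.group("name"), m.group("cmd"))
            if f:
                findings.append(f)
        elif (m := SERVICE.match(line)):
            findings.extend(check_service(m))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category so the most common problem class stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"{f.severity:6} {f.category:32} {f.detail}")
    print(summarize(triage(SAMPLE_FRST)))
```

The signed Google Update value under AppData and the MBAMService entry pass untouched, which is the point of checking the publisher suffix rather than the path alone.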

#3 vatos

vatos
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:02:37 AM

Posted 14 March 2014 - 05:57 AM

Hello Georgi,

thanks for your fast reply. My credit institution blocked my online-banking account, because they said that my personal information was found on phishing sites. Also my computer is working slower and I can't open Anti Virus programs, because of the Trojan. It says "This program is blocked by group policy". Never had this problem either. I had many viruses before, but never such a big virus, that even my credit institution contacts me. It's a big trojan I think.

I hope you can help me. Here is the FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01
Ran by Siyar (administrator) on SIYAR-PC on 14-03-2014 11:49:53
Running from C:\Users\Siyar\Desktop
Windows 7 Ultimate (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgcsrvx.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\RaMaint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgemcx.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\tv_w32.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
() C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
(FreeDownloadManager.ORG) C:\Program Files\Free Download Manager\fdm.exe
(TrueCrypt Foundation) C:\Program Files\TrueCrypt\TrueCrypt.exe
(Akamai Technologies, Inc.) C:\Users\Siyar\AppData\Local\Akamai\netsession_win.exe
(Autodesk, Inc.) C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE
(Akamai Technologies, Inc.) C:\Users\Siyar\AppData\Local\Akamai\netsession_win.exe
() C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Windows\ehome\ehRecvr.exe
(The Pidgin developer community) C:\Program Files\Pidgin\pidgin.exe
( ) C:\Program Files\Miranda IM\miranda32.exe
() C:\Program Files\Vidalia Bundle\Tor\tor.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [GrooveMonitor] - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2013\avgui.exe [4411952 2013-11-20] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [LogMeIn GUI] - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2013-04-30] (LogMeIn, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [DivXMediaServer] - C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Avira <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\BitDefender <====== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\.DEFAULT\...\Run: [Autodesk Sync] - C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [894344 2013-02-05] (Autodesk, Inc.)
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Run: [Vidalia] - C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe [5402115 2011-08-28] ()
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Run: [Google Update] - C:\Users\Siyar\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-02-23] (Google Inc.)
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Run: [Overwolf] - C:\Program Files\Overwolf\Overwolf.exe [37632 2014-02-16] (Overwolf LTD)
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Run: [Free Download Manager] - C:\Program Files\Free Download Manager\fdm.exe [6860288 2013-01-16] (FreeDownloadManager.ORG)
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Run: [TrueCrypt] - C:\Program Files\TrueCrypt\TrueCrypt.exe [1516496 2012-12-22] (TrueCrypt Foundation)
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Run: [AVG-Secure-Search-Update_0913b] - C:\Users\Siyar\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 477528af873947d1976ed154d4c7221c-ace776aea56d0a0deac3e8203236c80400a0cf40 --CMPID 0913b
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Run: [Akamai NetSession Interface] - C:\Users\Siyar\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-05] (Akamai Technologies, Inc.)
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Run: [Autodesk Sync] - C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [894344 2013-02-05] (Autodesk, Inc.)
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Run: [boxfnzqy] - regsvr32.exe "C:\ProgramData\boxfnzqy.dat"
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Policies\Explorer: []
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\Policies\Explorer: [RestrictRun] 0
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\MountPoints2: I - I:\setup.exe
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...\MountPoints2: {1a88ba53-9dbf-11e1-83fa-001d9223cbef} - J:\setup.exe
HKU\S-1-5-21-4022737933-1016067012-279495612-1001\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-4022737933-1016067012-279495612-1001\$9b3a7a6b84eebe59b823cca26da5f27f\n. ATTENTION! ====> ZeroAccess?
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe (No File)
Startup: C:\Users\Siyar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVH.EXE (Microsoft Corporation)
Startup: C:\Users\Siyar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xlfjwlc4fr.lnk
ShortcutTarget: xlfjwlc4fr.lnk -> C:\PROGRA~2\rf4clwjflx.cpp (No File)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x0C643EEEC1F1CB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dnldmsd&cd=2XzuyEtN2Y1L1QzutDtD0F0FyCyC0F0AtCyDtC0FyDtByBtBtN0D0Tzu0CyDyDtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=1434676450&ir=
URLSearchHook: HKLM - Default Value = {855F3B16-6D32-4fe6-8A56-BBB695989046}
URLSearchHook: HKCU - (No Name) - {5786d022-540e-4699-b350-b4be0ae94b79} -  No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {4B4E8226-81C1-6534-98EF-078186BD21DA} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldmsd&cd=2XzuyEtN2Y1L1QzutDtD0F0FyCyC0F0AtCyDtC0FyDtByBtBtN0D0Tzu0CyDyDtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=1434676450&ir=
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldmsd&cd=2XzuyEtN2Y1L1QzutDtD0F0FyCyC0F0AtCyDtC0FyDtByBtBtN0D0Tzu0CyDyDtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=1434676450&ir=
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldmsd&cd=2XzuyEtN2Y1L1QzutDtD0F0FyCyC0F0AtCyDtC0FyDtByBtBtN0D0Tzu0CyDyDtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=1434676450&ir=
SearchScopes: HKCU - {9CBD6169-34D5-4320-B868-96A95CCA7701} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2481020
SearchScopes: HKCU - {BE217F0E-5D4C-4829-A52B-70780578596B} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}&locale=&apn_ptnrs=^AGS&apn_dtid=^YYYYYY^YY^DE&apn_uid=50b5a682-ef32-4364-b443-656e7e3ac05d&apn_sauid=5BF9C71F-BD64-4111-918B-70265C225ABA
SearchScopes: HKCU - {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = http://go.mail.ru/search?q={searchTerms}&utf8in=1&fr=ietb
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll (FreeDownloadManager.ORG)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {5786D022-540E-4699-B350-B4BE0AE94B79} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL No File
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Chrome:
=======
CHR HomePage: hxxp://start.mysearchdial.com/?f=1&a=dnldmsd&cd=2XzuyEtN2Y1L1QzutDtD0F0FyCyC0F0AtCyDtC0FyDtByBtBtN0D0Tzu0CyDyDtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=1434676450&ir=
CHR DefaultSearchKeyword: mysearchdial.com
CHR DefaultSearchProvider: Mysearchdial
CHR DefaultSearchURL: http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldmsd&cd=2XzuyEtN2Y1L1QzutDtD0F0FyCyC0F0AtCyDtC0FyDtByBtBtN0D0Tzu0CyDyDtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=1434676450&ir=
CHR DefaultNewTabURL:
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Siyar\AppData\Local\Google\Chrome\Application\33.0.1750.146\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Siyar\AppData\Local\Google\Chrome\Application\33.0.1750.146\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Siyar\AppData\Local\Google\Chrome\Application\33.0.1750.146\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Google Update) - C:\Users\Siyar\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll No File
CHR Extension: (Google Wallet) - C:\Users\Siyar\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-21]
CHR Extension: (MySearchDial) - C:\Users\Siyar\AppData\Local\Google\Chrome\User Data\Default\Extensions\pflphaooapbgpeakohlggbpidpppgdff [2013-07-06]
CHR HKLM\...\Chrome\Extension: [aaaaabfjnbeinlpljodiajipidiompfl] - C:\Users\Siyar\AppData\Local\APN\GoogleCRXs\aaaaabfjnbeinlpljodiajipidiompfl_7.15.26.0.crx [2013-07-06]
CHR HKLM\...\Chrome\Extension: [fkjoiggkbepedjmjjbhhecjiimlckcga] - C:\Users\Siyar\AppData\Local\CRE\fkjoiggkbepedjmjjbhhecjiimlckcga.crx [2012-04-16]
CHR HKLM\...\Chrome\Extension: [pflphaooapbgpeakohlggbpidpppgdff] - C:\Users\Siyar\AppData\Local\mysearchdial_speedial_v9.0.2.crx [2013-07-06]
CHR HKCU\...\Chrome\Extension: [fkjoiggkbepedjmjjbhhecjiimlckcga] - C:\Users\Siyar\AppData\Local\CRE\fkjoiggkbepedjmjjbhhecjiimlckcga.crx [2012-04-16]
CHR HKCU\...\Chrome\Extension: [pflphaooapbgpeakohlggbpidpppgdff] - C:\Users\Siyar\AppData\Local\mysearchdial_speedial_v9.0.2.crx [2013-07-06]
CHR StartMenuInternet: Google Chrome - C:\Users\Siyar\AppData\Local\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

S3 Autodesk Content Service; C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe [12288 2012-12-13] (Autodesk, Inc.)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
S3 FlexNet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1064312 2014-03-03] (Flexera Software LLC)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [36352 2009-12-12] ()
S3 OverwolfUpdaterService; C:\Program Files\Overwolf\OverwolfUpdater.exe [98560 2014-02-16] (Overwolf LTD)
S3 xsherlock; C:\Windows\system32\xsherlock.xem [675936 2012-08-13] (Wellbia.com Co., Ltd.)
S2 Winmgmt; C:\Users\Siyar\wgsdgsdgdsgsd.exe [X]

==================== Drivers (Whitelisted) ====================

R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [171320 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [246072 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-07-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-03-21] (AVG Technologies CZ, s.r.o.)
S4 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [36640 2010-09-06] ()
R3 kbdcap; C:\Windows\system32\Drivers\kbdcap.sys [109440 2013-06-23] ()
S3 LGBusEnum; C:\Windows\System32\drivers\LGBusEnum.sys [19720 2009-11-24] (Logitech Inc.)
S3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [42480 2013-01-17] (Logitech Inc.)
S3 LGVirHid; C:\Windows\System32\drivers\LGVirHid.sys [14856 2009-11-24] (Logitech Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [734208 2009-05-25] (Ralink Technology Corp.)
R3 Ph3xIB32; C:\Windows\System32\DRIVERS\Ph3xIB32.sys [1311232 2009-07-13] (NXP Semiconductors)
S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [15576 2012-08-20] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [10200 2012-08-20] ()
S3 rzendpt; C:\Windows\System32\DRIVERS\rzendpt.sys [26752 2013-06-07] (Razer Inc)
S3 rzudd; C:\Windows\System32\DRIVERS\rzudd.sys [105600 2013-06-07] (Razer Inc)
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [26624 2011-12-15] (The OpenVPN Project)
R3 XUIF; C:\Windows\System32\Drivers\x10ufx2.sys [27416 2006-11-30] (X10 Wireless Technology, Inc.)
S3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [X]
R3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S4 LMIRfsClientNP; No ImagePath
S3 vtany; \??\C:\Windows\vtany.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
U3 mbr; \??\C:\Users\Siyar\AppData\Local\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-03-14 11:49 - 2014-03-14 11:50 - 00019932 _____ () C:\Users\Siyar\Desktop\FRST.txt
2014-03-14 11:49 - 2014-03-14 11:49 - 01145856 _____ (Farbar) C:\Users\Siyar\Desktop\FRST.exe
2014-03-14 11:27 - 2014-03-14 11:27 - 00008655 _____ () C:\Users\Siyar\Desktop\attach.txt
2014-03-14 11:27 - 2014-03-14 11:26 - 00012731 _____ () C:\Users\Siyar\Desktop\dds.txt
2014-03-14 11:23 - 2014-03-14 11:23 - 00688992 ____R (Swearware) C:\Users\Siyar\Desktop\dds.com
2014-03-13 22:08 - 2014-03-13 22:09 - 00000986 __RSH () C:\Users\Siyar\ntuser.pol
2014-03-13 17:06 - 2014-03-13 17:06 - 00001071 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-13 17:05 - 2014-03-13 17:05 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Siyar\Downloads\mbam-setup-1.75.0.1300 (1).exe
2014-03-13 17:04 - 2014-03-13 17:05 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Siyar\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-12 17:42 - 2014-03-12 18:00 - 633428752 _____ (Avira GmbH) C:\Users\Siyar\Desktop\rescue-system.exe
2014-03-11 21:01 - 2014-03-11 21:03 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Heus
2014-03-11 21:01 - 2014-03-11 21:03 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Ahnie
2014-03-07 10:30 - 2014-03-07 10:30 - 00122361 _____ () C:\Users\Siyar\Downloads\Zeichnung11.dwg
2014-03-05 20:02 - 2014-03-05 20:11 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Icwea
2014-03-05 20:02 - 2014-03-05 20:05 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Piwo
2014-03-05 19:48 - 2014-03-07 11:41 - 00242584 _____ (Microsoft Corporation) C:\ProgramData\boxfnzqy.dat
2014-03-03 15:36 - 2014-03-10 19:02 - 00000000 ____D () C:\Users\Siyar\AppData\Local\cache
2014-03-03 15:34 - 2014-03-10 19:02 - 00071012 _____ () C:\Windows\system32\webservice4.log
2014-03-03 12:54 - 2014-03-03 12:54 - 00000000 ____D () C:\ProgramData\FLEXnet
2014-03-03 12:46 - 2014-03-03 12:46 - 00002007 _____ () C:\Users\Public\Desktop\Autodesk 360.lnk
2014-03-03 12:46 - 2014-03-03 12:46 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk
2014-03-03 12:38 - 2014-03-03 12:38 - 00000000 ____D () C:\Users\Siyar\Documents\Inventor Server SDK ACAD 2014
2014-03-03 12:33 - 2014-03-03 12:33 - 00000000 ____D () C:\Program Files\Common Files\Macrovision Shared
2014-03-03 12:32 - 2014-03-03 12:53 - 00000000 ____D () C:\Users\Siyar\AppData\Local\Autodesk
2014-03-03 12:32 - 2014-03-03 12:32 - 00002198 _____ () C:\Users\Public\Desktop\AutoCAD Mechanical 2014 - Deutsch (German).lnk
2014-03-03 12:26 - 2014-03-03 12:26 - 00000000 ____D () C:\Users\Public\Documents\Autodesk
2014-03-03 12:09 - 2014-03-03 12:45 - 00000000 ____D () C:\Program Files\Autodesk
2014-03-03 12:06 - 2014-03-03 12:37 - 00000000 ____D () C:\Program Files\Common Files\Autodesk Shared
2014-03-03 11:52 - 2014-03-03 11:52 - 11588336 _____ () C:\Users\Siyar\Desktop\AutoCAD_Mechanical_2014_German_Win_32_64bit_wi_de-DE_Setup.exe
2014-03-03 11:50 - 2010-06-02 04:55 - 00527192 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2014-03-03 11:50 - 2010-06-02 04:55 - 00239960 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_7.dll
2014-03-03 11:50 - 2010-06-02 04:55 - 00074072 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2014-03-03 11:50 - 2006-03-31 12:40 - 02388176 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_30.dll
2014-03-03 11:50 - 2006-03-31 12:39 - 00229584 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_1.dll
2014-03-03 11:50 - 2006-03-31 12:39 - 00062672 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_1.dll
2014-03-03 11:50 - 2006-02-03 08:41 - 00014032 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_0.dll
2014-03-03 11:49 - 2014-03-03 11:49 - 21388183 _____ () C:\Users\Siyar\Desktop\CAD-Teil1.mp4
2014-03-03 11:37 - 2014-03-03 15:36 - 00000000 ____D () C:\ProgramData\Autodesk
2014-03-03 11:37 - 2014-03-03 15:34 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Autodesk
2014-03-03 11:33 - 2014-03-03 11:53 - 00000000 ____D () C:\Autodesk
2014-03-03 11:33 - 2014-03-03 11:34 - 00000000 ____D () C:\Users\Siyar\AppData\Local\Akamai
2014-02-26 17:32 - 2014-02-26 17:32 - 00000000 ____D () C:\Users\Siyar\AppData\Local\Avg2014
2014-02-25 21:15 - 2014-02-25 21:15 - 00781808 _____ (Google Inc.) C:\Users\Siyar\Desktop\GoogleToolbar75Setup.exe
2014-02-19 20:24 - 2014-02-26 23:49 - 95027928 ____T () C:\ProgramData\xlfjwlc4fr.fee
2014-02-19 11:27 - 2014-02-19 11:27 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-02-19 11:26 - 2014-02-19 11:27 - 00000000 ____D () C:\Program Files\Common Files\Overwolf
2014-02-16 18:37 - 2014-02-16 18:37 - 00001050 _____ () C:\Users\Siyar\Desktop\TrueCrypt (2).lnk
2014-02-15 17:51 - 2014-02-15 17:51 - 00000926 _____ () C:\Users\Siyar\Desktop\pidgin-2.10.8.exe - Shortcut.lnk
2014-02-15 11:23 - 2014-02-15 11:23 - 00000017 _____ () C:\Windows\system32\shortcut_ex.dat

==================== One Month Modified Files and Folders =======

2014-03-14 11:50 - 2014-03-14 11:49 - 00019932 _____ () C:\Users\Siyar\Desktop\FRST.txt
2014-03-14 11:49 - 2014-03-14 11:49 - 01145856 _____ (Farbar) C:\Users\Siyar\Desktop\FRST.exe
2014-03-14 11:49 - 2013-06-30 11:35 - 00000000 ____D () C:\FRST
2014-03-14 11:36 - 2011-09-06 11:06 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Tor
2014-03-14 11:27 - 2014-03-14 11:27 - 00008655 _____ () C:\Users\Siyar\Desktop\attach.txt
2014-03-14 11:26 - 2014-03-14 11:27 - 00012731 _____ () C:\Users\Siyar\Desktop\dds.txt
2014-03-14 11:23 - 2014-03-14 11:23 - 00688992 ____R (Swearware) C:\Users\Siyar\Desktop\dds.com
2014-03-14 11:15 - 2011-04-03 00:54 - 01603697 _____ () C:\Windows\WindowsUpdate.log
2014-03-14 11:11 - 2013-07-06 16:11 - 00000292 _____ () C:\Windows\Tasks\MySearchDial.job
2014-03-14 11:07 - 2012-07-15 20:41 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-14 10:52 - 2012-07-14 08:45 - 00001120 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4022737933-1016067012-279495612-1001UA.job
2014-03-14 10:51 - 2009-07-14 05:34 - 00014224 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-14 10:51 - 2009-07-14 05:34 - 00014224 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-14 09:17 - 2011-06-07 18:20 - 00000000 ____D () C:\ProgramData\MFAData
2014-03-14 08:58 - 2014-01-31 18:42 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\.purple
2014-03-13 22:09 - 2014-03-13 22:08 - 00000986 __RSH () C:\Users\Siyar\ntuser.pol
2014-03-13 22:09 - 2011-04-03 06:39 - 00000000 ____D () C:\Users\Siyar
2014-03-13 17:06 - 2014-03-13 17:06 - 00001071 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-13 17:06 - 2012-02-24 00:26 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-03-13 17:05 - 2014-03-13 17:05 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Siyar\Downloads\mbam-setup-1.75.0.1300 (1).exe
2014-03-13 17:05 - 2014-03-13 17:04 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Siyar\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-13 15:52 - 2012-07-14 08:45 - 00001068 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4022737933-1016067012-279495612-1001Core.job
2014-03-13 03:04 - 2012-02-19 12:16 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-03-13 03:02 - 2011-04-03 07:14 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-12 18:05 - 2009-07-14 03:37 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-03-12 18:00 - 2014-03-12 17:42 - 633428752 _____ (Avira GmbH) C:\Users\Siyar\Desktop\rescue-system.exe
2014-03-11 22:26 - 2011-04-03 06:50 - 00000000 ____D () C:\Program Files\Google
2014-03-11 21:37 - 2012-01-27 20:59 - 00000000 ____D () C:\Program Files\CarChecker Autosuche
2014-03-11 21:37 - 2011-04-03 06:50 - 00000000 ____D () C:\Users\Siyar\AppData\Local\Google
2014-03-11 21:35 - 2014-01-08 00:55 - 00000000 ____D () C:\Program Files\CyberGhost 5
2014-03-11 21:04 - 2014-01-20 11:05 - 00000000 ____D () C:\Program Files\TAP-Windows
2014-03-11 21:04 - 2013-06-03 22:22 - 00000350 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2014-03-11 21:04 - 2012-07-21 19:12 - 00000000 ____D () C:\Users\Siyar\AppData\Local\Overwolf
2014-03-11 21:03 - 2014-03-11 21:01 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Heus
2014-03-11 21:03 - 2014-03-11 21:01 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Ahnie
2014-03-11 21:03 - 2011-06-05 14:28 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\SoftGrid Client
2014-03-11 20:51 - 2012-11-18 01:50 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-03-11 20:51 - 2011-04-03 07:38 - 24053566 _____ () C:\Windows\PFRO.log
2014-03-11 20:51 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-11 20:51 - 2009-07-14 05:39 - 00120313 _____ () C:\Windows\setupact.log
2014-03-11 20:07 - 2012-03-31 15:53 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-03-11 20:07 - 2011-11-30 22:48 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-03-10 19:02 - 2014-03-03 15:36 - 00000000 ____D () C:\Users\Siyar\AppData\Local\cache
2014-03-10 19:02 - 2014-03-03 15:34 - 00071012 _____ () C:\Windows\system32\webservice4.log
2014-03-07 11:41 - 2014-03-05 19:48 - 00242584 _____ (Microsoft Corporation) C:\ProgramData\boxfnzqy.dat
2014-03-07 10:30 - 2014-03-07 10:30 - 00122361 _____ () C:\Users\Siyar\Downloads\Zeichnung11.dwg
2014-03-06 09:49 - 2011-09-06 11:11 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Vidalia
2014-03-05 20:11 - 2014-03-05 20:02 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Icwea
2014-03-05 20:05 - 2014-03-05 20:02 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Piwo
2014-03-04 11:56 - 2012-02-23 23:00 - 00002360 _____ () C:\Users\Siyar\Desktop\Google Chrome.lnk
2014-03-03 15:36 - 2014-03-03 11:37 - 00000000 ____D () C:\ProgramData\Autodesk
2014-03-03 15:34 - 2014-03-03 11:37 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Autodesk
2014-03-03 15:19 - 2012-03-31 01:44 - 00519200 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-03 12:54 - 2014-03-03 12:54 - 00000000 ____D () C:\ProgramData\FLEXnet
2014-03-03 12:53 - 2014-03-03 12:32 - 00000000 ____D () C:\Users\Siyar\AppData\Local\Autodesk
2014-03-03 12:53 - 2011-04-03 06:45 - 00146976 _____ () C:\Users\Siyar\AppData\Local\GDIPFONTCACHEV1.DAT
2014-03-03 12:46 - 2014-03-03 12:46 - 00002007 _____ () C:\Users\Public\Desktop\Autodesk 360.lnk
2014-03-03 12:46 - 2014-03-03 12:46 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk
2014-03-03 12:45 - 2014-03-03 12:09 - 00000000 ____D () C:\Program Files\Autodesk
2014-03-03 12:38 - 2014-03-03 12:38 - 00000000 ____D () C:\Users\Siyar\Documents\Inventor Server SDK ACAD 2014
2014-03-03 12:37 - 2014-03-03 12:06 - 00000000 ____D () C:\Program Files\Common Files\Autodesk Shared
2014-03-03 12:34 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-03-03 12:33 - 2014-03-03 12:33 - 00000000 ____D () C:\Program Files\Common Files\Macrovision Shared
2014-03-03 12:32 - 2014-03-03 12:32 - 00002198 _____ () C:\Users\Public\Desktop\AutoCAD Mechanical 2014 - Deutsch (German).lnk
2014-03-03 12:26 - 2014-03-03 12:26 - 00000000 ____D () C:\Users\Public\Documents\Autodesk
2014-03-03 11:53 - 2014-03-03 11:33 - 00000000 ____D () C:\Autodesk
2014-03-03 11:52 - 2014-03-03 11:52 - 11588336 _____ () C:\Users\Siyar\Desktop\AutoCAD_Mechanical_2014_German_Win_32_64bit_wi_de-DE_Setup.exe
2014-03-03 11:49 - 2014-03-03 11:49 - 21388183 _____ () C:\Users\Siyar\Desktop\CAD-Teil1.mp4
2014-03-03 11:34 - 2014-03-03 11:33 - 00000000 ____D () C:\Users\Siyar\AppData\Local\Akamai
2014-03-01 20:00 - 2012-11-16 23:47 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Free Download Manager
2014-02-26 23:49 - 2014-02-19 20:24 - 95027928 ____T () C:\ProgramData\xlfjwlc4fr.fee
2014-02-26 17:32 - 2014-02-26 17:32 - 00000000 ____D () C:\Users\Siyar\AppData\Local\Avg2014
2014-02-25 21:15 - 2014-02-25 21:15 - 00781808 _____ (Google Inc.) C:\Users\Siyar\Desktop\GoogleToolbar75Setup.exe
2014-02-25 14:44 - 2014-01-31 18:56 - 00000000 ____D () C:\Users\Siyar\Desktop\kal
2014-02-20 12:06 - 2012-07-21 19:13 - 00000000 ____D () C:\Program Files\Overwolf
2014-02-19 11:27 - 2014-02-19 11:27 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-02-19 11:27 - 2014-02-19 11:26 - 00000000 ____D () C:\Program Files\Common Files\Overwolf
2014-02-17 18:43 - 2009-07-14 05:53 - 00032608 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-02-16 18:37 - 2014-02-16 18:37 - 00001050 _____ () C:\Users\Siyar\Desktop\TrueCrypt (2).lnk
2014-02-15 17:51 - 2014-02-15 17:51 - 00000926 _____ () C:\Users\Siyar\Desktop\pidgin-2.10.8.exe - Shortcut.lnk
2014-02-15 11:23 - 2014-02-15 11:23 - 00000017 _____ () C:\Windows\system32\shortcut_ex.dat
2014-02-14 15:11 - 2013-09-23 11:11 - 00000171 _____ () C:\Users\Siyar\AppData\Roaming\WB.CFG
2014-02-13 23:06 - 2013-08-15 22:42 - 00000000 ____D () C:\Windows\system32\MRT
2014-02-13 22:59 - 2011-04-24 21:58 - 85946576 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4022737933-1016067012-279495612-1001\$9b3a7a6b84eebe59b823cca26da5f27f

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$9b3a7a6b84eebe59b823cca26da5f27f

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4022737933-1016067012-279495612-501\$9b3a7a6b84eebe59b823cca26da5f27f

Files to move or delete:
====================
C:\Users\Administrator\AppData\Roaming\skype.ini
C:\ProgramData\boxfnzqy.dat
C:\ProgramData\xlfjwlc4fr.fee
C:\Users\Guest\teamviewer.exe

Some content of TEMP:
====================
C:\Users\Siyar\AppData\Local\Temp\AcDeltree.exe
C:\Users\Siyar\AppData\Local\Temp\AskSLib.dll
C:\Users\Siyar\AppData\Local\Temp\bundlesweetimsetup.exe
C:\Users\Siyar\AppData\Local\Temp\IcqUpdater.exe
C:\Users\Siyar\AppData\Local\Temp\ICReinstall_Setup.exe
C:\Users\Siyar\AppData\Local\Temp\jre.exe
C:\Users\Siyar\AppData\Local\Temp\LMkRstPt.exe
C:\Users\Siyar\AppData\Local\Temp\NGMDll.dll
C:\Users\Siyar\AppData\Local\Temp\NGMResource.dll
C:\Users\Siyar\AppData\Local\Temp\oek.dll
C:\Users\Siyar\AppData\Local\Temp\oi_{7611422E-E9E3-49DE-AD53-D54C80771B91}.exe
C:\Users\Siyar\AppData\Local\Temp\rgcncggb.dll
C:\Users\Siyar\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Siyar\AppData\Local\Temp\tbAsha.dll
C:\Users\Siyar\AppData\Local\Temp\unicows.dll
C:\Users\Siyar\AppData\Local\Temp\vxp8d2e-.dll
C:\Users\Siyar\AppData\Local\Temp\wlsetup-cvr.exe
C:\Users\Siyar\AppData\Local\Temp\_unps.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-03-10 00:05

==================== End Of Log ============================

Attached Files
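Triage helper for the "Services", "Drivers" and "ZeroAccess:" lines in an FRST log like the one posted above. This is an added example, not part of the thread or of the FRST tool; the flag names and the svchost-hosted list are this example's own, and the sample lines are copied from the log above.

```python
"""FRST service/driver triage (added example, not FRST's own code).

Parses the line shape FRST prints in its "Services" and "Drivers" sections and
flags the traits a responder looks for in the log above: a system service
pointing into a user profile, a binary that is no longer on disk ([X]), an
entry with no image path, and the folders FRST lists under "ZeroAccess:".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes FRST prints, e.g.
#   R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
#   S2 Winmgmt; C:\Users\Siyar\wgsdgsdgdsgsd.exe [X]
#   S4 LMIRfsClientNP; No ImagePath
ENTRY_RE = re.compile(r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
DETAIL_RE = re.compile(
    r"^(?P<path>.*?)\s*\[(?P<meta>X|\d+\s+\d{4}-\d{2}-\d{2})\]\s*(?:\((?P<company>[^)]*)\))?\s*$"
)
# The folder FRST attributes to ZeroAccess follows a bare "ZeroAccess:" line.
ZA_PATH_RE = re.compile(r"^C:\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}$")

# Services Windows hosts inside svchost.exe; Winmgmt (WMI) is one of them, so an
# ImagePath that is not svchost.exe is a hijack indicator (list is this example's).
SVCHOST_HOSTED = {"winmgmt"}


@dataclass
class Entry:
    state: str
    name: str
    path: Optional[str]        # None when FRST printed "No ImagePath"
    missing_file: bool         # True when FRST printed [X]
    company: Optional[str]     # None when the () field was empty


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one service or driver line; return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    state, name, rest = m.group("state"), m.group("name").strip(), m.group("rest")
    if rest == "No ImagePath":
        return Entry(state, name, None, False, None)
    d = DETAIL_RE.match(rest)
    if not d:
        return None
    company = d.group("company") or None
    return Entry(state, name, d.group("path").strip(), d.group("meta") == "X", company)


def triage(entry: Entry) -> List[str]:
    """Return the reasons this entry deserves a closer look (empty = nothing odd)."""
    flags: List[str] = []
    if entry.path is None:
        return ["no image path"]
    path = entry.path.lower().lstrip("\\?")  # drop the \??\ NT object prefix
    if path.startswith("c:\\users\\"):
        flags.append("image under user profile")
    if entry.missing_file:
        flags.append("binary missing on disk")
    elif entry.company is None:
        flags.append("no publisher recorded")
    if entry.name.lower() in SVCHOST_HOSTED and "svchost.exe" not in path:
        flags.append("svchost-hosted system service pointed elsewhere")
    return flags


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged service/driver name to its flags, in log order."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        flags = triage(entry)
        if flags:
            report[entry.name] = flags
    return report


def zeroaccess_markers(text: str) -> List[str]:
    """Collect the paths FRST lists under its "ZeroAccess:" headings."""
    found, lines = [], text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.strip() == "ZeroAccess:" and ZA_PATH_RE.match(lines[i + 1].strip()):
            found.append(lines[i + 1].strip())
    return found


# Sample input: lines copied from the FRST log posted above.
SAMPLE_LOG = r"""
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
S3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [36352 2009-12-12] ()
S2 Winmgmt; C:\Users\Siyar\wgsdgsdgdsgsd.exe [X]
S4 LMIRfsClientNP; No ImagePath
S3 vtany; \??\C:\Windows\vtany.sys [X]

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$9b3a7a6b84eebe59b823cca26da5f27f
"""

if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
    for marker in zeroaccess_markers(SAMPLE_LOG):
        print("ZeroAccess folder:", marker)
```

Run against the full log, the Winmgmt line is the one that combines all three service flags, which is exactly the entry the Winmgmt.reg step in the reply below is there to repair.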



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,310 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:37 AM

Posted 14 March 2014 - 06:28 AM

Hello,


IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

 

 

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do the following:

 

 

 

STEP 1

 

 

Click on Start > type in appwiz.cpl in the search box and press Enter
Select Mysearchdial > press Uninstall
 

 

 

STEP 2

 

 

 

Now please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

STEP 3

 

 

Backup Your Registry
 

 

Now download the following files and save them to your desktop:

 

Winmgmt.reg

 

Now double click on it. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

 

Reboot the computer in order for the changes to take effect.

 

 

 

STEP 4

 

 

Please re-run FRST and make sure that Addition.txt is ticked as well.

Run a new scan and attach both logs to your next reply.

 

 

 

Regards,

Georgi




#5 vatos

vatos
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 14 March 2014 - 07:02 AM

I can't execute Tweaking. I can install it, but it doesn't let me open the program. I double click it, but nothing happens. Should I skip it?

never mind, it worked.


Edited by vatos, 14 March 2014 - 07:05 AM.


#6 vatos

vatos
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 14 March 2014 - 07:25 AM

I attached FRST.txt, Addition.txt and Fixlog.txt to the attachment. I couldn't copy-paste one of them because the post was too long.

Attached Files



#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,310 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:37 AM

Posted 14 March 2014 - 07:51 AM

Hello,

 

 

Great work...we have an improvement:

 

 

Now please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

Regards,

Georgi




#8 vatos

vatos
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 14 March 2014 - 10:02 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014  01
Ran by Siyar at 2014-03-14 16:01:34 Run:2
Running from C:\Users\Siyar\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
2014-03-11 21:01 - 2014-03-11 21:03 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Heus
2014-03-11 21:01 - 2014-03-11 21:03 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Ahnie
2014-03-05 20:02 - 2014-03-05 20:11 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Icwea
2014-03-05 20:02 - 2014-03-05 20:05 - 00000000 ____D () C:\Users\Siyar\AppData\Roaming\Piwo
2014-03-14 12:44 - 2012-04-17 22:59 - 00000000 ____D () C:\Users\Siyar\AppData\Local\CRE
C:\$Recycle.Bin\S-1-5-21-4022737933-1016067012-279495612-501\$9b3a7a6b84eebe59b823cca26da5f27f
cmd: netsh winsock reset
cmd: ipconfig /flushdns
end
*****************

C:\Users\Siyar\AppData\Roaming\Heus => Moved successfully.
C:\Users\Siyar\AppData\Roaming\Ahnie => Moved successfully.
C:\Users\Siyar\AppData\Roaming\Icwea => Moved successfully.
C:\Users\Siyar\AppData\Roaming\Piwo => Moved successfully.
C:\Users\Siyar\AppData\Local\CRE => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-4022737933-1016067012-279495612-1001\$9b3a7a6b84eebe59b823cca26da5f27f => Deleted successfully.

=========  netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

==== End of Fixlog ====



#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,310 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:37 AM

Posted 14 March 2014 - 10:25 AM

I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

 

 

STEP 1

 

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 2
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3

 

 

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation on this tool can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit (mbar) folder.

 

 

STEP 4

 

 

1. Please download HitmanPro

  • For 32-bit Operating System
  • For 64-bit Operating System

2. Launch the program by double clicking on the HitmanPro icon.

Note: If the program won't run, then please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the next button. You must agree with the terms of EULA. (if asked)

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 5-10 minutes.

7. When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

Navigate to C:\Documents and Settings\All Users\Application Data\HitmanPro\Logs (for Windows XP) or to C:\ProgramData\HitmanPro\Logs (for Windows Vista/7) open the report and copy and paste it to your next reply.

 

 

 

Regards,

Georgi




#10 vatos

vatos
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 14 March 2014 - 04:00 PM

1) RKreport: http://pastebin.com/yq52mxTg

2) tdsskiller done, 0 threats found. Report:  http://pastebin.com/xSbv03zA

3) I could not execute "Malware Anti-Rootkit", because I get a blue screen when I click scan and the computer restarts. I'm using "Malwarebytes Anti Malware" now, but I do not get logs there. I can just delete the threats.

Just wanted to let you know, the scan has been running for 3 hours and still not finished. Maybe meanwhile you can tell me the solution of that bluescreen or just confirm that "Malwarebytes Anti Malware" is also ok.

 

4) I will do that after the scan is finished.


Edited by vatos, 14 March 2014 - 04:01 PM.


#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,310 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:37 AM

Posted 14 March 2014 - 04:18 PM

Hello,

 

3) I could not execute" Malware anti rootkit", because I get a blue screen when I click scan and the computer restarts

 

Please go ahead and zip the files from directory C:\Windows\Minidump

 

Upload the archive here and then post the link to the log in your next reply.

 

I'm using "Malwarebytes Anti Malware" now, but I do not get logs there. I can just delete the threats.

 

MBAM usually creates a log file when the scan is done...

 

Just wanted to let you know, the scan has been running for 3 hours and still not finished

 

You probably chose Full scan instead of Quick scan?

 

Maybe meanwhile you can tell me the solution of that bluescreen or just confirm that "Malwarebytes Anti Malware" is also ok.

 

MBAM is ok too, but with limited detection because of missing anti-rootkit abilities.

 

 

Regards,

Georgi




#12 vatos

vatos
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 15 March 2014 - 02:48 AM

3) What do you mean with zipping? It's a normal "mbrar" folder from Malwarebytes Anti Rootkit. I can't zip it. I installed it, then clicked on update. When the update was done I clicked on "scan" and a few seconds later I got a bluescreen.

I made a 4 hours scan with MBAM and deleted all 16 threats. The log is gone somehow.

This is the hitman log: http://www.filedropper.com/showdownload.php/hitmanpro201403150839



#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,310 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:37 AM

Posted 15 March 2014 - 03:10 AM

Hi,

You misunderstood my instructions... Open the following directory C:\Windows\Minidump and zip the files located in that folder (if any)...

As for MBAM, please open MBAM again and click on the logs tab.

By selecting a log and clicking on 'Open' or double clicking on a log you can open it. Please open the latest log file (if any) and post the content in your next reply.

 

 

Regards,

Georgi




#14 vatos

vatos
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 15 March 2014 - 11:48 AM

The zip did not work somehow, but I uploaded the unzipped file. I hope you can open it somehow.

Link: http://www.filedropper.com/showdownload.php/031414-44226-01

 

Here is the MBAM log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.14.04

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
Siyar :: SIYAR-PC [administrator]

14.03.2014 21:45:26
mbam-log-2014-03-14 (21-45-26).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|H:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1128369
Time elapsed: 4 hour(s), 43 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8} (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
HKCU\Software\mysearchdial (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
HKCU\Software\InstallCore\mysearchdial (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\InstallCore\mysearchdial (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 7
C:\Users\Siyar\AppData\Roaming\mysearchdial (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Roaming\mysearchdial\icons_2.2.4.731 (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Roaming\mysearchdial\UpdateProc (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Local\Temp\ct2481020 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Local\Temp\ct3288691 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Local\Temp\ct3297265 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Local\Temp\ct3297861 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 16
C:\FRST\Quarantine\C\Users\Siyar\AppData\Local\Temp\bundlesweetimsetup.exe.xBAD (PUP.Optional.SweetIM) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\C\Users\Siyar\AppData\Local\Temp\oek.dll.xBAD (Trojan.Ransom.ED) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\C\Users\Siyar\AppData\Local\Temp\ct2481020\ieLogic.exe.xBAD (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Kal3\dbghelp.dll (Malware.Gen) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001950 (Trojan.ELEX) -> Quarantined and deleted successfully.
C:\Windows.old\Users\Siyar Karaman\AppData\Local\Babylon\Setup\MyBabylonTB.exe (PUP.Optional.BabylonToolBar.A) -> Quarantined and deleted successfully.
C:\Windows.old\Users\Siyar Karaman\AppData\Local\Babylon\Setup\Setup-tbmntr-9.0.1.5.cab (PUP.Optional.BabylonToolBar.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pricegong.conduitapps.com_0.localstorage (PUP.Optional.Pricegong) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pricegong.conduitapps.com_0.localstorage-journal (PUP.Optional.Pricegong) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pflphaooapbgpeakohlggbpidpppgdff_0.localstorage (PUP.Optional.FunMoods.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Roaming\mysearchdial\icons_2.2.4.731\magnifying.ico (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Roaming\mysearchdial\icons_2.2.4.731\star2.ico (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Roaming\mysearchdial\UpdateProc\config.dat (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Roaming\mysearchdial\UpdateProc\info.dat (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Roaming\mysearchdial\UpdateProc\STTL.DAT (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Roaming\mysearchdial\UpdateProc\TTL.DAT (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.

(end)
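As an added example (not code from this thread or from Malwarebytes), a small Python parser for the MBAM log format posted above: it checks each section's "Detected: N" header against the entries actually listed (a truncated paste shows up as a mismatch), separates PUP/PUM noise from other detection names such as Trojan.Ransom.ED and Malware.Gen, and lists any object whose action line does not report success. SAMPLE_LOG is an excerpt trimmed from the log above.

```python
import re
# Excerpt of the MBAM 1.75 log posted above: each "<section> Detected: N"
# header is followed by N lines "<object> (<detection name>) -> <action>".
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\Software\mysearchdial (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\InstallCore\mysearchdial (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Kal3\dbghelp.dll (Malware.Gen) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\C\Users\Siyar\AppData\Local\Temp\oek.dll.xBAD (Trojan.Ransom.ED) -> Quarantined and deleted successfully.
C:\Users\Siyar\AppData\Roaming\mysearchdial\UpdateProc\config.dat (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (entries, mismatches): entries as (section, object, name, action)
    tuples, mismatches as {section: (header_count, entries_seen)} where they differ."""
    entries, mismatches = [], {}
    section, expected, seen = None, 0, 0
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:  # a new section header closes out the previous section
            if section is not None and seen != expected:
                mismatches[section] = (expected, seen)
            section, expected, seen = m["section"], int(m["count"]), 0
            continue
        m = ENTRY_RE.match(line.strip())  # filler like "(No malicious items detected)" does not match
        if m and section is not None:
            entries.append((section, m["obj"], m["name"], m["action"]))
            seen += 1
    if section is not None and seen != expected:
        mismatches[section] = (expected, seen)
    return entries, mismatches

def summarize(text):
    """What a responder wants at a glance: how much is PUP/PUM noise, which other
    detection names deserve a closer look, and which objects were not removed."""
    entries, mismatches = parse_mbam_log(text)
    names = {e[2] for e in entries if not e[2].startswith(("PUP.", "PUM."))}
    return {"total": len(entries), "non_pup": sorted(names),
            "not_removed": [e[1] for e in entries if "successfully" not in e[3]],
            "count_mismatches": mismatches}
```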



#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,310 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:37 AM

Posted 15 March 2014 - 12:32 PM

Hello,

 

Thanks for the dmp file. I sent it to the developers so they can fix it in the next release of MBAR.

 

As for MBAM, the scan took so long because you used FULL scan instead of Quick scan just as I predicted, so nothing wrong here. :)

 

Let's delete some of the entries found by HitmanPro:

 

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Also please run the following tools for me:

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 

 

Regards,

Georgi



