
Infected with Zero Access Rootkit.


This topic is locked
22 replies to this topic

#1 Williamc141

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 07 April 2014 - 12:59 PM

After running Rkill and then doing a scan with Malwarebytes I have found out I am infected with the ZeroAccess rootkit. Here is the log from DDS.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16447  BrowserJavaVersion: 10.51.2
Run by Customer at 8:29:08 on 2014-04-07
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4095.1477 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Airytec\Switch Off\swoff.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\HP Officejet 6600\Bin\ScanToPCActivationApp.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Kodak\KODAK Share Button App\Listener.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\HP\HP Officejet 6600\Bin\HPNetworkCommunicator.exe
C:\Windows\system32\vssvc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Program Files (x86)\Runtime Software\DriveImage XML\dixml.exe
C:\Windows\SoftwareDistribution\Download\Install\vstor_redist.exe
c:\5dca0ed5f0fd3f9087cceef61937\Setup.exe
C:\Windows\system32\msiexec.exe
C:\Program Files (x86)\Runtime Software\DriveImage XML\vss642008.exe
c:\5dca0ed5f0fd3f9087cceef61937\vstor40\vstor40_x64.exe
c:\a48f09327e4e8e2c34582c0831\install.exe
C:\Windows\system32\SearchFilterHost.exe
c:\Windows\system32\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=W3i_SP,204,0_0,StartPage,20131252,20029,0,85,6944
mWinlogon: Userinit = userinit.exe,
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [HP Officejet 6600 (NET)] "C:\Program Files\HP\HP Officejet 6600\Bin\ScanToPCActivationApp.exe" -deviceID "CN32R6RJHR05RN:NW" -scfn "HP Officejet 6600 (NET)" -AutoStart 1
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{A94A740D-65FE-4045-892A-2F3E279B17C3} : DHCPNameServer = 209.18.47.61 209.18.47.62
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20131252,20030,0,85,0
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-3-20 203888]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-9 123856]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-4-4 1809720]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-4-4 857912]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 98688]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-4-4 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-4-4 119512]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-4-4 63192]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2013-12-16 39200]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-12-30 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-12-30 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2011-12-30 202776]
S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2011-12-30 202776]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2011-12-30 1417240]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2011-12-30 1417240]
S3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2011-12-30 94744]
S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2011-12-30 94744]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2012-7-23 10568]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
.
=============== File Associations ===============
.
FileExt: .txt: textfile="C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2014-04-07 13:27:41    --------    d-----w-    C:\a48f09327e4e8e2c34582c0831
2014-04-07 13:27:04    --------    d-----w-    C:\5dca0ed5f0fd3f9087cceef61937
2014-04-07 13:26:22    --------    d-----w-    C:\Program Files (x86)\Runtime Software
2014-04-07 01:14:38    859648    ----a-w-    C:\Windows\System32\IKEEXT.DLL
2014-04-07 01:14:37    830464    ----a-w-    C:\Windows\System32\nshwfp.dll
2014-04-07 01:14:37    656896    ----a-w-    C:\Windows\SysWow64\nshwfp.dll
2014-04-07 01:14:37    324096    ----a-w-    C:\Windows\System32\FWPUCLNT.DLL
2014-04-07 01:14:37    216576    ----a-w-    C:\Windows\SysWow64\FWPUCLNT.DLL
2014-04-07 01:14:35    461312    ----a-w-    C:\Windows\System32\scavengeui.dll
2014-04-07 01:02:46    10521840    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{451FA786-9807-4C18-AE7D-58DA36CC10BE}\mpengine.dll
2014-04-04 18:06:34    119512    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-04-04 18:01:08    10521840    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F5ACC57E-A64C-44EB-8D3F-3DDF279D1E2B}\mpengine.dll
2014-04-04 18:00:08    88280    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-04-04 18:00:08    63192    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-04-04 18:00:08    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-04-04 18:00:08    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-04 17:56:55    2881    ----a-w-    C:\Windows\System32\drivers\etc\Sharedaccess.reg
2014-03-29 22:22:49    10521840    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-03-23 16:43:43    --------    d-----w-    C:\Users\Customer\AppData\Roaming\tor
.
==================== Find3M  ====================
.
2014-03-31 14:35:08    270496    ------w-    C:\Windows\System32\MpSigStub.exe
2014-03-12 07:18:37    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 07:18:37    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-02-18 06:31:44    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-02-18 06:23:20    108968    ----a-w-    C:\Windows\System32\WindowsAccessBridge-64.dll
2014-02-02 20:42:22    103736    ----a-w-    C:\Windows\SysWow64\PnkBstrB.exe
2014-02-02 20:42:22    103736    ----a-w-    C:\Windows\SysWow64\PnkBstrB.ex0
.
============= FINISH: 10:05:54.56 ===============
 




#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:04 PM

Posted 07 April 2014 - 01:17 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.



#3 Williamc141

  • Topic Starter
  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 07 April 2014 - 01:23 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Customer (administrator) on CUSTOMER-PC on 07-04-2014 13:20:56
Running from C:\Users\Customer\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Airytec) C:\Program Files\Airytec\Switch Off\swoff.exe
(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet 6600\Bin\ScanToPCActivationApp.exe
(Creative Technology Ltd) C:\Windows\SysWOW64\Ctxfihlp.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Eastman Kodak Company) C:\Program Files (x86)\Kodak\KODAK Share Button App\Listener.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet 6600\Bin\HPNetworkCommunicator.exe
(Runtime Software) C:\Program Files (x86)\Runtime Software\DriveImage XML\dixml.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\system32\calc.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [itype] - c:\Program Files\Microsoft IntelliType Pro\itype.exe [1873256 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Nvtmru] - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1028384 2013-11-14] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] - C:\Windows\system32\nvspcap64.dll [1064224 2013-11-14] (NVIDIA Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [CTxfiHlp] - CTXFIHLP.EXE
HKLM-x32\...\Run: [UpdReg] - C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-2461949878-4224771342-3192782425-1000\...\Run: [HP Officejet 6600 (NET)] - C:\Program Files\HP\HP Officejet 6600\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-2461949878-4224771342-3192782425-1000\...\MountPoints2: {4fb3c02d-1217-11e2-a295-90e6ba104ea8} - E:\KODAK_Camera_Setup_App.exe
HKU\S-1-5-21-2461949878-4224771342-3192782425-1000\...0c966feabec1\InprocServer32: [Default-shell32] C:\Users\Customer\AppData\Local\{a9104503-66db-31a8-e5ac-212252dd4449}\n. ATTENTION! ====> ZeroAccess/Alureon?

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=W3i_SP,204,0_0,StartPage,20131252,20029,0,85,6944
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xB00C6B1BBB79CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {68CF1256-AAA2-4F4A-A977-34049FCA763B} URL = http://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20131252,20028,0,85,0
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

FireFox:
========
FF ProfilePath: C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default
FF DefaultSearchEngine: Yahoo
FF SearchEngineOrder.1: Yahoo
FF SelectedSearchEngine: Yahoo
FF Homepage: google.com
FF Keyword.URL: hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20131252,20030,0,85,0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf - C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll (Nullsoft, Inc.)
FF Extension: ArcadeParlor - C:\Users\Customer\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{F32E7E42-9AFA-47CA-A0C4-D07EE651D404} [2013-12-23]
FF Extension: ArcadeParlor - C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\Extensions\{F32E7E42-9AFA-47CA-A0C4-D07EE651D404} [2013-12-23]
FF Extension: HTML5 Notifications - C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\Extensions\html5notifications@paxal.net.xpi [2013-08-20]
FF Extension: Adblock Plus - C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-01-05]

==================== Services (Whitelisted) =================

S3 fussvc; C:\Program Files (x86)\Windows Kits\8.0\App Certification Kit\fussvc.exe [139776 2012-07-25] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-04-03] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [857912 2014-04-03] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15125280 2013-11-14] (NVIDIA Corporation)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2013-12-21] ()
R2 SwOffScheduler; C:\Program Files\Airytec\Switch Off\swoff.exe [173056 2011-05-28] (Airytec)
S2 SwOffWeb; C:\Program Files\Airytec\Switch Off\swoff.exe [173056 2011-05-28] (Airytec)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [126976 2012-07-25] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-04-03] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2014-04-07] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63192 2014-04-03] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-11-14] (NVIDIA Corporation)
S3 RTCore64; C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [10568 2012-07-23] ()
S3 VSPerfDrv110; C:\Program Files (x86)\Microsoft Visual Studio 11.0\Team Tools\Performance Tools\x64\VSPerfDrv110.sys [70264 2012-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-07 13:20 - 2014-04-07 13:21 - 00013910 _____ () C:\Users\Customer\Downloads\FRST.txt
2014-04-07 13:20 - 2014-04-07 13:20 - 00000000 ____D () C:\FRST
2014-04-07 13:19 - 2014-04-07 13:19 - 02157056 _____ (Farbar) C:\Users\Customer\Downloads\FRST64.exe
2014-04-07 11:31 - 2014-04-07 11:40 - 00006836 _____ () C:\Windows\IE11_main.log
2014-04-07 10:07 - 2014-04-07 10:19 - 00009883 _____ () C:\Windows\IE10_main.log
2014-04-07 10:06 - 2014-04-07 10:06 - 00030726 _____ () C:\Users\Customer\Desktop\attach.txt
2014-04-07 10:06 - 2014-04-07 10:06 - 00000000 ____D () C:\Users\Default\AppData\Local\Microsoft Help
2014-04-07 10:06 - 2014-04-07 10:06 - 00000000 ____D () C:\Users\Default User\AppData\Local\Microsoft Help
2014-04-07 10:06 - 2014-04-07 10:05 - 00015254 _____ () C:\Users\Customer\Desktop\dds.txt
2014-04-07 09:17 - 2014-04-07 09:17 - 00000000 ____D () C:\Windows\Temp3F003A2F-8D5C-EF0F-5285-D3902DA2481A-Signatures
2014-04-07 09:16 - 2014-04-07 09:25 - 00000000 ____D () C:\2d789d26116c5992c30cac4b125c
2014-04-07 08:33 - 2014-04-07 12:53 - 4138574892 _____ () C:\Users\Customer\Documents\Drive_C.dat
2014-04-07 08:33 - 2014-04-07 12:53 - 02075146 _____ () C:\Users\Customer\Documents\Drive_C.xml
2014-04-07 08:28 - 2014-04-07 08:28 - 00688992 ____R (Swearware) C:\Users\Customer\Downloads\dds.com
2014-04-07 08:26 - 2014-04-07 08:26 - 00001111 _____ () C:\Users\Public\Desktop\DriveImage XML.lnk
2014-04-07 08:26 - 2014-04-07 08:26 - 00000000 ____D () C:\Program Files (x86)\Runtime Software
2014-04-07 08:25 - 2014-04-07 08:25 - 02026456 _____ () C:\Users\Customer\Downloads\dixmlsetup.exe
2014-04-07 08:09 - 2014-04-07 08:13 - 00000000 ____D () C:\Users\Default\Documents\Visual Studio 2012
2014-04-07 08:09 - 2014-04-07 08:13 - 00000000 ____D () C:\Users\Default User\Documents\Visual Studio 2012
2014-04-06 20:14 - 2013-10-11 21:30 - 00830464 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2014-04-06 20:14 - 2013-10-11 21:29 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2014-04-06 20:14 - 2013-10-11 21:29 - 00324096 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2014-04-06 20:14 - 2013-10-11 21:03 - 00656896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2014-04-06 20:14 - 2013-10-11 21:01 - 00216576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL
2014-04-06 20:14 - 2013-08-27 20:12 - 00461312 _____ (Microsoft Corporation) C:\Windows\system32\scavengeui.dll
2014-04-06 19:13 - 2014-04-06 19:28 - 00003206 _____ () C:\Users\Customer\Desktop\Rkill.txt
2014-04-06 19:13 - 2014-04-06 19:13 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Customer\Downloads\rkill.exe
2014-04-06 19:13 - 2014-04-06 19:13 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Customer\Downloads\rkill64.exe
2014-04-06 18:15 - 2014-04-06 18:15 - 01010176 _____ () C:\Users\Customer\Downloads\MicrosoftFixit50884(2).msi
2014-04-06 18:15 - 2014-04-06 18:15 - 00457632 _____ (Bleeping Computer, LLC) C:\Users\Customer\Downloads\FixExec.exe
2014-04-06 18:15 - 2014-04-06 18:15 - 00001238 _____ () C:\Users\Customer\Desktop\FixExec.txt
2014-04-05 12:18 - 2014-04-05 12:18 - 00000227 _____ () C:\Users\Customer\Downloads\RepairW7FW.zip
2014-04-04 13:06 - 2014-04-07 12:27 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-04 13:00 - 2014-04-04 19:03 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-04 13:00 - 2014-04-04 19:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-04 13:00 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-04 13:00 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-04 13:00 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-04 12:58 - 2014-04-04 12:58 - 17523384 _____ (Malwarebytes Corporation ) C:\Users\Customer\Downloads\mb3-setup-1878.1878-3.5.1.2522.exe
2014-04-04 12:56 - 2014-04-04 12:56 - 00002881 _____ () C:\Windows\system32\Drivers\etc\Sharedaccess.reg
2014-04-04 12:48 - 2014-04-04 12:48 - 01010176 _____ () C:\Users\Customer\Downloads\MicrosoftFixit50884(1).msi
2014-04-03 10:13 - 2014-04-03 10:13 - 01010176 _____ () C:\Users\Customer\Downloads\MicrosoftFixit50884.msi
2014-04-03 10:04 - 2014-04-03 10:04 - 00000320 _____ () C:\Windows\PFRO.log
2014-03-24 08:37 - 2014-03-24 08:38 - 69634043 _____ () C:\Users\Customer\Downloads\Smokin_Ridin_Vol_5_Old_22-(DatPiff.com).zip
2014-03-23 13:06 - 2014-03-24 21:22 - 02326528 _____ () C:\Users\Customer\Documents\The long history of Marijuana.ppt
2014-03-23 13:06 - 2014-03-23 13:06 - 00821760 _____ () C:\Users\Customer\Downloads\The long history of Marijuana.ppt
2014-03-23 13:02 - 2014-03-23 13:02 - 00821248 _____ () C:\Users\Customer\Downloads\00620.ppt
2014-03-23 11:43 - 2014-03-23 14:46 - 00000000 ____D () C:\Users\Customer\AppData\Roaming\tor
2014-03-21 18:19 - 2014-03-21 18:19 - 00001242 _____ () C:\Users\Customer\Desktop\firefox - Shortcut.lnk
2014-03-21 17:27 - 2014-03-21 17:27 - 26437344 _____ (Microsoft Corporation) C:\Users\Customer\Downloads\Windows-KB890830-x64-V5.10.exe
2014-03-21 14:41 - 2014-03-23 11:45 - 00000000 ____D () C:\Users\Customer\Desktop\Tor Browser
2014-03-21 14:39 - 2014-03-21 14:40 - 22909659 _____ () C:\Users\Customer\Downloads\torbrowser-install-3.5.3_en-US.exe
2014-03-20 16:20 - 2014-03-20 16:21 - 82390831 _____ () C:\Users\Customer\Downloads\Star_Power-(DatPiff.com).zip
2014-03-20 16:17 - 2014-03-20 16:17 - 77366875 _____ () C:\Users\Customer\Downloads\A_Kid_Named_Cudi-(DatPiff.com).zip
2014-03-16 10:12 - 2014-03-16 10:14 - 149556827 _____ () C:\Users\Customer\Downloads\Best_Of_Earlwolf-(DatPiff.com).zip
2014-03-08 16:23 - 2014-03-08 16:23 - 00282840 _____ (Mozilla) C:\Users\Customer\Downloads\Firefox Setup Stub 27.0.1.exe

==================== One Month Modified Files and Folders =======

2014-04-07 13:21 - 2014-04-07 13:20 - 00013910 _____ () C:\Users\Customer\Downloads\FRST.txt
2014-04-07 13:20 - 2014-04-07 13:20 - 00000000 ____D () C:\FRST
2014-04-07 13:19 - 2014-04-07 13:19 - 02157056 _____ (Farbar) C:\Users\Customer\Downloads\FRST64.exe
2014-04-07 13:18 - 2012-07-30 21:03 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-07 13:17 - 2014-02-23 14:04 - 01880782 _____ () C:\Windows\WindowsUpdate.log
2014-04-07 12:53 - 2014-04-07 08:33 - 4138574892 _____ () C:\Users\Customer\Documents\Drive_C.dat
2014-04-07 12:53 - 2014-04-07 08:33 - 02075146 _____ () C:\Users\Customer\Documents\Drive_C.xml
2014-04-07 12:45 - 2013-01-14 21:08 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-07 12:27 - 2014-04-04 13:06 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-07 11:40 - 2014-04-07 11:31 - 00006836 _____ () C:\Windows\IE11_main.log
2014-04-07 10:28 - 2011-12-29 20:25 - 00859264 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-04-07 10:28 - 2009-07-14 00:13 - 00859264 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-07 10:26 - 2012-08-12 21:22 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-04-07 10:26 - 2012-01-01 23:56 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-04-07 10:25 - 2012-08-12 21:22 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-04-07 10:19 - 2014-04-07 10:07 - 00009883 _____ () C:\Windows\IE10_main.log
2014-04-07 10:06 - 2014-04-07 10:06 - 00030726 _____ () C:\Users\Customer\Desktop\attach.txt
2014-04-07 10:06 - 2014-04-07 10:06 - 00000000 ____D () C:\Users\Default\AppData\Local\Microsoft Help
2014-04-07 10:06 - 2014-04-07 10:06 - 00000000 ____D () C:\Users\Default User\AppData\Local\Microsoft Help
2014-04-07 10:05 - 2014-04-07 10:06 - 00015254 _____ () C:\Users\Customer\Desktop\dds.txt
2014-04-07 09:25 - 2014-04-07 09:16 - 00000000 ____D () C:\2d789d26116c5992c30cac4b125c
2014-04-07 09:17 - 2014-04-07 09:17 - 00000000 ____D () C:\Windows\Temp3F003A2F-8D5C-EF0F-5285-D3902DA2481A-Signatures
2014-04-07 08:47 - 2009-07-13 22:20 - 00000000 ____D () C:\Program Files\Common Files\System
2014-04-07 08:47 - 2009-07-13 21:34 - 00000478 _____ () C:\Windows\win.ini
2014-04-07 08:28 - 2014-04-07 08:28 - 00688992 ____R (Swearware) C:\Users\Customer\Downloads\dds.com
2014-04-07 08:26 - 2014-04-07 08:26 - 00001111 _____ () C:\Users\Public\Desktop\DriveImage XML.lnk
2014-04-07 08:26 - 2014-04-07 08:26 - 00000000 ____D () C:\Program Files (x86)\Runtime Software
2014-04-07 08:25 - 2014-04-07 08:25 - 02026456 _____ () C:\Users\Customer\Downloads\dixmlsetup.exe
2014-04-07 08:25 - 2012-08-24 11:35 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-04-07 08:25 - 2012-08-24 11:35 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-04-07 08:13 - 2014-04-07 08:09 - 00000000 ____D () C:\Users\Default\Documents\Visual Studio 2012
2014-04-07 08:13 - 2014-04-07 08:09 - 00000000 ____D () C:\Users\Default User\Documents\Visual Studio 2012
2014-04-07 08:08 - 2014-01-16 19:00 - 00000000 ____D () C:\ProgramData\Package Cache
2014-04-07 08:08 - 2009-07-13 23:45 - 00031504 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-07 08:08 - 2009-07-13 23:45 - 00031504 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-07 08:02 - 2014-02-23 13:54 - 00022130 _____ () C:\Windows\setupact.log
2014-04-07 08:02 - 2011-12-01 11:53 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-04-07 08:02 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-06 19:28 - 2014-04-06 19:13 - 00003206 _____ () C:\Users\Customer\Desktop\Rkill.txt
2014-04-06 19:13 - 2014-04-06 19:13 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Customer\Downloads\rkill.exe
2014-04-06 19:13 - 2014-04-06 19:13 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Customer\Downloads\rkill64.exe
2014-04-06 18:15 - 2014-04-06 18:15 - 01010176 _____ () C:\Users\Customer\Downloads\MicrosoftFixit50884(2).msi
2014-04-06 18:15 - 2014-04-06 18:15 - 00457632 _____ (Bleeping Computer, LLC) C:\Users\Customer\Downloads\FixExec.exe
2014-04-06 18:15 - 2014-04-06 18:15 - 00001238 _____ () C:\Users\Customer\Desktop\FixExec.txt
2014-04-05 18:47 - 2011-12-03 02:02 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-04-05 12:18 - 2014-04-05 12:18 - 00000227 _____ () C:\Users\Customer\Downloads\RepairW7FW.zip
2014-04-04 19:03 - 2014-04-04 13:00 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-04 19:03 - 2014-04-04 13:00 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-04 17:04 - 2011-12-18 14:37 - 00000000 ____D () C:\Users\Customer\AppData\Roaming\uTorrent
2014-04-04 13:00 - 2013-12-26 15:48 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-04 12:58 - 2014-04-04 12:58 - 17523384 _____ (Malwarebytes Corporation ) C:\Users\Customer\Downloads\mb3-setup-1878.1878-3.5.1.2522.exe
2014-04-04 12:56 - 2014-04-04 12:56 - 00002881 _____ () C:\Windows\system32\Drivers\etc\Sharedaccess.reg
2014-04-04 12:48 - 2014-04-04 12:48 - 01010176 _____ () C:\Users\Customer\Downloads\MicrosoftFixit50884(1).msi
2014-04-03 10:13 - 2014-04-03 10:13 - 01010176 _____ () C:\Users\Customer\Downloads\MicrosoftFixit50884.msi
2014-04-03 10:04 - 2014-04-03 10:04 - 00000320 _____ () C:\Windows\PFRO.log
2014-04-03 09:51 - 2014-04-04 13:00 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-03 09:51 - 2014-04-04 13:00 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-03 09:50 - 2014-04-04 13:00 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-02 18:11 - 2011-12-01 11:44 - 00000000 ____D () C:\Users\Customer
2014-04-02 18:10 - 2013-11-17 16:41 - 00000000 ____D () C:\Users\Customer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RuneScape
2014-04-02 18:10 - 2012-12-29 13:16 - 00000000 ____D () C:\Users\Customer\jagexcache
2014-04-02 18:10 - 2012-08-08 21:06 - 00000000 ____D () C:\Users\DefaultAppPool
2014-04-02 18:09 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\registration
2014-03-31 09:35 - 2010-11-20 22:27 - 00270496 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-03-24 21:22 - 2014-03-23 13:06 - 02326528 _____ () C:\Users\Customer\Documents\The long history of Marijuana.ppt
2014-03-24 08:38 - 2014-03-24 08:37 - 69634043 _____ () C:\Users\Customer\Downloads\Smokin_Ridin_Vol_5_Old_22-(DatPiff.com).zip
2014-03-23 14:46 - 2014-03-23 11:43 - 00000000 ____D () C:\Users\Customer\AppData\Roaming\tor
2014-03-23 13:06 - 2014-03-23 13:06 - 00821760 _____ () C:\Users\Customer\Downloads\The long history of Marijuana.ppt
2014-03-23 13:02 - 2014-03-23 13:02 - 00821248 _____ () C:\Users\Customer\Downloads\00620.ppt
2014-03-23 11:45 - 2014-03-21 14:41 - 00000000 ____D () C:\Users\Customer\Desktop\Tor Browser
2014-03-21 18:19 - 2014-03-21 18:19 - 00001242 _____ () C:\Users\Customer\Desktop\firefox - Shortcut.lnk
2014-03-21 18:17 - 2013-12-23 15:21 - 00000000 ____D () C:\Users\Customer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ArcadeParlor
2014-03-21 17:27 - 2014-03-21 17:27 - 26437344 _____ (Microsoft Corporation) C:\Users\Customer\Downloads\Windows-KB890830-x64-V5.10.exe
2014-03-21 14:40 - 2014-03-21 14:39 - 22909659 _____ () C:\Users\Customer\Downloads\torbrowser-install-3.5.3_en-US.exe
2014-03-20 16:21 - 2014-03-20 16:20 - 82390831 _____ () C:\Users\Customer\Downloads\Star_Power-(DatPiff.com).zip
2014-03-20 16:17 - 2014-03-20 16:17 - 77366875 _____ () C:\Users\Customer\Downloads\A_Kid_Named_Cudi-(DatPiff.com).zip
2014-03-16 10:14 - 2014-03-16 10:12 - 149556827 _____ () C:\Users\Customer\Downloads\Best_Of_Earlwolf-(DatPiff.com).zip
2014-03-12 02:18 - 2012-07-30 21:03 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-12 02:18 - 2012-07-30 21:03 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-12 02:18 - 2011-12-01 13:29 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-09 09:57 - 2009-07-14 00:08 - 00032616 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-08 16:23 - 2014-03-08 16:23 - 00282840 _____ (Mozilla) C:\Users\Customer\Downloads\Firefox Setup Stub 27.0.1.exe

ZeroAccess:
C:\Users\Customer\AppData\Local\{a9104503-66db-31a8-e5ac-212252dd4449}

Files to move or delete:
====================
C:\Users\Customer\jagex_cl_loginapplet_LIVE.dat
C:\Users\Customer\jagex_cl_runescape_LIVE.dat
C:\Users\Customer\jagex_cl_runescape_LIVE1.dat
C:\Users\Customer\random.dat


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-30 10:14

==================== End Of Log ============================

#4 B-boy/StyLe/
    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 07 April 2014 - 03:10 PM

Hi,
 
 
Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.
 
 
Regards,
Georgi
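A verification pass to run on the affected machine after the fix, added here as an example; it is not part of the thread and not code from FRST, Rkill or Malwarebytes. It checks the three artifacts the fixlist goes after, using what the logs in this thread show: the {GUID} folder with an '@' file and 'L' and 'U' subfolders that Rkill flagged under AppData\Local and Windows\Installer, the Winsock NameSpace_Catalog5 LibraryPath values that FRST reported as File Not found, and per-user InprocServer32 registrations under HKCU\Software\Classes\CLSID, one of which (the {42aedc87-...} key) the Fixlog in the next post deletes. Assumptions are marked in the comments: the registry keys behind FRST's Catalog5 / Catalog5-x64 lines, and the SUSPECT / CHECK / OK labels, which are this script's own heuristics rather than any tool's verdict.

```powershell
# Added example: post-cleanup check for the ZeroAccess artifacts seen in this thread.
# Not code from the thread, FRST, Rkill or Malwarebytes. Run from an elevated
# PowerShell prompt; written for PowerShell 2.0, which is what Windows 7 ships.
# SUSPECT / CHECK / OK are this script's own heuristics, not a tool's verdict.

# --- 1. {GUID} folders holding an '@' file and 'L' / 'U' subfolders ---------------
# Rkill reported this layout under %LOCALAPPDATA% and %windir%\Installer.
$guidName = '^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$'
$roots = @($env:LOCALAPPDATA, (Join-Path $env:windir 'Installer'))

foreach ($root in $roots) {
    $dirs = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidName }
    foreach ($d in $dirs) {
        # Legitimate Installer\{GUID} folders hold MSI icons and resources; the
        # ZeroAccess ones hold an extensionless '@' file plus 'L' and 'U' folders.
        $hasAt = Test-Path -LiteralPath (Join-Path $d.FullName '@')
        $hasL  = Test-Path -LiteralPath (Join-Path $d.FullName 'L')
        $hasU  = Test-Path -LiteralPath (Join-Path $d.FullName 'U')
        if ($hasAt -or ($hasL -and $hasU)) {
            Write-Host "SUSPECT  $($d.FullName)  (@=$hasAt L=$hasL U=$hasU)"
            $listErr = @()
            Get-ChildItem -LiteralPath $d.FullName -Force -Recurse -ErrorAction SilentlyContinue -ErrorVariable listErr |
                ForEach-Object { Write-Host "         $($_.FullName)" }
            # Some variants restrict the ACL on this folder so it cannot be listed;
            # an access-denied error here is itself worth putting in the reply.
            if ($listErr.Count -gt 0) {
                Write-Host "         listing failed: $($listErr[0].Exception.Message)"
            }
        }
    }
}

# --- 2. Winsock NameSpace_Catalog5 LibraryPath values -----------------------------
# Assumption: FRST's "Catalog5" and "Catalog5-x64" lines are read from Catalog_Entries
# and Catalog_Entries64 under this key. Entries 1 and 5 should resolve to NLAapi.dll
# and mswsock.dll, the values the Fixlog restores.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5'
$expected = @{ '000000000001' = 'nlaapi.dll'; '000000000005' = 'mswsock.dll' }

foreach ($sub in @('Catalog_Entries', 'Catalog_Entries64')) {
    foreach ($id in @('000000000001', '000000000005')) {
        $key = "$base\$sub\$id"
        if (-not (Test-Path -Path $key)) { Write-Host "CHECK    $sub\$id is missing"; continue }
        $lib = (Get-ItemProperty -Path $key).LibraryPath
        if (-not $lib) { Write-Host "CHECK    $sub\$id has no LibraryPath"; continue }
        $file   = [Environment]::ExpandEnvironmentVariables($lib)
        $nameOk = [IO.Path]::GetFileName($file).ToLower() -eq $expected[$id]
        $exists = Test-Path -LiteralPath $file
        $flag = 'CHECK'
        if ($nameOk -and $exists) { $flag = 'OK' }
        Write-Host ("{0,-8} {1}\{2}  LibraryPath={3}  (expected {4}; file present: {5})" -f $flag, $sub, $id, $lib, $expected[$id], $exists)
    }
}

# --- 3. Per-user COM registrations ----------------------------------------------
# HKCR merges HKCU\Software\Classes ahead of HKLM\Software\Classes, so a per-user
# InprocServer32 hijacks that CLSID for the user. The FRST scan line ties
# {42aedc87-2188-41fd-b9a3-0c966feabec1} to the extensionless 'n' inside the
# {GUID} folder, and the Fixlog deletes that key under HKCU.
$hkcuClsid = 'HKCU:\Software\Classes\CLSID'
if (Test-Path -Path $hkcuClsid) {
    Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $ips = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path -Path $ips) {
            $target = (Get-ItemProperty -Path $ips).'(default)'
            $flag = 'note'
            # A path ending in {GUID}\n is the ZeroAccess loader pattern from the log.
            if ("$target" -match '\\\{[0-9a-f-]{36}\}\\n$') { $flag = 'SUSPECT' }
            Write-Host ("{0,-8} {1} -> {2}" -f $flag, $_.PSChildName, $target)
        }
    }
}
```

Run it after the reboot FRST asks for, since the Winsock reset and the files scheduled to move on reboot are not final until then. Anything marked SUSPECT or CHECK belongs in the next reply to the helper, not in a manual delete.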


#5 Williamc141
  • Topic Starter
  • Members
  • 18 posts

Posted 08 April 2014 - 03:02 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Customer at 2014-04-08 14:55:46 Run:1
Running from C:\Users\Customer\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKU\S-1-5-21-2461949878-4224771342-3192782425-1000\...0c966feabec1\InprocServer32: [Default-shell32] C:\Users\Customer\AppData\Local\{a9104503-66db-31a8-e5ac-212252dd4449}\n. ATTENTION! ====> ZeroAccess/Alureon?
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset catalog
FF Extension: ArcadeParlor - C:\Users\Customer\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{F32E7E42-9AFA-47CA-A0C4-D07EE651D404} [2013-12-23]
FF Extension: ArcadeParlor - C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\Extensions\{F32E7E42-9AFA-47CA-A0C4-D07EE651D404} [2013-12-23]
cmd: type C:\Users\Customer\Desktop\Rkill.txt
cmd: type C:\Users\Customer\Desktop\FixExec.txt
C:\Users\Customer\AppData\Local\{a9104503-66db-31a8-e5ac-212252dd4449}
C:\Users\Customer\AppData\Local\Temp
end
*****************

HKU\S-1-5-21-2461949878-4224771342-3192782425-1000\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll

=========  netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========

C:\Users\Customer\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{F32E7E42-9AFA-47CA-A0C4-D07EE651D404} => Moved successfully.
C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\Extensions\{F32E7E42-9AFA-47CA-A0C4-D07EE651D404} => Moved successfully.

=========  type C:\Users\Customer\Desktop\Rkill.txt =========

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/06/2014 07:28:31 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe (PID: 3224) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Users\Customer\AppData\Local\{a9104503-66db-31a8-e5ac-212252dd4449}\ [ZA Dir]
     * C:\Users\Customer\AppData\Local\{a9104503-66db-31a8-e5ac-212252dd4449}\L\ [ZA Dir]
     * C:\Users\Customer\AppData\Local\{a9104503-66db-31a8-e5ac-212252dd4449}\U\ [ZA Dir]
     * C:\Windows\installer\{a9104503-66db-31a8-e5ac-212252dd4449}\ [ZA Dir]
     * C:\Windows\installer\{a9104503-66db-31a8-e5ac-212252dd4449}\@ [ZA File]
     * C:\Windows\installer\{a9104503-66db-31a8-e5ac-212252dd4449}\L\ [ZA Dir]
     * C:\Windows\installer\{a9104503-66db-31a8-e5ac-212252dd4449}\L\00000004.@ [ZA File]
     * C:\Windows\installer\{a9104503-66db-31a8-e5ac-212252dd4449}\L\201d3dde [ZA File]
     * C:\Windows\installer\{a9104503-66db-31a8-e5ac-212252dd4449}\U\ [ZA Dir]

========= End of CMD: =========


=========  type C:\Users\Customer\Desktop\FixExec.txt =========

FixExec by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about FixExec can be found at this link:
 http://www.bleepingcomputer.com/download/windows/utilities/fixexec

Program started at: 04/06/2014 06:15:22 PM in x64 mode.
Windows Version: Windows 7

Checking for processes to terminate before fixing executable associations.
 * No processes found to kill.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.


Program finished at: 04/06/2014 06:15:26 PM
Execution time: 0 hours(s), 0 minute(s), and 4 seconds(s)


========= End of CMD: =========

C:\Users\Customer\AppData\Local\{a9104503-66db-31a8-e5ac-212252dd4449} => Moved successfully.

"C:\Users\Customer\AppData\Local\Temp" directory move:

C:\Users\Customer\AppData\Local\Temp\.NETFramework,Version=v4.5.AssemblyAttributes.vb => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\AboutYourComputer-1.doc => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\Attach.txt => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CIT 148 Exam #2 Review.doc => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVR2BE0.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVR6664.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVR7C41.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVR8381.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVR8507.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVR8B10.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVR9F3E.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVRA238.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVRA42B.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVRA795.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVRB808.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVRC9F3.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVRE713.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\CVREB39.tmp.cvr => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\DDS.txt => Moved successfully.
Could not move "C:\Users\Customer\AppData\Local\Temp\etilqs_qj3yQy6A670dA2I" => Scheduled to move on reboot.
Could not move "C:\Users\Customer\AppData\Local\Temp\etilqs_tuXZLJOnKhLSEcs" => Scheduled to move on reboot.
Could not move "C:\Users\Customer\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => Scheduled to move on reboot.
C:\Users\Customer\AppData\Local\Temp\JavaDeployReg.log => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\jusched.log => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\Sarah Orsnge PBL Report.docx => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\wmplog00.sqm => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\wmplog01.sqm => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\wmplog02.sqm => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\~$outYourComputer-1.doc => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\~DFE302F45F99C365B7.TMP => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\~DFFA356941C88661C0.TMP => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\TCD89AA.tmp\CleanGradient.thmx => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\TCD6DB3.tmp\CleanGradient.thmx => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\PPT11.0\ShockwaveFlashObjects.exd => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-96\plugin-649&vid_id=YOUR_VIDEO_ID&vid_title=YOUR_VIDEO_TITLE => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-96\plugin-649&vid_id=YOUR_VIDEO_ID&vid_title=YOUR_VIDEO_TITLE-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-96\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-95\plugin-crossdomain-1.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-95\plugin-crossdomain-2.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-95\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-95\plugin-timedtext => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-84\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-83\plugin-heartbeat => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-83\plugin-heartbeat-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-83\plugin-heartbeat-2 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-83\plugin-logblob => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-83\plugin-logblob-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-83\plugin-playdata => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-82\plugin-649&vid_id=YOUR_VIDEO_ID&vid_title=YOUR_VIDEO_TITLE => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-82\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-8\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-79\plugin- => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-79\plugin--1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-74\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-69\plugin- => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-69\plugin--1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-69\plugin--2 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-69\plugin--3 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-69\plugin-crossdomain-1.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-69\plugin-crossdomain-2.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-69\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-69\plugin-en_US => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-69\plugin-en_US-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-63\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-4\plugin-crossdomain-1.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-4\plugin-crossdomain-2.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-4\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-authorization => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-events => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-heartbeat => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-heartbeat-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-heartbeat-2 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-heartbeat-3 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-heartbeat-4 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-heartbeat-5 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-heartbeat-6 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-license => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-logblob => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-logblob-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-playdata => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-39\plugin-title_states => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-36\plugin-649&vid_id=YOUR_VIDEO_ID&vid_title=YOUR_VIDEO_TITLE => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-36\plugin-649&vid_id=YOUR_VIDEO_ID&vid_title=YOUR_VIDEO_TITLE-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-36\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-33\plugin-crossdomain-1.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-32\plugin-heartbeat => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-32\plugin-heartbeat-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-31\plugin-heartbeat => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-31\plugin-heartbeat-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-31\plugin-heartbeat-2 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-29\plugin-heartbeat => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-29\plugin-heartbeat-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-29\plugin-heartbeat-2 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-29\plugin-heartbeat-3 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-29\plugin-heartbeat-4 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-29\plugin-heartbeat-5 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-29\plugin-heartbeat-6 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-authorization => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-clientaccesspolicy.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-current => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-events => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-events-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-heartbeat => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-heartbeat-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-heartbeat-2 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-heartbeat-3 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-heartbeat-4 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-heartbeat-5 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-heartbeat-6 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-heartbeat-7 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-heartbeat-8 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-license => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-logblob => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-playdata => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-playdata-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-playdata-2 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-title_states => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-28\plugin-title_states-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-authorization => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-events => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-events-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-heartbeat => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-heartbeat-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-heartbeat-2 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-heartbeat-3 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-heartbeat-4 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-heartbeat-5 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-license => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-logblob => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-logblob-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-playdata => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-27\plugin-title_states => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-12\plugin-649&vid_id=YOUR_VIDEO_ID&vid_title=YOUR_VIDEO_TITLE => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-12\plugin-649&vid_id=YOUR_VIDEO_ID&vid_title=YOUR_VIDEO_TITLE-1 => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-12\plugin-crossdomain-1.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-12\plugin-crossdomain.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-103\plugin-crossdomain-2.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\plugtmp-101\plugin-PlayerIntf.ashx => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\msohtmlclip1\01\clip_colorschememapping.xml => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\msohtmlclip1\01\clip_themedata.thmx => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\MATS-Temp\Results\Windows Firewall Troubleshooter_result.cab => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\MATS-Temp\Results\Windows Security Troubleshooter_result.cab => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\HP\AtStatus\hpinksts5d12lm.log => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\FixIt_2F9BA8E4-C28F-40BC-B5FB-62AABCEC075F\Vista-BFE.reg => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\FixIt_2F9BA8E4-C28F-40BC-B5FB-62AABCEC075F\Vista-MpsSvc.reg => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\FixIt_2F9BA8E4-C28F-40BC-B5FB-62AABCEC075F\Vista-wscsvc.reg => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\FixIt_2F9BA8E4-C28F-40BC-B5FB-62AABCEC075F\Win7-BFE.reg => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\FixIt_2F9BA8E4-C28F-40BC-B5FB-62AABCEC075F\Win7-MpsSvc.reg => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\FixIt_2F9BA8E4-C28F-40BC-B5FB-62AABCEC075F\Win7-wscsvc.reg => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\FixIt_2F9BA8E4-C28F-40BC-B5FB-62AABCEC075F\XP-SharedAccess.reg => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\FixIt_2F9BA8E4-C28F-40BC-B5FB-62AABCEC075F\XP-wscvc.reg => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\desktop.ini => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\index.dat => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\TI7WSISJ\desktop.ini => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\Q16MH534\desktop.ini => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\FYDNH63X\desktop.ini => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\0O17WSP5\desktop.ini => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\acro_rd_dir\History\History.IE5\desktop.ini => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\acro_rd_dir\History\History.IE5\index.dat => Moved successfully.
C:\Users\Customer\AppData\Local\Temp\acro_rd_dir\Cookies\index.dat => Moved successfully.
Could not move "C:\Users\Customer\AppData\Local\Temp" directory. => Scheduled to move on reboot.

#6 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • Location:Bulgaria

Posted 08 April 2014 - 04:50 PM

Hi,

Let me take a deeper look:

  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
  • Don't copy the word "quoted"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %SYSTEMDRIVE%\*.
    %USERPROFILE%\*.*
    %USERPROFILE%\*.
    %USERPROFILE%\*.exe /s
    %USERPROFILE%\Documents\*.*
    %USERPROFILE%\Downloads\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\*.*
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Local\temp\*.dll
    %USERPROFILE%\AppData\Local\temp\*.tlb
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %ProgramData%\*.*
    %ProgramData%\*.
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %programdata%\Microsoft\DRM\*.tmp
    %programdata%\temp\*.exe
    %programdata%\temp\*.dll
    %programdata%\temp\*.tlb
    C:\Users\All Users\*.exe /s
    C:\Users\Default\*.exe /s
    C:\Users\Public\*.exe /s
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\*.
    %CommonProgramFiles%\ComObjects\*.*
    %ProgramFiles%\*.*
    %ProgramFiles%\*.
    %Public%\Documents\*.*
    %Public%\Documents\*.
    %systemroot%\System32\config\systemprofile\*.exe /s
    %systemroot%\System32\config\systemprofile\*.*
    %systemroot%\System32\config\systemprofile\*.
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Local\*.
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.
    %systemroot%\SysWow64\config\systemprofile\*.exe /s
    %systemroot%\SysWow64\config\systemprofile\*.*
    %systemroot%\SysWow64\config\systemprofile\*.
    %systemroot%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %systemroot%\SysWOW64\config\systemprofile\AppData\Local\*.
    %systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\*.
    %systemroot%\ServiceProfiles\*.exe /s
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\*.*
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\*.
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.exe
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.dll
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %systemroot%\ServiceProfiles\LocalService\AppData\Roaming\*.*
    %systemroot%\ServiceProfiles\LocalService\AppData\Roaming\*.
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\*.*
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\*.
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.exe
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.dll
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %systemroot%\ServiceProfiles\NetworkService\AppData\Roaming\*.*
    %systemroot%\ServiceProfiles\NetworkService\AppData\Roaming\*.
    %windir%\temp\*.exe /s
    %windir%\temp\*.*
    %windir%\temp\*.
    %windir%\*.
    %windir%\AppPatch\*.exe /s
    %windir%\ShellNew\*.*
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %SYSTEMDRIVE%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor /s
    HKCU\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32 /s
    HKLM\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32 /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsimap /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s
    HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
    HKEY_CLASSES_ROOT\Directory\Shellex\CopyHookHandlers\MSCopy /s
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    type C:\WINDOWS\system.ini >> test.txt /c
    bcdedit /enum all /v >C:\boot.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    smss.exe
    fastfat.sys
    atapi.sys
    serial.sys
    volsnap.sys
    disk.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    kbdclass.sys
    kbdhid.sys
    mouclass.sys
    mouhid.sys
    spldr.sys
    dfsc.sys
    hlp.dat
    str.sys
    cerxvx.ocx
    crexv.ocx
    msseedir.dll
    msdr.dll
    lmbd.dll
    wsse.dll
    intel.exe
    WService.dll
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Regards,

Georgi
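The `/md5start` … `/md5stop` section of the OTL custom scan in the post above names system binaries and drivers that OTL will locate and report MD5 hashes for. The Python script below is an added example written for this page, not OTL's code and not part of Georgi's post: it walks a directory tree, hashes every file whose name is on the list, and reports the names for which the copies found do not all share one hash, which is the kind of discrepancy a reviewer looks for in that part of the OTL output (a copy of a core binary in an unexpected folder carrying a different hash). The root directory, the sample files and the shortened file list are constructed assumptions for the demo; on a real machine you would point `hash_named_files` at the system drive and compare the hashes against a known-good reference.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Subset of the names from the OTL /md5start block above (the full list is in the post).
CRITICAL_FILES = {
    "services.exe", "explorer.exe", "lsass.exe", "svchost.exe",
    "wininit.exe", "winlogon.exe", "userinit.exe", "smss.exe",
    "atapi.sys", "volsnap.sys", "disk.sys", "afd.sys", "tcpip.sys",
}


def file_md5(path, chunk_size=1 << 16):
    """Stream a file through MD5 so large binaries never need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_named_files(root, names=CRITICAL_FILES):
    """Walk `root` and return {lower-cased name: [(path, size, md5), ...]} for matching files.
    Matching is case-insensitive because NTFS is."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in wanted:
                continue
            p = os.path.join(dirpath, fn)
            try:
                found[fn.lower()].append((p, os.path.getsize(p), file_md5(p)))
            except OSError:
                # Locked or unreadable file: keep the path so it is not silently skipped.
                found[fn.lower()].append((p, None, None))
    return dict(found)


def names_with_divergent_copies(found):
    """Return the names whose readable copies do not all share one MD5.
    Copies of a system binary often share a hash (System32 and the component store);
    a copy with a different hash deserves a closer look, although legitimate
    version differences produce the same symptom, so this is triage, not a verdict."""
    divergent = []
    for name, copies in sorted(found.items()):
        hashes = {md5 for _path, _size, md5 in copies if md5 is not None}
        if len(hashes) > 1:
            divergent.append(name)
    return divergent


def build_demo_tree():
    """Constructed sample tree standing in for a Windows system drive (not real system files)."""
    root = tempfile.mkdtemp(prefix="otl_md5_demo_")
    layout = {
        os.path.join("Windows", "System32", "services.exe"): b"services-v1",
        os.path.join("Windows", "winsxs", "x86_services", "services.exe"): b"services-v1",
        os.path.join("Windows", "System32", "svchost.exe"): b"svchost-v1",
        # Constructed anomaly: a same-named file under a user temp folder with other content.
        os.path.join("Users", "Customer", "AppData", "Local", "Temp", "svchost.exe"): b"different",
        os.path.join("Windows", "System32", "drivers", "afd.sys"): b"afd",
    }
    for rel, content in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
    return root


def run_demo():
    """Hash the demo tree and return (found, divergent_names)."""
    root = build_demo_tree()
    found = hash_named_files(root)
    return found, names_with_divergent_copies(found)


if __name__ == "__main__":
    found, divergent = run_demo()
    for name, copies in sorted(found.items()):
        for path, size, md5 in copies:
            print(f"{md5 or 'unreadable':32} {size!s:>8} {path}")
    print("names with more than one distinct hash:", divergent)
```

The OTL output for this block is read the same way: one line per located copy, and attention goes to copies whose hash or location does not match the rest.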


#7 Williamc141

  • Topic Starter
  • Members

Posted 08 April 2014 - 07:35 PM

The logs are too large to post in a reply and too large to attach.

#8 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • Location:Bulgaria

Posted 09 April 2014 - 06:12 AM

Hi,

Zip the log files, upload the archive here, and then post back the link to the archive. :)

Regards,

Georgi

#9 Williamc141

  • Topic Starter
  • Members

Posted 09 April 2014 - 08:27 AM

http://www.filedropper.com/desktop_10

#10 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • Location:Bulgaria

Posted 10 April 2014 - 07:18 AM

Hello,

We need to run an OTL Fix.

  • Double click on the OTL icon on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :OTL
    [2014/04/06 19:38:33 | 000,000,000 | -HSD | M] -- C:\Windows\installer\{a9104503-66db-31a8-e5ac-212252dd4449}
    [2012/08/12 20:52:09 | 000,000,000 | -HSD | M] -- C:\Windows\system32\%APPDATA%
    :Commands
    [emptytemp]

  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.

Regards,

Georgi


#11 Williamc141

  • Topic Starter
  • Members

Posted 10 April 2014 - 06:09 PM

All processes killed
========== OTL ==========
C:\Windows\installer\{a9104503-66db-31a8-e5ac-212252dd4449} folder moved successfully.
C:\Windows\SysWow64\%APPDATA%\Microsoft\Windows\IETldCache folder moved successfully.
C:\Windows\SysWow64\%APPDATA%\Microsoft\Windows folder moved successfully.
C:\Windows\SysWow64\%APPDATA%\Microsoft folder moved successfully.
C:\Windows\SysWow64\%APPDATA% folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Customer
->Temp folder emptied: 1690429 bytes
->Temporary Internet Files folder emptied: 16475166 bytes
->Java cache emptied: 4384846 bytes
->FireFox cache emptied: 289691530 bytes
->Flash cache emptied: 23784 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 108641810 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 44852434 bytes
RecycleBin emptied: 1875569574 bytes
 
Total Files Cleaned = 2,233.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 04102014_180059

Files\Folders moved on Reboot...
C:\Users\Customer\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

#12 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • Location:Bulgaria

Posted 11 April 2014 - 03:31 AM

Nice work! We managed to clean the infection! :)

Also, if you don't mind, I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.
    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

STEP 2

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 4

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

STEP 5

1. Please download HitmanPro.

  • For 32-bit Operating System
  • This is the mirror
  • For 64-bit Operating System
  • This is the mirror

2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run, then please open it while holding down the left CTRL key until the program is loaded.

3. Click on the next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a dropdown menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

STEP 6

Download Security Check by screen317 from here.


  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

and then, if there aren't any issues left, I'll give you my final recommendations. :)

Regards,

Georgi

#13 Williamc141

  • Topic Starter
  • Members

Posted 14 April 2014 - 02:57 PM

RKILL : Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/12/2014 04:47:25 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe (PID: 3140) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 04/12/2014 04:49:52 PM
Execution time: 0 hours(s), 2 minute(s), and 27 seconds(s)

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Customer [Admin rights]
Mode : Scan -- Date : 04/13/2014 17:39:39
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST500DM002-1BD142 ATA Device +++++
--- User ---
[MBR] 99baf14dd2ca5496a799776cd96e041f
[BSP] bb56dce25ac5c55486cca6a48997e563 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) PNY USB 2.0 FD USB Device +++++
--- User ---
[MBR] d99f46bea697fc7a60419581711c533c
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 56 | Size: 3894 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_04132014_173939.txt >>

TDSS KILLER


17:41:22.0677 0x149c  TDSS rootkit removing tool 3.0.0.31 Apr 11 2014 08:55:10
17:41:25.0735 0x149c  ============================================================
17:41:25.0735 0x149c  Current date / time: 2014/04/13 17:41:25.0735
17:41:25.0735 0x149c  SystemInfo:
17:41:25.0735 0x149c  
17:41:25.0735 0x149c  OS Version: 6.1.7601 ServicePack: 1.0
17:41:25.0735 0x149c  Product type: Workstation
17:41:25.0735 0x149c  ComputerName: CUSTOMER-PC
17:41:25.0735 0x149c  UserName: Customer
17:41:25.0735 0x149c  Windows directory: C:\Windows
17:41:25.0735 0x149c  System windows directory: C:\Windows
17:41:25.0735 0x149c  Running under WOW64
17:41:25.0735 0x149c  Processor architecture: Intel x64
17:41:25.0735 0x149c  Number of processors: 4
17:41:25.0735 0x149c  Page size: 0x1000
17:41:25.0735 0x149c  Boot type: Normal boot
17:41:25.0735 0x149c  ============================================================
17:41:49.0324 0x149c  KLMD registered as C:\Windows\system32\drivers\75007142.sys
17:41:49.0855 0x149c  System UUID: {4403ED74-EA10-E072-0A96-0F534CFD3A73}
17:41:50.0775 0x149c  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0x38080, SectorsPerTrack: 0x13, TracksPerCylinder: 0xE0, Type 'K0', Flags 0x00000040
17:41:50.0791 0x149c  Drive \Device\Harddisk1\DR1 - Size: 0xF3630000 (3.80 Gb), SectorSize: 0x200, Cylinders: 0x1F0, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
17:41:50.0791 0x149c  ============================================================
17:41:50.0791 0x149c  \Device\Harddisk0\DR0:
17:41:50.0791 0x149c  MBR partitions:
17:41:50.0791 0x149c  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
17:41:50.0791 0x149c  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x3A353000
17:41:50.0791 0x149c  \Device\Harddisk1\DR1:
17:41:50.0791 0x149c  MBR partitions:
17:41:50.0791 0x149c  \Device\Harddisk1\DR1\Partition1: MBR, Type 0xC, StartLBA 0x38, BlocksNum 0x79B148
17:41:50.0791 0x149c  ============================================================
17:41:50.0869 0x149c  C: <-> \Device\Harddisk0\DR0\Partition2
17:41:50.0869 0x149c  ============================================================
17:41:50.0869 0x149c  Initialize success
17:41:50.0869 0x149c  ============================================================
17:42:45.0182 0x046c  KLMD registered as C:\Windows\system32\drivers\76595588.sys
17:42:46.0212 0x046c  Deinitialize success
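RogueKiller's MBR check and TDSSKiller's partition listing above are two views of the same 512-byte boot sector: a hash of the whole sector, a hash that identifies the boot code ([BSP]), and the partition table rendered in decimal sectors and MB by one tool and in hex StartLBA/BlocksNum by the other. The Python parser below is an added example written for this page; it is not part of the original post and not either tool's code. It builds a constructed MBR carrying the partition values the logs report for PhysicalDrive0 and PhysicalDrive1 (filler boot code, so its hashes will not match the logged ones), decodes the four 16-byte entries, and prints each one in both notations, which lets you confirm by hand that 0x32000 blocks is the 100 MB system partition and 0x3A353000 blocks is the 476838 MB volume. Two assumptions are marked in the code: that the [BSP] hash covers only the 440-byte bootstrap area, and RogueKiller's [VISIBLE] flag is not reproduced because the logs do not show how it is derived.

```python
import hashlib
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446
BOOTCODE_LEN = 440                 # bootstrap area; 4-byte disk signature and 2 reserved bytes follow
ENTRY_FORMAT = "<B3sB3sII"         # status, CHS start, type, CHS end, start LBA, sector count

# Partition type bytes that appear in the logs above; anything else is reported as hex.
TYPE_NAMES = {0x07: "NTFS", 0x0C: "FAT32-LBA"}


def parse_mbr(sector):
    """Decode a 512-byte MBR into hashes and a list of non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(ENTRY_FORMAT, sector, off)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, f"0x{ptype:02X}"),
            "start_lba": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),   # RogueKiller prints whole MB
        })
    return {
        "mbr_md5": hashlib.md5(sector).hexdigest(),
        # Assumption: the [BSP] line hashes the bootstrap code only (first 440 bytes).
        "bootcode_md5": hashlib.md5(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        "partitions": parts,
    }


def roguekiller_style(p):
    """Render an entry the way the RogueKiller log above does (without the [VISIBLE] flag)."""
    flag = "ACTIVE" if p["active"] else "XXXXXX"
    return (f"{p['index']} - [{flag}] {p['type_name']} (0x{p['type']:02x}) "
            f"Offset (sectors): {p['start_lba']} | Size: {p['size_mb']} MB")


def tdsskiller_style(p, disk=0):
    """Render an entry the way the TDSSKiller log above does (hex, 1-based partition number)."""
    return (f"\\Device\\Harddisk{disk}\\DR{disk}\\Partition{p['index'] + 1}: MBR, "
            f"Type 0x{p['type']:X}, StartLBA 0x{p['start_lba']:X}, BlocksNum 0x{p['sectors']:X}")


def build_mbr(entries, bootcode=b"\x90" * BOOTCODE_LEN, disk_signature=0x12345678):
    """Constructed MBR: filler boot code, a disk signature, and entries as (active, type, lba, count)."""
    sector = bytearray(SECTOR)
    sector[:BOOTCODE_LEN] = bootcode
    struct.pack_into("<I", sector, BOOTCODE_LEN, disk_signature)
    for i, (active, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Partition values copied from the PhysicalDrive0 / Harddisk0 lines in the logs above
# (the sector itself is constructed, so only the table matches the real disk).
DEMO_DRIVE0 = build_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 0x3A353000)])
# PhysicalDrive1 / Harddisk1, the USB stick, from the same logs.
DEMO_DRIVE1 = build_mbr([(True, 0x0C, 56, 0x79B148)])

if __name__ == "__main__":
    for disk, sector in enumerate((DEMO_DRIVE0, DEMO_DRIVE1)):
        info = parse_mbr(sector)
        print(f"[MBR] {info['mbr_md5']}")
        print(f"[BSP] {info['bootcode_md5']}")
        for p in info["partitions"]:
            print(roguekiller_style(p))
            print(tdsskiller_style(p, disk))
```

Reading the real sector from a physical drive requires administrator rights; once you have those 512 bytes, `parse_mbr` gives you an [MBR] hash you can record and compare across reboots, which is the simplest way to notice that the boot code has changed.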







 



#14 Williamc141

  • Topic Starter
  • Members

Posted 14 April 2014 - 03:00 PM

Malwarebytes

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/14/2014
Scan Time: 1:18:43 PM
Logfile:
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.14.05
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Customer

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 347352
Time Elapsed: 25 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

HITMAN PRO


HitmanPro 3.7.9.216
www.hitmanpro.com

   Computer name . . . . : CUSTOMER-PC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : Customer-PC\Customer
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2014-04-14 14:42:14
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 7m 47s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 1
   Traces  . . . . . . . : 37

   Objects scanned . . . : 2,824,241
   Files scanned . . . . : 407,589
   Remnants scanned  . . : 893,703 files / 1,522,949 keys

Malware _____________________________________________________________________

   C:\Users\Customer\Downloads\Dexter_-_Season_5_secure.exe -> Quarantined
      Size . . . . . . . : 846,256 bytes
      Age  . . . . . . . : 396.8 days (2013-03-13 18:50:49)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : A0AE24B1B3786CB7DFC4C4A4A0D3B956505E06C5B982FC45D872B667076FC455
      Product  . . . . . : PrivitizeVPN Installer
      Publisher  . . . . : PrivitizeVPN
      Description  . . . : PrivitizeVPN Installer
      Version  . . . . . : 1.0.0.2
      Copyright  . . . . : Copyright 2012
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
    > Kaspersky  . . . . : not-a-virus:AdWare.NSIS.Agent.aj
      Fuzzy  . . . . . . : 101.0


Suspicious files ____________________________________________________________

   C:\Users\Customer\AppData\Local\PunkBuster\BLR\pb\pbcl.dll
      Size . . . . . . . : 949,190 bytes
      Age  . . . . . . . : 114.1 days (2013-12-21 11:43:01)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : DAF43E93528BEEECC015FA98D6EE6D6FD6D19A049321E47A65665144E4511F41
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Customer\AppData\Local\PunkBuster\BLR\pb\PnkBstrK.sys
      Size . . . . . . . : 140,360 bytes
      Age  . . . . . . . : 114.1 days (2013-12-21 11:43:30)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 0F41B3843E2D2D1BB1ACF8B7CAA293309CC1CF8CF478B1AC86DD6BB214928DC4
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Customer\AppData\Local\PunkBuster\COD4\pb\dll\wc002301.dll
      Size . . . . . . . : 967,213 bytes
      Age  . . . . . . . : 629.1 days (2012-07-24 13:00:54)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 4BD30C84D354E3B8B5236F48F62718D6E4F2A6DAA303365B6DFCE45D21DFE853
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Customer\AppData\Local\PunkBuster\COD4\pb\dll\wc002318.dll
      Size . . . . . . . : 967,165 bytes
      Age  . . . . . . . : 436.8 days (2013-02-01 18:47:06)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : B1B32990F47ED2E39EB18AEA0839D9521B87E9ED18C0BCA8E2C6873FBA9D6494
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Customer\AppData\Local\PunkBuster\COD4\pb\pbcl.dll
      Size . . . . . . . : 967,165 bytes
      Age  . . . . . . . : 115.6 days (2013-12-20 00:37:53)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : B1B32990F47ED2E39EB18AEA0839D9521B87E9ED18C0BCA8E2C6873FBA9D6494
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Customer\AppData\Local\PunkBuster\COD4\pb\pbclold.dll
      Size . . . . . . . : 967,165 bytes
      Age  . . . . . . . : 837.6 days (2011-12-29 00:45:22)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : B1B32990F47ED2E39EB18AEA0839D9521B87E9ED18C0BCA8E2C6873FBA9D6494
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.


Cookies _____________________________________________________________________

   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:ad.auditude.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:atlanticmedia.122.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:baby.healthguru.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:brighthouse.122.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:conditions.healthguru.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:dmtracker.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:doubleclick.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:bleepcombustion.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:gntbcstglobal.112.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:healthguru.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:idgenterprise.112.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:in.getclicky.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:interland.122.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:microsoftsto.112.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:newsquestdigitalmedia.122.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:oracle.112.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:pcworldcommunication.122.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:revsci.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:serving-sys.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:statcounter.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:stats.complex.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:statse.webtrendslive.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:survey.g.doubleclick.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:timeinc.122.2o7.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:track.userpath.net
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:www.googleadservices.com
   C:\Users\Customer\AppData\Roaming\Mozilla\Firefox\Profiles\ag23nkdn.default\cookies.sqlite:xiti.com

 

CHECKUP

 Results of screen317's Security Check version 0.99.81  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 JavaFX 2.1.0    
 Java™ 6 Update 29  
 Java 7 Update 51  
 Visual Studio Extensions for Windows Library for JavaScript
 Adobe Flash Player 12.0.0.77  
 Mozilla Firefox (26.0)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials msseces.exe
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````


 



#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:04 PM

Posted 15 April 2014 - 05:08 AM

Hello,

 

There should be a bigger log file from TDSSKiller in the root folder of drive C:\

Please upload the log at pastebin.com and post the link to the log in your next reply.

 

Also some updating tasks for you:

 

Also your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

  • Download the latest version of Java SE 8.
  • Click the Java SE 8 "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-8-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Programs, click on Uninstall a program and remove all older versions of Java:
     JavaFX 2.1.0
     Java™ 6 Update 29
     Java 7 Update 51
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/Windows 7 users, right click on the jre-8-windows-i586.exe and select "Run as an Administrator.")

 

Next please run JavaRa.

  • Please download JavaRa 2.5 and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Choose Remove JRE and since you already uninstalled JAVA skip step 1 and click on the next button.
  • Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  • When that's successfully done, please click OK to close the message.
  • Click on Next and skip the downloading process. Click Next and now click on Close this wizard and click Finish.
  • From the main menu please choose Additional tasks
  • Place a checkmark beside Remove startup entry, Remove Outdated JRE Firefox Extensions and Clean JRE Temp Files and click Run. The browsers should be closed before running this task.
  • When that's successfully done you will see a message at the top saying: "Selected tasks completed successfully".
  • A log file should be created in the same directory as JavaRa.
  • Please attach the log to your next reply.
  • Close JavaRa by clicking the red cross button.

 

You can choose between 2 variants:

 

1. If you have applications that require Java to be installed on the computer then uninstall the old version of Java and then run JavaRa to remove all remnants and then go ahead and download & install the latest version of Java (Java SE 8).

 

2. If you want to be on the safe side then go ahead and uninstall the old version of Java, then run JavaRa to remove all remnants and then remove all applications that require Java (time to learn to live without Java and find alternatives to the applications that require Java)... Check this article.

 

It's your call.

 

 

 

Your Mozilla Firefox is out of date!
Download and install the latest version Mozilla Firefox 28 Final for Windows
Do a backup of your existing profile using Mozbackup or FEBE before you proceed with the update.

 

  • It is possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.  
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector, or you can use the following application for this purpose: PatchMyPC

 

 

Visit Microsoft's Windows Update Site Frequently

 

  • It is important that you visit Windows Update regularly.
  • This will ensure your computer always has the latest available security updates installed.  
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

When done please post a new log from SecurityCheck.

I'll give you my final recommendations in the next post. :)

 

BTW: Don't worry if SecurityCheck still shows Java as outdated even after you updated it...

SecurityCheck needs to be updated to cover Java 8

 

 

Regards,

Georgi


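The Java clean-up steps in the post above are done by hand through Control Panel. As an added example (not part of this thread and not code from SecurityCheck, JavaRa or any other tool named here), the following PowerShell script inventories the Java, JRE and JavaFX entries that Windows has registered in its Uninstall keys, on both the 64-bit and the WOW6432Node views, and flags everything except the highest version as a leftover to review. The display-name pattern and the assumption that DisplayVersion parses as a .NET version (for example 7.0.510 for Java 7 Update 51) are assumptions of the example, not facts from the page.

```powershell
# Added example, not part of the original thread or of any tool mentioned in it.
# Lists Java / JRE / JavaFX entries from the Windows Uninstall registry views
# (64-bit and WOW6432Node) so every leftover version can be found before the
# manual Control Panel removal described above. Run from an elevated prompt.

$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# SecurityCheck reported JavaFX 2.1.0, Java(TM) 6 Update 29 and Java 7 Update 51;
# this regex is an assumption that covers the usual Oracle/Sun display names.
$pattern = '^(Java|JavaFX|J2SE)'

$javaEntries = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString

if (-not $javaEntries) {
    Write-Host 'No Java components found in the Uninstall registry keys.'
    return
}

# Full inventory, including the UninstallString each entry registered.
$javaEntries | Sort-Object DisplayName | Format-Table -AutoSize

# Rank by version and treat everything below the highest one as a removal candidate.
# Assumption: DisplayVersion parses as a .NET [version]; entries that do not are skipped.
$ranked = @($javaEntries |
    Where-Object { $_.DisplayVersion -as [version] } |
    Sort-Object { [version]$_.DisplayVersion } -Descending)

if ($ranked.Count -gt 1) {
    Write-Host "`nOlder Java components still installed (review and remove via Control Panel):"
    $ranked | Select-Object -Skip 1 | ForEach-Object {
        Write-Host ("  {0}  (version {1})" -f $_.DisplayName, $_.DisplayVersion)
    }
}
```

The script only reads the registry and prints; removal is still done through Control Panel as the post describes, and the UninstallString column shows which installer each entry would invoke so nothing unexpected is removed. Running it again after the update and the JavaRa pass should leave a single entry for the new release.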




