
Severe rootkit/malware infection - Rkill and MS MSRT Hang when run


  • This topic is locked
25 replies to this topic

#1 9001M


  • Members
  • 56 posts

Posted 09 April 2014 - 07:59 PM

I have a laptop here with a very serious malware infection that I'm not able to clear with the tools at my disposal. 

 

I first tried running Rkill in normal operating mode, and it stalled indefinitely at the “Performing miscellaneous checks” stage.  I gave up there, rebooted into Safe Mode and got the same results. 

 

I then ran TDSSKiller, selected the "Loaded Modules" and "Detect TDLFS file system" options.  After rebooting, TDSSKiller reported that Rootkit.Boot.Harbinger.a was detected and cured. 

 

While TDSSKiller was doing its thing, Microsoft's Malicious Software Removal Tool launched, reporting detection of malicious software and recommending a full scan.  I terminated that process, downloaded the latest release of that tool and initiated a full system scan.  Unfortunately, it stalled at scan item number: 1108958.  I let it sit there for several hours before I terminated it.

 

NOTE 1:  Before initiating the MSRT, I checked running processes and found “Driver Detective” running.  As that was likely malware, I terminated that process.

 

NOTE 2:  During the MSRT run, MSE detected and cleaned the following threats in the background:
    - Trojan:Win64/Alureon
    - Trojan:DOS/Alureon.M

 

I then rebooted and tried running Rkill again - same result - indefinite hang at “Performing miscellaneous checks”. 

 

I then ran MBAM - it found and removed a couple hundred PUPs.

 

After reboot, Rkill still isn't able to finish.

 

In preparation for this post, I downloaded/ran DDS and, unfortunately, it behaves the same as Rkill.  The progress bar gets to about 75% and it just hangs indefinitely.  I tried running it again in Safe Mode - same result.

 

I hope this isn't a hopeless cause...





#2 HelpBot


    Bleepin' Binary Bot


  • Bots
  • 12,740 posts

Posted 14 April 2014 - 08:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/530544 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 16 April 2014 - 11:20 AM

Hello and Welcome to Bleeping Computer, sorry for the wait.

 

Please do the following:

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.

  • Press Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
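Once FRST.txt is in hand, the first pass a helper makes is to pick out the entries that point nowhere or point at a search hijacker. The script below is an added example for this thread, not FRST's own logic and not part of CatByte's instructions: it reads FRST-style lines (the sample log is constructed from the line formats FRST emits) and flags orphaned "No File" and "[X]" entries, browser search settings redirected to a hijacker domain, components from a publisher treated as a PUP vendor, and drivers whose signer is not on a short allow-list. The hijacker domain list, both publisher lists and the start-type mapping are assumptions made for the example, not lists FRST ships with.

```python
"""Quick triage of an FRST.txt log (added example, not FRST's own logic)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumptions for this example, not lists FRST itself uses: search domains
# treated as hijackers, publishers treated as PUP vendors, and driver signers
# that do not need a second look.
HIJACK_DOMAINS = ("search.conduit.com",)
SUSPECT_PUBLISHERS = ("ClientConnect Ltd.",)
TRUSTED_DRIVER_PUBLISHERS = ("Microsoft Corporation", "National Instruments Corporation")
# FRST prefixes services/drivers with R (running) or S (stopped) plus the
# Windows start type; this mapping of the digit is assumed for the reason text.
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
SERVICE_RE = re.compile(r"^([RS])(\d) (\S+); (.+?) \[(\d+) (\d{4}-\d{2}-\d{2})\] \((.+)\)$")
PUBLISHER_RE = re.compile(r"\(([^()]+)\)\s*$")  # trailing "(Publisher)" on any line

# Constructed sample, modelled on the line formats FRST writes to FRST.txt.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
==================== Internet (Whitelisted) ====================
URLSearchHook: HKCU - (No Name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - No File
URLSearchHook: HKCU - TrustWorthy Toolbar - {8480b7b1-a45c-4feb-8653-60f834f7ca4b} - C:\Users\Mathew\AppData\LocalLow\TrustWorthy\prxtbTru0.dll (ClientConnect Ltd.)
SearchScopes: HKCU - DefaultScope {67345F7F-3F0D-42C6-B9CE-9664F9BA6232} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4
SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
==================== Drivers (Whitelisted) ====================
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
R1 wStLib64; C:\Windows\System32\drivers\wStLib64.sys [61120 2014-03-19] (StdLib)
S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [X]
""".strip("\n")


@dataclass
class Finding:
    line_no: int
    section: str
    reason: str
    text: str


def triage(log_text: str) -> list[Finding]:
    """Return the lines a helper would look at first, in log order."""
    findings: list[Finding] = []
    section = "(preamble)"
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.rstrip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        # 1. Dangling entries: a hook/BHO/toolbar whose DLL is gone, or a
        #    service/driver registered for a file FRST could not find.
        if line.endswith("No File"):
            findings.append(Finding(n, section, "orphaned entry: target file missing", line))
            continue
        if line.endswith("[X]"):
            findings.append(Finding(n, section, "service/driver file missing", line))
            continue
        # 2. Browser search settings redirected to a hijacker domain.
        if any(domain in line.lower() for domain in HIJACK_DOMAINS):
            findings.append(Finding(n, section, "search setting points at hijacker domain", line))
            continue
        # 3. Publisher checks: known PUP vendor anywhere, unfamiliar signer on a driver.
        pub = PUBLISHER_RE.search(line)
        publisher = pub.group(1).strip() if pub else ""
        if publisher in SUSPECT_PUBLISHERS:
            findings.append(Finding(n, section, f"component from PUP publisher: {publisher}", line))
            continue
        svc = SERVICE_RE.match(line)
        if svc and section.startswith("Drivers") and publisher not in TRUSTED_DRIVER_PUBLISHERS:
            start = START_TYPES.get(svc.group(2), "unknown")
            findings.append(Finding(n, section, f"{start}-start driver from unfamiliar publisher: {publisher}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3} [{f.section}] {f.reason}\n    {f.text}")
```

The allow-list approach deliberately errs toward noise: an unfamiliar signer such as "StdLib" on a system-start driver is a prompt to look the file up, not a verdict, and the whitelisting FRST already applies is left in place.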


#4 9001M

  • Topic Starter

  • Members
  • 56 posts

Posted 16 April 2014 - 03:09 PM

Yay!  Thanks for taking this one on!!  Following is the FRST log and I've attached the Addition.txt file.

 

Looking forward to the next steps...

 

---------------------------------------------------------------------------------------------------------------------------------

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-04-2014 02
Ran by Mathew (administrator) on MATHEW-HP on 16-04-2014 13:04:05
Running from C:\Users\Mathew\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(LeapFrog Enterprises, Inc.) C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
(National Instruments Corporation) C:\Windows\SysWOW64\lkads.exe
(National Instruments Corporation) C:\Program Files (x86)\National Instruments\MAX\nimxs.exe
(National Instruments Corporation) C:\Program Files (x86)\National Instruments\Shared\Security\nidmsrv.exe
(National Instruments Corporation) C:\Program Files (x86)\National Instruments\Shared\NI WebServer\SystemWebServer.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(National Instruments, Inc.) C:\Windows\SysWOW64\lkcitdl.exe
(National Instruments Corporation) C:\Windows\SysWOW64\lktsrv.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
(National Instruments Corporation) C:\Program Files (x86)\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe
(National Instruments Corporation) C:\Program Files (x86)\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
(National Instruments Corporation) C:\Windows\SysWOW64\nipxism.exe
(National Instruments Corporation) C:\Program Files (x86)\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe
(National Instruments Corporation) C:\Program Files (x86)\National Instruments\Shared\NI Network Discovery\niDiscSvc.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(GoPro) C:\Program Files (x86)\CineForm\Tools\GoProCineFormStatusViewer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-11-27] (IDT, Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2011-11-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [NCPluginUpdater] - "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update [21720 2014-03-25] (Hewlett-Packard)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\.DEFAULT\...\RunOnce: [Microsoft Security Client] - C:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKU\.DEFAULT\...\RunOnce: [SPReview] - C:\Windows\System32\SPReview\SPReview.exe [301568 2013-06-03] (Microsoft Corporation)
HKU\.DEFAULT\...\RunOnce: [SpUninstallDeleteDir] - rmdir /s /q "\SearchProtect"
HKU\S-1-5-21-2506442769-3147341017-1797918461-1000\...\MountPoints2: {1787b33d-35da-11e3-a223-2c27d7a91bf4} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2506442769-3147341017-1797918461-1000\...\MountPoints2: {46f640f8-b192-11e0-8f17-2c27d7a91bf4} - F:\WIN\setup.exe
HKU\S-1-5-21-2506442769-3147341017-1797918461-1000\...\MountPoints2: {c35c2657-fd79-11e2-a382-2c27d7a91bf4} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2506442769-3147341017-1797918461-1000\...\MountPoints2: {c35c2666-fd79-11e2-a382-2c27d7a91bf4} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2506442769-3147341017-1797918461-1000\...\MountPoints2: {d1c3c9ba-823d-11e0-8f83-2c27d7a91bf4} - F:\WIN\setup.exe
Startup: C:\Users\Mathew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RT-Updater.lnk
ShortcutTarget: RT-Updater.lnk -> C:\Ross-Tech\VCDS\VCDS.EXE (Ross-Tech, LLC)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
URLSearchHook: HKLM-x32 - TrustWorthy Toolbar - {8480b7b1-a45c-4feb-8653-60f834f7ca4b} - C:\Users\Mathew\AppData\LocalLow\TrustWorthy\prxtbTru0.dll (ClientConnect Ltd.)
URLSearchHook: HKCU - (No Name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - No File
URLSearchHook: HKCU - TrustWorthy Toolbar - {8480b7b1-a45c-4feb-8653-60f834f7ca4b} - C:\Users\Mathew\AppData\LocalLow\TrustWorthy\prxtbTru0.dll (ClientConnect Ltd.)
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {67345F7F-3F0D-42C6-B9CE-9664F9BA6232} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKCU - DefaultScope {67345F7F-3F0D-42C6-B9CE-9664F9BA6232} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3309758&CUI=UN25067616984180208&UM=2
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3309758&CUI=UN25067616984180208&UM=2&UP=
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKCU - {67345F7F-3F0D-42C6-B9CE-9664F9BA6232} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3309758&CUI=UN25067616984180208&UM=2
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
BHO: Bing Bar Helper - {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll (Microsoft Corporation.)
BHO: TrueSuite Website Log On - {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\x64\IEBHO.dll (HP)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll No File
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Bing Bar Helper - {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
BHO-x32: PodcastBHO Class - {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} - C:\Program Files (x86)\Common Files\doubleTwist\IEPodcastPlugin.dll (doubleTwist Corporation)
BHO-x32: TrustWorthy Toolbar - {8480b7b1-a45c-4feb-8653-60f834f7ca4b} - C:\Users\Mathew\AppData\LocalLow\TrustWorthy\prxtbTru0.dll (ClientConnect Ltd.)
BHO-x32: TrueSuite Website Log On - {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll (HP)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - TrustWorthy Toolbar - {8480b7b1-a45c-4feb-8653-60f834f7ca4b} - C:\Users\Mathew\AppData\LocalLow\TrustWorthy\prxtbTru0.dll (ClientConnect Ltd.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM-x32 - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKCU - No Name - {8480B7B1-A45C-4FEB-8653-60F834F7CA4B} -  No File
Winsock: Catalog5 10 C:\Program Files (x86)\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll [24320] (National Instruments Corporation)
Winsock: Catalog5-x64 10 C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll [26368] (National Instruments Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

FireFox:
========
FF ProfilePath: C:\Users\Mathew\AppData\Roaming\Mozilla\Firefox\Profiles\kfh0227w.default
FF DefaultSearchEngine: TrustWorthy Customized Web Search
FF SelectedSearchEngine: Conduit Search
FF Homepage: hxxp://search.conduit.com/?ctid=CT3309758&octid=CT3309758&SearchSource=61&CUI=UN37540639772533349&UM=2&UP=SP32B87CE8-2124-41E3-BC42-834B6641F000&SSPV=
FF Keyword.URL: hxxp://search.conduit.com/ResultsExt.aspx?SSPV=&ctid=CT3309758&SearchSource=2&CUI=UN37540639772533349&UM=2&q=
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @doubletwist.com/NPPodcast - C:\Program Files (x86)\Common Files\doubleTwist\NPPodcast.dll (doubleTwist Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nplv2011win32.dll (National Instruments)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nplv2012win32.dll (National Instruments)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPLV82Win32.dll (National Instruments)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nplv86win32.dll (National Instruments)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nplv90win32.dll (National Instruments)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Mathew\AppData\Roaming\Mozilla\Firefox\Profiles\kfh0227w.default\searchplugins\conduit-search.xml
FF SearchPlugin: C:\Users\Mathew\AppData\Roaming\Mozilla\Firefox\Profiles\kfh0227w.default\searchplugins\conduit.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\chambers-en-GB.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-en-GB.xml
FF Extension: LogMeIn, Inc. Remote Access Plugin - C:\Users\Mathew\AppData\Roaming\Mozilla\Firefox\Profiles\kfh0227w.default\Extensions\LogMeInClient@logmein.com [2013-10-24]
FF Extension: No Name - C:\Users\Mathew\AppData\Roaming\Mozilla\Firefox\Profiles\kfh0227w.default\Extensions\staged [2013-11-14]
FF Extension: TrustWorthy  - C:\Users\Mathew\AppData\Roaming\Mozilla\Firefox\Profiles\kfh0227w.default\Extensions\{8480b7b1-a45c-4feb-8653-60f834f7ca4b} [2013-10-24]
FF Extension: TrueSuite Website Logon - C:\Program Files (x86)\Mozilla Firefox\extensions\websitelogon@truesuite.com [2011-05-12]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} [2011-05-12]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR HomePage: http:\/\/search.conduit.com\/?ctid=CT3309758&SearchSource=48&CUI=UN37918553521353650&UM=2&UP=SP32B87CE8-2124-41E3-BC42-834B6641F000&SSPV=
CHR RestoreOnStartup: "http:\/\/search.conduit.com\/?ctid=CT3309758&SearchSource=48&CUI=UN37918553521353650&UM=2&UP=SP32B87CE8-2124-41E3-BC42-834B6641F000&SSPV="
CHR Extension: (Entanglement) - C:\Users\Mathew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2011-05-11]
CHR Extension: (No Name) - C:\Users\Mathew\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkjaldeegndmngnahlmdbfnejdobkmil [2013-08-14]
CHR Extension: (Poppit) - C:\Users\Mathew\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2011-05-11]
CHR Extension: (Website Logon) - C:\Users\Mathew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhfpefkeidlhbjljfdojcnngjbddgein [2011-05-10]
CHR HKCU\...\Chrome\Extension: [dkjaldeegndmngnahlmdbfnejdobkmil] - C:\Users\Mathew\AppData\Local\CRE\dkjaldeegndmngnahlmdbfnejdobkmil.crx [2013-08-07]
CHR HKLM-x32\...\Chrome\Extension: [dkjaldeegndmngnahlmdbfnejdobkmil] - C:\Users\Mathew\AppData\Local\CRE\dkjaldeegndmngnahlmdbfnejdobkmil.crx [2013-08-07]
CHR HKLM-x32\...\Chrome\Extension: [ippenodjaoidmkkfdlmdhofiebnpjddb] - C:\Program Files (x86)\BrowseSmart\ippenodjaoidmkkfdlmdhofiebnpjddb.crx [2013-08-07]
CHR HKLM-x32\...\Chrome\Extension: [nhfpefkeidlhbjljfdojcnngjbddgein] - C:\Program Files (x86)\HP SimplePass 2011\tschrome.crx [2010-11-17]

==================== Services (Whitelisted) =================

S3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited)
R2 LkCitadelServer; C:\Windows\SysWOW64\lkcitdl.exe [695136 2011-05-06] (National Instruments, Inc.)
R2 lkClassAds; C:\Windows\SysWOW64\lkads.exe [50328 2012-06-05] (National Instruments Corporation)
R2 lkTimeSync; C:\Windows\SysWOW64\lktsrv.exe [60568 2012-06-05] (National Instruments Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
R2 mxssvr; C:\Program Files (x86)\National Instruments\MAX\nimxs.exe [51360 2012-05-22] (National Instruments Corporation)
R2 NIApplicationWebServer; C:\Program Files (x86)\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [53960 2012-05-22] (National Instruments Corporation)
S4 NIApplicationWebServer64; C:\Program Files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [76488 2012-05-22] (National Instruments Corporation)
R2 NIDomainService; C:\Program Files (x86)\National Instruments\Shared\Security\nidmsrv.exe [370328 2012-06-05] (National Instruments Corporation)
R2 niLXIDiscovery; C:\Program Files (x86)\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [236768 2012-06-06] (National Instruments Corporation)
R2 nimDNSResponder; C:\Program Files (x86)\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [258776 2012-05-31] (National Instruments Corporation)
R2 NINetworkDiscovery; C:\Program Files (x86)\National Instruments\Shared\NI Network Discovery\niDiscSvc.exe [169192 2012-06-05] (National Instruments Corporation)
R2 nipxirmu; C:\Windows\SysWOW64\nipxism.exe [18584 2012-03-14] (National Instruments Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
R2 niSvcLoc; C:\Program Files (x86)\National Instruments\Shared\NI WebServer\SystemWebServer.exe [53952 2012-05-22] (National Instruments Corporation)
S4 SwiCardDetectSvc; C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe [308592 2010-09-13] (Sierra Wireless, Inc.)

==================== Drivers (Whitelisted) ====================

R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [41704 2012-08-01] (AnchorFree Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
S3 ni1006k; C:\Windows\system32\drivers\ni1006k.sys [30800 2012-03-06] (National Instruments Corporation)
S3 ni1045k; C:\Windows\system32\drivers\ni1045kl.sys [12952 2012-03-06] (National Instruments Corporation)
S3 ni1065k; C:\Windows\system32\drivers\ni1065k.sys [27288 2012-03-06] (National Instruments Corporation)
S3 nidimk; C:\Windows\system32\drivers\nidimkl.sys [12968 2012-01-27] (National Instruments Corporation)
R3 nimdbgk; C:\Windows\system32\drivers\nimdbgkl.sys [12960 2011-07-01] (National Instruments Corporation)
R3 nimxdfk; C:\Windows\system32\drivers\nimxdfkl.sys [12952 2011-07-01] (National Instruments Corporation)
S3 niorbk; C:\Windows\system32\drivers\niorbkl.sys [12952 2011-07-01] (National Instruments Corporation)
S3 nipalfwedl; C:\Windows\System32\drivers\nipalfwedl.sys [12520 2012-06-06] (National Instruments Corporation)
R0 NIPALK; C:\Windows\System32\drivers\nipalk.sys [914624 2012-06-06] (National Instruments Corporation)
S3 nipalusbedl; C:\Windows\System32\drivers\nipalusbedl.sys [12520 2012-06-06] (National Instruments Corporation)
R0 nipbcfk; C:\Windows\System32\drivers\nipbcfk.sys [16984 2012-01-12] (National Instruments Corporation)
R0 nipxibaf; C:\Windows\System32\drivers\nipxibaf.sys [84688 2012-03-06] (National Instruments Corporation)
R0 nipxibrc; C:\Windows\System32\drivers\nipxibrc.sys [60640 2012-04-16] (National Instruments Corporation)
S3 nipxigpk; C:\Windows\system32\drivers\nipxigpk.sys [22680 2011-08-09] (National Instruments Corporation)
R2 nipxirmk; C:\Windows\system32\drivers\nipxirmkl.sys [12952 2012-03-14] (National Instruments Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 NiViPciK; C:\Windows\System32\drivers\NiViPciKl.sys [13008 2012-06-06] (National Instruments Corporation)
R2 NiViPxiK; C:\Windows\System32\drivers\NiViPxiKl.sys [13008 2012-06-06] (National Instruments Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
S3 RT-USB; C:\Windows\System32\drivers\RT-USB64.SYS [70984 2010-06-16] (Ross-Tech LLC)
R3 SCTDriverV1011; C:\Windows\System32\drivers\SCTDriverV1011.sys [261712 2010-11-09] (Jungo)
S3 swiwdmbus; C:\Windows\System32\DRIVERS\swiwdmbusx64.sys [102656 2010-06-21] (Sierra Wireless Inc.)
S3 SWNC8U80; C:\Windows\System32\DRIVERS\swnc8u80.sys [227840 2009-03-31] (Sierra Wireless Inc.)
S3 SWNC8UA3; C:\Windows\System32\DRIVERS\swnc8ua3.sys [240640 2010-06-21] (Sierra Wireless Inc.)
S3 SWUMX80; C:\Windows\System32\DRIVERS\swumx80.sys [198528 2009-05-04] (Sierra Wireless Inc.)
S3 SWUMXA3; C:\Windows\System32\DRIVERS\swumxa3.sys [210944 2010-06-21] (Sierra Wireless Inc.)
R1 wStLib64; C:\Windows\System32\drivers\wStLib64.sys [61120 2014-03-19] (StdLib)
S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [X]
S3 swmsflt; system32\DRIVERS\swmsflt.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-16 13:04 - 2014-04-16 13:04 - 00025885 _____ () C:\Users\Mathew\Desktop\FRST.txt
2014-04-16 13:03 - 2014-04-16 13:04 - 00000000 ____D () C:\FRST
2014-04-16 13:03 - 2014-04-16 13:02 - 02158592 _____ (Farbar) C:\Users\Mathew\Desktop\FRST64.exe
2014-04-09 16:18 - 2014-04-09 16:14 - 00688992 ____R (Swearware) C:\Users\Mathew\Desktop\dds.com
2014-04-08 23:18 - 2014-04-08 23:18 - 00000000 ____H () C:\Users\Mathew\BIT98D6.tmp
2014-04-08 23:06 - 2014-04-08 23:06 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\uSeRiNiT64-32076.exe
2014-04-08 22:52 - 2014-03-30 18:16 - 23134208 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-08 22:52 - 2014-03-30 18:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-08 22:52 - 2014-03-30 17:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-08 22:52 - 2014-03-30 16:57 - 17073152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-08 22:51 - 2014-03-04 02:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-04-08 22:51 - 2014-03-04 02:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2014-04-08 22:51 - 2014-03-04 02:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2014-04-08 22:51 - 2014-03-04 02:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2014-04-08 22:51 - 2014-03-04 02:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2014-04-08 22:51 - 2014-03-04 02:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2014-04-08 22:51 - 2014-03-04 02:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-04-08 22:51 - 2014-03-04 02:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2014-04-08 22:51 - 2014-03-04 02:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2014-04-08 22:51 - 2014-03-04 01:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2014-04-08 22:51 - 2014-03-04 01:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2014-04-08 22:51 - 2014-02-03 19:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
2014-04-08 22:51 - 2014-02-03 19:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2014-04-08 22:51 - 2014-02-03 19:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys
2014-04-08 22:51 - 2014-02-03 19:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll
2014-04-08 22:51 - 2014-02-03 19:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll
2014-04-08 22:51 - 2014-01-23 19:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2014-04-08 22:23 - 2014-04-08 22:23 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\uSeRiNiT.exe
2014-04-08 22:23 - 2014-04-08 22:23 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\uSeRiNiT64.exe
2014-04-08 20:44 - 2014-04-08 20:44 - 00001113 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-08 20:44 - 2014-04-08 20:44 - 00000000 ____D () C:\Users\Mathew\AppData\Roaming\Malwarebytes
2014-04-08 20:44 - 2014-04-08 20:44 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-04-08 20:44 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-08 20:14 - 2014-04-08 20:42 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-04-08 20:14 - 2014-04-08 20:14 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-08 20:12 - 2014-04-08 20:42 - 00000000 ____D () C:\Users\Mathew\Desktop\mbar
2014-04-08 20:12 - 2014-04-08 20:12 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-08 19:52 - 2014-04-08 19:52 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\rkill64-26761.scr
2014-04-08 16:23 - 2014-04-08 19:51 - 00000000 ____D () C:\de6ae713d9ef54ab7075b2bec133e2
2014-04-08 15:48 - 2014-04-08 15:48 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-04-08 15:35 - 2014-04-08 15:35 - 04139872 _____ (Kaspersky Lab ZAO) C:\Users\Mathew\Desktop\tdsskiller.exe
2014-04-08 13:22 - 2014-04-08 13:22 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\rkill64-15850.scr
2014-04-08 11:06 - 2014-04-08 11:06 - 00000000 ____D () C:\Users\Mathew\Documents\IT Files
2014-04-08 11:05 - 2014-04-08 23:11 - 00001420 _____ () C:\Users\Mathew\Desktop\Rkill.txt
2014-04-08 11:05 - 2014-04-08 11:05 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\rkill.scr
2014-04-08 11:05 - 2014-04-08 11:05 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\rkill64.scr
2014-04-01 22:30 - 2014-04-01 22:30 - 00330133 _____ () C:\Users\Mathew\Downloads\lb7_182868_BuiltTrans new.ctz
2014-04-01 15:32 - 2014-04-01 15:32 - 01483622 _____ () C:\Users\Mathew\Downloads\IMG_0192.MOV
2014-04-01 15:06 - 2014-04-01 15:06 - 00262144 _____ () C:\Windows\Minidump\040114-69389-01.dmp
2014-03-19 11:15 - 2014-03-19 11:15 - 00061120 _____ (StdLib) C:\Windows\system32\Drivers\wStLib64.sys

==================== One Month Modified Files and Folders =======

2098-01-01 01:00 - 2012-03-07 22:06 - 93517770 _____ () C:\Users\Mathew\Documents\snowmobiling 3-2012 005.AVI
2098-01-01 01:00 - 2012-03-07 22:06 - 92161566 _____ () C:\Users\Mathew\Documents\snowmobiling 3-2012 008.AVI
2098-01-01 01:00 - 2012-03-07 22:06 - 41138394 _____ () C:\Users\Mathew\Documents\snowmobiling 3-2012 007.AVI
2098-01-01 01:00 - 2012-03-07 22:06 - 32904294 _____ () C:\Users\Mathew\Documents\snowmobiling 3-2012 001.AVI
2098-01-01 01:00 - 2012-03-07 22:06 - 32116832 _____ () C:\Users\Mathew\Documents\snowmobiling 3-2012 009.AVI
2098-01-01 01:00 - 2012-03-07 22:06 - 26766668 _____ () C:\Users\Mathew\Documents\snowmobiling 3-2012 010.AVI
2098-01-01 01:00 - 2012-03-07 22:06 - 146357716 _____ () C:\Users\Mathew\Documents\snowmobiling 3-2012 006.AVI
2014-04-16 13:04 - 2014-04-16 13:04 - 00025885 _____ () C:\Users\Mathew\Desktop\FRST.txt
2014-04-16 13:04 - 2014-04-16 13:03 - 00000000 ____D () C:\FRST
2014-04-16 13:02 - 2014-04-16 13:03 - 02158592 _____ (Farbar) C:\Users\Mathew\Desktop\FRST64.exe
2014-04-16 13:01 - 2009-07-13 22:13 - 00783400 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-16 12:59 - 2011-04-24 15:59 - 01053864 _____ () C:\Windows\WindowsUpdate.log
2014-04-16 12:59 - 2009-07-13 21:51 - 00102690 _____ () C:\Windows\setupact.log
2014-04-16 12:57 - 2011-05-10 04:57 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-16 12:57 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-09 16:43 - 2011-05-10 04:57 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-09 16:29 - 2013-12-16 18:26 - 00000296 _____ () C:\Windows\Tasks\UpdaterEX.job
2014-04-09 16:18 - 2009-07-13 21:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-09 16:18 - 2009-07-13 21:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-09 16:14 - 2014-04-09 16:18 - 00688992 ____R (Swearware) C:\Users\Mathew\Desktop\dds.com
2014-04-09 16:11 - 2014-01-20 17:22 - 00000336 _____ () C:\Windows\Tasks\HPCeeScheduleForMathew.job
2014-04-08 23:18 - 2014-04-08 23:18 - 00000000 ____H () C:\Users\Mathew\BIT98D6.tmp
2014-04-08 23:18 - 2014-01-20 17:22 - 00003192 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForMathew
2014-04-08 23:18 - 2011-05-10 04:23 - 00000000 ____D () C:\Users\Mathew
2014-04-08 23:11 - 2014-04-08 11:05 - 00001420 _____ () C:\Users\Mathew\Desktop\Rkill.txt
2014-04-08 23:06 - 2014-04-08 23:06 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\uSeRiNiT64-32076.exe
2014-04-08 22:43 - 2012-05-11 08:29 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-04-08 22:43 - 2011-12-29 18:54 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-04-08 22:43 - 2011-12-29 18:53 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-04-08 22:23 - 2014-04-08 22:23 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\uSeRiNiT.exe
2014-04-08 22:23 - 2014-04-08 22:23 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\uSeRiNiT64.exe
2014-04-08 22:14 - 2011-04-24 16:22 - 00421988 _____ () C:\Windows\PFRO.log
2014-04-08 22:12 - 2013-08-14 15:16 - 00000000 ____D () C:\Program Files (x86)\TrustWorthy
2014-04-08 20:44 - 2014-04-08 20:44 - 00001113 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-08 20:44 - 2014-04-08 20:44 - 00000000 ____D () C:\Users\Mathew\AppData\Roaming\Malwarebytes
2014-04-08 20:44 - 2014-04-08 20:44 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-04-08 20:42 - 2014-04-08 20:14 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-04-08 20:42 - 2014-04-08 20:12 - 00000000 ____D () C:\Users\Mathew\Desktop\mbar
2014-04-08 20:14 - 2014-04-08 20:14 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-08 20:12 - 2014-04-08 20:12 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-08 19:52 - 2014-04-08 19:52 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\rkill64-26761.scr
2014-04-08 19:51 - 2014-04-08 16:23 - 00000000 ____D () C:\de6ae713d9ef54ab7075b2bec133e2
2014-04-08 16:20 - 2013-09-10 13:52 - 00000000 ____D () C:\Windows\system32\MRT
2014-04-08 15:48 - 2014-04-08 15:48 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-04-08 15:35 - 2014-04-08 15:35 - 04139872 _____ (Kaspersky Lab ZAO) C:\Users\Mathew\Desktop\tdsskiller.exe
2014-04-08 13:22 - 2014-04-08 13:22 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\rkill64-15850.scr
2014-04-08 11:06 - 2014-04-08 11:06 - 00000000 ____D () C:\Users\Mathew\Documents\IT Files
2014-04-08 11:05 - 2014-04-08 11:05 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\rkill.scr
2014-04-08 11:05 - 2014-04-08 11:05 - 01057016 _____ (Bleeping Computer, LLC) C:\Users\Mathew\Desktop\rkill64.scr
2014-04-08 09:16 - 2009-07-13 19:34 - 00000603 _____ () C:\Windows\win.ini
2014-04-04 20:17 - 2011-05-27 01:53 - 00000627 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-04-04 19:37 - 2011-05-10 05:21 - 00000000 ____D () C:\Users\Mathew\AppData\Local\CrashDumps
2014-04-02 18:39 - 2011-05-10 04:30 - 00000000 ___RD () C:\Users\Mathew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-04-02 09:09 - 2013-08-14 15:16 - 00000000 ____D () C:\Users\Mathew\AppData\Local\Conduit
2014-04-01 22:30 - 2014-04-01 22:30 - 00330133 _____ () C:\Users\Mathew\Downloads\lb7_182868_BuiltTrans new.ctz
2014-04-01 16:55 - 2009-07-13 22:08 - 00032580 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-01 15:32 - 2014-04-01 15:32 - 01483622 _____ () C:\Users\Mathew\Downloads\IMG_0192.MOV
2014-04-01 15:06 - 2014-04-01 15:06 - 00262144 _____ () C:\Windows\Minidump\040114-69389-01.dmp
2014-04-01 15:06 - 2011-11-28 22:39 - 491150641 _____ () C:\Windows\MEMORY.DMP
2014-04-01 15:06 - 2011-11-28 22:39 - 00000000 ____D () C:\Windows\Minidump
2014-04-01 12:37 - 2011-05-10 04:57 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-04-01 12:37 - 2011-05-10 04:57 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-04-01 12:34 - 2011-11-26 21:58 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-03-31 03:51 - 2013-09-10 13:52 - 90655440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-30 18:16 - 2014-04-08 22:52 - 23134208 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-30 18:13 - 2014-04-08 22:52 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-30 17:13 - 2014-04-08 22:52 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-30 16:57 - 2014-04-08 22:52 - 17073152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-19 11:15 - 2014-03-19 11:15 - 00061120 _____ (StdLib) C:\Windows\system32\Drivers\wStLib64.sys

Some content of TEMP:
====================
C:\Users\Mathew\AppData\Local\Temp\7z.dll
C:\Users\Mathew\AppData\Local\Temp\7z.exe
C:\Users\Mathew\AppData\Local\Temp\ATTPreSetup.exe
C:\Users\Mathew\AppData\Local\Temp\ATT_Communication_Manager.exe
C:\Users\Mathew\AppData\Local\Temp\BackupSetup.exe
C:\Users\Mathew\AppData\Local\Temp\conduitinstaller.exe
C:\Users\Mathew\AppData\Local\Temp\contentDATs.exe
C:\Users\Mathew\AppData\Local\Temp\dtkill.exe
C:\Users\Mathew\AppData\Local\Temp\d_lg2mll.dll
C:\Users\Mathew\AppData\Local\Temp\Executor.exe
C:\Users\Mathew\AppData\Local\Temp\Extract.exe
C:\Users\Mathew\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe
C:\Users\Mathew\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Mathew\AppData\Local\Temp\InstallAsk.exe
C:\Users\Mathew\AppData\Local\Temp\InstallNorton.exe
C:\Users\Mathew\AppData\Local\Temp\jre-6u25-windows-i586-iftw-rv.exe
C:\Users\Mathew\AppData\Local\Temp\Resource.exe
C:\Users\Mathew\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Mathew\AppData\Local\Temp\Setup.exe
C:\Users\Mathew\AppData\Local\Temp\sp52110.exe.exe
C:\Users\Mathew\AppData\Local\Temp\SP52500.exe
C:\Users\Mathew\AppData\Local\Temp\SP52502.exe
C:\Users\Mathew\AppData\Local\Temp\SP52503.exe
C:\Users\Mathew\AppData\Local\Temp\SP52615.exe
C:\Users\Mathew\AppData\Local\Temp\SP52956.exe
C:\Users\Mathew\AppData\Local\Temp\SP53133.exe
C:\Users\Mathew\AppData\Local\Temp\SP53462.exe
C:\Users\Mathew\AppData\Local\Temp\SP53463.exe
C:\Users\Mathew\AppData\Local\Temp\SP54024.exe
C:\Users\Mathew\AppData\Local\Temp\sp54373.exe
C:\Users\Mathew\AppData\Local\Temp\sp54620.exe
C:\Users\Mathew\AppData\Local\Temp\SP54714.exe
C:\Users\Mathew\AppData\Local\Temp\SP55094.exe
C:\Users\Mathew\AppData\Local\Temp\SP55101.exe
C:\Users\Mathew\AppData\Local\Temp\SP55102.exe
C:\Users\Mathew\AppData\Local\Temp\SP55104.exe
C:\Users\Mathew\AppData\Local\Temp\SP55107.exe
C:\Users\Mathew\AppData\Local\Temp\SP55151.exe
C:\Users\Mathew\AppData\Local\Temp\SP55152.exe
C:\Users\Mathew\AppData\Local\Temp\sp58915.exe
C:\Users\Mathew\AppData\Local\Temp\sp64126.exe
C:\Users\Mathew\AppData\Local\Temp\SymcPCCUInstaller.exe
C:\Users\Mathew\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Mathew\AppData\Local\Temp\UninstallHPTCA.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-04-01 13:09

==================== End Of Log ============================


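The FRST log above is the kind of output a helper reads by hand. As an added example for this thread (not FRST's own code and not anything the helper used), here is a small Python triage script that re-parses a few of the posted driver and file lines and flags entries worth a second look. Its three heuristics (service entries with a missing binary, recently created non-Microsoft kernel drivers, timestamps later than the log date) are this example's own assumptions, and a flag means "review this", not "this is malicious".

```python
"""Triage helper for lines from a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread; it is not part of FRST, and the heuristics are
an assumption of this example, not something the tool or the helper applies.
It parses driver/service lines and "One Month Created/Modified" file lines and
flags for human review:
  * service entries whose binary is missing ("[X]" in the log),
  * kernel drivers (*.sys) created or changed recently by a non-Microsoft vendor,
  * entries carrying a timestamp later than the day the log was taken.
"""
import re
from datetime import date, datetime

# Service/driver line, e.g.
#   R1 wStLib64; C:\Windows\System32\drivers\wStLib64.sys [61120 2014-03-19] (StdLib)
#   S3 swmsflt; system32\DRIVERS\swmsflt.sys [X]          <- binary not found
DRIVER_RE = re.compile(
    r"^(?P<start>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?:(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})|X)\]"
    r"(?: \((?P<vendor>[^)]*)\))?$"
)
# File line: two timestamps (creation and modification; which comes first
# depends on the section), size, attribute flags, vendor from version info, path.
FILE_RE = re.compile(
    r"^(?P<date1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<date2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<vendor>[^)]*)\) (?P<path>.+)$"
)

# Lines copied from the log posted in this thread; that log was taken 2014-04-16.
SAMPLE_LINES = [
    r"R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [41704 2012-08-01] (AnchorFree Inc.)",
    r"R1 wStLib64; C:\Windows\System32\drivers\wStLib64.sys [61120 2014-03-19] (StdLib)",
    r"S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [X]",
    r"S3 swmsflt; system32\DRIVERS\swmsflt.sys [X]",
    r"2014-04-08 22:51 - 2014-01-23 19:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys",
    r"2014-04-08 20:44 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys",
    r"2098-01-01 01:00 - 2012-03-07 22:06 - 93517770 _____ () C:\Users\Mathew\Documents\snowmobiling 3-2012 005.AVI",
    r"2014-04-16 13:04 - 2014-04-16 13:04 - 00025885 _____ () C:\Users\Mathew\Desktop\FRST.txt",
]
LOG_DATE = date(2014, 4, 16)


def parse_line(line):
    """Return a dict describing a driver or file line, or None for other lines."""
    m = DRIVER_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "driver"
        rec["missing"] = rec["size"] is None          # "[X]" entry: no size/date
        rec["stamps"] = [] if rec["missing"] else [
            datetime.strptime(rec["date"], "%Y-%m-%d").date()]
        return rec
    m = FILE_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "file"
        rec["missing"] = False
        rec["stamps"] = [datetime.strptime(rec[k], "%Y-%m-%d %H:%M").date()
                         for k in ("date1", "date2")]
        return rec
    return None


def triage(lines, log_date, recent_days=31):
    """Return (reason, path) pairs for lines that deserve a closer look."""
    findings = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        path, vendor = rec["path"], (rec["vendor"] or "").lower()
        if rec["missing"]:
            findings.append(("service entry with missing binary", path))
            continue
        if any(s > log_date for s in rec["stamps"]):
            findings.append(("timestamp after the log date", path))
        recent = any(0 <= (log_date - s).days <= recent_days for s in rec["stamps"])
        if path.lower().endswith(".sys") and "microsoft" not in vendor and recent:
            findings.append(("recent non-Microsoft kernel driver", path))
    return findings


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LINES, LOG_DATE):
        print(f"{reason:40} {path}")
```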

#5 CatByte (Malware Response Team)

Posted 16 April 2014 - 03:43 PM

Please do the following:

 

Download attached fixlist.txt file and save it to the Desktop.

 

Attached File: FixList.txt (5.16KB, 3 downloads)

 

NOTE. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

 

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 9001M (Topic Starter)

Posted 16 April 2014 - 03:57 PM

Fixlog.txt is attached



#7 CatByte (Malware Response Team)

Posted 16 April 2014 - 04:09 PM

Please run the following:

 

Refer to the ComboFix User's Guide

 

  • Download ComboFix from the following location: Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here

  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

 

NOTE:  If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.




#8 9001M (Topic Starter)

Posted 16 April 2014 - 04:29 PM

Hmmm...  I disabled MSE and launched ComboFix.  It went as far as finishing the registry backup, scrolled a bunch of green text in its little window, got an error tone and then the ComboFix window closed.  None of the remaining steps were completed, no log file produced...

 

What now?

 

Steve



#9 CatByte (Malware Response Team)

Posted 16 April 2014 - 05:44 PM

Hello Steve,

 

Try booting into Safe Mode and running it again.

 

How to boot to safe mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu appears > arrow up to Safe Mode with networking from the list > press enter.

(On some systems, this may be the F5 key, so try that if F8 doesn't work.)

Login with your usual account.




#10 9001M (Topic Starter)

Posted 16 April 2014 - 06:11 PM

Unfortunately, same result.  Tried it twice, rebooting in between. 

 

It finishes the reg backup, the progress bar at the top of the window works its way to the end and the window closes - no other action, no log file...



#11 CatByte (Malware Response Team)

Posted 16 April 2014 - 06:22 PM

Please run the following:

 

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

 

(MBAR tutorial can be found here: http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit)

 

Please download Malwarebytes Anti-Rootkit (MBAR) from here http://www.malwarebytes.org/products/mbar/ and save it to your desktop.

Direct link to the file: http://downloads.malwarebytes.org/file/mbar

• Be sure to print out and follow the instructions provided on that same page.
• Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

• Double-click on the MBAR file you downloaded.
• Approve the UAC prompt in Vista and newer operating systems.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
• By default, this will be on your desktop, though you can choose another location if you wish. We advise using the default location for simplicity.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click 'Next' if you agree.
• On the Update Database screen, click on the 'Update' button.
• Once you see 'Success: Database was successfully updated' click on 'Next'.
• Click the 'Scan' button.

A. With some infections, you may see two message boxes.
  1. 'Could not load protection driver'. Click 'OK'.
  2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

 

~~~~~~~~~~~~~~~~~~~~~~~

Note:  <<<< this is an important step >>>>

fixdamage - repair damaged services

 

If no detections occurred during the MBAR scan, and/or if the issue with Website Blocking remains, please do this next:

Open the Malwarebytes Anti-Rootkit folder.

Locate fixdamage.exe within the \mbar\Plugins folder and double click on it. In Windows Vista and Windows 7, approve the UAC prompt.

fixdamage.exe will open a command window.

You will be asked if you want to continue. Type y if you do.

A reboot request may be made after the fix. Type y in the command prompt, and allow the computer to be rebooted.

Even if a reboot request was not made after running FixDamage.exe please restart the computer.

 

Once back in Windows, please send the following logs as attachments to your reply. These logs are located in the Malwarebytes Anti-Rootkit folder.

 

mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)

system-log.txt




#12 9001M (Topic Starter)

Posted 16 April 2014 - 07:21 PM

Ok, MBAR successfully completed its scan of the system and found only one instance of "malware" - the uSeRiNiT.exe version of RKill I had sitting on the desktop.

 

Regardless, I went ahead and hit Cleanup, which it did.  And now, it wants to reboot.

 

But since I believe this qualifies for your instruction near the end where you say "If no detections occurred during the MBAR scan", I'm wondering if you would rather I say no to the reboot and do the fixdamage.exe routine you described.

 

So I'm leaving it in that state until I hear back from you.

 

Thanks

 

Steve



#13 CatByte (Malware Response Team)

Posted 16 April 2014 - 07:23 PM

Yes, run fixdamage, then reboot the computer.

 

See if ComboFix will now run.




#14 9001M (Topic Starter)

Posted 16 April 2014 - 08:13 PM

Ok, I've attached the MBAR logs.

 

Unfortunately, ComboFix still bombs at the same spot...



#15 9001M (Topic Starter)

Posted 16 April 2014 - 08:54 PM

Don't know if this is any help, but I noticed the disk seemed to be pretty active just sitting there idle.  Checked Resource Monitor and am seeing "pev.3xE" doing most of the thrashing.

 

Do you recognize that image name?


