
ZeroAccess Removal Help Needed


17 replies to this topic

#1 i.hate.open.cloud (Members, 68 posts)

Posted 20 May 2014 - 09:28 PM

Hi. I was running a routine scan with MalwareBytes and received notification that it had picked up some ZeroAccess Trojan files. I cleared them from the quarantine, and subsequent full scans with MBAM and Microsoft Security Essentials come up clean, but I know that this Trojan is hard to remove and I need some help with fully cleaning my system. MBAM required a restart to complete the quarantine process, and upon restart I was informed that Windows Firewall was turned off, which is unusual.  

 

Two other issues that are probably unrelated but I feel I should mention anyway: at startup, I am getting a Windows notification saying “There is a file or folder on your computer called "C:\Program" which could cause certain applications to not function correctly. Renaming it to "C:\Program1" would solve this problem. Would you like to rename it now?" and the options are to Rename or Ignore. It appears that this is related to a problem caused by an update to Foxit Reader, though the problem persists even after uninstalling Foxit. Probably not a virus thing, but full disclosure and all. I started a separate BC thread on it here: http://www.bleepingcomputer.com/forums/t/534482/file-name-warning

 

Another oddity that just happened is that I was looking at the Microsoft support site and a couple flickering horizontal lines appeared on the screen. They stayed anchored to specific places on the site and scrolled accordingly, but were visible in the browser’s title bar after closing that tab. I put the computer to sleep and that seemed to resolve the problem, but this is concerning, as that’s never happened before. Again, probably not related, but I’m including it just in case.

 

Anyway, I’m running Windows 7, 32-bit on a tablet. Here are the requested DDS logs, followed by the initial MBAM Trojan detection report:

---------

DDS.txt:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.55.2
Run by GWNet at 21:17:11 on 2014-05-20
#Option MBR scan  is disabled.
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1642.627 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\USBKBTool\SnxUsbDockingKB2267Srv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Acer\Device Control\DeviceCtrlSvc.exe
C:\Program Files\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\NTI\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
C:\Program Files\Acer\Device Control\ADevCtrl.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files\HIDMon\HIDMON.exe
C:\Program Files\Acer\Auto Screen Rotation Blocker\AutoScreenRotationBlocker.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware_main.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Acer\Device Control\AdWmiSvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_13_0_0_214_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mDefault_Page_URL = hxxp://acer.msn.com
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Speckie: {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\users\gwnet\appdata\roaming\speckie\bin32\Speckie32.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - c:\program files\wot\WOT.dll
TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - c:\program files\wot\WOT.dll
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [RtHDVBg] c:\program files\realtek\audio\hda\RtHDVBg.exe /FORPCEE4
mRun: [ADevCtrl] "c:\program files\acer\device control\ADevCtrl.exe" Start_Run
mRun: [BackupManagerTray] "c:\program files\nti\acer backup manager\BackupManagerTray.exe" -h -k
mRun: [Power Management] c:\program files\acer\acer epower management\ePowerTray.exe
mRun: [xLaunchHIDMon] c:\program files\hidmon\HIDMon.exe
mRun: [AutoScreenRotationBlocker] "c:\program files\acer\auto screen rotation blocker\AutoScreenRotationBlocker.exe" Start_Run
mRun: [MICSetting] c:\oem\mic_bf_setting\runcmd.exe c:\oem\mic_bf_setting\Set.cmd
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HOSTS Anti-Adware_PUPs] c:\program files\hosts_anti_adwares_pups\HOSTS_Anti-Adware_main.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: EnableSecureUIAPath = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {E6846530-6088-4AA3-932F-C6245CE59A4C} - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\users\gwnet\appdata\roaming\speckie\bin32\Speckie32.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 192.168.15.1
TCP: Interfaces\{38D5825C-83CE-43BC-A62D-16D5952E4B7A} : DHCPNameServer = 192.168.15.1
TCP: Interfaces\{38D5825C-83CE-43BC-A62D-16D5952E4B7A}\2554745535E4544575946494 : DHCPNameServer = 199.227.1.130 199.227.1.129
TCP: Interfaces\{38D5825C-83CE-43BC-A62D-16D5952E4B7A}\34F657274797162746D27457563747 : DHCPNameServer = 12.127.17.71 12.127.17.72
TCP: Interfaces\{38D5825C-83CE-43BC-A62D-16D5952E4B7A}\443594D27457563747 : DHCPNameServer = 10.87.10.10
TCP: Interfaces\{38D5825C-83CE-43BC-A62D-16D5952E4B7A}\455727E65627D27657563747 : DHCPNameServer = 172.26.236.40
TCP: Interfaces\{A6344F12-C04F-4388-8E76-5CF5DADD096D} : DHCPNameServer = 192.168.236.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
SSODL: WebCheck - <orphaned>
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-2-19 13560]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R1 BST;Bosch Sensortec BMA150 Driver;c:\windows\system32\drivers\bma150.sys [2011-3-8 15936]
R1 MpKsl59063ffd;MpKsl59063ffd;c:\programdata\microsoft\microsoft antimalware\definition updates\{4a6b038a-18fa-41e3-9ad3-5e681e3b09d2}\MpKsl59063ffd.sys [2014-5-20 39464]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-3-8 176128]
R2 DsiDeviceControlService;Dritek Device Control Service;c:\program files\acer\device control\DeviceCtrlSvc.exe [2011-3-8 66128]
R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2011-3-8 346704]
R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer epower management\ePowerSvc.exe [2011-5-6 739944]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 104264]
R2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\nti\acer backup manager\IScheduleSvc.exe [2011-3-3 257344]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2011-3-8 260640]
R2 SnxUsbDockingKB2267Srv;SnxUsbDockingKB2267 Service;c:\program files\usbkbtool\SnxUsbDockingKB2267Srv.exe [2011-2-4 86016]
R3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-3-8 101392]
R3 AX88772B;ASIX AX88772B USB2.0 to Fast Ethernet Adapter;c:\windows\system32\drivers\ax88772b.sys [2013-7-22 94208]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2011-3-8 35968]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 HOSTS Anti-PUPs;HOSTS Anti-PUPs;c:\program files\hosts_anti_adwares_pups\hosts_anti-adware.exe -update --> c:\program files\hosts_anti_adwares_pups\HOSTS_Anti-Adware.exe -update [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-3-8 197224]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-4-7 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-2-19 1343400]
S4 0111591378393439mcinstcleanup;McAfee Application Installer Cleanup (0111591378393439);c:\users\gwnet\appdata\local\temp\011159~1.exe -cleanup -nolog --> c:\users\gwnet\appdata\local\temp\011159~1.EXE -cleanup -nolog [?]
S4 GREGService;GREGService;c:\program files\acer\registration\GREGsvc.exe [2010-1-8 23584]
S4 Live Updater Service;Live Updater Service;c:\program files\acer\acer updater\UpdaterService.exe [2011-3-8 244624]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2014-05-20 06:29:28 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a6b038a-18fa-41e3-9ad3-5e681e3b09d2}\offreg.dll
2014-05-20 06:29:28 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a6b038a-18fa-41e3-9ad3-5e681e3b09d2}\MpKsl59063ffd.sys
2014-05-20 03:52:08 8050496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a6b038a-18fa-41e3-9ad3-5e681e3b09d2}\mpengine.dll
2014-05-19 13:36:35 8050496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-05-17 00:36:23 765968 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{68db63c6-ba4d-41b3-a558-14bf5c8d428b}\gapaengine.dll
2014-05-14 20:20:46 -------- d-----w- C:\Program
2014-05-06 15:49:22 -------- d-----w- c:\windows\system32\Adobe
.
==================== Find3M  ====================
.
2014-05-20 09:37:47 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-16 00:20:59 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-05-16 00:20:59 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-08 04:18:59 152576 ----a-w- c:\windows\system32\msclmd.dll
2014-04-03 14:51:14 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-03 14:51:00 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-03 14:50:56 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-18 03:11:08 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-03-11 14:52:30 104264 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
.
============= FINISH: 21:18:05.14 ===============

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/19/2014
Scan Time: 9:18:58 AM
Logfile:
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.16.17
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: GWNet

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 324749
Time Elapsed: 61 hr, 56 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 1
Trojan.0Access, C:\Windows\System64, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],

Files: 3
Trojan.0Access, C:\Windows\System64\atl100.dll, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],
Trojan.0Access, C:\Windows\System64\msvcp100.dll, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],
Trojan.0Access, C:\Windows\System64\msvcr100.dll, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],

Physical Sectors: 0
(No malicious items detected)

(end)

---------

 

Thank you for your time, and any help is appreciated.

Edited by i.hate.open.cloud, 20 May 2014 - 09:31 PM.
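An added triage helper, not part of this thread and not code from Malwarebytes or DDS: it parses the detection lines of the MBAM report and the AV/SP status lines of the DDS header quoted above and writes up what a responder would check first. The sample text is constructed from those two reports; the "System32 look-alike" test is this example's own heuristic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Malwarebytes detection line, as in the report above:
#   "<threat>, <path>, <action>, [<hex id>],"
MBAM_LINE = re.compile(
    r"^(?P<threat>[A-Za-z0-9._-]+),\s*(?P<path>[^,]+?),\s*"
    r"(?P<action>[^,]+?),\s*\[(?P<item_id>[0-9a-f]+)\],?\s*$"
)
# DDS security-product line: "AV: <product> *Enabled/Updated* {<guid>}"
DDS_PRODUCT = re.compile(
    r"^(?P<kind>AV|SP|FW):\s*(?P<product>.+?)\s*\*(?P<state>\w+)/(?P<freshness>\w+)\*"
)
# Folders directly under \Windows that genuinely hold system binaries.
# A name shaped like one of these but not in the set (System64 on this PC)
# is not part of any stock Windows install and is the detail to chase.
STOCK_SYSTEM_DIRS = {"system", "system32", "syswow64"}
SYSTEM_DIR_SHAPE = re.compile(r"^sys(tem|wow)\d*$")
# Visual C++ 2010 runtime file names: benign-looking by design, so the
# file name alone says nothing; the location is the signal.
VC_RUNTIME_NAMES = {"atl100.dll", "msvcp100.dll", "msvcr100.dll"}

# Constructed sample text, copied from the two reports quoted above.
MBAM_SAMPLE = r"""Folders: 1
Trojan.0Access, C:\Windows\System64, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],

Files: 3
Trojan.0Access, C:\Windows\System64\atl100.dll, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],
Trojan.0Access, C:\Windows\System64\msvcp100.dll, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],
Trojan.0Access, C:\Windows\System64\msvcr100.dll, Quarantined, [5ba527d953ada35d0d2d8b77d42c847c],

Physical Sectors: 0
(No malicious items detected)
"""
DDS_SAMPLE = """AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
"""


@dataclass(frozen=True)
class Detection:
    threat: str
    path: str
    action: str
    item_id: str


def parse_mbam(text: str) -> List[Detection]:
    """Pull every detection line out of an MBAM scan report."""
    found = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            found.append(Detection(**m.groupdict()))
    return found


def parse_dds_products(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (kind, product, state, freshness) for each AV/SP/FW line of a DDS header."""
    return [
        (m["kind"], m["product"], m["state"], m["freshness"])
        for m in (DDS_PRODUCT.match(l.strip()) for l in text.splitlines())
        if m
    ]


def lookalike_windows_dir(path: str) -> Optional[str]:
    """Name of the \\Windows subfolder if it imitates a system folder, else None."""
    parts = path.replace("/", "\\").strip().lower().split("\\")
    if len(parts) < 3 or parts[1] != "windows":
        return None
    sub = parts[2]
    if SYSTEM_DIR_SHAPE.match(sub) and sub not in STOCK_SYSTEM_DIRS:
        return sub
    return None


def triage(mbam_text: str, dds_text: str) -> List[str]:
    """Notes a responder wants first: where the detections live, and whether
    the security products DDS listed were actually running and current."""
    notes = []
    for d in parse_mbam(mbam_text):
        where = lookalike_windows_dir(d.path)
        if where:
            fname = d.path.rsplit("\\", 1)[-1].lower()
            hint = " (VC++ runtime file name, benign on its own)" if fname in VC_RUNTIME_NAMES else ""
            notes.append(
                f"{d.threat}: {d.path} is under \\Windows\\{where}, a look-alike of "
                f"System32 that no stock install has; status {d.action}{hint}"
            )
    for kind, product, state, fresh in parse_dds_products(dds_text):
        if state.lower() != "enabled" or fresh.lower() != "updated":
            # On Windows 7, Windows Defender is switched off by design once MSE
            # is installed, so that entry is expected here; anything else is not.
            notes.append(f"{kind} {product} reported {state}/{fresh}: confirm this is intended")
    return notes


if __name__ == "__main__":
    for note in triage(MBAM_SAMPLE, DDS_SAMPLE):
        print(note)
```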



#2 Starbuck ('r Brudiwr, Malware Response Team, 4,149 posts, Midlands, UK)

Posted 23 May 2014 - 03:09 PM

Hi i.hate.open.cloud

Please take note of the following:

1. Please do not run any other tools unless instructed.
2. Please don't install or uninstall anything unless asked.
3. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
4. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

probably not related, but I’m including it just in case.

Like you say, they may not be connected.... but they may.
Thanks for the info, we'll bear that in mind when we run some scans. :)


For x32 bit systems download Farbar Recovery Scan Tool and save it to your Desktop.
  • Double-click the downloaded icon to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
  • When the tool opens click Yes to disclaimer.
  • Make sure that Addition.txt is selected at the bottom
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.
Thanks


#3 i.hate.open.cloud (Topic Starter, Members, 68 posts)

Posted 23 May 2014 - 07:29 PM

Hi Starbuck, thank you for taking the time to help me. Here are the Farbar logs:

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:23-05-2014
Ran by GWNet (administrator) on GWNET-PC on 23-05-2014 19:21:08
Running from C:\Users\GWNet\Desktop
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
() C:\Program Files\USBKBTool\SnxUsbDockingKB2267Srv.exe
(Dritek System Inc.) C:\Program Files\Acer\Device Control\DeviceCtrlSvc.exe
(Dritek System Inc.) C:\Program Files\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
(NTI Corporation) C:\Program Files\NTI\Acer Backup Manager\IScheduleSvc.exe
(Acer Incorporated) C:\Program Files\Acer\Acer VCM\RS_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
() C:\Program Files\Acer\Device Control\ADevCtrl.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
() C:\Program Files\HIDMon\HIDMON.exe
(Dritek System Inc.) C:\Program Files\Acer\Auto Screen Rotation Blocker\AutoScreenRotationBlocker.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware_main.exe
(Acer Incorporated) C:\Program Files\Acer\Acer VCM\AcerVCM.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Dritek System Inc.) C:\Program Files\Acer\Device Control\AdWmiSvc.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_13_0_0_214_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-01-13] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10025576 2011-01-26] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe [1530472 2011-01-18] (Realtek Semiconductor)
HKLM\...\Run: [ADevCtrl] => C:\Program Files\Acer\Device Control\ADevCtrl.exe [239696 2011-02-21] ()
HKLM\...\Run: [BackupManagerTray] => C:\Program Files\NTI\Acer Backup Manager\BackupManagerTray.exe [377664 2011-03-03] (NTI Corporation)
HKLM\...\Run: [Power Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [715368 2011-02-22] (Acer Incorporated)
HKLM\...\Run: [xLaunchHIDMon] => C:\Program Files\HIDMon\HIDMon.exe [114688 2011-02-11] ()
HKLM\...\Run: [AutoScreenRotationBlocker] => C:\Program Files\Acer\Auto Screen Rotation Blocker\AutoScreenRotationBlocker.exe [114768 2011-02-21] (Dritek System Inc.)
HKLM\...\Run: [MICSetting] => C:\OEM\MIC_BF_Setting\RunCMD.exe [236064 2009-09-21] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [HOSTS Anti-Adware_PUPs] => C:\Program Files\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware_main.exe [302961 2014-01-31] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk
ShortcutTarget: Acer VCM.lnk -> C:\Program Files\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {5E57C69F-7B86-4D6A-886E-F202DAD1F96E} URL = http://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
SearchScopes: HKCU - {5EAD76BB-64B7-45AA-A74E-D84035BD2E06} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKCU - {60B7AF15-7BB3-4A2E-8E80-A4D68D7F1530} URL = http://www.youtube.com/results?search_query={searchTerms}&page={startPage?}&utm_source=opensearch
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Speckie - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Users\GWNet\AppData\Roaming\Speckie\bin32\Speckie32.dll (Versoworks Pty Ltd)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
Toolbar: HKCU - WOT - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll (Skype Technologies)
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.15.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

========================== Services (Whitelisted) =================

S4 0111591378393439mcinstcleanup; C:\Users\GWNet\AppData\Local\Temp\011159~1.EXE [833616 2013-01-30] (McAfee, Inc.)
R2 DsiDeviceControlService; C:\Program Files\Acer\Device Control\DeviceCtrlSvc.exe [66128 2011-02-21] (Dritek System Inc.)
R2 ePowerSvc; C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [739944 2011-02-22] (Acer Incorporated)
S4 GREGService; C:\Program Files\Acer\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
S2 HOSTS Anti-PUPs; C:\Program Files\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware.exe [285795 2014-01-31] ()
S4 Live Updater Service; C:\Program Files\Acer\Acer Updater\UpdaterService.exe [244624 2011-01-31] (Acer Incorporated)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
R2 NTI IScheduleSvc; C:\Program Files\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2011-03-03] (NTI Corporation)
R2 RS_Service; C:\Program Files\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated)
R2 SnxUsbDockingKB2267Srv; C:\Program Files\USBKBTool\SnxUsbDockingKB2267Srv.exe [86016 2011-02-04] ()

==================== Drivers (Whitelisted) ====================

R3 acpials; C:\Windows\System32\DRIVERS\acpials.sys [7680 2009-07-13] (Microsoft Corporation)
R3 AX88772B; C:\Windows\System32\DRIVERS\ax88772b.sys [94208 2013-07-22] (ASIX Electronics Corp.)
R1 BST; C:\Windows\System32\DRIVERS\bma150.sys [15936 2011-01-10] (Bosch Sensortec GmbH)
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [13560 2013-10-17] (GFI Software)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 AthBTPort; system32\DRIVERS\btath_flt.sys [X]
S3 BTATH_A2DP; system32\drivers\btath_a2dp.sys [X]
S3 BTATH_BUS; system32\DRIVERS\btath_bus.sys [X]
S3 BTATH_HCRP; system32\DRIVERS\btath_hcrp.sys [X]
S3 BTATH_LWFLT; system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; system32\DRIVERS\btath_rcp.sys [X]
S3 BtFilter; system32\DRIVERS\btfilter.sys [X]
S3 catchme; \??\C:\Users\GWNet\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-05-23 19:21 - 2014-05-23 19:21 - 00011119 _____ () C:\Users\GWNet\Desktop\FRST.txt
2014-05-23 19:20 - 2014-05-23 19:21 - 00000000 ____D () C:\FRST
2014-05-23 19:09 - 2014-05-23 19:10 - 01056768 _____ (Farbar) C:\Users\GWNet\Desktop\FRST.exe
2014-05-20 21:18 - 2014-05-20 21:20 - 00012667 _____ () C:\Users\GWNet\Desktop\dds.txt
2014-05-20 21:18 - 2014-05-20 21:20 - 00006276 _____ () C:\Users\GWNet\Desktop\attach.txt
2014-05-20 21:08 - 2014-05-22 00:43 - 00000000 ____D () C:\Users\GWNet\Desktop\Ex3 Stuff
2014-05-20 21:07 - 2014-05-20 21:08 - 00688992 ____R (Swearware) C:\Users\GWNet\Desktop\dds.com
2014-05-15 19:21 - 2014-05-15 19:21 - 00000000 ____D () C:\Users\Public\Foxit Software
2014-05-14 15:20 - 2014-05-14 15:20 - 00000000 ____D () C:\Program
2014-05-06 10:49 - 2014-05-06 10:52 - 00000000 ____D () C:\Windows\system32\Adobe
2014-04-29 20:03 - 2014-04-29 20:03 - 06987623 _____ () C:\Users\GWNet\Desktop\Chronicles of the Black Company.zip

==================== One Month Modified Files and Folders =======

2014-05-23 19:21 - 2014-05-23 19:21 - 00011119 _____ () C:\Users\GWNet\Desktop\FRST.txt
2014-05-23 19:21 - 2014-05-23 19:20 - 00000000 ____D () C:\FRST
2014-05-23 19:17 - 2011-05-06 06:28 - 01371068 _____ () C:\Windows\WindowsUpdate.log
2014-05-23 19:10 - 2014-05-23 19:09 - 01056768 _____ (Farbar) C:\Users\GWNet\Desktop\FRST.exe
2014-05-22 15:12 - 2011-03-08 05:34 - 00743352 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-05-22 00:43 - 2014-05-20 21:08 - 00000000 ____D () C:\Users\GWNet\Desktop\Ex3 Stuff
2014-05-21 14:30 - 2009-07-13 23:34 - 00009920 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-21 14:30 - 2009-07-13 23:34 - 00009920 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-20 21:20 - 2014-05-20 21:18 - 00012667 _____ () C:\Users\GWNet\Desktop\dds.txt
2014-05-20 21:20 - 2014-05-20 21:18 - 00006276 _____ () C:\Users\GWNet\Desktop\attach.txt
2014-05-20 21:08 - 2014-05-20 21:07 - 00688992 ____R (Swearware) C:\Users\GWNet\Desktop\dds.com
2014-05-20 04:37 - 2014-03-31 02:18 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-19 09:21 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-19 09:20 - 2013-02-15 21:16 - 00059086 _____ () C:\Windows\PFRO.log
2014-05-19 09:20 - 2009-07-13 23:39 - 00035460 _____ () C:\Windows\setupact.log
2014-05-19 09:20 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Branding
2014-05-19 09:19 - 2014-03-31 02:17 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-05-16 19:08 - 2014-04-14 21:27 - 00000000 ____D () C:\Program Files\Foxit Software
2014-05-15 19:21 - 2014-05-15 19:21 - 00000000 ____D () C:\Users\Public\Foxit Software
2014-05-15 19:21 - 2009-07-13 21:37 - 00000000 ___RD () C:\Users\Public
2014-05-15 19:20 - 2013-02-24 00:48 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-05-15 19:20 - 2013-02-24 00:48 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-05-14 15:20 - 2014-05-14 15:20 - 00000000 ____D () C:\Program
2014-05-08 11:59 - 2013-10-30 09:57 - 00000000 ____D () C:\Users\GWNet\Desktop\Math
2014-05-06 19:11 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2014-05-06 15:59 - 2013-02-22 00:32 - 00000000 ____D () C:\Users\GWNet\AppData\Local\CrashDumps
2014-05-06 13:52 - 2013-09-28 02:14 - 00000000 ____D () C:\Users\GWNet\Documents\Exalted
2014-05-06 10:52 - 2014-05-06 10:49 - 00000000 ____D () C:\Windows\system32\Adobe
2014-04-29 20:03 - 2014-04-29 20:03 - 06987623 _____ () C:\Users\GWNet\Desktop\Chronicles of the Black Company.zip
2014-04-29 09:01 - 2013-12-22 09:12 - 00000000 ____D () C:\Program Files\Avant Browser
2014-04-23 06:58 - 2014-04-14 21:28 - 00000000 ____D () C:\Users\GWNet\AppData\Roaming\Foxit Software

Some content of TEMP:
====================
C:\Users\GWNet\AppData\Local\Temp\0111591378393439mcinst.exe
C:\Users\GWNet\AppData\Local\Temp\0c731f1a-bfe1-4713-84d8-76c1dcdcbf81.exe
C:\Users\GWNet\AppData\Local\Temp\3193f7f7-5578-418b-9b93-682877d5f5f6.exe
C:\Users\GWNet\AppData\Local\Temp\33e8b74f-b88a-4f78-a2aa-77aedc9ea401.exe
C:\Users\GWNet\AppData\Local\Temp\3bebb15d-bed6-4e40-b437-df4cdedb9263.exe
C:\Users\GWNet\AppData\Local\Temp\3ce27175-c876-405e-9061-dcd910421e12.exe
C:\Users\GWNet\AppData\Local\Temp\71aa48f8-a00b-41cc-ba21-825206a200f0.exe
C:\Users\GWNet\AppData\Local\Temp\8abd2d85-4302-4673-abd0-43ab60b726b6.exe
C:\Users\GWNet\AppData\Local\Temp\9f4a476e-8c11-40f1-bd5f-efb9fd961c1a.exe
C:\Users\GWNet\AppData\Local\Temp\catchme.dll
C:\Users\GWNet\AppData\Local\Temp\CountInstallation.exe
C:\Users\GWNet\AppData\Local\Temp\e3a3d2d8-a6ed-45b3-a0ee-4ac4baf41e09.exe
C:\Users\GWNet\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\GWNet\AppData\Local\Temp\Foxit Updater.exe
C:\Users\GWNet\AppData\Local\Temp\install_flashplayer13x32axau_gtbd_chrd_dn_aaa_aih.exe
C:\Users\GWNet\AppData\Local\Temp\Install_HOSTS_Anti-Adware.exe
C:\Users\GWNet\AppData\Local\Temp\install_reader11_en_gtbd_chrd_dn_aaa_aih.exe
C:\Users\GWNet\AppData\Local\Temp\install_reader11_en_gtbd_chrd_dn_aaa_aih[1].exe
C:\Users\GWNet\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\GWNet\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\GWNet\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\GWNet\AppData\Local\Temp\MSN58FA.exe
C:\Users\GWNet\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-05-12 21:11

==================== End Of Log ============================

Addition.txt:


Additional scan result of Farbar Recovery Scan Tool (x86) Version:23-05-2014
Ran by GWNet at 2014-05-23 19:22:44
Running from C:\Users\GWNet\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

Acer Auto Screen Rotation Blocker (HKLM\...\AutoScreenRotationBlocker) (Version: 1.02.1103 - Acer Inc.)
Acer Backup Manager (HKLM\...\InstallShield_{0B61BBD5-DA3C-409A-8730-0C3DC3B0F270}) (Version: 3.0.3.89 - NTI Corporation)
Acer Crystal Eye Webcam (HKLM\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 1.1.1421 - CyberLink Corp.)
Acer Crystal Eye Webcam (Version: 1.1.1421 - CyberLink Corp.) Hidden
Acer Device Control (HKLM\...\ADevCtrl) (Version: 1.01.3002 - Acer Inc.)
Acer ePower Management (HKLM\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 6.00.3006 - Acer Incorporated)
Acer Registration (HKLM\...\Acer Registration) (Version: 1.03.3004 - Acer Incorporated)
Acer Touch Application Suite (HKLM\...\{1C572D82-7E38-4A13-932A-D651AA95E1E9}) (Version: 1.00.3002 - Acer Incorporated)
Acer Updater (HKLM\...\{EE171732-BEB4-4576-887D-CB62727F01CA}) (Version: 1.02.3005 - Acer Incorporated)
Acer VCM (HKLM\...\{047F790A-7A2A-4B6A-AD02-38092BA63DAC}) (Version: 4.05.3100 - Acer Incorporated)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.0.2.12610 - Adobe Systems Inc.)
Adobe AIR (Version: 2.0.2.12610 - Adobe Systems Inc.) Hidden
Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.70 - Adobe Systems Incorporated)
Adobe Flash Player 13 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 13.0.0.214 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.1.151 - Adobe Systems, Inc.)
AIM for Windows (HKCU\...\AIM) (Version:  - AOL Inc.)
ATI Catalyst Install Manager (HKLM\...\{93DED073-01CE-E238-919E-2ADF059ACE30}) (Version: 3.0.812.0 - ATI Technologies, Inc.)
Avant Browser (remove only) (HKLM\...\AvantBrowser) (Version: 12.5.0.0 - Avant Force)
AX88772B Windows 7 Drivers (HKLM\...\InstallShield_{54A168C9-2250-4058-80EB-1F4A4192548A}) (Version: 1.0.1.1 - ASIX Electronics Corporation)
AX88772B Windows 7 Drivers (Version: 1.0.1.1 - ASIX Electronics Corporation) Hidden
Backup Manager V3 (Version: 3.0.3.89 - NTI Corporation) Hidden
Catalyst Control Center - Branding (Version: 1.00.0000 - ATI) Hidden
Catalyst Control Center Graphics Previews Common (Version: 2011.0112.2151.39168 - ATI) Hidden
Catalyst Control Center InstallProxy (Version: 2011.0112.2151.39168 - ATI Technologies, Inc.) Hidden
Catalyst Control Center Localization All (Version: 2011.0112.2151.39168 - ATI) Hidden
CCC Help Chinese Standard (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Chinese Traditional (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Czech (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Danish (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Dutch (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help English (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Finnish (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help French (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help German (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Greek (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Hungarian (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Italian (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Japanese (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Korean (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Norwegian (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Polish (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Portuguese (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Russian (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Spanish (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Swedish (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Thai (Version: 2011.0112.2150.39168 - ATI) Hidden
CCC Help Turkish (Version: 2011.0112.2150.39168 - ATI) Hidden
ccc-core-static (Version: 2011.0112.2151.39168 - ATI) Hidden
ccc-utility (Version: 2011.0112.2151.39168 - ATI) Hidden
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
HIDMon (HKLM\...\{7166D240-F1EE-4044-B0F3-F6AB1AF8AE72}) (Version: 1.4.0.0211 - eGalax_eMPIA Technology Inc.)
Identity Card (HKLM\...\Identity Card) (Version: 1.00.3006 - Acer Incorporated)
Java 7 Update 55 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.550 - Oracle)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Launch Manager (HKLM\...\LManager) (Version: 5.1.2 - Acer Inc.)
Malwarebytes Anti-Malware version 2.0.1.1004 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.1.1004 - Malwarebytes Corporation)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Office 2010 (HKLM\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Basic Edition 2003 (HKLM\...\{91130409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Primary Interoperability Assemblies 2005 (HKLM\...\{2C303EE0-A595-3543-A71A-931C7AC40EDE}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Touch Pack for Windows 7 (HKLM\...\{8FF90DB8-6DED-44A3-B182-244FEC09012F}) (Version: 1.0.40517.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 3.0 (HKLM\...\{3898934B-05AE-41CD-96BE-70DA9BFBCE1F}) (Version: 3.0.11010.0 - Microsoft Corporation)
MSVCRT (Version: 15.4.2862.0708 - Microsoft) Hidden
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6302 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30126 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Shared C Run-time for x86 (Version: 10.0.0 - McAfee) Hidden
Speckie (HKLM\...\{C1A4F1E2-46E6-4EEE-B183-B10908BEF30F}) (Version: 5.9.1 - Versoworks)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600217) (Version: 1 - Microsoft Corporation)
USBKBTool 1.0.3.6  (HKLM\...\USBKBTool) (Version: 1.0.3.6 - )
Windows Live Communications Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Essentials (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mail (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections (HKLM\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Messenger (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
WMV9/VC-1 Video Playback (Version: 1.0.60112.2202 - ATI Technologies Inc.) Hidden
WOT for Internet Explorer (HKLM\...\{373B90E1-A28C-434C-92B6-7281AFA6115A}) (Version: 13.9.2.0 - WOT Services Oy)

==================== Restore Points  =========================

24-05-2014 00:15:43 Windows Update

==================== Hosts content: ==========================

2009-07-13 21:04 - 2014-01-31 09:20 - 00040113 ____A C:\Windows\system32\Drivers\etc\hosts

There are 641 more lines.

==================== Scheduled Tasks (whitelisted) =============

Task: {805F203D-E48E-42CE-AA7D-391CF77DAFC4} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {829FF169-3EF0-4BF3-9792-36AA3CC1461B} - System32\Tasks\Microsoft\Windows\TabletPC\InputPersonalization => C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe [2009-07-13] (Microsoft Corporation)
Task: {92F49AEE-F1DE-4A29-B38F-AA6934F31DF8} - System32\Tasks\Ad-Aware Antivirus Scheduled Scan => C:\PROGRA~1\AD-AWA~1\AdAwareLauncher.exe

==================== Loaded Modules (whitelisted) =============

2011-02-04 04:12 - 2011-02-04 04:12 - 00086016 _____ () C:\Program Files\USBKBTool\SnxUsbDockingKB2267Srv.exe
2011-03-03 17:00 - 2011-03-03 17:00 - 00465640 _____ () C:\Program Files\NTI\Acer Backup Manager\sqlite3.dll
2011-03-03 17:00 - 2011-03-03 17:00 - 01081664 _____ () C:\Program Files\NTI\Acer Backup Manager\ACE.dll
2011-03-03 17:00 - 2011-03-03 17:00 - 00125760 _____ () C:\Program Files\NTI\Acer Backup Manager\MailConverter32.dll
2011-03-08 05:21 - 2011-02-21 22:01 - 00239696 _____ () C:\Program Files\Acer\Device Control\ADevCtrl.exe
2011-03-08 05:21 - 2011-02-21 22:01 - 00057424 _____ () C:\Program Files\Acer\Device Control\BrandDetection.dll
2011-05-06 07:18 - 2011-02-11 04:53 - 00114688 _____ () C:\Program Files\HIDMon\HIDMON.exe
2014-01-31 09:16 - 2014-01-31 09:16 - 00302961 _____ () C:\Program Files\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware_main.exe
2013-09-02 14:23 - 2013-09-02 14:23 - 01637336 _____ () C:\Program Files\WOT\WOT.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

==================== EXE Association (whitelisted) =============

==================== Disabled items from MSCONFIG ==============

MSCONFIG\Services: 0111591378393439mcinstcleanup => 2
MSCONFIG\Services: GREGService => 2
MSCONFIG\Services: Live Updater Service => 2
MSCONFIG\startupreg: AcerRingLauncher => C:\Program Files\Acer\TouchApplicationSuite\Acer Ring\AcerRingLauncher.exe
MSCONFIG\startupreg: Ad-Aware Browsing Protection => "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: LManager => C:\Program Files\Launch Manager\LManager.exe

==================== Faulty Device Manager Devices =============

Name: Generic Bluetooth Adapter
Description: Generic Bluetooth Adapter
Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Manufacturer: GenericAdapter
Service: BTHUSB
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (05/19/2014 08:34:49 AM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: The backup did not complete because of an error writing to the backup location E:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (05/16/2014 07:07:36 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {da745826-72b9-47d1-b8e3-3a84b1fb745a}

Error: (05/15/2014 07:08:33 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {95aed6d1-9dd8-4380-9718-6d53a368c2c9}

Error: (05/15/2014 04:23:17 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/15/2014 04:22:53 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/15/2014 04:22:34 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/14/2014 03:21:44 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {e564f999-d534-4c58-96a8-9ed76b3b3e3c}

Error: (05/14/2014 02:50:19 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WINWORD.EXE version 11.0.8409.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1e54

Start Time: 01cf6fad8f56912b

Termination Time: 166

Application Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Report Id:

Error: (05/14/2014 02:39:44 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WINWORD.EXE version 11.0.8409.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1b1c

Start Time: 01cf6fac02c764d0

Termination Time: 68

Application Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Report Id:

Error: (05/12/2014 09:13:18 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

System errors:
=============
Error: (05/22/2014 03:43:36 PM) (Source: AX88772B) (EventID: 17) (User: )
Description: Speed IO complete failed.

Error: (05/19/2014 08:05:33 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.173.2473.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.5.0216.00

 Source Path: 4.5.0216.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (05/19/2014 09:21:39 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (05/19/2014 09:21:36 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The HOSTS Anti-PUPs service failed to start due to the following error:
%%1053

Error: (05/19/2014 09:21:36 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the HOSTS Anti-PUPs service to connect.

Error: (05/16/2014 07:17:51 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (05/16/2014 07:17:47 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The HOSTS Anti-PUPs service failed to start due to the following error:
%%1053

Error: (05/16/2014 07:17:47 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the HOSTS Anti-PUPs service to connect.

Error: (05/15/2014 07:19:33 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (05/15/2014 07:19:30 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The HOSTS Anti-PUPs service failed to start due to the following error:
%%1053

Microsoft Office Sessions:
=========================
Error: (05/19/2014 08:34:49 AM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: E:\The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006)

Error: (05/16/2014 07:07:36 PM) (Source: VSS) (EventID: 8194) (User: )
Description: 0x80070005, Access is denied.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {da745826-72b9-47d1-b8e3-3a84b1fb745a}

Error: (05/15/2014 07:08:33 PM) (Source: VSS) (EventID: 8194) (User: )
Description: 0x80070005, Access is denied.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {95aed6d1-9dd8-4380-9718-6d53a368c2c9}

Error: (05/15/2014 04:23:17 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Program Files\ASIX Electronics Corporation\AX88772B Windows 7 Drivers\64-bit\DPInst.exe

Error: (05/15/2014 04:22:53 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\NTI\acer backup manager\Migrate\OutlookMsgNet64.exe

Error: (05/15/2014 04:22:34 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\NTI\acer backup manager\OutlookMsgNet64.exe

Error: (05/14/2014 03:21:44 PM) (Source: VSS) (EventID: 8194) (User: )
Description: 0x80070005, Access is denied.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {e564f999-d534-4c58-96a8-9ed76b3b3e3c}

Error: (05/14/2014 02:50:19 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: WINWORD.EXE11.0.8409.01e5401cf6fad8f56912b166C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Error: (05/14/2014 02:39:44 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: WINWORD.EXE11.0.8409.01b1c01cf6fac02c764d068C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Error: (05/12/2014 09:13:18 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Program Files\ASIX Electronics Corporation\AX88772B Windows 7 Drivers\64-bit\DPInst.exe

CodeIntegrity Errors:
===================================
  Date: 2013-10-10 13:01:39.008
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-10 13:01:38.520
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-10 13:01:28.568
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-10 13:01:27.943
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-30 08:48:02.165
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-09-30 08:48:01.509
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-12 23:49:46.645
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\mcafee\VSCore\SET4077.tmp because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-12 23:49:46.625
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\mcafee\VSCore\SET4077.tmp because the set of per-page image hashes could not be found on the system.

  Date: 2013-02-18 01:57:37.885
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-02-18 01:57:37.403
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 57%
Total physical RAM: 1641.9 MB
Available physical RAM: 696.44 MB
Total Pagefile: 2305.67 MB
Available Pagefile: 666.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1891.62 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:29.72 GB) (Free:7.64 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 30 GB) (Disk ID: AD8AA5A3)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=30 GB) - (Type=07 NTFS)

==================== End Of Log ============================


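The Event log section of the FRST output above repeats one Code Integrity message (per-page image hashes missing for dsound.dll, and for an installer's SET4077.tmp) with only the timestamp changing, which makes it hard to see how many distinct images are involved. The following is an added example, not FRST's own code and not something posted in this thread: a small Python helper that collapses those Date/Description pairs into one row per image path with a count and first/last timestamp, and flags paths outside the Windows directory or with a .tmp extension for a manual look. The `SAMPLE_LOG` text is a constructed excerpt modelled on the entries above; the function and class names are my own.

```python
"""Summarise repeated Code Integrity events from an FRST log.

FRST prints every matching event as a Date/Description pair, so one image
that keeps failing per-page hash verification turns into a wall of
near-identical lines. This added example (not FRST's code, not from this
thread) collapses them to one row per image path with a count and the
first/last timestamp, and marks paths worth a second look.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the Addition.txt excerpt posted above.
SAMPLE_LOG = """\
  Date: 2013-10-10 13:01:28.568
  Description: Code Integrity is unable to verify the image integrity of the file \\Device\\HarddiskVolume2\\Windows\\System32\\dsound.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-10-10 13:01:27.943
  Description: Code Integrity is unable to verify the image integrity of the file \\Device\\HarddiskVolume2\\Windows\\System32\\dsound.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-12 23:49:46.645
  Description: Code Integrity is unable to verify the image integrity of the file \\Device\\HarddiskVolume2\\Program Files\\Common Files\\mcafee\\VSCore\\SET4077.tmp because the set of per-page image hashes could not be found on the system.

  Date: 2013-02-18 01:57:37.885
  Description: Code Integrity is unable to verify the image integrity of the file \\Device\\HarddiskVolume2\\Windows\\System32\\dsound.dll because the set of per-page image hashes could not be found on the system.
"""

DATE_RE = re.compile(r"^\s*Date:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s*$")
DESC_RE = re.compile(r"^\s*Description:\s*(.*\S)\s*$")
# The path may contain spaces ("Program Files"), so match lazily up to the fixed tail.
IMAGE_RE = re.compile(r"image integrity of the file (.+?) because the set of per-page image hashes")


@dataclass
class ImageSummary:
    count: int = 0
    first: str = ""  # earliest timestamp; FRST's format sorts correctly as text
    last: str = ""


def parse_events(text):
    """Yield (timestamp, description) for each Date/Description pair in the section."""
    stamp = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            stamp = m.group(1)
            continue
        m = DESC_RE.match(line)
        if m and stamp is not None:
            yield stamp, m.group(1)
            stamp = None


def summarise_code_integrity(text):
    """Return {image path: ImageSummary} for the Code Integrity events in text."""
    summary = defaultdict(ImageSummary)
    for stamp, desc in parse_events(text):
        m = IMAGE_RE.search(desc)
        if not m:
            continue  # some other event type; not handled here
        s = summary[m.group(1)]
        s.count += 1
        if not s.first or stamp < s.first:
            s.first = stamp
        if not s.last or stamp > s.last:
            s.last = stamp
    return dict(summary)


def needs_review(path):
    """Heuristic: images outside the Windows directory, or temp files, get a manual look.
    A .tmp under a vendor folder is usually an installer in flight, but confirm it."""
    low = path.lower()
    return low.endswith(".tmp") or "\\windows\\" not in low


if __name__ == "__main__":
    for path, s in sorted(summarise_code_integrity(SAMPLE_LOG).items()):
        flag = "  <-- review" if needs_review(path) else ""
        print(f"{s.count:3d}x {path}  [{s.first} .. {s.last}]{flag}")
```

Run it against the Event log section copied out of Addition.txt (replace `SAMPLE_LOG` with the file contents); the count and date range per image is what you want to compare against install or update dates in the same log.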

#4 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK)

Posted 24 May 2014 - 07:12 AM

Hi i.hate.open.cloud
 

I am getting a Windows notification saying "There is a file or folder on your computer called "C:\Program" which could cause certain applications to not function correctly. Renaming it to "C:\Program1" would solve this problem. Would you like to rename it now?" and the options are to Rename or Ignore. It appears that this is related to a problem caused by an update to Foxit Reader,

I'm not completely convinced that an update caused this.
 

2014-05-16 19:08 - 2014-04-14 21:27 - 00000000 ____D () C:\Program Files\Foxit Software
2014-04-23 06:58 - 2014-04-14 21:28 - 00000000 ____D () C:\Users\GWNet\AppData\Roaming\Foxit Software
2014-05-14 15:20 - 2014-05-14 15:20 - 00000000 ____D () C:\Program

The date of that folder doesn't match any change date to Foxit.
We'll take a look and see what's inside that folder.

Also, you are running IE8 on Win7, is there a particular reason that such an old version of IE is being used?


Please download the attached fixlist.txt file (bottom of this post) and save it to the Desktop.
NOTE.
It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Re-run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.


Thanks

Attached Files




#5 i.hate.open.cloud (Topic Starter)

Posted 25 May 2014 - 08:40 AM

The trojan alert and the Foxit update request did occur within a few days of one another, so they certainly could be related. I did a little bit of research and saw that other people were getting the same File Name box after updating Foxit, so I assumed that it was a flawed update.

Regarding Foxit changes, you should know that I just switched to the program in April because Adobe installers weren't running properly for me, which prevented me from updating Reader, so I had to install a new PDF reader. In the process, I wound up installing and uninstalling it a couple of times, as well as uninstalling the packaged Foxit Cloud program (all uninstalls were with Revo Uninstaller). Also, after the File Name Warning started appearing at start up, I attempted uninstalling and reinstalling as a first attempt to fix the problem. I'm not familiar enough with the change logs to know exactly what you're seeing, but the various (un)installs may account for changes that don't sync up with any official product changes.

 

As for the old browser, yeah, I really should update. The honest truth is that I've avoided doing so because I really dislike the minimalist interface that the current versions use, and so I've avoided updating. :unsure:

Here is the Fixlog.txt file:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:25-05-2014 01
Ran by GWNet at 2014-05-25 08:13:37 Run:1
Running from C:\Users\GWNet\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\Users\GWNet\AppData\Local\Temp\0111591378393439mcinst.exe
C:\Users\GWNet\AppData\Local\Temp\0c731f1a-bfe1-4713-84d8-76c1dcdcbf81.exe
C:\Users\GWNet\AppData\Local\Temp\3193f7f7-5578-418b-9b93-682877d5f5f6.exe
C:\Users\GWNet\AppData\Local\Temp\33e8b74f-b88a-4f78-a2aa-77aedc9ea401.exe
C:\Users\GWNet\AppData\Local\Temp\3bebb15d-bed6-4e40-b437-df4cdedb9263.exe
C:\Users\GWNet\AppData\Local\Temp\3ce27175-c876-405e-9061-dcd910421e12.exe
C:\Users\GWNet\AppData\Local\Temp\71aa48f8-a00b-41cc-ba21-825206a200f0.exe
C:\Users\GWNet\AppData\Local\Temp\8abd2d85-4302-4673-abd0-43ab60b726b6.exe
C:\Users\GWNet\AppData\Local\Temp\9f4a476e-8c11-40f1-bd5f-efb9fd961c1a.exe
C:\Users\GWNet\AppData\Local\Temp\catchme.dll
C:\Users\GWNet\AppData\Local\Temp\CountInstallation.exe
C:\Users\GWNet\AppData\Local\Temp\e3a3d2d8-a6ed-45b3-a0ee-4ac4baf41e09.exe
C:\Users\GWNet\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\GWNet\AppData\Local\Temp\Foxit Updater.exe
C:\Users\GWNet\AppData\Local\Temp\install_flashplayer13x32axau_gtbd_chrd_dn_aaa_aih.exe
C:\Users\GWNet\AppData\Local\Temp\Install_HOSTS_Anti-Adware.exe
C:\Users\GWNet\AppData\Local\Temp\install_reader11_en_gtbd_chrd_dn_aaa_aih.exe
C:\Users\GWNet\AppData\Local\Temp\install_reader11_en_gtbd_chrd_dn_aaa_aih[1].exe
C:\Users\GWNet\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\GWNet\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\GWNet\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\GWNet\AppData\Local\Temp\MSN58FA.exe
C:\Users\GWNet\AppData\Local\Temp\Quarantine.exe
C:\ProgramData\Ad-Aware Browsing Protection
Folder: C:\Program
Reboot:

 

*****************

Default URLSearchHook was restored successfully .
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
C:\Users\GWNet\AppData\Local\Temp\0111591378393439mcinst.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\0c731f1a-bfe1-4713-84d8-76c1dcdcbf81.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\3193f7f7-5578-418b-9b93-682877d5f5f6.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\33e8b74f-b88a-4f78-a2aa-77aedc9ea401.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\3bebb15d-bed6-4e40-b437-df4cdedb9263.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\3ce27175-c876-405e-9061-dcd910421e12.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\71aa48f8-a00b-41cc-ba21-825206a200f0.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\8abd2d85-4302-4673-abd0-43ab60b726b6.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\9f4a476e-8c11-40f1-bd5f-efb9fd961c1a.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\catchme.dll => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\CountInstallation.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\e3a3d2d8-a6ed-45b3-a0ee-4ac4baf41e09.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\Foxit Reader Updater.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\Foxit Updater.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\install_flashplayer13x32axau_gtbd_chrd_dn_aaa_aih.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\Install_HOSTS_Anti-Adware.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\install_reader11_en_gtbd_chrd_dn_aaa_aih.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\install_reader11_en_gtbd_chrd_dn_aaa_aih[1].exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\MSN58FA.exe => Moved successfully.
C:\Users\GWNet\AppData\Local\Temp\Quarantine.exe => Moved successfully.
"C:\ProgramData\Ad-Aware Browsing Protection" => File/Directory not found.

========================= Folder: C:\Program ========================

2014-05-14 15:20 - 2014-05-14 15:20 - 0048937 _____ () C:\Program\unins000.dat
2014-05-14 15:20 - 2014-05-14 15:20 - 1902144 _____ () C:\Program\unins000.exe
2014-05-14 15:20 - 2014-05-14 15:20 - 0022701 _____ () C:\Program\unins000.msg

====== End of Folder: ======

 

The system needed a reboot.

==== End of Fixlog ====



#6 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK)

Posted 25 May 2014 - 04:59 PM

Hi i.hate.open.cloud
 

========================= Folder: C:\Program ========================

2014-05-14 15:20 - 2014-05-14 15:20 - 0048937 _____ () C:\Program\unins000.dat
2014-05-14 15:20 - 2014-05-14 15:20 - 1902144 _____ () C:\Program\unins000.exe
2014-05-14 15:20 - 2014-05-14 15:20 - 0022701 _____ () C:\Program\unins000.msg

====== End of Folder: ======

Well at least we know what is inside that folder now.
 

Also, after the File Name Warning started appearing at start up, I attempted uninstalling and reinstalling as a first attempt to fix the problem. I'm not familiar enough with the change logs to know exactly what you're seeing,

According to the uninstall list, neither are installed now.... is this correct?
If neither is installed now, we can safely remove the 'Program' folder.
 

The honest truth is that I've avoided doing so because I really dislike the minimalist interface that the current versions use, and so I've avoided updating.

I can actually relate to that.
I didn't like the new layout either. (I missed the old File, Edit, View, Favorites, Tools, Help buttons on the top left.)
So with a few simple changes, I changed this:

[image: newie_zps780636fa.png]

into this:

[image: newie2_zpseff39e44.png]

Is this what you would be happier with?

So far there's nothing relating to Zero Access showing in the reports, but I think it best if we looked a little deeper.... just to make sure.
There is something else we should address as well.

Step 1
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

[image: CF_download_FF.gif]

[image: CF_download_rename.gif]

This is an example; you may rename ComboFix to anything you want. Then:

Double click on Combo-Fix.exe & follow the prompts.

Vista/Win7 users should right click on the icon and select Run as Administrator.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    If running Vista/Win7, you will not see the recovery console screens as they are Win XP related.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: cf1.png]

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]

    Click on Yes, to continue scanning for malware.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.



    Step 2
    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) 8 Update 5 and save it to your desktop.
    • Scroll down to where it says "Java SE 8 Update 5".
    • Click the "Download JRE" button.
    • Accept the license agreement.
    • Select 'Windows x86' offline from the list.
    • Save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
      Java 7 Update 55
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the downloaded icon to install the newest version.
    In your next reply, please submit:
    Combofix.txt

    Thanks.



#7 i.hate.open.cloud (Topic Starter)

Posted 26 May 2014 - 11:11 PM

I attempted to run ComboFix and it wouldn't progress past the Scanning for Infected Files screen. I let it "scan" for almost an hour before attempting to exit, which froze the computer and required a hard shutdown. I've yet to attempt to update Java.

Foxit is no longer installed, but I held off deleting the Program folder in hope of letting ComboFix do its thing first. I would like to reinstall Foxit at a later point, but I would like to deal with this trojan before attempting anything there.

Your modified IE interface does look better. Is it possible to place the tabs and the address bar on separate lines?


#8 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK)

Posted 27 May 2014 - 01:02 AM

attempted to run ComboFix and it wouldn't progress past the Scanning for Infected Files screen.

2 things to try then:
Make sure that MSSE is closed down.

Click on the 'Show Hidden Icons' arrow (bottom right of your screen) and right click on the MSSE icon and select Open.

On the page that opens..... click on the Settings tab.

[image: msse1_zps361cb990.png]

On the next screen click on RealTime Protection.

[image: msse2_zpsfa7e45da.png]

Now UNtick Turn on Realtime Protection (Recommended) and then click on Save Changes.

[image: msse3_zps03970683.png]

If User Account Control is turned on, you will need to click Yes on the next screen.

Just reverse the process and turn the Realtime Protection back on.

Try running Combofix in Safe Mode:

Restart your computer.

When the computer starts you will see your computer's hardware being listed. When you see this information start to gently tap the F8 key repeatedly until you are presented with the Windows 7 Advanced Boot Options.
Select the Safe Mode option using the arrow keys.
Then press the enter key on your keyboard to boot into Safe Mode.
When Windows starts you will be at a typical logon screen. Logon to your computer and try running Combofix again.



#9 i.hate.open.cloud (Topic Starter)

Posted 27 May 2014 - 01:24 AM

I made sure to disable MSE, MB, Windows Firewall, and HOSTS Anti-Adware before attempting to run ComboFix. I'm not opposed to running CF in Safe Mode, but last time I was instructed to use it against ZeroAccess, it did the same thing in Safe Mode (http://www.bleepingcomputer.com/forums/t/529412/zeroaccess-rootkit-infection-unable-to-create-dds-logs/?p=3331762). Still want me to try?



#10 Starbuck ('r Brudiwr, Malware Response Team, Midlands, UK)

Posted 27 May 2014 - 11:22 AM

Hi i.hate.open.cloud

Thanks for the link to your previous thread.... it does answer a few things.
I see what you mean about Combofix.
Unfortunately every so often we do come up against a system that will not run Combofix.
Luckily it doesn't happen very often.
There are other programs we can use to run a double check:

Download RogueKiller and save it to your desktop.
  • Close all the running processes
  • Double click RogueKiller icon to run the program
    Vista/Win7 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Now click the Scan button.
  • Please copy and paste the report in your next reply.
A copy of the RKreport.txt can be found on your desktop.

Note:
If RogueKiller is blocked, do not hesitate to try running it again.
If it still fails to run, right click on the downloaded icon and select 'Rename'.....rename it to winlogon and try again.

Thanks

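The RKreport.txt that RogueKiller writes (and that the next reply pastes in full) consists of a short list of registry findings, each tagged FOUND, DELETED or REPLACED, followed by dozens of near-identical `[Address] EAT ... HOOKED` lines. As an added example, not RogueKiller's code and not anything posted in this thread, here is a Python triage helper that pulls the registry findings out with their status and groups the hook lines by process, source module and target DLL, so that a long listing collapses into a few rows and any hook whose target sits outside the Windows directory stands out. The `SAMPLE_REPORT` is a constructed excerpt in the format of the reports pasted later in the thread (section headers omitted); its final hook line, pointing into a user Temp folder, is made up purely to exercise the check. All function names are my own.

```python
"""Triage helper for a RogueKiller RKreport.txt.

Added example for this thread; not RogueKiller's code and not taken from the
reports posted here. It extracts registry findings with their status and
groups the '[Address] EAT ... HOOKED' lines by (process, source, target).
"""
import re
from collections import Counter

# Constructed excerpt in the format of the RKreport.txt files pasted in this
# thread (section header lines omitted). The last hook line, resolving into a
# user Temp folder, is made up only to exercise hooks_outside_windows().
SAMPLE_REPORT = """\
[HJ POL][PUM] HKCU\\[...]\\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\\[...]\\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\\[...]\\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[Address] EAT @explorer.exe (BeginBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\\Windows\\system32\\UxTheme.dll @ 0x73FD09AE)
[Address] EAT @explorer.exe (BeginBufferedPaint) : PROPSYS.dll -> HOOKED (C:\\Windows\\system32\\UxTheme.dll @ 0x73FC49A1)
[Address] EAT @explorer.exe (DllCanUnloadNow) : hcproviders.dll -> HOOKED (C:\\Windows\\system32\\SearchFolder.dll @ 0x681E29B6)
[Address] EAT @explorer.exe (DllGetClassObject) : hcproviders.dll -> HOOKED (C:\\Users\\GWNet\\AppData\\Local\\Temp\\example.dll @ 0x10001000)
"""

# [HJ POL][PUM] <entry> -> STATUS (optional new value)
REG_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\[(?P<kind>[^\]]+)\]\s*(?P<entry>.+?)\s*->\s*"
    r"(?P<status>[A-Z]+)(?:\s*\((?P<newval>[^)]*)\))?\s*$"
)
# [Address] EAT @<proc> (<func>) : <src> -> HOOKED (<target> @ 0x...)
HOOK_RE = re.compile(
    r"^\[Address\]\s+(?P<table>EAT|IAT)\s+@(?P<proc>\S+)\s+\((?P<func>[^)]+)\)\s*:\s*"
    r"(?P<src>\S+)\s*->\s*HOOKED\s*\((?P<target>.+?)\s+@\s+(?P<addr>0x[0-9A-Fa-f]+)\)\s*$"
)


def parse_report(text):
    """Split a report into (registry findings, hook records); other lines are ignored."""
    registry, hooks = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = REG_RE.match(line)
        if m:
            registry.append(m.groupdict())
    return registry, hooks


def pending_registry_findings(registry):
    """Entries a scan-mode report still lists as FOUND (not yet DELETED or REPLACED)."""
    return [r["entry"] for r in registry if r["status"] == "FOUND"]


def hook_summary(hooks):
    """Counter keyed by (process, source module, target DLL path)."""
    return Counter((h["proc"], h["src"], h["target"]) for h in hooks)


WINDOWS_DIR = "c:\\windows\\"


def hooks_outside_windows(hooks):
    """Hooks whose resolved target lives outside the Windows directory.

    An export that resolves into another Microsoft DLL under C:\\Windows is
    commonly export forwarding rather than tampering; a target elsewhere is
    the one to examine first."""
    return [h for h in hooks if not h["target"].lower().startswith(WINDOWS_DIR)]


if __name__ == "__main__":
    registry, hooks = parse_report(SAMPLE_REPORT)
    print("Registry entries still FOUND:")
    for entry in pending_registry_findings(registry):
        print("  ", entry)
    print("Hooks by (process, source, target):")
    for key, n in hook_summary(hooks).most_common():
        print(f"  {n:3d}x {key}")
    for h in hooks_outside_windows(hooks):
        print("Review:", h["src"], h["func"], "->", h["target"])
```

Feed it the whole RKreport.txt in place of `SAMPLE_REPORT`; the grouped hook rows are what to compare against the process and DLL names you expect on the machine, and the FOUND list is what a Remove run would act on.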


#11 i.hate.open.cloud (Topic Starter)

Posted 27 May 2014 - 12:07 PM

Okay, I ran RogueKiller and it generated this report (first one). When reviewing results, the cursor shot to the edge of the screen and clicked something (this has been a day 1 issue with this machine when it's in the docking station, so it's annoying but not new). Unfortunately, it clicked the "Delete" button on the RK menu (it was displaying the results for registry entries). This generated a second report on the desktop. Everything seems okay, but I'm afraid that I unintentionally screwed something up. I am so sorry. RogueKiller is still open, if that makes any difference.

Here is the initial RK report:

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : GWNet [Admin rights]
Mode : Scan -- Date : 05/27/2014 11:52:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] EAT @explorer.exe (BeginBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD09AE)
[Address] EAT @explorer.exe (BeginBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC49A1)
[Address] EAT @explorer.exe (BeginPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF0731)
[Address] EAT @explorer.exe (BufferedPaintClear) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC6395)
[Address] EAT @explorer.exe (BufferedPaintInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC940E)
[Address] EAT @explorer.exe (BufferedPaintRenderAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD08ED)
[Address] EAT @explorer.exe (BufferedPaintSetAlpha) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FDE6B3)
[Address] EAT @explorer.exe (BufferedPaintStopAllAnimations) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FDD395)
[Address] EAT @explorer.exe (BufferedPaintUnInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC94AB)
[Address] EAT @explorer.exe (CloseThemeData) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC6A18)
[Address] EAT @explorer.exe (DrawThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC3982)
[Address] EAT @explorer.exe (DrawThemeBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FDD9DA)
[Address] EAT @explorer.exe (DrawThemeEdge) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FE3B52)
[Address] EAT @explorer.exe (DrawThemeIcon) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF35E7)
[Address] EAT @explorer.exe (DrawThemeParentBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC53E5)
[Address] EAT @explorer.exe (DrawThemeParentBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC51BF)
[Address] EAT @explorer.exe (DrawThemeText) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC4EA1)
[Address] EAT @explorer.exe (DrawThemeTextEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC63E6)
[Address] EAT @explorer.exe (EnableThemeDialogTexture) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCFCAF)
[Address] EAT @explorer.exe (EnableTheming) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2FEB)
[Address] EAT @explorer.exe (EndBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC3F9A)
[Address] EAT @explorer.exe (EndBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC3F9A)
[Address] EAT @explorer.exe (EndPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF06CC)
[Address] EAT @explorer.exe (GetBufferedPaintBits) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC4BAF)
[Address] EAT @explorer.exe (GetBufferedPaintDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD04BC)
[Address] EAT @explorer.exe (GetBufferedPaintTargetDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD0473)
[Address] EAT @explorer.exe (GetBufferedPaintTargetRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2E7F)
[Address] EAT @explorer.exe (GetCurrentThemeName) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD05DD)
[Address] EAT @explorer.exe (GetThemeAppProperties) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD0FB1)
[Address] EAT @explorer.exe (GetThemeBackgroundContentRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCCD2E)
[Address] EAT @explorer.exe (GetThemeBackgroundExtent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCF8BF)
[Address] EAT @explorer.exe (GetThemeBackgroundRegion) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD165D)
[Address] EAT @explorer.exe (GetThemeBitmap) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCBF93)
[Address] EAT @explorer.exe (GetThemeBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC7C1F)
[Address] EAT @explorer.exe (GetThemeColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC616C)
[Address] EAT @explorer.exe (GetThemeDocumentationProperty) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2932)
[Address] EAT @explorer.exe (GetThemeEnumValue) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC616C)
[Address] EAT @explorer.exe (GetThemeFilename) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2412)
[Address] EAT @explorer.exe (GetThemeFont) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCFF21)
[Address] EAT @explorer.exe (GetThemeInt) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC616C)
[Address] EAT @explorer.exe (GetThemeIntList) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF23B1)
[Address] EAT @explorer.exe (GetThemeMargins) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC86E9)
[Address] EAT @explorer.exe (GetThemeMetric) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD06E2)
[Address] EAT @explorer.exe (GetThemePartSize) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCCDB1)
[Address] EAT @explorer.exe (GetThemePosition) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2350)
[Address] EAT @explorer.exe (GetThemePropertyOrigin) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FE3FBB)
[Address] EAT @explorer.exe (GetThemeRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD3611)
[Address] EAT @explorer.exe (GetThemeStream) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD39D9)
[Address] EAT @explorer.exe (GetThemeString) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF22E4)
[Address] EAT @explorer.exe (GetThemeSysBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF3172)
[Address] EAT @explorer.exe (GetThemeSysColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FE3274)
[Address] EAT @explorer.exe (GetThemeSysColorBrush) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF301E)
[Address] EAT @explorer.exe (GetThemeSysFont) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF29C4)
[Address] EAT @explorer.exe (GetThemeSysInt) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2BD3)
[Address] EAT @explorer.exe (GetThemeSysSize) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF320B)
[Address] EAT @explorer.exe (GetThemeSysString) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2B3F)
[Address] EAT @explorer.exe (GetThemeTextExtent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC2D57)
[Address] EAT @explorer.exe (GetThemeTextMetrics) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCF992)
[Address] EAT @explorer.exe (GetThemeTransitionDuration) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD1081)
[Address] EAT @explorer.exe (GetWindowTheme) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCDF46)
[Address] EAT @explorer.exe (HitTestThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD3CE3)
[Address] EAT @explorer.exe (IsAppThemed) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCF869)
[Address] EAT @explorer.exe (IsCompositionActive) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC2E9A)
[Address] EAT @explorer.exe (IsThemeActive) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCF785)
[Address] EAT @explorer.exe (IsThemeBackgroundPartiallyTransparent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC60AB)
[Address] EAT @explorer.exe (IsThemeDialogTextureEnabled) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF312B)
[Address] EAT @explorer.exe (IsThemePartDefined) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC85B4)
[Address] EAT @explorer.exe (OpenThemeData) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC73D2)
[Address] EAT @explorer.exe (OpenThemeDataEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FE3D43)
[Address] EAT @explorer.exe (SetThemeAppProperties) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF3296)
[Address] EAT @explorer.exe (SetWindowTheme) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD0134)
[Address] EAT @explorer.exe (SetWindowThemeAttribute) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FDCFE6)
[Address] EAT @explorer.exe (ThemeInitApiHook) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCB176)
[Address] EAT @explorer.exe (UpdatePanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF068D)
[Address] EAT @explorer.exe (DllCanUnloadNow) : hcproviders.dll -> HOOKED (C:\Windows\system32\SearchFolder.dll @ 0x681E29B6)
[Address] EAT @explorer.exe (DllGetClassObject) : hcproviders.dll -> HOOKED (C:\Windows\system32\SearchFolder.dll @ 0x681E3E5E)
[Address] EAT @explorer.exe (DllRegisterServer) : hcproviders.dll -> HOOKED (C:\Windows\system32\SearchFolder.dll @ 0x6822A698)
[Address] EAT @explorer.exe (DllUnregisterServer) : hcproviders.dll -> HOOKED (C:\Windows\system32\SearchFolder.dll @ 0x6822A698)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 08sr.combineads.info # hosts anti-adware / pups
127.0.0.1 08srvr.combineads.info # hosts anti-adware / pups
127.0.0.1 12srvr.combineads.info # hosts anti-adware / pups
127.0.0.1 2010-fr.com # hosts anti-adware / pups
127.0.0.1 2012-new.biz # hosts anti-adware / pups
127.0.0.1 212link.com # hosts anti-adware / pups
127.0.0.1 2319825.ourtoolbar.com # hosts anti-adware / pups
127.0.0.1 24h00business.com # hosts anti-adware / pups
127.0.0.1 a.adorika.net # hosts anti-adware / pups
127.0.0.1 a.ad-sys.com # hosts anti-adware / pups
127.0.0.1 a.daasafterdusk.com # hosts anti-adware / pups
127.0.0.1 ad.adn360.com # hosts anti-adware / pups
127.0.0.1 adeartss.eu # hosts anti-adware / pups
127.0.0.1 adesoeasy.eu # hosts anti-adware / pups
127.0.0.1 adf.girldatesforfree.net # hosts anti-adware / pups
127.0.0.1 adm.soft365.com # hosts anti-adware / pups
127.0.0.1 adomicileavail.googlepages.com # hosts anti-adware / pups
127.0.0.1 ads7.complexadveising.com # hosts anti-adware / pups
127.0.0.1 ads.adplxmd.com # hosts anti-adware / pups
127.0.0.1 ads.aff.co # hosts anti-adware / pups
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SanDisk SSD P4 32GB ATA Device +++++
--- User ---
[MBR] 201d18ae858bedb7c8a00b3f3cba3721
[BSP] a63de4e4fa4e1b9d14268b0887869488 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 30432 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_05272014_115206.txt >>

And the second:

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : GWNet [Admin rights]
Mode : Remove -- Date : 05/27/2014 11:55:22
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] EAT @explorer.exe (BeginBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD09AE)
[Address] EAT @explorer.exe (BeginBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC49A1)
[Address] EAT @explorer.exe (BeginPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF0731)
[Address] EAT @explorer.exe (BufferedPaintClear) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC6395)
[Address] EAT @explorer.exe (BufferedPaintInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC940E)
[Address] EAT @explorer.exe (BufferedPaintRenderAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD08ED)
[Address] EAT @explorer.exe (BufferedPaintSetAlpha) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FDE6B3)
[Address] EAT @explorer.exe (BufferedPaintStopAllAnimations) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FDD395)
[Address] EAT @explorer.exe (BufferedPaintUnInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC94AB)
[Address] EAT @explorer.exe (CloseThemeData) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC6A18)
[Address] EAT @explorer.exe (DrawThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC3982)
[Address] EAT @explorer.exe (DrawThemeBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FDD9DA)
[Address] EAT @explorer.exe (DrawThemeEdge) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FE3B52)
[Address] EAT @explorer.exe (DrawThemeIcon) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF35E7)
[Address] EAT @explorer.exe (DrawThemeParentBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC53E5)
[Address] EAT @explorer.exe (DrawThemeParentBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC51BF)
[Address] EAT @explorer.exe (DrawThemeText) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC4EA1)
[Address] EAT @explorer.exe (DrawThemeTextEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC63E6)
[Address] EAT @explorer.exe (EnableThemeDialogTexture) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCFCAF)
[Address] EAT @explorer.exe (EnableTheming) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2FEB)
[Address] EAT @explorer.exe (EndBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC3F9A)
[Address] EAT @explorer.exe (EndBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC3F9A)
[Address] EAT @explorer.exe (EndPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF06CC)
[Address] EAT @explorer.exe (GetBufferedPaintBits) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC4BAF)
[Address] EAT @explorer.exe (GetBufferedPaintDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD04BC)
[Address] EAT @explorer.exe (GetBufferedPaintTargetDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD0473)
[Address] EAT @explorer.exe (GetBufferedPaintTargetRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2E7F)
[Address] EAT @explorer.exe (GetCurrentThemeName) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD05DD)
[Address] EAT @explorer.exe (GetThemeAppProperties) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD0FB1)
[Address] EAT @explorer.exe (GetThemeBackgroundContentRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCCD2E)
[Address] EAT @explorer.exe (GetThemeBackgroundExtent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCF8BF)
[Address] EAT @explorer.exe (GetThemeBackgroundRegion) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD165D)
[Address] EAT @explorer.exe (GetThemeBitmap) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCBF93)
[Address] EAT @explorer.exe (GetThemeBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC7C1F)
[Address] EAT @explorer.exe (GetThemeColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC616C)
[Address] EAT @explorer.exe (GetThemeDocumentationProperty) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2932)
[Address] EAT @explorer.exe (GetThemeEnumValue) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC616C)
[Address] EAT @explorer.exe (GetThemeFilename) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2412)
[Address] EAT @explorer.exe (GetThemeFont) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCFF21)
[Address] EAT @explorer.exe (GetThemeInt) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC616C)
[Address] EAT @explorer.exe (GetThemeIntList) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF23B1)
[Address] EAT @explorer.exe (GetThemeMargins) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC86E9)
[Address] EAT @explorer.exe (GetThemeMetric) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD06E2)
[Address] EAT @explorer.exe (GetThemePartSize) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCCDB1)
[Address] EAT @explorer.exe (GetThemePosition) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2350)
[Address] EAT @explorer.exe (GetThemePropertyOrigin) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FE3FBB)
[Address] EAT @explorer.exe (GetThemeRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD3611)
[Address] EAT @explorer.exe (GetThemeStream) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD39D9)
[Address] EAT @explorer.exe (GetThemeString) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF22E4)
[Address] EAT @explorer.exe (GetThemeSysBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF3172)
[Address] EAT @explorer.exe (GetThemeSysColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FE3274)
[Address] EAT @explorer.exe (GetThemeSysColorBrush) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF301E)
[Address] EAT @explorer.exe (GetThemeSysFont) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF29C4)
[Address] EAT @explorer.exe (GetThemeSysInt) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2BD3)
[Address] EAT @explorer.exe (GetThemeSysSize) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF320B)
[Address] EAT @explorer.exe (GetThemeSysString) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF2B3F)
[Address] EAT @explorer.exe (GetThemeTextExtent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC2D57)
[Address] EAT @explorer.exe (GetThemeTextMetrics) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCF992)
[Address] EAT @explorer.exe (GetThemeTransitionDuration) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD1081)
[Address] EAT @explorer.exe (GetWindowTheme) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCDF46)
[Address] EAT @explorer.exe (HitTestThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD3CE3)
[Address] EAT @explorer.exe (IsAppThemed) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCF869)
[Address] EAT @explorer.exe (IsCompositionActive) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC2E9A)
[Address] EAT @explorer.exe (IsThemeActive) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCF785)
[Address] EAT @explorer.exe (IsThemeBackgroundPartiallyTransparent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC60AB)
[Address] EAT @explorer.exe (IsThemeDialogTextureEnabled) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF312B)
[Address] EAT @explorer.exe (IsThemePartDefined) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC85B4)
[Address] EAT @explorer.exe (OpenThemeData) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FC73D2)
[Address] EAT @explorer.exe (OpenThemeDataEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FE3D43)
[Address] EAT @explorer.exe (SetThemeAppProperties) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF3296)
[Address] EAT @explorer.exe (SetWindowTheme) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FD0134)
[Address] EAT @explorer.exe (SetWindowThemeAttribute) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FDCFE6)
[Address] EAT @explorer.exe (ThemeInitApiHook) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FCB176)
[Address] EAT @explorer.exe (UpdatePanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x73FF068D)
[Address] EAT @explorer.exe (DllCanUnloadNow) : hcproviders.dll -> HOOKED (C:\Windows\system32\SearchFolder.dll @ 0x681E29B6)
[Address] EAT @explorer.exe (DllGetClassObject) : hcproviders.dll -> HOOKED (C:\Windows\system32\SearchFolder.dll @ 0x681E3E5E)
[Address] EAT @explorer.exe (DllRegisterServer) : hcproviders.dll -> HOOKED (C:\Windows\system32\SearchFolder.dll @ 0x6822A698)
[Address] EAT @explorer.exe (DllUnregisterServer) : hcproviders.dll -> HOOKED (C:\Windows\system32\SearchFolder.dll @ 0x6822A698)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 08sr.combineads.info # hosts anti-adware / pups
127.0.0.1 08srvr.combineads.info # hosts anti-adware / pups
127.0.0.1 12srvr.combineads.info # hosts anti-adware / pups
127.0.0.1 2010-fr.com # hosts anti-adware / pups
127.0.0.1 2012-new.biz # hosts anti-adware / pups
127.0.0.1 212link.com # hosts anti-adware / pups
127.0.0.1 2319825.ourtoolbar.com # hosts anti-adware / pups
127.0.0.1 24h00business.com # hosts anti-adware / pups
127.0.0.1 a.adorika.net # hosts anti-adware / pups
127.0.0.1 a.ad-sys.com # hosts anti-adware / pups
127.0.0.1 a.daasafterdusk.com # hosts anti-adware / pups
127.0.0.1 ad.adn360.com # hosts anti-adware / pups
127.0.0.1 adeartss.eu # hosts anti-adware / pups
127.0.0.1 adesoeasy.eu # hosts anti-adware / pups
127.0.0.1 adf.girldatesforfree.net # hosts anti-adware / pups
127.0.0.1 adm.soft365.com # hosts anti-adware / pups
127.0.0.1 adomicileavail.googlepages.com # hosts anti-adware / pups
127.0.0.1 ads7.complexadveising.com # hosts anti-adware / pups
127.0.0.1 ads.adplxmd.com # hosts anti-adware / pups
127.0.0.1 ads.aff.co # hosts anti-adware / pups
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SanDisk SSD P4 32GB ATA Device +++++
--- User ---
[MBR] 201d18ae858bedb7c8a00b3f3cba3721
[BSP] a63de4e4fa4e1b9d14268b0887869488 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 30432 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_05272014_115522.txt >>
RKreport[0]_S_05272014_115206.txt
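The "MBR Check" block in both reports prints a hash of the boot sector and a decoded partition table, and RogueKiller's LL1/LL2 lines compare what a low-level read of sector 0 returns against what the user-mode view returns. Below is an added example, not RogueKiller's code (its hashing method is not published), that decodes a raw 512-byte MBR into the same fields and adds a few cross-checks a bootkit would trip. The sector it runs on is constructed in code to match the layout in the report (100 MB active NTFS at sector 2048, then 30432 MB NTFS at sector 206848); its boot code is filler, so the MD5 it prints will not match the [MBR] value above. The partition-type names and the "hidden" type set are a partial table, an assumption for illustration. On a real machine you would feed parse_mbr() the first 512 bytes read from \\.\PhysicalDrive0.

```python
"""Decode a raw 512-byte MBR into the fields shown in the report's MBR Check:
boot-code hash, partition entries, active flag, visibility and size in MB.
Added example; not RogueKiller's own code."""
import hashlib
import struct

SECTOR = 512
# Partial type table (assumption for illustration); extend as needed.
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x17: "NTFS",
              0x83: "Linux", 0xEE: "GPT protective"}
# Types DOS/Windows tools treat as 'hidden' (known type with the 0x10 bit set).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def build_sample_mbr():
    """Constructed sector with the layout from the report above. The boot
    code is filler, so its hash will not match the [MBR] value in the log."""
    sector = bytearray(SECTOR)
    sector[:16] = b"FILLER BOOTCODE!"
    entries = [  # (status, type, first LBA, sector count); 1 MB = 2048 sectors
        (0x80, 0x07, 2048, 100 * 2048),
        (0x00, 0x07, 206848, 30432 * 2048),
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        # status | CHS start (3) | type | CHS end (3) | LBA start | sector count
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    struct.pack_into("<H", sector, 510, 0xAA55)
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot-code hash and the populated partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    if struct.unpack_from("<H", sector, 510)[0] != 0xAA55:
        raise ValueError("boot signature 55 AA missing: not an MBR")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "name": PART_TYPES.get(ptype, "unknown"),
            "hidden": ptype in HIDDEN_TYPES,
            "offset": lba,
            "end": lba + count,  # exclusive, in sectors
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    # Bytes 0..439 hold the boot code; disk signature and table follow it.
    return {"bootcode_md5": hashlib.md5(sector[:440]).hexdigest(), "partitions": parts}


def format_like_report(info):
    """Render entries in the shape of the 'Partition table:' lines above."""
    out = []
    for p in info["partitions"]:
        status = "ACTIVE" if p["active"] else "XXXXXX"
        vis = "HIDDEN" if p["hidden"] else "VISIBLE"
        out.append(f"{p['index']} - [{status}] {p['name']} (0x{p['type']:02X}) [{vis}] "
                   f"Offset (sectors): {p['offset']} | Size: {p['size_mb']} MB")
    return out


def sanity_issues(info):
    """Cheap cross-checks: several active entries, overlapping entries, or an
    entry that starts inside the MBR's own track (first 63 sectors)."""
    issues = []
    parts = sorted(info["partitions"], key=lambda p: p["offset"])
    if sum(p["active"] for p in parts) > 1:
        issues.append("more than one active partition")
    for a, b in zip(parts, parts[1:]):
        if b["offset"] < a["end"]:
            issues.append(f"partitions {a['index']} and {b['index']} overlap")
    for p in parts:
        if p["offset"] < 63:
            issues.append(f"partition {p['index']} starts inside the first track")
    return issues


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("[MBR]", info["bootcode_md5"])
    print("\n".join(format_like_report(info)))
    print("issues:", sanity_issues(info) or "none")
```

Comparing the boot-code hash against a known-good value only tells you the code area is unchanged; the sanity checks catch the table-level tricks, and neither substitutes for RogueKiller's cross-view read, which is what detects a rootkit that filters sector 0 on the way up to user mode.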



#12 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:49 AM

Posted 27 May 2014 - 12:53 PM

This generated a second report on the desktop. Everything seems okay.

There's no harm done.... so don't worry.
We would have fixed the first line, but the next 2 are just lines that come up in every report and we ignore those.
But fixing them will make no difference to your system.

Looking at the previous thread reports and your MBAM notification about the ZeroAccess files, it seems that these may have just been leftovers as there is no sign of any active infection.

As for the 'Program' folder, you can delete it yourself or I can remove it for you.

Are there any issues with the system that I should be aware of at this point?


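The three registry lines in the second report are worth being able to read without the tool's help: DisableRegistryTools with data 0 means regedit was not actually disabled, and the two NewStartPanel values are the Windows desktop-icon toggles under ...\Explorer\HideDesktopIcons\NewStartPanel, where {20D04FE0-3AEA-1069-A2D8-08002B30309D} is Computer and {59031a47-3f72-44a7-89c5-5595fe6b30ee} is User's Files (data 1 hides the icon, 0 shows it), so REPLACED (0) makes both icons appear on the desktop. The HOSTS section is the other part that needs a second look: entries pointing ad domains at 127.0.0.1 are a harmless blocklist, whereas malware uses the same file to null-route AV and update domains or to point real names at its own address. Below is an added example, not RogueKiller's code or anything posted in the thread, that parses the report format above into sections and applies those two interpretations. The registry lines and the first three hosts lines are copied from the report; the last two hosts lines and the PROTECTED_SUFFIXES list are constructed for illustration.

```python
"""Parse a RogueKiller text report (the format posted in this thread) into
sections, interpret its registry findings and triage its HOSTS entries.
Added example; RogueKiller does not ship anything like it."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt: the registry lines and first three hosts lines are
# copied from the report above; the last two hosts lines are made up so
# that the suspicious branches are exercised.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 08sr.combineads.info # hosts anti-adware / pups
127.0.0.1 a.ad-sys.com # hosts anti-adware / pups
127.0.0.1 ads.aff.co # hosts anti-adware / pups
127.0.0.1 www.malwarebytes.org # constructed: would block AV updates
203.0.113.10 www.example.com # constructed: name pointed at a foreign IP
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>[^:¤]+?)\s*:.*¤¤¤\s*$")
REG_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<key>\S+)\s+:\s+(?P<value>.+?)\s+"
    r"\((?P<old>[^)]*)\)\s+->\s+(?P<action>[A-Z]+)(?:\s+\((?P<new>[^)]*)\))?\s*$"
)
HOSTS_RE = re.compile(r"^(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<host>\S+)\s*(?:#\s*(?P<comment>.*))?$")

# CLSIDs under ...\Explorer\HideDesktopIcons\NewStartPanel; data 1 hides the
# icon, 0 shows it. Only the two seen in this report are listed.
DESKTOP_ICONS = {
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "Computer",
    "{59031A47-3F72-44A7-89C5-5595FE6B30EE}": "User's Files",
}
# Assumed list of names malware sinkholes in HOSTS to block AV and OS
# updates; extend it for your own estate.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "malwarebytes.org")


@dataclass
class RegistryFinding:
    tags: list
    key: str
    value: str
    old: str
    action: str
    new: Optional[str]


def split_sections(text):
    """Map each ¤¤¤ section header to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_registry(lines):
    out = []
    for line in lines:
        m = REG_RE.match(line)
        if m:
            tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
            out.append(RegistryFinding(tags, m.group("key"), m.group("value"),
                                       m.group("old"), m.group("action"), m.group("new")))
    return out


def interpret(f):
    """Plain-language verdict for the kinds of registry line seen above."""
    icon = DESKTOP_ICONS.get(f.value.upper())
    if icon and f.key.endswith("NewStartPanel"):
        state = "hidden" if f.old == "1" else "shown"
        fix = f", now {'shown' if f.new == '0' else 'hidden'}" if f.new is not None else ""
        return f"desktop icon '{icon}' was {state}{fix}: cosmetic, not an infection"
    if f.value == "DisableRegistryTools":
        return ("regedit was never actually disabled (data 0): harmless leftover policy value"
                if f.old == "0" else "regedit was disabled by policy: find out who set it")
    return "unrecognised entry: review manually"


def triage_host(ip_text, host):
    """blocklist = harmless sinkhole, hijack = security/update domain touched,
    redirect = name pointed at a real address (pharming pattern)."""
    h = host.lower()
    if any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES):
        return "hijack"
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback or ip.is_unspecified:
        return "blocklist"
    return "redirect"


def triage_report(text):
    sections = split_sections(text)
    registry = [(f.value, interpret(f))
                for f in parse_registry(sections.get("Registry Entries", []))]
    counts, flagged = {"blocklist": 0, "hijack": 0, "redirect": 0}, []
    for line in sections.get("HOSTS File", []):
        m = HOSTS_RE.match(line)
        if not m:
            continue  # the "--> path" line is not an entry
        verdict = triage_host(m.group("ip"), m.group("host"))
        counts[verdict] += 1
        if verdict != "blocklist":
            flagged.append((verdict, m.group("host")))
    return {"registry": registry, "hosts": counts, "flagged": flagged}


if __name__ == "__main__":
    for k, v in triage_report(SAMPLE_REPORT).items():
        print(k, v)
```

Run against the real report, the hosts counter comes back with blocklist entries only, which is the quickest way to confirm that a long HOSTS section is an ad blocker rather than a hijack.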

#13 i.hate.open.cloud

i.hate.open.cloud
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:49 AM

Posted 28 May 2014 - 05:18 AM

Good to hear that there doesn't seem to be damage from RK or ZeroAccess. Thanks for your help and advice.

I went ahead and deleted the Program folder and restarted the computer, which eliminated the File Name alert, but now there are shortcuts to the Computer folder and the C:\Users\GWNet folder on the Desktop. Did any of the tools or changes create those? There's also a folder called Qoobox in the C:\ directory, which I assume is related to one of the tools. I haven't opened it.

I would like to reinstall Foxit and see if the Program issue comes up again, as well as update Java, but I'll hold off on those two in case there's anything else you want me to do first.



#14 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:49 AM

Posted 28 May 2014 - 11:32 AM

Hi i.hate.open.cloud

There was a question I forgot to answer earlier (with regards to IE):

> Is it possible to place the tabs and the address bar on separate lines?

Yes, you can make your tabs appear either below or to the right of the Address bar in Windows Internet Explorer 9. Here's how:

http://windows.microsoft.com/en-us/windows7/change-the-location-of-your-tabs-in-internet-explorer-9

but it seems that M$ have done away with this option after IE9.

> but now there are shortcuts to the Computer folder and the C:\Users\GWNet folder on the Desktop. Did any of the tools or changes create those?

Not that I'm aware of.
If after the cleanup procedure they are still there you can right click on them and select delete.

> There's also a folder called Qoobox in the C:\ directory

This is the quarantine folder for Combofix.
Probably a left over from your previous thread.
We will remove that for you.

Don't forget to update Java as per Step 2 in Post #6.

Let's finish the cleaning process and remove the tools we have used.
We'll also set you a fresh restore point.

Step 1
Restart MBAM.
Click on the History tab >> Quarantine
Tick to select any items and then click the Delete button.
Close MBAM.


Step 2
Download Delfix and save it to your desktop.
  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
  • Create registry backup
  • Purge system restore

  • Click the Run button.
When the tool has finished, a log will open in notepad.... but I don't actually need this report

To find out how you may have been infected....read this topic:
How did i get infected?

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Use an AntiVirus Software

Only install one AntiVirus program

Update your AntiVirus Software regularly

Use a Firewall

Only install one software Firewall

Scan regularly with a 'Stand Alone' Anti-Malware scanner:
Installing another scanner that you can run once or twice a week is always beneficial.
Something like:
Malwarebytes Anti-Malware
SUPERAntiSpyware
Remember to update these programs each time before running.
You can install more than one of these if you only run them as stand alone programs.

Use an alternative browser to Internet Explorer:
Some excellent alternatives to MS Internet Explorer are:

Firefox
For added security, add the NoScript extension to this browser:
Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
also consider adding:
WOT - Safe Browsing Tool

Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
Btw: you don't have to make a contribution.

Opera

Keep a backup of your registry
Keeping a regular backup of your registry will help when something goes wrong.
Use a program like:
Erunt

A full tutorial on how to set up and use Erunt can be found here:
Erunt tutorial

Keep your system clean of temp files etc, using a 'Cleaner':

Cleaners are programs that will help to clean out your:
Windows temp files
Current user temp files
Cookies
Temporary Internet files
Browser history
Recycle bin
Etc.......
In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your pc.
Programs like:
TFC by OldTimer
ATF Cleaner

Visit Microsoft's Windows Update Site Frequently - It is important that you visit Windowsupdate regularly.
Alternatively, turn on Automatic Updates.

Peer to Peer programs
Don't be tempted to use Peer to Peer programs.
Many of the downloads are bundled with malware.

Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Safe surfing.


#15 i.hate.open.cloud

i.hate.open.cloud
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:49 AM

Posted 29 May 2014 - 01:26 AM

I updated Java and ran Delfix. After that, I redownloaded Foxit reader (there was a newer version than my previous installer) and installed it on a bare-bones level and removed the packaged Foxit Cloud with Revo Uninstaller. It didn't create a new C:\Program folder after install, and on reboot there was no such folder or associated File Name Warning, so I guess they fixed the issue, or something. :) Those two shortcuts were still present after Delfix did its thing, and I deleted them without any problems, I'm just not sure how they got there.

EDIT: It seems that something is hogging CPU resources. It looks like Java, as CPU usage is spiking when it's utilized within a webpage (77-100% on some pages). Things sped up after completing the scans, but there's still a huge spike when some pages are loaded. Any thoughts?

I'm currently running full scans with MBAM and then MSE for good luck, and I'm confident they'll be clean, but I'll let you know if something comes up. I think I'm going to bite the bullet and update my browser. It looks like you recommend Firefox, which I'm considering switching to. I would like to know how you reconfigured the layout in IE, though.

I think that about covers things. I really appreciate your help with everything; do you accept Paypal donations?


Edited by i.hate.open.cloud, 29 May 2014 - 06:29 AM.




