Malwarebytes freezing during full scan, high memory use/ ZeroAccess / Sirefef


I have been trying to run a full scan with Malwarebytes and it freezes at my temporary internet files each time. I have tried to run the scan in safe mode as well, to no avail. I originally tried running the scan because I have had a program (svchost.exe) that has been running what I think is high on memory (200,000 KB) and my RAM % continues to rise until I restart. Also, I have been able to run a quick scan, which reveals no threats or viruses. I have used CCleaner and tried to run the scan and it still freezes. I have run the mbam program just fine, but when I try to run a DDS scan it gets 3/4 of the way through and stays there. Turned off internet and no firewalls or protection on. I waited for an hour a couple of times and it does not advance.


Hello chancetyme.

I will be helping you. Please follow my guidance and do not run tools or fixes, nor make changes on your own.

Please confirm for me that you are the owner of this system.

If it is owned by someone else, or if it belongs to a company or an organization, please Stop and tell me that.

As a reminder, please just copy & paste all log contents directly into the main body of the reply box.

Use 1 reply per log as needed. If you hit a log that is way too huge, then you may attach it.

Please do a backup of any documents/personal files that you cannot afford to lose.

Malware cleanups can sometimes be unpredictable. So do a backup to Offline media as a precaution.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Disconnect any external storage drives from the computer.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

OR, if you have the Windows OS DVD, to enter System Recovery Options using the Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

  • Select Command Prompt.
  • Now plug the flash drive with the FRST tool into the PC.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.


This is my computer. Here is the log that Farbar pulled up.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-05-2013

Ran by SYSTEM on 29-05-2013 16:58:52

Running from F:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r [2870896 2010-12-22] (VIA)

HKLM-x32\...\Run: [instaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup [1884064 2011-11-14] (Affinegy, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe" [608104 2013-04-22] (Razer USA Ltd)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [642808 2012-12-19] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)

HKU\Chance\...\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1635752 2013-05-03] (Valve Corporation)

HKU\Chance\...\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [x]

HKU\Chance\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18642024 2013-02-28] (Skype Technologies S.A.)

HKU\Chance\...\Run: [Raptr] C:\PROGRA~2\Raptr\raptrstub.exe --startup [55360 2013-05-20] (Raptr, Inc)

==================== Services (Whitelisted) =================

S2 AffinegyService; C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe [563104 2011-11-14] (Affinegy, Inc.)

S3 BRSptSvc; C:\ProgramData\BitRaider\BRSptSvc.exe [938776 2013-05-24] (BitRaider, LLC)

S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)

S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)

S2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2010-12-14] (VIA Technologies, Inc.)

S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)

S3 rzdaendpt; C:\Windows\System32\DRIVERS\rzdaendpt.sys [25600 2013-04-18] (Razer USA Ltd)

S3 rzvkeyboard; C:\Windows\System32\DRIVERS\rzvkeyboard.sys [23040 2013-04-18] (Razer USA Ltd)

S3 BRDriver64; \??\C:\programdata\bitraider\BRDriver64.sys [x]

S3 catchme; \??\C:\ComboFix\catchme.sys [x]

S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-29 16:58 - 2013-05-29 16:58 - 00000000 ____D C:\FRST

2013-05-29 13:44 - 2013-05-29 13:44 - 01915774 ____A (Farbar) C:\Users\Chance\Downloads\FRST64.exe

2013-05-28 21:13 - 2013-05-28 21:13 - 00688992 ____R (Swearware) C:\Users\Chance\Desktop\dds.com

2013-05-28 21:06 - 2013-05-28 21:06 - 00688992 ____R (Swearware) C:\Users\Chance\Desktop\dds.scr

2013-05-28 21:05 - 2013-05-28 21:05 - 00044452 ____A C:\Users\Chance\Desktop\CheckResults.txt

2013-05-28 21:04 - 2013-05-28 21:04 - 00353352 ____A (Malwarebytes Corporation) C:\Users\Chance\Desktop\mbam-check-2.0.0.1000.exe

2013-05-28 18:19 - 2013-05-03 13:15 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-28 18:17 - 2013-05-28 18:17 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-28 18:17 - 2013-05-28 18:17 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-28 18:17 - 2013-04-04 11:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-05-28 18:16 - 2013-05-28 18:17 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\Chance\Downloads\mbam-setup-1.75.0.1300(1).exe

2013-05-27 18:51 - 2013-05-27 18:51 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Chance\Downloads\tdsskiller.exe

2013-05-27 18:25 - 2013-05-27 18:25 - 00000000 ___HD C:\kleaner.tmp

2013-05-27 18:23 - 2013-05-27 18:23 - 165451392 ____A (Kaspersky Lab) C:\Users\Chance\Downloads\kis13.0.1.4190EN_3843.exe

2013-05-27 18:18 - 2013-05-28 18:23 - 00001832 ____A C:\Windows\PFRO.log

2013-05-27 18:18 - 2013-05-27 18:18 - 00001863 ____A C:\AdwCleaner[s3].txt

2013-05-27 18:17 - 2013-05-27 18:17 - 00632031 ____A C:\Users\Chance\Downloads\adwcleaner.exe

2013-05-27 18:17 - 2013-05-27 18:17 - 00001793 ____A C:\AdwCleaner[R4].txt

2013-05-27 06:48 - 2013-05-29 13:49 - 00002204 ____A C:\Windows\setupact.log

2013-05-27 06:48 - 2013-05-27 06:48 - 00000000 ____A C:\Windows\setuperr.log

2013-05-26 06:46 - 2013-05-26 06:46 - 00028212 ____A C:\Users\Chance\Documents\cc_20130526_094616.reg

2013-05-26 06:44 - 2013-05-26 06:44 - 04346816 ____A (Piriform Ltd) C:\Users\Chance\Downloads\ccsetup401.exe

2013-05-25 19:52 - 2013-05-25 19:52 - 00000000 ____A C:\Windows\SysWOW64\config.nt

2013-05-25 19:52 - 2013-05-09 00:58 - 00287840 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe

2013-05-25 19:51 - 2013-05-27 18:18 - 00000000 ____D C:\ProgramData\AVAST Software

2013-05-25 19:51 - 2013-05-25 19:51 - 00000000 ____D C:\Program Files\AVAST Software

2013-05-25 19:50 - 2013-05-25 19:51 - 117478104 ____A C:\Users\Chance\Downloads\avast_free_antivirus_setup.exe

2013-05-25 17:57 - 2013-05-25 17:57 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\Chance\Downloads\mbam-setup-1.75.0.1300.exe

2013-05-25 17:55 - 2013-05-29 11:56 - 00007608 ____A C:\Users\Chance\AppData\Local\Resmon.ResmonCfg

2013-05-24 17:46 - 2013-05-24 17:46 - 00001042 ____A C:\AdwCleaner[s2].txt

2013-05-24 17:46 - 2013-05-24 17:46 - 00000983 ____A C:\AdwCleaner[R3].txt

2013-05-24 10:38 - 2013-05-24 10:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-05-15 21:37 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 21:37 - 2013-05-05 13:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 21:37 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-15 21:37 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-15 21:36 - 2013-04-04 17:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 21:36 - 2013-04-04 17:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 21:36 - 2013-04-04 17:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 21:36 - 2013-04-04 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 21:36 - 2013-04-04 16:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-05-15 21:36 - 2013-04-04 16:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-05-15 21:36 - 2013-04-04 16:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 21:36 - 2013-04-04 16:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-05-15 21:36 - 2013-04-04 16:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 21:36 - 2013-04-04 16:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-05-15 21:36 - 2013-04-04 16:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 21:36 - 2013-04-04 16:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 21:36 - 2013-04-04 16:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-05-15 21:36 - 2013-04-04 16:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 21:36 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-15 21:36 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 21:36 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-05-15 21:36 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-15 21:36 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-15 21:36 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-05-15 21:36 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-15 21:36 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-15 21:36 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-05-15 21:36 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-05-15 21:36 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-15 21:36 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-15 21:36 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-05-15 21:36 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-15 03:35 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 03:35 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 03:35 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 03:35 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 03:35 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 03:35 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 03:35 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-15 03:35 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-15 03:35 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-15 03:35 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-15 03:35 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-15 03:34 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 03:34 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 03:34 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-12 15:56 - 2013-05-24 10:11 - 00000000 ____D C:\Users\Chance\AppData\Roaming\Awesomium

2013-05-12 13:43 - 2013-05-12 13:43 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation

2013-05-12 13:43 - 2013-05-12 13:43 - 00000000 ____D C:\Program Files (x86)\AGEIA Technologies

2013-05-12 13:41 - 2013-05-24 10:09 - 00000000 ____D C:\ProgramData\BitRaider

2013-05-12 13:41 - 2013-05-12 13:41 - 04676120 ____A (BitRaider, LLC) C:\Users\Chance\Downloads\MarvelHeroesBeta.exe

2013-05-12 13:41 - 2013-05-12 13:41 - 00000000 ____D C:\Users\Public\Documents\BitRaider

2013-05-02 17:43 - 2013-05-29 12:35 - 00000000 ____D C:\Users\Chance\AppData\Roaming\Raptr

2013-05-02 17:43 - 2013-05-21 04:27 - 00000000 ____D C:\Program Files (x86)\Raptr

2013-05-02 17:42 - 2013-05-02 17:42 - 00071576 ____A C:\Users\Chance\Downloads\raptr_installer.exe

2013-04-30 16:28 - 2013-05-01 19:06 - 00000000 ____D C:\Users\Chance\Desktop\Work

==================== One Month Modified Files and Folders =======

2013-05-29 16:58 - 2013-05-29 16:58 - 00000000 ____D C:\FRST

2013-05-29 13:52 - 2013-02-12 20:23 - 01589951 ____A C:\Windows\WindowsUpdate.log

2013-05-29 13:51 - 2009-07-13 21:13 - 00779958 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-29 13:49 - 2013-05-27 06:48 - 00002204 ____A C:\Windows\setupact.log

2013-05-29 13:44 - 2013-05-29 13:44 - 01915774 ____A (Farbar) C:\Users\Chance\Downloads\FRST64.exe

2013-05-29 13:35 - 2012-06-18 16:35 - 00000000 ____D C:\Users\Chance\AppData\Roaming\Skype

2013-05-29 13:33 - 2012-04-25 10:03 - 00000000 ____D C:\Users\Chance\AppData\Local\PMB Files

2013-05-29 13:33 - 2012-04-25 10:03 - 00000000 ____D C:\ProgramData\PMB Files

2013-05-29 13:15 - 2012-04-25 09:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-29 13:12 - 2012-04-25 10:00 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-29 12:41 - 2009-07-13 20:45 - 00021872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-29 12:41 - 2009-07-13 20:45 - 00021872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-29 12:35 - 2013-05-02 17:43 - 00000000 ____D C:\Users\Chance\AppData\Roaming\Raptr

2013-05-29 12:34 - 2012-04-25 10:00 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-29 12:34 - 2012-04-25 09:55 - 00000000 ____D C:\Program Files (x86)\Steam

2013-05-29 12:34 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-29 11:56 - 2013-05-25 17:55 - 00007608 ____A C:\Users\Chance\AppData\Local\Resmon.ResmonCfg

2013-05-28 21:13 - 2013-05-28 21:13 - 00688992 ____R (Swearware) C:\Users\Chance\Desktop\dds.com

2013-05-28 21:06 - 2013-05-28 21:06 - 00688992 ____R (Swearware) C:\Users\Chance\Desktop\dds.scr

2013-05-28 21:05 - 2013-05-28 21:05 - 00044452 ____A C:\Users\Chance\Desktop\CheckResults.txt

2013-05-28 21:04 - 2013-05-28 21:04 - 00353352 ____A (Malwarebytes Corporation) C:\Users\Chance\Desktop\mbam-check-2.0.0.1000.exe

2013-05-28 18:46 - 2012-12-25 20:14 - 00000000 ____D C:\Users\Chance\Documents\The War Z

2013-05-28 18:23 - 2013-05-27 18:18 - 00001832 ____A C:\Windows\PFRO.log

2013-05-28 18:17 - 2013-05-28 18:17 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-28 18:17 - 2013-05-28 18:17 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-05-28 18:17 - 2013-05-28 18:16 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\Chance\Downloads\mbam-setup-1.75.0.1300(1).exe

2013-05-28 18:17 - 2013-02-12 21:35 - 00000000 ____D C:\Users\Chance\Desktop\Fixys

2013-05-27 18:51 - 2013-05-27 18:51 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Chance\Downloads\tdsskiller.exe

2013-05-27 18:25 - 2013-05-27 18:25 - 00000000 ___HD C:\kleaner.tmp

2013-05-27 18:23 - 2013-05-27 18:23 - 165451392 ____A (Kaspersky Lab) C:\Users\Chance\Downloads\kis13.0.1.4190EN_3843.exe

2013-05-27 18:18 - 2013-05-27 18:18 - 00001863 ____A C:\AdwCleaner[s3].txt

2013-05-27 18:18 - 2013-05-25 19:51 - 00000000 ____D C:\ProgramData\AVAST Software

2013-05-27 18:17 - 2013-05-27 18:17 - 00632031 ____A C:\Users\Chance\Downloads\adwcleaner.exe

2013-05-27 18:17 - 2013-05-27 18:17 - 00001793 ____A C:\AdwCleaner[R4].txt

2013-05-27 18:14 - 2012-06-18 16:34 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-05-27 18:14 - 2012-06-18 16:34 - 00000000 ____D C:\ProgramData\Skype

2013-05-27 06:48 - 2013-05-27 06:48 - 00000000 ____A C:\Windows\setuperr.log

2013-05-26 06:46 - 2013-05-26 06:46 - 00028212 ____A C:\Users\Chance\Documents\cc_20130526_094616.reg

2013-05-26 06:45 - 2012-07-27 14:03 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy

2013-05-26 06:45 - 2012-04-25 10:00 - 00000000 ____D C:\Program Files\CCleaner

2013-05-26 06:44 - 2013-05-26 06:44 - 04346816 ____A (Piriform Ltd) C:\Users\Chance\Downloads\ccsetup401.exe

2013-05-25 20:31 - 2012-09-06 20:00 - 00000000 ____D C:\Users\Chance\AppData\Local\epsxe

2013-05-25 19:54 - 2012-04-25 10:00 - 00000000 ____D C:\Program Files (x86)\Google

2013-05-25 19:52 - 2013-05-25 19:52 - 00000000 ____A C:\Windows\SysWOW64\config.nt

2013-05-25 19:51 - 2013-05-25 19:51 - 00000000 ____D C:\Program Files\AVAST Software

2013-05-25 19:51 - 2013-05-25 19:50 - 117478104 ____A C:\Users\Chance\Downloads\avast_free_antivirus_setup.exe

2013-05-25 17:57 - 2013-05-25 17:57 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\Chance\Downloads\mbam-setup-1.75.0.1300.exe

2013-05-24 17:59 - 2012-04-25 10:59 - 00000000 ____D C:\Users\Chance\Desktop\Games

2013-05-24 17:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-05-24 17:46 - 2013-05-24 17:46 - 00001042 ____A C:\AdwCleaner[s2].txt

2013-05-24 17:46 - 2013-05-24 17:46 - 00000983 ____A C:\AdwCleaner[R3].txt

2013-05-24 17:45 - 2012-04-25 09:54 - 00000000 ____D C:\Users\Chance\Tracing

2013-05-24 10:38 - 2013-05-24 10:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-05-24 10:11 - 2013-05-12 15:56 - 00000000 ____D C:\Users\Chance\AppData\Roaming\Awesomium

2013-05-24 10:09 - 2013-05-12 13:41 - 00000000 ____D C:\ProgramData\BitRaider

2013-05-21 04:27 - 2013-05-02 17:43 - 00000000 ____D C:\Program Files (x86)\Raptr

2013-05-20 21:16 - 2012-09-29 18:16 - 00000000 ____D C:\Users\Chance\AppData\Roaming\SoftGrid Client

2013-05-16 05:53 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-05-16 04:27 - 2009-07-13 20:45 - 00291368 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-14 16:15 - 2012-04-25 09:45 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-14 16:15 - 2012-04-25 09:45 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-12 15:56 - 2012-09-22 06:01 - 00000000 ____D C:\Users\Chance\Documents\My Games

2013-05-12 13:43 - 2013-05-12 13:43 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation

2013-05-12 13:43 - 2013-05-12 13:43 - 00000000 ____D C:\Program Files (x86)\AGEIA Technologies

2013-05-12 13:41 - 2013-05-12 13:41 - 04676120 ____A (BitRaider, LLC) C:\Users\Chance\Downloads\MarvelHeroesBeta.exe

2013-05-12 13:41 - 2013-05-12 13:41 - 00000000 ____D C:\Users\Public\Documents\BitRaider

2013-05-09 00:58 - 2013-05-25 19:52 - 00287840 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe

2013-05-06 18:19 - 2013-04-12 16:42 - 00000000 ____D C:\Program Files (x86)\RIFT

2013-05-05 13:36 - 2013-05-15 21:37 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-05 13:16 - 2013-05-15 21:37 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-05 11:25 - 2013-05-15 21:37 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-05 11:12 - 2013-05-15 21:37 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-03 13:15 - 2013-05-28 18:19 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-02 17:42 - 2013-05-02 17:42 - 00071576 ____A C:\Users\Chance\Downloads\raptr_installer.exe

2013-05-01 23:06 - 2010-11-20 19:27 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2013-05-01 19:06 - 2013-04-30 16:28 - 00000000 ____D C:\Users\Chance\Desktop\Work

ZeroAccess:

C:\Windows\Installer\{9d02f850-4238-487a-1a88-22eacf793c60}

C:\Windows\Installer\{9d02f850-4238-487a-1a88-22eacf793c60}\L

C:\Windows\Installer\{9d02f850-4238-487a-1a88-22eacf793c60}\U

ZeroAccess:

C:\Users\Chance\AppData\Local\{9d02f850-4238-487a-1a88-22eacf793c60}

C:\Users\Chance\AppData\Local\{9d02f850-4238-487a-1a88-22eacf793c60}\L

C:\Users\Chance\AppData\Local\{9d02f850-4238-487a-1a88-22eacf793c60}\U

Other Malware:

===========

C:\ProgramData\ntuser.dat

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-25 19:51:31

Restore point made on: 2013-05-27 18:06:39

Restore point made on: 2013-05-27 18:14:11

Restore point made on: 2013-05-28 06:53:46

Restore point made on: 2013-05-28 18:19:39

==================== Memory info ===========================

Percentage of memory in use: 10%

Total physical RAM: 8174.64 MB

Available physical RAM: 7335.2 MB

Total Pagefile: 8172.84 MB

Available Pagefile: 7335.91 MB

Total Virtual: 8192 MB

Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:1862.92 GB) (Free:1317.38 GB) NTFS (Disk=0 Partition=2)

Drive f: (USB20FD) (Removable) (Total:7.53 GB) (Free:7.53 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 51575D39)

Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=-198731366400) - (Type=07 NTFS)

========================================================

Disk: 1 (MBR Code: Windows XP) (Size: 8 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=8 GB) - (Type=0C)

Last Boot: 2013-05-24 05:11

==================== End Of Log ============================


I have some unfortunate & serious news for you:

Backdoor trojan warning: ZeroAccess / Sirefef

This system has some serious backdoor trojans. ZeroAccess / Sirefef

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

See this article on creating strong passwords http://www.microsoft.com/security/online-privacy/passwords-create.aspx

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Let me know what you decide.

To continue the malware hunt & attempted removal, do the following as I outline.

Under no circumstances is this pc to be used to surf the web, nor do any games, nor any online transactions, and certainly no banking !!!

Treat this pc as if it were in isolation & quarantine. Do not use it to run any of your programs or any purpose other than our cleanups here.

Please carefully follow this procedure

Please download the attached fixlist.txt and SAVE / copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on this particular system. Running this on another machine may cause damage to your operating system

On Vista or Windows 7/8: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Fixlist.txt

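The verdict above rests on three filesystem indicators FRST printed in the log: a {GUID}-named directory under C:\Windows\Installer and another under the user's AppData\Local, each holding L and U subdirectories, and an ntuser.dat hive in C:\ProgramData, where no profile hive belongs. The following is an added example of how a practitioner might encode those same indicators as a repeatable check; it is not FRST's code and not something the helper posted. The sample inventory is constructed to mirror the log, with one extra benign {GUID} Windows Installer cache entry (constructed GUID) and the user's real hive location added to show what must not be flagged.

```python
r"""Detection check for the ZeroAccess / Sirefef filesystem artifacts reported by FRST.

Added example for this thread, not FRST's code. Indicators come from the posted FRST.txt:
  - {GUID}-named directory under C:\Windows\Installer and under <profile>\AppData\Local,
    each containing 'L' and 'U' subdirectories
  - an ntuser.dat outside any profile directory (C:\ProgramData\ntuser.dat)
"""
import os
import re

# {8-4-4-4-12} hex, case-insensitive, e.g. {9d02f850-4238-487a-1a88-22eacf793c60}
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)

# Parents under which the log showed the {GUID} container (compared case-insensitively).
SUSPECT_PARENTS = (r"\windows\installer", r"\appdata\local")

# Directories that legitimately hold a per-profile ntuser.dat:
# <root>/Users/<name>/ and <root>/Windows/ServiceProfiles/<name>/
PROFILE_CONTAINERS = {"users", "serviceprofiles"}


def _win(path: str) -> str:
    """Normalise separators so the same rules work on paths from a log or from os.walk."""
    return path.replace("/", "\\").rstrip("\\")


def is_zeroaccess_container(directory: str, children) -> bool:
    """True for a {GUID}-named directory under a suspect parent holding 'L' and 'U' entries.

    Legitimate Windows Installer caches are also {GUID}-named (they hold .msi/.msp files),
    so the L/U children are required, not just the name and location.
    """
    parent, _, name = _win(directory).rpartition("\\")
    if not GUID_DIR.match(name):
        return False
    if not any(parent.lower().endswith(p) for p in SUSPECT_PARENTS):
        return False
    names = {c.lower() for c in children}
    return {"l", "u"} <= names


def is_misplaced_ntuser(path: str) -> bool:
    """True for an ntuser.dat that is not directly inside a profile directory."""
    parts = _win(path).lower().split("\\")
    if parts[-1] != "ntuser.dat":
        return False
    # Expected shape: .../Users/<name>/ntuser.dat or .../ServiceProfiles/<name>/ntuser.dat
    return len(parts) < 3 or parts[-3] not in PROFILE_CONTAINERS


def scan_inventory(inventory: dict) -> list:
    """inventory maps a directory path to the names of its immediate children.
    Returns sorted (indicator, path) pairs."""
    hits = []
    for directory, children in inventory.items():
        if is_zeroaccess_container(directory, children):
            hits.append(("zeroaccess_container", directory))
        for child in children:
            full = _win(directory) + "\\" + child
            if is_misplaced_ntuser(full):
                hits.append(("misplaced_ntuser", full))
    return sorted(hits)


def scan_tree(root: str) -> list:
    """Live variant: build the inventory with os.walk and apply the same rules.

    Caveat: on a running infected host ZeroAccess is known to set restrictive ACLs on
    its {GUID} directory, so a user-mode walk may be denied or see nothing; FRST was run
    from the recovery environment in this thread for that reason. Prefer an offline or
    externally mounted volume.
    """
    inventory = {d: dirs + files for d, dirs, files in os.walk(root)}
    return scan_inventory(inventory)


# Constructed sample mirroring the posted log, plus a benign {GUID} MSI cache entry
# (constructed GUID) and the user's legitimate hive, to show what is NOT flagged.
SAMPLE_INVENTORY = {
    r"C:\Windows\Installer\{9d02f850-4238-487a-1a88-22eacf793c60}": ["L", "U"],
    r"C:\Users\Chance\AppData\Local\{9d02f850-4238-487a-1a88-22eacf793c60}": ["L", "U"],
    r"C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}": ["setup.msi"],
    r"C:\ProgramData": ["Microsoft", "ntuser.dat"],
    r"C:\Users\Chance": ["AppData", "ntuser.dat"],
}

if __name__ == "__main__":
    for indicator, path in scan_inventory(SAMPLE_INVENTORY):
        print(f"{indicator}: {path}")
```

Run against the constructed inventory it reports exactly the two containers and the stray hive from the log and stays silent on the benign MSI cache directory and on C:\Users\Chance\ntuser.dat. The check is deliberately narrow (this family's layout only); a clean result from it says nothing about other malware, which is why the helper still recommends a rebuild for a backdoor-class infection.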

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-05-2013

Ran by SYSTEM at 2013-05-29 17:37:28 Run:1

Running from F:\

Boot Mode: Recovery

==============================================

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched => Value deleted successfully.

HKEY_USERS\Chance\Software\Microsoft\Windows\CurrentVersion\Run\\Steam => Value deleted successfully.

HKEY_USERS\Chance\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotSD TeaTimer => Value deleted successfully.

C:\Windows\Installer\{9d02f850-4238-487a-1a88-22eacf793c60} => Moved successfully.

C:\Windows\Installer\{9d02f850-4238-487a-1a88-22eacf793c60}\L => File/Directory not found.

C:\Windows\Installer\{9d02f850-4238-487a-1a88-22eacf793c60}\U => File/Directory not found.

C:\Users\Chance\AppData\Local\{9d02f850-4238-487a-1a88-22eacf793c60} => Moved successfully.

C:\Users\Chance\AppData\Local\{9d02f850-4238-487a-1a88-22eacf793c60}\L => File/Directory not found.

C:\Users\Chance\AppData\Local\{9d02f850-4238-487a-1a88-22eacf793c60}\U => File/Directory not found.

C:\ProgramData\ntuser.dat => Moved successfully.

==== End of Fixlog ====

I would like to be safe and use my computer for all applications, so I guess reformatting and installing Windows is the way to go. How would I go about that? I have my drivers, utilities and Windows installation discs still.


Print out this section and /or Copy & paste into a txt document for your future reference.

See the clean install guide at this link

I would suggest you see this page How to Do a Clean Installation with Windows 7.

I suggest you delete all existing partitions on the HDD as part of the new Windows 7 install.

Since a clean install will result in the loss of all your personal files & documents, you will want to back them up / copy to Offline media beforehand.

For all the files, documents, personal stuff you back-up..... after all is done & you have the new Windows setup, and Antivirus installed, and MBAM.....

then I would scan any files you restore with 1) antivirus, 2) MBAM.

If you have the Windows 7 operating system DVD, set the pc to boot from it, restart the system and boot from the DVD. You'll want to first delete the existing Windows 7 partition, then do a new install of Windows 7.

If you do not have the Windows 7 DVD, check with your pc maker's support site for the directions on doing a factory restore.

Once you have Windows restored, be sure if the OEM included any antivirus that you un-install it, and install your own.

Be sure you make a visit to Windows Update to ensure your Windows is all up-to-date.

Keep your pc disconnected from internet before & during the Windows clean install.

Only reconnect after the antivirus program is installed.

IF and only if your OEM or vendor included a pre-installed antivirus, be sure to Uninstall it before installing your antivirus.

Best to you. Good luck.

Backups are your pc's best friend.

Safer practices & malware prevention

We are finished here. Best regards.


  • 2 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
