
Need help removing "Trojan.Zaccess".



Hi folks,
 
I'm running Vista 64 bit. This all started with the "government sees you've been viewing child porn" screen. Pay $300 to get out of jail.
 
Rebooted, ran CCleaner, then MBAM and things seemed better, but Avira free version kept sending me warnings. Anyway, to make a long story short, MBAM cleans and quarantines the thing but it just re-appears on reboot. Anyway, an MBAM log is attached, any help would be much appreciated. It's the registry key that is associated with the Trojan.Zaccess, (i.e.
 
HKLM\SYSTEM\CurrentControlSet\Services\etadpug (Trojan.Zaccess) -> Delete on reboot.
 
 
TIA,
 
Rick

 

mbam-log-2013-09-10%20(20-56-54)1.txt

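The detection line Rick quotes is a service key that comes back after MBAM deletes it, so the first thing a responder wants to see is what that key, and every other service, actually points at. The script below is an added example for this page, not Rick's or Malwarebytes' code: it reads HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath to a file and flags entries whose binary is missing, sits outside Windows or Program Files, or has no DisplayName. The only identifier taken from the thread is the key name etadpug; the trusted-root list and the heuristics are assumptions, not a signature for this malware family. It needs an elevated PowerShell 3.0 or later prompt on the affected machine.

```powershell
# Added example, not part of the thread: inventory services from the registry (the form MBAM's
# detection line uses, HKLM\SYSTEM\CurrentControlSet\Services\<name>), resolve each ImagePath
# to a file, and flag entries worth a closer look. The key name 'etadpug' is the one quoted in
# the post; everything else is a generic heuristic, not a signature for this malware.

function Resolve-ImagePath {
    # Turn a raw ImagePath value into a file-system path. Handles quoted paths, trailing
    # arguments such as "-k netsvcs", %SystemRoot%, and the \SystemRoot\ and \??\ prefixes
    # that driver entries use. Relative paths are taken to be relative to %SystemRoot%.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 0) { $p.Substring(1, $end - 1) } else { $p.TrimStart('"') }
    } else {
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousServices {
    # Emit one record per service whose binary is missing, lives outside the trusted roots,
    # or whose key has no DisplayName (installed software almost always sets one).
    param(
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles,
                                    ${env:ProgramFiles(x86)}, $env:CommonProgramFiles)
    )
    $roots = @($TrustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' })
    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }
        $file = Resolve-ImagePath $props.ImagePath
        $reasons = @()
        if (-not (Test-Path -LiteralPath $file)) {
            $reasons += 'binary not found (or hidden from user mode)'
        } elseif (-not ($roots | Where-Object { $file.StartsWith($_, 'OrdinalIgnoreCase') })) {
            $reasons += 'binary outside Windows/Program Files'
        }
        if (-not $props.DisplayName) { $reasons += 'no DisplayName' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $key.PSChildName
                Start     = $props.Start
                Type      = $props.Type
                ImagePath = $props.ImagePath
                Resolved  = $file
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# The specific key named in the post above: show what is there (if anything) right now.
$suspect = 'HKLM:\SYSTEM\CurrentControlSet\Services\etadpug'
if (Test-Path -Path $suspect) {
    Get-ItemProperty -Path $suspect | Select-Object ImagePath, Start, Type, DisplayName
} else {
    "$suspect is not present"
}

# Full sweep, saved as a snapshot so the same sweep can be repeated after a reboot and compared.
$findings = Get-SuspiciousServices
$findings | Format-Table Name, Start, Reasons, Resolved -AutoSize
$findings | Export-Clixml -Path "$env:USERPROFILE\Desktop\services-$(Get-Date -Format 'yyyyMMdd-HHmmss').xml"
```

Test-Path and the registry provider go through the same user-mode APIs a kernel rootkit can hook, so a clean sweep from inside the running system proves little; that is why the thread later moves to running FRST from the recovery environment. Saving the snapshot lets the sweep be repeated after the reboot and the two files compared with Compare-Object -Property Name, ImagePath, which shows whether the key is recreated and whether it points at the same target.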


Hello Rick, and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Please follow the instructions here and then post the log files in your next reply.

http://forums.malwarebytes.org/index.php?showtopic=9573


OK Borislav, here are my logs.

 

dds_nuke1.txt:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483
Run by Rick at 17:22:47 on 2013-09-11
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6134.4432 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files (x86)\Sendori\sndappv2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\Yahoo!\YNanoClient\cpn0\YNanoService.exe
C:\Program Files (x86)\Sendori\SendoriSvc.exe
C:\Program Files (x86)\Sendori\Sendori.Service.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Sendori\SendoriUp.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Sendori\SendoriTray.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Windows\SysWOW64\CtHelper.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_168.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_168.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

uWindow Title = Windows Internet Explorer provided by Yahoo!

uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
mURLSearchHooks: Yahoo! Axis for IE: {035FDC10-9F1D-430E-87DA-573FFBF5608D} - C:\Program Files (x86)\Yahoo!\YNanoClient\cpn0\YNanoClient_IE.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: Yahoo! Axis for IE: {035FDC10-9F1D-430E-87DA-573FFBF5608D} - C:\Program Files (x86)\Yahoo!\YNanoClient\cpn0\YNanoClient_IE.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: &Inbox Toolbar: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} -
TB: GamingWonderland: {A899079D-206F-43A6-BE6A-07E0FA648EA0} -
TB: GamingWonderland: {a899079d-206f-43a6-be6a-07e0fa648ea0} -
TB: &Inbox Toolbar: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} -
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
TB: Yahoo! Axis for IE: {035FDC10-9F1D-430E-87DA-573FFBF5608D} - C:\Program Files (x86)\Yahoo!\YNanoClient\cpn0\YNanoClient_IE.dll
uRun: [AdobeBridge] <no file>
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
mRun: [switchBoard] "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe"
mRun: [sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe"
mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [AMBDef] AMBDef.exe
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
dRun: [DevconDefaultDB] C:\Windows\System32\READREG /SILENT /FAIL=1
dRun: [CtxfiReg] CTXFIREG.exe /FAIL2
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files\Logitech\SetPoint\SetPoint.exe
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: C:\Windows\System32\Sendori.dll





TCP: NameServer = 192.168.0.1
TCP: Interfaces\{0F695138-013D-4AC0-B796-0DF4D5399CBA} : DHCPNameServer = 192.168.0.1
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSA: Authentication Packages =  msv1_0 relog_ap
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
x64-Run: [RunDLLEntry] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\AmbRunE.dll,RunDLLEntry
x64-Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\System32\NvMcTray.dll,NvTaskbarInit
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Run: [msetr] ,ImportError
x64-Run: [mlsck] ,GetItem
x64-Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
x64-Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
x64-Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
x64-Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-System: EnableLUA = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - LocalServer32 - <no file>
x64-mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - C:\Windows\System32\rundll32.exe C:\Windows\System32\advpack.dll,LaunchINFSectionEx C:\Program Files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\66q7x65w.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search


FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Motive\npMotive.dll
FF - plugin: C:\Program Files (x86)\GamingWonderland\bar\1.bin\NPgtStub.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_168.dll
FF - ExtSQL: !HIDDEN! 2011-04-20 16:18; {20a82645-c095-46ed-80e3-08825760534b}; C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-4-30 28600]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2013-2-28 84024]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2013-2-28 108088]
R2 Application Sendori;Application Sendori;C:\Program Files (x86)\Sendori\SendoriSvc.exe [2013-7-1 119072]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-4-30 105344]
R2 cpuz133;cpuz133;C:\Windows\System32\drivers\cpuz133_x64.sys [2010-11-17 20968]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-29 27648]
R2 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2012-8-17 517632]
R2 Service Sendori;Service Sendori;C:\Program Files (x86)\Sendori\Sendori.Service.exe [2013-7-1 22304]
R2 sndappv2;sndappv2;C:\Program Files (x86)\Sendori\sndappv2.exe [2013-7-1 3623200]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [2011-8-19 450848]
R2 YNanoService;Yahoo! NanoClient Service;C:\Program Files (x86)\Yahoo!\YNanoClient\cpn0\YNanoService.exe [2012-7-25 157016]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2009-1-16 230424]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2009-1-16 1445912]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2009-1-16 95256]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\System32\drivers\ha20x22k.sys [2009-1-16 1605144]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2007-12-6 391680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-2-1 79360]
S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2009-1-16 230424]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2009-1-16 1445912]
S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2009-1-16 95256]
S3 ENTECH64;ENTECH64;C:\Windows\System32\drivers\Entech64.sys [2008-5-2 12744]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-12-25 1038088]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2011-8-19 351136]
S3 LVUVC64;Logitech Webcam C260(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2011-8-19 4869024]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-3-29 19968]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2012-3-17 89920]
.
=============== File Associations ===============
.
FileExt: .js: JSFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2013-09-10 22:13:46    132088    ----a-w-    C:\Windows\System32\drivers\avipbb.sys
2013-09-10 22:13:46    105344    ----a-w-    C:\Windows\System32\drivers\avgntflt.sys
2013-09-10 21:52:19    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-10 21:52:19    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-09-10 21:52:15    9430408    ----a-w-    C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-07-01 16:49:06    325920    ----a-w-    C:\Windows\SysWow64\Sendori.dll
.
============= FINISH: 17:24:42.91 ===============
 

 

 

Attach_nuke1.txt:

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/30/2008 3:46:37 AM
System Uptime: 9/11/2013 5:11:16 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | Rampage II Extreme
Processor: Intel® Core i7 CPU         950  @ 3.07GHz | LGA1366 | 3815/173mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 358 GiB total, 274.988 GiB free.
D: is FIXED (NTFS) - 140 GiB total, 114.045 GiB free.
E: is FIXED (NTFS) - 298 GiB total, 241.763 GiB free.
F: is CDROM ()
G: is FIXED (NTFS) - 400 GiB total, 263.598 GiB free.
H: is CDROM ()
K: is Removable
L: is Removable
M: is Removable
N: is Removable
O: is Removable
Q: is FIXED (NTFS) - 340 GiB total, 209.17 GiB free.
W: is FIXED (NTFS) - 34 GiB total, 31.647 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
3DMark Vantage
7-Zip 4.42
ACDSee 32
Acrobat.com
Acronis True Image Home
Adobe AIR
Adobe Anchor Service CS4
Adobe Anchor Service x64 CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe CMaps x64 CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Community Help
Adobe CSI CS4
Adobe CSI CS4 x64
Adobe Default Language CS4
Adobe Drive CS4
Adobe Drive CS4 x64
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Fonts All
Adobe Fonts All x64
Adobe Linguistics CS4
Adobe Linguistics CS4 x64
Adobe Output Module
Adobe PDF Library Files CS4
Adobe PDF Library Files x64 CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 (64 Bit)
Adobe Photoshop CS4 Support
Adobe Photoshop CS5.1
Adobe Photoshop Lightroom 4.4 64-bit
Adobe Reader 9.5.5
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Type Support x64 CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe WinSoft Linguistics Plugin x64
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATT-PRT22
Avira Free Antivirus
Bonjour
CameraHelperMsi
Canon MX870 series MP Drivers
CCleaner (remove only)
CDDRV_Installer
Connect
CPUID CPU-Z 1.54
Creative Audio Control Panel
Creative Sound Blaster Properties x64 Edition
Crysis WARHEAD®
Crysis WARHEAD® Patch
Crysis®
DH Driver Cleaner Professional Edition
Diskeeper 2008 Professional
Driver Sweeper 1.5.5
Drivers Install For Linksys Easylink Advisor
EA Download Manager
erLT
EVGA GPU Voltage Tuner
EVGA Precision 1.4.0
FocusTuneDemo version 1.0 (121021)
Framebuffer Crysis WARHEAD Benchmark Tool
Futuremark Measurement Services Client
Futuremark SystemInfo
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Inbox Toolbar
iTunes
Java Auto Updater
Java 6 Update 24
Jigsaws Galore Version 7
Jigsaws Galore Version 7 Free Edition
JMB36X Raid Configurer
KhalInstallWrapper
kuler
Linksys EasyLink Advisor 1.6 (0044)
Logitech GamePanel Software 2.02
Logitech SetPoint
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Macromedia Flash Player 8
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft_VC80_ATL_x86
Microsoft_VC80_ATL_x86_x64
Microsoft_VC80_CRT_x86
Microsoft_VC80_CRT_x86_x64
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFC_x86_x64
Microsoft_VC80_MFCLOC_x86
Microsoft_VC80_MFCLOC_x86_x64
Microsoft_VC90_ATL_x86
Microsoft_VC90_ATL_x86_x64
Microsoft_VC90_CRT_x86
Microsoft_VC90_CRT_x86_x64
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFC_x86_x64
Microsoft_VC90_MFCLOC_x86
Microsoft_VC90_MFCLOC_x86_x64
Mozilla Firefox 23.0.1 (x86 en-US)
Mozilla Maintenance Service
NVIDIA Drivers
NVIDIA Media Center extensions for DVD
NVIDIA PhysX
NVIDIA PureVideo Decoder
OpenAL
PDF Settings CS4
PDF Settings CS5
PhotoKit Sharpener Plug-in Module
Photoshop Camera Raw
Photoshop Camera Raw_x64
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
SelectionLinks
Sendori
SiSoftware Sandra Lite XII.SP1
Skype Click to Call
Skype™ 5.5
Suite Shared Configuration CS4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Wallpaper XChange 0.3
Yahoo! Axis
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
9/5/2013 7:16:24 PM, Error: Service Control Manager [7043]  - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7034]  - The Diagnostic System Host service terminated unexpectedly.  It has done this 1 time(s).
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The Windows Audio Endpoint Builder service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The Tablet PC Input Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The Superfetch service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The ReadyBoost service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The Portable Device Enumerator Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The Network Connections service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The Human Interface Device Access service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The Distributed Link Tracking Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/5/2013 6:38:20 PM, Error: Service Control Manager [7031]  - The Desktop Window Manager Session Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/5/2013 11:14:52 AM, Error: Service Control Manager [7003]  - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
9/11/2013 5:13:25 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  nvport
9/11/2013 5:13:22 PM, Error: Service Control Manager [7022]  - The Service Sendori service hung on starting.
9/11/2013 5:11:54 PM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
9/11/2013 5:11:54 PM, Error: Service Control Manager [7003]  - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
9/11/2013 5:11:25 PM, Error: Application Popup [1060]  - \??\C:\Windows\SysWow64\Drivers\nvport.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
9/11/2013 5:11:22 PM, Error: Application Popup [1060]  - \SystemRoot\SysWow64\drivers\pfc.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
9/10/2013 7:20:01 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
9/10/2013 6:45:48 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  avipbb avkmgr nvport spldr Wanarpv6
9/10/2013 6:45:48 PM, Error: Service Control Manager [7001]  - The Creative Audio Service service depends on the Windows Audio service which failed to start because of the following error:  The dependency service or group failed to start.
9/10/2013 6:45:48 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
9/10/2013 6:45:14 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/10/2013 6:45:14 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/10/2013 6:45:07 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
9/10/2013 6:45:03 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/10/2013 6:44:56 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
.
==== End Of File ===========================
 

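Several lines in the DDS report above are the kind a reviewer pulls out first: Run values showing <no file> or only an export name after a comma, EnableLUA = dword:0 (UAC switched off) in both the 32-bit and 64-bit policy views, a Windows Defender entry marked disabled, and a third-party Winsock LSP. The function below is an added example for this page, not part of DDS or of any post in the thread: it applies those checks to the text of a DDS log. The $sample lines are copied verbatim from Rick's log; the finding texts and the -CheckFiles switch (which assumes it runs on the machine the log came from) are this example's own. PowerShell 3.0 or later.

```powershell
# Added example, not from the thread: scan the "Pseudo HJT Report" lines of a DDS log for the
# autostart and policy patterns a reviewer looks at first. $sample is copied from the DDS
# output posted above; the rules below are generic heuristics, not a DDS feature.
$sample = @'
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
uRun: [AdobeBridge] <no file>
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [CTxfiHlp] CTXFIHLP.EXE
mPolicies-System: EnableLUA = dword:0
LSP: C:\Windows\System32\Sendori.dll
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Run: [msetr] ,ImportError
x64-Run: [mlsck] ,GetItem
x64-mPolicies-System: EnableLUA = dword:0
'@ -split "`r?`n"

function Get-DdsFindings {
    param(
        [Parameter(Mandatory=$true)][string[]]$Lines,
        [switch]$CheckFiles   # only meaningful on the machine the log came from
    )
    foreach ($line in $Lines) {
        $finding = $null
        switch -Regex ($line) {
            # uRun/mRun/dRun (user, machine, default profile) and x64-Run entries
            '^(?:x64-|[umd])Run: \[(?<name>[^\]]+)\] (?<cmd>.*)$' {
                $cmd = $Matches['cmd'].Trim()
                if ($cmd -eq '<no file>') {
                    $finding = 'autostart value whose target no longer exists'
                } elseif ($cmd -match '^,\S+$') {
                    $finding = 'autostart value is ",ExportName" with no module path; inspect the raw registry value'
                } elseif ($cmd -notmatch '^"?(%\w+%|[A-Za-z]:\\)') {
                    $finding = 'autostart launches a bare file name resolved through the PATH search order; confirm the target'
                } elseif ($CheckFiles) {
                    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
                    $exe = [Environment]::ExpandEnvironmentVariables($exe)
                    if (-not (Test-Path -LiteralPath $exe)) { $finding = "autostart target not found: $exe" }
                }
            }
            '^(?:x64-)?[um]Policies-System: EnableLUA = dword:0' {
                $finding = 'UAC is disabled (EnableLUA = 0)'
            }
            '^SP: .*\*Disabled' {
                $finding = 'security product reported disabled or outdated'
            }
            '^LSP: ' {
                $finding = 'third-party Winsock LSP loaded into processes that use Winsock; verify the vendor'
            }
        }
        if ($finding) {
            [pscustomobject]@{ Finding = $finding; Entry = $line }
        }
    }
}

Get-DdsFindings -Lines $sample | Format-Table -AutoSize -Wrap

# On the affected machine, read the real log and verify file targets as well:
# Get-DdsFindings -Lines (Get-Content .\dds.txt) -CheckFiles
```

The bare-file-name rule is deliberately noisy: entries such as CTXFIHLP.EXE or RUNDLL32.EXE are usually legitimate, but a bare name is resolved through the PATH search order, so the reviewer has to confirm which file actually runs rather than assume it.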

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.


For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

OK sorry, had the 32 bit DVD in the drive instead of the 64 bit DVD. Here are the results of the FRST64 scan:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-09-2013 04
Ran by SYSTEM on MINWINPC on 13-09-2013 18:17:02
Running from P:\
Windows Vista Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RunDLLEntry] - C:\Windows\system32\RunDLL32.exe C:\Windows\system32\AmbRunE.dll,RunDLLEntry
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [msetr] - ,ImportError
HKLM\...\Run: [mlsck] - ,GetItem
HKLM\...\Run: [Launch LGDCore] - C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [3040280 2007-12-13] (Logitech Inc.)
HKLM\...\Run: [Launch LCDMon] - C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [2875928 2007-12-13] (Logitech Inc.)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] - C:\Windows\KHALMNPR.EXE [134160 2007-11-28] (Logitech, Inc.)
HKLM\...\Run: [AsioReg] - REGSVR32.EXE /S CTASIO.DLL
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Acronis Scheduler2 Service] - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [140568 2007-10-30] (Acronis)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$3cfaa7d525efb5723ff203af7c314392\n. ATTENTION! ====> ZeroAccess?
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [347192 2013-09-10] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [TrueImageMonitor.exe] - C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [2595616 2007-10-30] (Acronis)
HKLM-x32\...\Run: [switchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [sendori Tray] - C:\Program Files (x86)\Sendori\SendoriTray.exe [83232 2013-07-01] (Sendori, Inc.)
HKLM-x32\...\Run: [LWS] - C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [205336 2011-11-11] (Logitech Inc.)
HKLM-x32\...\Run: [JMB36X IDE Setup] - C:\Windows\RaidTool\xInsIDE.exe [36864 2012-02-07] ()
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [CTxfiHlp] - C:\Windows\\SysWOW64\CTXFIHLP.EXE [24576 2009-01-16] (Creative Technology Ltd)
HKLM-x32\...\Run: [CTHelper] - C:\Windows\\SysWOW64\CTHELPER.EXE [19456 2008-02-20] (Creative Technology Ltd)
HKLM-x32\...\Run: [AsioThk32Reg] - REGSVR32.EXE /S CTASIO.DLL [x]
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [AMBDef] - AMBDef.exe [x]
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS4ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AcronisTimounterMonitor] - C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe [909208 2007-10-30] (Acronis)
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\Run: [EasyLinkAdvisor] - C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\Rick\...\Run: [AdobeBridge] - [x]
HKU\Rick\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [138240 2008-01-18] (Microsoft Corporation)
HKU\Rick\...\Run: [EasyLinkAdvisor] - C:\Program Files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
Lsa: [Authentication Packages] msv1_0 relog_ap

==================== Services (Whitelisted) =================

S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [84024 2013-09-10] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [108088 2013-09-10] (Avira Operations GmbH & Co. KG)
S2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [119072 2013-07-01] (Sendori, Inc.)
S2 Diskeeper; C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe [1808152 2008-02-26] (Diskeeper Corporation)
S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2009-08-14] (Alcatel-Lucent)
S3 SandraDataSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe [213176 2007-12-12] (SiSoftware)
S3 SandraTheSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe [1619136 2007-12-12] (SiSoftware)
S2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-07-01] (sendori)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-07-01] (Sendori)
S2 TryAndDecideService; C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [492720 2007-10-30] ()
S2 YNanoService; C:\Program Files (x86)\Yahoo!\YNanoClient\cpn0\YNanoService.exe [157016 2012-07-25] (Yahoo! Inc.)
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\   \...\???\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [105344 2013-09-10] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132088 2013-09-10] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-04-30] (Avira Operations GmbH & Co. KG)
S3 COMMONFX.DLL; C:\Windows\System32\COMMONFX.DLL [157208 2008-02-25] (Creative Technology Ltd)
S2 cpuz133; C:\Windows\system32\drivers\cpuz133_x64.sys [20968 2010-03-30] (Windows ® Win 7 DDK provider)
S2 elagopro; C:\Windows\System32\DRIVERS\elagop64.sys [42496 2007-03-22] (Gteko Ltd.)
S2 elaunidr; C:\Windows\System32\DRIVERS\elauni64.sys [7680 2007-03-22] (Gteko Ltd.)
S3 ENTECH64; C:\Windows\system32\DRIVERS\ENTECH64.sys [12744 2008-04-22] (EnTech Taiwan)
S3 ENTECH64; C:\Windows\system32\DRIVERS\ENTECH64.sys [12744 2008-04-22] (EnTech Taiwan)
S3 MREMP50; C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2009-08-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MREMP50; C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2009-08-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2009-08-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2009-08-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15680 2006-10-31] ()
S1 nvport; C:\Windows\SysWow64\Drivers\nvport.sys [4608 2005-10-17] (NVIDIA Corporation.)
S3 pfc; C:\Windows\SysWow64\drivers\pfc.sys [9856 2005-10-17] (Padus, Inc.)
S0 snapman; C:\Windows\SysWow64\DRIVERS\snapman.sys [96320 2008-04-06] (Acronis)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 CT20XUT.DLL; system32\CT20XUT.DLL [x]
S3 CTAUDFX.DLL; system32\CTAUDFX.DLL [x]
S3 CTEAPSFX.DLL; system32\CTEAPSFX.DLL [x]
S3 CTEDSPFX.DLL; system32\CTEDSPFX.DLL [x]
S3 CTEDSPIO.DLL; system32\CTEDSPIO.DLL [x]
S3 CTEDSPSY.DLL; system32\CTEDSPSY.DLL [x]
S3 CTERFXFX.DLL; system32\CTERFXFX.DLL [x]
S3 CTEXFIFX.DLL; system32\CTEXFIFX.DLL [x]
S3 CTHWIUT.DLL; system32\CTHWIUT.DLL [x]
S3 CTSBLFX.DLL; system32\CTSBLFX.DLL [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
S3 MREMPR5; \??\C:\PROGRA~2\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~2\COMMON~1\Motive\MRENDIS5.SYS [x]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
S1 nvport; \??\C:\Windows\system32\Drivers\nvport.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 pfc; system32\drivers\pfc.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-13 18:16 - 2013-09-13 18:16 - 00000000 ____D C:\FRST
2013-09-13 11:44 - 2013-09-13 11:44 - 00001094 _____ C:\Windows\WindowsUpdate.log
2013-09-12 18:55 - 2013-09-12 18:55 - 00000000 _____ C:\Windows\setuperr.log
2013-09-12 18:55 - 2013-09-12 18:55 - 00000000 _____ C:\Windows\setupact.log
2013-09-12 17:14 - 2013-09-12 17:14 - 01082459 _____ (Farbar) C:\Users\Rick\Desktop\FRST.exe
2013-09-12 17:10 - 2013-09-12 17:10 - 01949572 _____ (Farbar) C:\Users\Rick\Desktop\FRST64.exe
2013-09-11 14:24 - 2013-09-11 14:24 - 00016144 _____ C:\Users\Rick\Desktop\dds_nuke1.txt
2013-09-11 14:24 - 2013-09-11 14:24 - 00011405 _____ C:\Users\Rick\Desktop\attach_nuke1.txt
2013-09-11 14:21 - 2013-09-11 14:21 - 00688992 ____R (Swearware) C:\Users\Rick\Desktop\dds.scr
2013-09-10 16:13 - 2013-09-10 16:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-09-05 08:17 - 2013-09-05 13:49 - 00000004 _____ C:\Users\Rick\AppData\Roaming\cache.ini
2013-09-05 08:17 - 2013-09-05 08:17 - 00000000 ____D C:\Program Files (x86)\Google

==================== One Month Modified Files and Folders =======

2013-09-13 18:16 - 2013-09-13 18:16 - 00000000 ____D C:\FRST
2013-09-13 14:30 - 2006-11-02 07:42 - 00032592 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-13 14:30 - 2006-11-02 07:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-13 14:27 - 2006-11-02 07:22 - 00004432 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-13 14:27 - 2006-11-02 07:22 - 00004432 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-13 14:00 - 2006-11-02 04:46 - 00005198 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-13 13:52 - 2013-04-08 05:54 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-13 12:52 - 2013-04-08 06:52 - 04751752 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-09-13 12:52 - 2013-04-08 05:54 - 00003682 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-09-13 12:52 - 2013-02-18 19:49 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-13 12:52 - 2013-02-18 19:49 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-13 11:44 - 2013-09-13 11:44 - 00001094 _____ C:\Windows\WindowsUpdate.log
2013-09-12 18:55 - 2013-09-12 18:55 - 00000000 _____ C:\Windows\setuperr.log
2013-09-12 18:55 - 2013-09-12 18:55 - 00000000 _____ C:\Windows\setupact.log
2013-09-12 17:14 - 2013-09-12 17:14 - 01082459 _____ (Farbar) C:\Users\Rick\Desktop\FRST.exe
2013-09-12 17:10 - 2013-09-12 17:10 - 01949572 _____ (Farbar) C:\Users\Rick\Desktop\FRST64.exe
2013-09-11 14:24 - 2013-09-11 14:24 - 00016144 _____ C:\Users\Rick\Desktop\dds_nuke1.txt
2013-09-11 14:24 - 2013-09-11 14:24 - 00011405 _____ C:\Users\Rick\Desktop\attach_nuke1.txt
2013-09-11 14:21 - 2013-09-11 14:21 - 00688992 ____R (Swearware) C:\Users\Rick\Desktop\dds.scr
2013-09-10 16:38 - 2013-02-28 12:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-09-10 16:13 - 2013-09-10 16:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-09-10 14:13 - 2013-04-30 10:35 - 00132088 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
2013-09-10 14:13 - 2013-04-30 10:35 - 00105344 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys
2013-09-08 15:52 - 2008-07-18 18:22 - 00000000 ____D C:\Users\Rick\AppData\Local\Microsoft Games
2013-09-05 13:49 - 2013-09-05 08:17 - 00000004 _____ C:\Users\Rick\AppData\Roaming\cache.ini
2013-09-05 09:15 - 2013-01-06 14:23 - 00000000 ____D C:\Program Files (x86)\Inbox Toolbar
2013-09-05 08:18 - 2013-01-18 07:41 - 00000948 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-05 08:18 - 2010-06-07 20:18 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-05 08:17 - 2013-09-05 08:17 - 00000000 ____D C:\Program Files (x86)\Google

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2641122492-1466526681-1769750449-1000\$3cfaa7d525efb5723ff203af7c314392

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$3cfaa7d525efb5723ff203af7c314392

Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\Rick\AppData\Roaming\cache.ini


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 6134.31 MB
Available physical RAM: 5466.35 MB
Total Pagefile: 5806.83 MB
Available Pagefile: 5532.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:358.29 GB) (Free:275.26 GB) NTFS
Drive d: (Local Disk) (Fixed) (Total:298.09 GB) (Free:241.76 GB) NTFS
Drive f: () (Fixed) (Total:400 GB) (Free:263.6 GB) NTFS
Drive g: () (Fixed) (Total:34.26 GB) (Free:31.65 GB) NTFS
Drive h: (New Volume) (Fixed) (Total:340.34 GB) (Free:209.17 GB) NTFS
Drive j: (LRMCxFRE_EN_DVD) (CDROM) (Total:3.54 GB) (Free:0 GB) UDF
Drive p: (CORSAIR) (Removable) (Total:1.87 GB) (Free:0.58 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:139.73 GB) (Free:114.46 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 140 GB) (Disk ID: 0DE6806B)
Partition 1: (Active) - (Size=140 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 298 GB) (Disk ID: 12C5BF00)
Partition 1: (Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: C3B5224E)
Partition 2: (Active) - (Size=434 GB) - (Type=05)

========================================================
Disk: 3 (MBR Code: Windows XP) (Size: 699 GB) (Disk ID: 642AB3DB)
Partition 1: (Active) - (Size=358 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=340 GB) - (Type=07 NTFS)

========================================================
Disk: 9 (Size: 2 GB) (Disk ID: 0007102A)
Partition 1: (Active) - (Size=2 GB) - (Type=0E)


LastRegBack: 2013-09-13 13:57

==================== End Of Log ============================


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$3cfaa7d525efb5723ff203af7c314392\n. ATTENTION! ====> ZeroAccess?

S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\ \...\???\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

C:\$Recycle.Bin\S-1-5-21-2641122492-1466526681-1769750449-1000\$3cfaa7d525efb5723ff203af7c314392

C:\$Recycle.Bin\S-1-5-18\$3cfaa7d525efb5723ff203af7c314392

C:\Users\Rick\AppData\Roaming\cache.ini

DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

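As an added example (not code from FRST, Malwarebytes or anyone in this thread), a small Python triage script that re-derives, from the log text alone, the ZeroAccess indicators the FRST log and fixlist above call out: the per-SID `$Recycle.Bin\$<hash>` payload directory, the InprocServer32 entry that points into it, the service path built from whitespace-only and unprintable directory names, and FRST's own ATTENTION annotations. The sample lines are copied from the log above; the rule names, the path-terminator regex and reading `[x]` as "referenced file not found" are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the FRST log posted above, plus two
# clean Avira lines so the script has entries it must NOT flag.
SAMPLE_FRST_LINES = [
    r"HKLM\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [347192 2013-09-10] (Avira Operations GmbH & Co. KG)",
    r"HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$3cfaa7d525efb5723ff203af7c314392\n. ATTENTION! ====> ZeroAccess?",
    r'S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\   \...\???\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)',
    r"S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [108088 2013-09-10] (Avira Operations GmbH & Co. KG)",
    r"C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender",
    r"HKLM-x32\...\Run: [AMBDef] - AMBDef.exe [x]",
]

# ZeroAccess keeps a payload directory $Recycle.Bin\<SID>\$<32 hex chars>,
# one per SID (the log above shows S-1-5-18, i.e. SYSTEM, and the user's SID).
RECYCLE_PAYLOAD = re.compile(r"\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-fA-F]{32}")

# A Windows path inside an FRST line: from the drive letter up to the closing
# quote, the " [size date]" block, or one of FRST's own " =>" / " <==" /
# " ATTENTION" annotations (assumed terminators). Lazy, so the first one wins.
WIN_PATH = re.compile(r'([A-Za-z]:\\.*?)(?= \[| =>| <| ATTENTION|"|$)')


def suspicious_components(path: str) -> List[str]:
    # Names that are whitespace only, or end in a dot or a space, cannot be
    # created through the normal Win32 path API (it strips them); malware
    # creates them via the \\?\ prefix so Explorer and most tools cannot
    # enter or delete the directory. Names of nothing but '?' are characters
    # the log could not render.
    reasons: List[str] = []
    for name in path.split("\\")[1:]:  # element 0 is the drive letter
        if name == "":
            continue
        if name.strip() == "":
            reasons.append("whitespace-only name")
        elif name.endswith((".", " ")):
            reasons.append(f"name {name!r} ends with a dot or space")
        elif set(name) <= {"?"}:
            reasons.append(f"name {name!r} is unprintable")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line; at most one finding per (line, rule)."""
    findings: List[Dict[str, object]] = []

    def add(i: int, rule: str, detail: str) -> None:
        findings.append({"line": i, "rule": rule, "detail": detail})

    for i, line in enumerate(lines):
        if "ATTENTION" in line:  # FRST's own verdict, pass it through
            add(i, "frst_attention", line.split("ATTENTION", 1)[1].strip(" !:=>"))
        if line.rstrip().endswith("[x]"):  # assumed: FRST's "file not found" mark
            add(i, "missing_file", "autorun entry points at a file that no longer exists")
        payload = RECYCLE_PAYLOAD.search(line)
        if payload:
            add(i, "recycle_bin_payload", payload.group(0))
            if "InprocServer32" in line:
                # An in-process COM server is loaded into every process that
                # instantiates the CLSID, here from a hidden Recycle Bin dir.
                add(i, "com_hijack", "InprocServer32 loads a DLL from $Recycle.Bin")
        m = WIN_PATH.search(line)
        if m:
            reasons = suspicious_components(m.group(1))
            if reasons:
                add(i, "odd_path_component", "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f"line {f['line']}: {f['rule']}: {f['detail']}")
```

Feed it a whole FRST.txt (one line per list element) and it lists the same entries a helper would copy into fixlist.txt, with the reason each one stood out.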

OK, here is the fixlog:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-09-2013 04
Ran by SYSTEM at 2013-09-14 07:50:51 Run:1
Running from P:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$3cfaa7d525efb5723ff203af7c314392\n. ATTENTION! ====> ZeroAccess?
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\ \...\???\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\$Recycle.Bin\S-1-5-21-2641122492-1466526681-1769750449-1000\$3cfaa7d525efb5723ff203af7c314392
C:\$Recycle.Bin\S-1-5-18\$3cfaa7d525efb5723ff203af7c314392
C:\Users\Rick\AppData\Roaming\cache.ini
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
*****************

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
*etadpug => Unable to delete service
*etadpug => Service should be removed with FRST outside recovery mode.
C:\$Recycle.Bin\S-1-5-21-2641122492-1466526681-1769750449-1000\$3cfaa7d525efb5723ff203af7c314392 => Directory moved successfully.
C:\$Recycle.Bin\S-1-5-18\$3cfaa7d525efb5723ff203af7c314392 => Deleted successfully.
C:\Users\Rick\AppData\Roaming\cache.ini => Moved successfully.
Error: DeleteJunctionsIndirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.

==== End of Fixlog ====


Good.

Please boot into regular mode and run this script:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the same directory as FRST.exe and save it as fixlist.txt


DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log (Fixlog.txt) please post it to your reply.

Reboot Normally.


OK it worked in safe mode. Here's the fixlog:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-09-2013
Ran by Rick at 2013-09-15 11:04:51 Run:2
Running from C:\mw
Boot Mode: Safe Mode (minimal)
==============================================

Content of fixlist:
*****************
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
*****************

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtMon.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtPlug.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSigDwn.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSoftEx.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

==== End of Fixlog ====


Well done! :)

Boot into Regular mode and then:

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Combofix ran smoothly, log below. I posted this from my XP partition. Internet on Vista is not working.


ComboFix 13-09-16.01 - Rick 09/16/2013  11:58:07.1.4 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6134.4382 [GMT -5:00]
Running from: c:\users\Rick\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\END
c:\program files (x86)\Google\Desktop\Install
c:\program files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\0103~1\7154~1\CFFE~1\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\@
c:\program files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\0103~1\7154~1\CFFE~1\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\U\00000001.@
c:\program files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\0103~1\7154~1\CFFE~1\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\U\00000002.@
c:\program files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\0103~1\7154~1\CFFE~1\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\U\80000000.@
c:\program files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\0103~1\7154~1\CFFE~1\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\U\80000001.@
c:\program files (x86)\Google\Desktop\Install\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\0103~1\7154~1\CFFE~1\{3cfaa7d5-25ef-b572-3ff2-03af7c314392}\U\800000cb.@
c:\programdata\xml3F6F.tmp
c:\programdata\xml428C.tmp
c:\programdata\xml46F0.tmp
c:\programdata\xmlC35D.tmp
c:\programdata\xmlC68A.tmp
c:\windows\SysWow64\tmp674A.tmp
c:\windows\SysWow64\tmp6873.tmp
c:\windows\SysWow64\tmpE90.tmp
c:\windows\SysWow64\tmpF0E.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-16 to 2013-09-16  )))))))))))))))))))))))))))))))
.
.
2013-09-16 17:02 . 2013-09-16 17:02    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-09-14 18:19 . 2013-09-15 16:12    --------    d-----w-    C:\mw
2013-09-14 02:16 . 2013-09-14 02:16    --------    d-----w-    C:\FRST
2013-09-05 16:17 . 2013-09-05 16:17    --------    d-----w-    c:\program files (x86)\Google
2013-09-05 16:09 . 2013-09-05 16:09    --------    d-----w-    c:\programdata\kxhsj
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-13 20:52 . 2013-02-19 03:49    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-13 20:52 . 2013-02-19 03:49    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-13 20:52 . 2013-04-08 14:52    4751752    ----a-w-    c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-09-10 22:13 . 2013-04-30 18:35    132088    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2013-09-10 22:13 . 2013-04-30 18:35    105344    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2013-07-01 16:49 . 2013-02-28 20:26    325920    ----a-w-    c:\windows\SysWow64\Sendori.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll" [2012-03-21 1523512]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 138240]
"EasyLinkAdvisor"="c:\program files (x86)\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-09-10 347192]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Sendori Tray"="c:\program files (x86)\Sendori\SendoriTray.exe" [2013-07-01 83232]
"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2012-02-08 36864]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-01-17 24576]
"CTHelper"="CTHELPER.EXE" [2008-02-21 19456]
"AsioThk32Reg"="CTASIO.DLL" [2009-01-17 51712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AcronisTimounterMonitor"="c:\program files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]
"CtxfiReg"="CTXFIREG.exe" [2009-01-17 47104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-29 1160208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-19 20:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunDLLEntry"="c:\windows\system32\AmbRunE.dll" [2007-11-23 16896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 82464]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 16137248]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 3040280]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2875928]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 134160]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\66q7x65w.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - ExtSQL: !HIDDEN! 2011-04-20 16:18; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{a899079d-206f-43a6-be6a-07e0fa648ea0} - c:\program files (x86)\GamingWonderland\bar\1.bin\gtbar.dll
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-Run-AMBDef - AMBDef.exe
Toolbar-Locked - (no file)
HKLM-Run-msetr - (no file)
HKLM-Run-mlsck - (no file)
HKLM-Run-AsioReg - CTASIO.DLL
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2641122492-1466526681-1769750449-1000\Software\SecuROM\License information*]
"datasecu"=hex:bc,a5,ca,be,e3,63,75,1e,18,54,65,1d,93,b3,41,37,ad,ce,18,5b,af,
   0a,65,eb,6d,4f,cc,cb,cc,0d,75,2a,93,28,28,e5,9e,4e,23,09,57,f5,a4,24,78,8d,\
"rkeysecu"=hex:b5,c9,e5,f9,35,0d,12,cd,ec,89,f0,74,71,cf,e1,9d
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Yahoo!\YNanoClient\cpn0\YNanoService.exe
c:\program files (x86)\Sendori\SendoriSvc.exe
c:\program files (x86)\Sendori\Sendori.Service.exe
c:\program files (x86)\Sendori\SendoriUp.exe
c:\windows\SysWOW64\Ctxfihlp.exe
c:\windows\SysWOW64\CtHelper.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
c:\windows\SysWOW64\CTXFISPI.EXE
c:\program files\Logitech\SetPoint\x86\SetPoint32.exe
c:\program files (x86)\Windows Media Player\wmplayer.exe
.
**************************************************************************
.
Completion time: 2013-09-16  12:08:55 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-16 17:08
.
Pre-Run: 292,151,169,024 bytes free
Post-Run: 292,620,267,520 bytes free
.
- - End Of File - - 587BD9DA97FFA09C4627C7C485C3FB0B
5C616939100B85E558DA92B899A0FC36
 


Please run this script and then we will take care of your internet connection.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::

c:\programdata\kxhsj

Firefox::

FF - ProfilePath - c:\users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\66q7x65w.default\

FF - prefs.js: browser.search.selectedEngine - My Web Search

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

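The ComboFix log above contains a few lines a responder would want pulled out automatically: UAC switched off (`"EnableLUA"= 0`), Security Center's antivirus and firewall alerts suppressed (`AntiVirusOverride` / `FirewallOverride` = 1), and a Run entry whose target file ComboFix reports as missing (`[X]`). The following is an added example of a small triage script for that log layout; it is not part of the helper's post and not a ComboFix tool. The function names are hypothetical, the sample excerpt is constructed to mirror the lines in the log above, and the interpretation of `[X]` as "file not found" is an assumption about ComboFix's output.

```python
"""Flag security-weakening settings in a ComboFix-style log excerpt (added example)."""
import re

# Constructed sample modelled on the registry sections in the log above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"DevconDefaultDB"="c:\\windows\\system32\\READREG" [X]
"CtxfiReg"="CTXFIREG.exe" [2009-01-17 47104]
.
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')

# (registry key suffix, value name) -> numeric setting that weakens defences.
WEAK_SETTINGS = {
    ("policies\\system", "EnableLUA"): "0",           # UAC disabled
    ("security center", "AntiVirusOverride"): "1",    # AV status alerts suppressed
    ("security center", "FirewallOverride"): "1",     # firewall status alerts suppressed
}


def parse_sections(text):
    """Return [(key, [(value_name, value_text), ...]), ...] from [key] sections."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group("key"), [])
            sections.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[1].append((m.group("name"), m.group("rest")))
    return sections


def normalize_value(rest):
    """Extract the numeric setting from 'dword:00000001' or ' 0 (0x0)' forms."""
    rest = rest.strip()
    m = re.match(r'dword:([0-9a-fA-F]{8})', rest)
    if m:
        return str(int(m.group(1), 16))
    m = re.match(r'(\d+)\s*\(0x[0-9a-fA-F]+\)', rest)
    if m:
        return m.group(1)
    return None


def find_findings(text):
    """Return (category, key, value_name, value_text) tuples worth a responder's attention."""
    findings = []
    for key, values in parse_sections(text):
        key_l = key.lower()
        for name, rest in values:
            for (suffix, vname), weak in WEAK_SETTINGS.items():
                if key_l.endswith(suffix) and name.lower() == vname.lower():
                    if normalize_value(rest) == weak:
                        findings.append(("weak-setting", key, name, rest.strip()))
            # Assumption: ComboFix appends [X] to autostart entries whose file was not found.
            if key_l.endswith("\\run") and rest.rstrip().endswith("[X]"):
                findings.append(("missing-autostart-file", key, name, rest.strip()))
    return findings


if __name__ == "__main__":
    for category, key, name, value in find_findings(SAMPLE_LOG):
        print(f"{category:24} {name:20} {value}    ({key})")
```

Run against a full ComboFix.txt by reading the file into `find_findings`; every hit is a reason to ask why the setting was changed, since neither a disabled UAC nor suppressed Security Center alerts are something a user normally configures by hand.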
