SrvID (Malware.Trace)

[markuk]

Hello all!

 

I noticed yesterday after scanning with malwarebyte i was getting the following:

 

Registry Keys Detected: 1
HKCU\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|AdobeUpdate (Trojan.Agent) -> Data: wscript "C:\Users\mark\AppData\Roaming\Adobe64x\invis.vbs" "C:\Users\mark\AppData\Roaming\Adobe64x\bat.exe" -> Quarantined and deleted successfully.

 

Files Detected: 1
C:\Users\mark\AppData\Roaming\Adobe64x\invis.vbs (Trojan.Agent) -> Quarantined and deleted successfully.

 

After "removing" and several restarts it just kept coming back. I checked in task manager and saw "WUDHOST". I killed the process and was then able to remove them 3 items.

 

Scanning again and it showed no problem. (i also used malware rootkit scanner, which found SrvID and removed it)

 

I then used ESET online scanner.

I wish i copied what it found but i cant bloody remember now! Something about bit miner coin .h ? also something named "MSIL" (not 100% sure on this one!)

 

anyways everything was removed and several scans have reported no problems. But i'd like the experts to have a look. I did read a lot about SrvID, and it usually creates another file which logs passwords. Which i could not find. Since my reports show nothing is wrong, i have changed all my passwords. But would like it if someone could have a re-look and offer any advice.

 

Heres the logs from DDS:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16450  BrowserJavaVersion: 10.40.2
Run by mark at 9:00:52 on 2013-10-10
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.16344.13991 [GMT 1:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\VIA_XHCI\usb3Monitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
E:\Itunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
E:\Malwarebytes' Anti-Malware\mbamscheduler.exe
E:\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
E:\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "E:\Itunes\iTunesHelper.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0




TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{4BDDE909-497E-466E-94E5-59D0D335FCC0} : DHCPNameServer = 194.168.4.100 194.168.8.100
SSODL: WebCheck - <orphaned>
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [VIAxHCUtl] C:\VIA_XHCI\usb3Monitor.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\Windows\System32\ieudinit.exe
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-9-22 16152]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2013-9-12 56336]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2012-9-22 21616]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-12-15 45856]
R2 AdobeActiveFileMonitor11.0;Adobe Active File Monitor V11;C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [2012-9-23 171600]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2011-12-9 607456]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-9-22 161560]
R2 MBAMScheduler;MBAMScheduler;E:\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-26 418376]
R2 MBAMService;MBAMService;E:\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-26 701512]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2012-7-13 769432]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-9-22 363800]
R2 vToolbarUpdater15.5.0;vToolbarUpdater15.5.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [2013-8-14 1643184]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-9-22 356120]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-9-22 787736]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2012-2-10 104560]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-9-26 25928]
R3 rzudd;Razer Keyboard Driver;C:\Windows\System32\drivers\rzudd.sys [2012-8-17 110592]
R3 VUSB3HUB;VIA USB 3 Root Hub Service;C:\Windows\System32\drivers\ViaHub3.sys [2012-9-22 205312]
R3 xhcdrv;VIA USB eXtensible Host Controller Service;C:\Windows\System32\drivers\xhcdrv.sys [2012-9-22 254464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-9-25 1255736]
.
=============== Created Last 30 ================
.
2013-10-09 17:48:17 -------- d-----w- C:\Users\mark\AppData\Roaming\Adobe64x
2013-10-06 23:38:43 -------- d-----w- C:\Users\mark\AppData\Local\My Games
2013-09-23 21:29:40 -------- d-----w- C:\ProgramData\Oracle
2013-09-23 21:29:36 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-09-18 18:53:04 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-09-18 18:53:04 -------- d-----w- C:\Program Files\iTunes
2013-09-18 18:53:04 -------- d-----w- C:\Program Files\iPod
2013-09-12 19:51:51 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2013-09-12 19:50:24 56336 ------w- C:\Windows\System32\drivers\PxHlpa64.sys
2013-09-12 19:50:24 11376 ------w- C:\Windows\System32\drivers\cdralw2k.sys
2013-09-12 19:50:24 10864 ------w- C:\Windows\System32\drivers\cdr4_xp.sys
2013-09-12 19:50:18 -------- d-----w- C:\Program Files (x86)\Common Files\Sonic Shared
2013-09-12 19:50:18 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2013-09-12 19:47:12 -------- d-----w- C:\Users\mark\mps
2013-09-12 19:46:28 -------- d-----w- C:\Users\mark\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2013-09-11 12:10:20 -------- d-----w- C:\Users\mark\AppData\Local\Blizzard Entertainment
.
==================== Find3M  ====================
.
2013-10-09 19:06:19 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-09 19:06:19 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-09-23 21:29:34 868264 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-09-23 21:29:34 790440 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-08-16 23:29:02 240 ----a-w- C:\Windows\DeleteOnReboot.bat
2013-08-16 10:14:38 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys
2013-08-15 11:38:34 82816 ----a-w- C:\Users\mark\AppData\Roaming\pcouffin.sys
2013-08-14 15:50:21 45856 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
.
============= FINISH:  9:00:57.01 ===============
 

 

and Attach:

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 25/09/2012 19:19:21
System Uptime: 10/10/2013 07:59:12 (2 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. |  | Z77X-D3H
Processor: Intel® Core i5-3570K CPU @ 3.40GHz | Intel® Core i5-3570K CPU @ 3.40GHz | 3801/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 17.848 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 931 GiB total, 819.947 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP180: 20/09/2013 07:35:14 - Scheduled Checkpoint
RP181: 22/09/2013 10:12:53 - Removed Assassin's Creed ® III
RP182: 23/09/2013 22:29:22 - Installed Java 7 Update 40
RP183: 02/10/2013 21:15:43 - Scheduled Checkpoint
RP184: 07/10/2013 00:38:18 - Installed DirectX
RP185: 07/10/2013 01:14:31 - Installed DirectX
RP186: 09/10/2013 20:12:13 - Malwarebytes Anti-Rootkit Restore Point
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop Elements 11
Adobe Reader XI (11.0.04)
Age of Empires II: HD Edition
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Batman: Arkham Asylum GOTY Edition
Batman: Arkham City GOTY
BitTorrent
Bonjour
Borderlands
Borderlands 2
CCleaner
Company of Heroes
Company of Heroes (New Steam Version)
CPUID CPU-Z 1.64.0
CPUID HWMonitor 1.20
Dual-Core Optimizer
Elements 11 Organizer
ESET Online Scanner v3
Football Manager 2013
Football Manager 2013 Editor
Intel® Management Engine Components
Intel® USB 3.0 eXtensible Host Controller Driver
Intel® Trusted Connect Service Client
iTunes
Java 7 Update 25 (64-bit)
Java 7 Update 40
Java Auto Updater
Malwarebytes Anti-Malware version 1.75.0.1300
marvell 91xx driver
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.51106
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.51106
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.51106
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.51106
Microsoft WSE 3.0 Runtime
MSI Afterburner 2.2.4
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero Audio Pack 1
Nero Blu-ray Player
Nero Blu-ray Player Help (CHM)
Nero ControlCenter
Nero ControlCenter Help (CHM)
Nero Core Components
Nero Disc Menus Basic
Nero Effects Basic
Nero Kwik Media
Nero Kwik Media Help (CHM)
Nero Kwik Themes Basic
Nero PiP Effects Basic
Nero SharedVideoCodecs
Nero Update
Nero Video
Nero Video 12
Nero Video Help (CHM)
neroxml
NVIDIA 3D Vision Controller Driver 306.97
NVIDIA 3D Vision Driver 311.06
NVIDIA Control Panel 311.06
NVIDIA Graphics Driver 311.06
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.11.3
NVIDIA Update Components
ON_OFF Charge B11.1102.1
OpenAL
Origin
Platform
Prerequisite installer
PSE11 STI Installer
RaidCall
Razer Synapse 2.0
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Sid Meier's Civilization V
Steam
System Requirements Lab CYRI
System Requirements Lab Detection
Team Fortress Classic
TeamSpeak 3 Client
The Sims™ 3
The Sims™ 3 High-End Loft Stuff
The Sims™ 3 Master Suite Stuff
The Sims™ 3 Showtime
The Sims™ 3 University Life
Tropico 4
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Uplay
VIA Platform Device Manager
WhoCrashed 3.06
Windows Live ID Sign-in Assistant
WinRAR 4.20 (32-bit)
World of Warcraft
.
==== Event Viewer Messages From Past Week ========
.
10/10/2013 08:01:21, Error: Service Control Manager [7038]  - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
10/10/2013 08:01:21, Error: Service Control Manager [7000]  - The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.
09/10/2013 20:13:20, Error: mbamchameleon [61703]  -
08/10/2013 09:09:37, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:  An instance of the service is already running.
08/10/2013 09:09:07, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
08/10/2013 09:09:07, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-1073473535.
07/10/2013 23:15:04, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
07/10/2013 23:15:04, Error: Service Control Manager [7000]  - The Steam Client Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

 

Thanks in advance! (i do have to pop out so i may not reply for a few hours)

[kevinf80]

Hello and

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those logs...

[markuk]

Hey again!

 

Heres the FRST log

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by mark (administrator) on MARK-PC on 10-10-2013 09:14:47
Running from C:\Users\mark\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(VIA Technologies, Inc.) C:\VIA_XHCI\usb3Monitor.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Apple Inc.) E:\Itunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Malwarebytes Corporation) E:\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) E:\Malwarebytes' Anti-Malware\mbamservice.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Malwarebytes Corporation) E:\Malwarebytes' Anti-Malware\mbamgui.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [VIAxHCUtl] - C:\VIA_XHCI\usb3Monitor.exe [331776 2011-07-12] (VIA Technologies, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-06-16] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [uSB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-27] (Intel Corporation)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [amd_dc_opt] - C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - E:\Itunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKU\UpdatusUser\...\Run: [AVG-Secure-Search-Update_JUNE2013_TB] - "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_TB.exe"  /PROMPT /CMPID=JUNE2013_TB

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {82E5DF24-51E8-47CD-864A-F4BD5005AA73} https://www.icloud.com/system/iCloud.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100

Chrome:
=======

CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.63\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.63\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.63\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\14.2.0\\npsitesafety.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Java Platform SE 7 U13) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (Raidcall plugin) - C:\Users\mark\AppData\Roaming\RCKR\plugins\nprcplugin.dll (Raidcall)
CHR Plugin: (Raidcall plugin) - C:\Users\mark\AppData\Roaming\raidcall\plugins\nprcplugin.dll (Raidcall)
CHR Plugin: (Java Deployment Toolkit 7.0.130.20) - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
CHR Plugin: (iTunes Application Detector) - E:\Itunes\Mozilla Plugins\npitunes.dll ()
CHR Extension: (Google Docs) - C:\Users\mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Gmail) - C:\Users\mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM-x32\...\Chrome\Extension: [cdjbnddbclciabnckgeahmneohjlahdm] - C:\Users\mark\AppData\Local\9be01176-e57d-4497-b1db-706a712aeb5f.crx

==================== Services (Whitelisted) =================

R2 AdobeActiveFileMonitor11.0; C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [171600 2012-09-23] (Adobe Systems Incorporated)
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-07] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2011-12-16] (Intel Corporation)
R2 MBAMScheduler; E:\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; E:\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2013-07-07] ()
R2 vToolbarUpdater15.5.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-08-14] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21616 2011-11-02] ()
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-08-14] (AVG Technologies)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-08-10] (Corel Corporation)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [205312 2012-01-20] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [254464 2012-01-20] (VIA Technologies, Inc.)
S3 ALSysIO; \??\C:\Users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys [x]
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
S3 gdrv; \??\C:\Windows\gdrv.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-10 09:14 - 2013-10-10 09:14 - 00891167 _____ C:\Users\mark\Desktop\SecurityCheck.exe
2013-10-10 09:14 - 2013-10-10 09:14 - 00000000 ____D C:\FRST
2013-10-10 09:13 - 2013-10-10 09:13 - 01954124 _____ (Farbar) C:\Users\mark\Desktop\FRST64.exe
2013-10-10 09:01 - 2013-10-10 09:01 - 00007784 _____ C:\Users\mark\Desktop\attach.txt
2013-10-10 09:01 - 2013-10-10 09:00 - 00011652 _____ C:\Users\mark\Desktop\dds.txt
2013-10-10 08:51 - 2013-10-10 08:51 - 00688992 ____R (Swearware) C:\Users\mark\Desktop\dds.scr
2013-10-10 00:22 - 2013-10-10 00:22 - 93853456 _____ (Microsoft Corporation) C:\Users\mark\Desktop\msert.exe
2013-10-09 20:14 - 2013-10-10 07:59 - 00000224 _____ C:\Windows\setupact.log
2013-10-09 20:14 - 2013-10-09 20:14 - 00000000 _____ C:\Windows\setuperr.log
2013-10-09 20:08 - 2013-10-09 20:08 - 12907592 _____ (Malwarebytes Corp.) C:\Users\mark\Desktop\mbar-1.07.0.1005.exe
2013-10-09 18:48 - 2013-10-09 21:01 - 00000000 ____D C:\Users\mark\AppData\Roaming\Adobe64x
2013-10-09 17:53 - 2013-10-09 17:53 - 00675988 _____ C:\Users\mark\Desktop\Minecraft1.exe
2013-10-07 00:38 - 2013-10-07 01:15 - 00000000 ____D C:\Users\mark\AppData\Local\My Games
2013-09-28 00:48 - 2013-09-28 00:48 - 00000000 ____D C:\Users\mark\Downloads\Clubland 90s [Explicit] [+digital booklet]
2013-09-23 22:29 - 2013-09-23 22:29 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-09-23 22:29 - 2013-09-23 22:29 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-09-23 22:29 - 2013-09-23 22:29 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-09-23 22:29 - 2013-09-23 22:29 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-09-23 22:29 - 2013-09-23 22:29 - 00000000 ____D C:\ProgramData\Oracle
2013-09-23 22:29 - 2013-09-23 22:29 - 00000000 ____D C:\Program Files (x86)\Java
2013-09-18 19:53 - 2013-09-18 19:53 - 00001450 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-09-18 19:53 - 2013-09-18 19:53 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-09-18 19:53 - 2013-09-18 19:53 - 00000000 ____D C:\Program Files\iTunes
2013-09-18 19:53 - 2013-09-18 19:53 - 00000000 ____D C:\Program Files\iPod
2013-09-18 19:51 - 2013-09-18 20:05 - 00000000 ____D C:\Users\mark\Desktop\m ipho
2013-09-12 21:24 - 2013-09-12 21:24 - 00003498 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-mark-PC-mark
2013-09-12 20:51 - 2013-09-12 20:51 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2013-09-12 20:50 - 2013-09-12 20:50 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-09-12 20:50 - 2012-08-10 03:01 - 00056336 ____N (Corel Corporation) C:\Windows\system32\Drivers\PxHlpa64.sys
2013-09-12 20:50 - 2012-04-24 03:01 - 00011376 ____N (Corel Corporation) C:\Windows\system32\Drivers\cdralw2k.sys
2013-09-12 20:50 - 2012-04-24 03:01 - 00010864 ____N (Corel Corporation) C:\Windows\system32\Drivers\cdr4_xp.sys
2013-09-12 20:47 - 2013-09-12 20:47 - 00000000 ____D C:\Users\mark\mps
2013-09-12 20:46 - 2013-09-12 20:46 - 00000748 _____ C:\Users\Public\Desktop\Adobe Download Assistant.lnk
2013-09-12 20:46 - 2013-09-12 20:46 - 00000000 ____D C:\Users\mark\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2013-09-12 20:46 - 2013-09-12 20:46 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2013-09-12 20:46 - 2013-09-12 20:46 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2013-09-11 13:10 - 2013-09-11 13:10 - 00000000 ____D C:\Users\mark\AppData\Local\Blizzard Entertainment

==================== One Month Modified Files and Folders =======

2013-10-10 09:14 - 2013-10-10 09:14 - 00891167 _____ C:\Users\mark\Desktop\SecurityCheck.exe
2013-10-10 09:14 - 2013-10-10 09:14 - 00000000 ____D C:\FRST
2013-10-10 09:13 - 2013-10-10 09:13 - 01954124 _____ (Farbar) C:\Users\mark\Desktop\FRST64.exe
2013-10-10 09:06 - 2012-09-25 11:26 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-10 09:01 - 2013-10-10 09:01 - 00007784 _____ C:\Users\mark\Desktop\attach.txt
2013-10-10 09:00 - 2013-10-10 09:01 - 00011652 _____ C:\Users\mark\Desktop\dds.txt
2013-10-10 08:51 - 2013-10-10 08:51 - 00688992 ____R (Swearware) C:\Users\mark\Desktop\dds.scr
2013-10-10 08:24 - 2012-09-25 16:21 - 00000000 ____D C:\Users\mark\Documents\my games
2013-10-10 08:16 - 2013-07-23 00:11 - 02002910 _____ C:\Windows\WindowsUpdate.log
2013-10-10 08:06 - 2009-07-14 05:45 - 00021664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-10 08:06 - 2009-07-14 05:45 - 00021664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-10 08:04 - 2012-11-13 19:18 - 00000000 ____D C:\Users\mark\AppData\Roaming\BitTorrent
2013-10-10 08:03 - 2009-07-14 06:13 - 00778834 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-10 07:59 - 2013-10-09 20:14 - 00000224 _____ C:\Windows\setupact.log
2013-10-10 07:59 - 2012-09-22 00:43 - 00000000 ____D C:\ProgramData\NVIDIA
2013-10-10 07:59 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-10 00:22 - 2013-10-10 00:22 - 93853456 _____ (Microsoft Corporation) C:\Users\mark\Desktop\msert.exe
2013-10-09 21:07 - 2013-08-16 23:12 - 00000000 ____D C:\Users\mark\Desktop\mbar
2013-10-09 21:07 - 2013-08-16 23:12 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-10-09 21:01 - 2013-10-09 18:48 - 00000000 ____D C:\Users\mark\AppData\Roaming\Adobe64x
2013-10-09 20:14 - 2013-10-09 20:14 - 00000000 _____ C:\Windows\setuperr.log
2013-10-09 20:08 - 2013-10-09 20:08 - 12907592 _____ (Malwarebytes Corp.) C:\Users\mark\Desktop\mbar-1.07.0.1005.exe
2013-10-09 20:06 - 2012-09-25 11:26 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-09 20:06 - 2012-09-25 11:26 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-09 20:06 - 2012-09-25 11:26 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-10-09 17:58 - 2012-11-07 20:21 - 00000000 ____D C:\Users\mark\AppData\Roaming\.minecraft
2013-10-09 17:53 - 2013-10-09 17:53 - 00675988 _____ C:\Users\mark\Desktop\Minecraft1.exe
2013-10-07 01:15 - 2013-10-07 00:38 - 00000000 ____D C:\Users\mark\AppData\Local\My Games
2013-10-01 21:03 - 2012-11-06 15:34 - 00000000 ____D C:\Users\mark\Desktop\iphoto
2013-09-28 23:56 - 2012-09-28 17:18 - 00000000 ____D C:\Users\mark\AppData\Local\Origin
2013-09-28 00:48 - 2013-09-28 00:48 - 00000000 ____D C:\Users\mark\Downloads\Clubland 90s [Explicit] [+digital booklet]
2013-09-25 21:18 - 2012-09-25 12:21 - 00000000 ____D C:\World of Warcraft
2013-09-23 22:29 - 2013-09-23 22:29 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-09-23 22:29 - 2013-09-23 22:29 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-09-23 22:29 - 2013-09-23 22:29 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-09-23 22:29 - 2013-09-23 22:29 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-09-23 22:29 - 2013-09-23 22:29 - 00000000 ____D C:\ProgramData\Oracle
2013-09-23 22:29 - 2013-09-23 22:29 - 00000000 ____D C:\Program Files (x86)\Java
2013-09-23 22:29 - 2012-09-25 20:28 - 00868264 _____ (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-09-23 22:29 - 2012-09-25 20:28 - 00790440 _____ (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-09-23 22:27 - 2012-11-11 11:24 - 00000000 ____D C:\Users\mark\AppData\Local\Adobe
2013-09-23 20:57 - 2012-10-22 18:12 - 00000000 ____D C:\Users\mark\AppData\Roaming\TS3Client
2013-09-18 20:05 - 2013-09-18 19:51 - 00000000 ____D C:\Users\mark\Desktop\m ipho
2013-09-18 19:53 - 2013-09-18 19:53 - 00001450 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-09-18 19:53 - 2013-09-18 19:53 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-09-18 19:53 - 2013-09-18 19:53 - 00000000 ____D C:\Program Files\iTunes
2013-09-18 19:53 - 2013-09-18 19:53 - 00000000 ____D C:\Program Files\iPod
2013-09-13 17:39 - 2012-11-11 11:23 - 00000000 ____D C:\ProgramData\Adobe
2013-09-13 17:29 - 2009-07-14 05:45 - 01928240 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-12 21:24 - 2013-09-12 21:24 - 00003498 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-mark-PC-mark
2013-09-12 20:57 - 2012-09-25 11:26 - 00000000 ____D C:\Users\mark\AppData\Roaming\Adobe
2013-09-12 20:51 - 2013-09-12 20:51 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2013-09-12 20:51 - 2012-09-25 11:37 - 00059088 _____ C:\Users\mark\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-12 20:50 - 2013-09-12 20:50 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-09-12 20:50 - 2012-11-11 11:23 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-09-12 20:47 - 2013-09-12 20:47 - 00000000 ____D C:\Users\mark\mps
2013-09-12 20:47 - 2012-09-25 19:19 - 00000000 ____D C:\Users\mark
2013-09-12 20:46 - 2013-09-12 20:46 - 00000748 _____ C:\Users\Public\Desktop\Adobe Download Assistant.lnk
2013-09-12 20:46 - 2013-09-12 20:46 - 00000000 ____D C:\Users\mark\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2013-09-12 20:46 - 2013-09-12 20:46 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2013-09-12 20:46 - 2013-09-12 20:46 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2013-09-11 13:10 - 2013-09-11 13:10 - 00000000 ____D C:\Users\mark\AppData\Local\Blizzard Entertainment

Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-10-02 21:08

==================== End Of Log ============================

 

Heres the security report:

 

Results of screen317's Security Check version 0.99.74 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 40 
 Adobe Flash Player 11.9.900.117 
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 12% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

And the attachment you asked for: Addition.txt

 

 

[kevinf80]

There is still a reference to ZeroAccess infection, ok we continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run quick scan with Mlawarebytes and post its log...

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http:// http://www.eset.com/us/online-scanner-popup/ to run an online scan from ESET.

 

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the Run ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  Click Start
  
• When asked, allow the add/on to be installed
  Click Start
  
• Make sure that the option Remove found threats is unticked
  
• Click on Advanced Settings, ensure the options
  
• Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  Click Scan
  
• wait for the virus definitions to be downloaded
  
• Wait for the scan to finish
  

 

When the scan is complete

 

• If no threats were found
  
• put a checkmark in "Uninstall application on close"
  
• close program
  
• report to me that nothing was found
  

 

If threats were found

 

• click on "list of threats found"
  
• click on "export to text file" and save it as ESET SCAN and save to the desktop
  
• Click on back
  
• put a checkmark in "Uninstall application on close"
  
• click on finish
  

 

close program

 

copy and paste the report here

 

Let me see those logs.....

 

 

fixlist.txt

[markuk]

Hmm i thought the zero access was long gone. Is that a problem? One of you guys helped me remove it a few months ago. Would it of reinstalled itself or something?

 

FIXLOG:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by mark at 2013-10-10 11:27:51 Run:1
Running from C:\Users\mark\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
C:\Program Files (x86)\Google\Desktop\Install
End

*****************

C:\Program Files (x86)\Google\Desktop\Install => Moved successfully.

==== End of Fixlog ====

 

 

malwarebyte log:

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.10.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
mark :: MARK-PC [administrator]

10/10/2013 11:28:42
mbam-log-2013-10-10 (11-28-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222766
Time elapsed: 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

ESET Found nothing.

[markuk]

Forgot to ask. Can i just delete that fixzeroaccess.sys file?

[kevinf80]

FRST has to remove the Quarantine folder before we can clean up... Do the following:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST/FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

When that completes you can Delete FRST from your Desktop, also its folder C:\FRST  When those steps complete you should be good to go, unless you have any remaining issues or concerns...

 

Kevin.....

fixlist.txt

[markuk]

Okie

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by mark at 2013-10-10 13:15:52 Run:2
Running from C:\Users\mark\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
DeleteQuarantine:
End

*****************

C:\FRST\Quarantine => Removed successfully.

==== End of Fixlog ====

 

I guess thats me all done. is it ok to remove that zeroaccess file now?

 

thanks for your help !

[kevinf80]

ZeroAccess file should be gone, FRST moved it to Quarantine, then we delete Quarantine folder and finally Delete FRST and its folder....

 

If all is ok with no issues here are some tips to reduce the potential for malware infection in the future:

 

Make proper use of your antivirus and firewall

 

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

 

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

 

Install and use WinPatrol from here http://www.winpatrol.com/download.html  This will inform you of any attempted unauthorized changes to your system.

 

WinPatrol features explained here http://www.winpatrol.com/features.html

 

Go here http://www.filehippo.com/updatechecker/ run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates. (Use stand alone version, not a full install)

If Java or Adobe are updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed. <--- Very important

 

Use a safer web browser

 

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

 

FireFox http://www.mozilla.com/en-US/,

 

Opera http://www.opera.com/, and

 

Chrome http://www.google.com/chrome.

 

All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here http://www.bleepingcomputer.com/tutorials/tutorial102.html which will help you to make IE MUCH safer.

 

These browser add-ons will help to make your browser safer:

 

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

 

Available for Firefox and Internet Explorer.

 

Green to go,

Yellow for caution, and

Red to stop.

 

 

Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

 

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article:

http://browsers.about.com/od/addonsplugi2/tp/browser_security_privacy.htm

 

Here a couple of links by two security experts that will give some excellent tips and advice.

 

So how did I get infected in the first place by Tony Klein from here: http://www.spywareinfoforum.com/index.php?/topic/60955-so-how-did-i-get-infected-in-the-first-place/

 

How to prevent Malware by Miekiemoes from here: http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

 

Finally this link http://www.geekstogo.com/forum/topic/38-free-antivirus-and-antispyware-software will give a comprehensive upto date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CD`s.

 

Don`t forget, the best form of defense is common sense. If you don`t recognize it, don`t open it. If something looks to good to be true, then it aint.

 

Let me know when its OK to close out your thread....

 

Take care,

 

Kevin

[markuk]

hello again.

 

C - programs - windows - system32 - drivers - still had a file called fixzeroaccess.sys

 

I've just deleted it and rebooted. it hasnt come back and everything seems to be working fine.

 

Thanks again for your help

[kevinf80]

That driver is something to do with a removal tool for ZA from Symantec, nothing to do with the tools I  asked you to run. Maybe something you`ve run yourself at an earlier time...

 

Are you ok for the thread to be closed out..

 

Cheers,

 

Kevin

[markuk]

whoops i've deleted it! Nothing seems unstable tho! fingers crossed it stays this way!

 

Yup can close thread :-)

 

Thanks again

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!