Numerous Problems With Computer


Sorry to bump, just realised that I should have posted the logs in the actual message as opposed to as attachments:

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-04-2014
Ran by george (administrator) on GEORGE-PC on 22-04-2014 23:16:11
Running from C:\Users\george\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4DSR0SW
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG10\avgchsva.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG10\avgrsa.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
(Microsoft Corp.) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
(Microsoft Corporation) C:\windows\SysWOW64\svchost.exe
(Seiko Epson Corporation) C:\windows\system32\EscSvc64.exe
(Microsoft Corporation) C:\windows\SysWOW64\svchost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG10\avgemca.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\windows\system32\igfxsrvc.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10081312 2010-02-22] (Realtek Semiconductor)
HKLM-x32\...\Run: [AVG_TRAY] => C:\Program Files (x86)\AVG\AVG10\avgtray.exe [2345592 2012-08-01] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [DivXUpdate] => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1259376 2011-07-29] ()
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058400 2011-10-31] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe,,C:\Users\george\AppData\Local\kkndiohy\sqfpsoqp.exe,C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe
HKLM-x32\...\Winlogon: [userinit] userinit.exe,,C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [X]
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\mlicnai-x32: C:\Users\george\AppData\Local\mlicnai.dll ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ad763b5b396377e3e4e317939b5470fe\n. ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-1962686114-1356755012-3113456983-1001\...\Run: [urazga] => C:\Users\george\AppData\Local\Temp\Cailo\urazga.exe <===== ATTENTION
HKU\S-1-5-21-1962686114-1356755012-3113456983-1001\...\Run: [AwmFqjfk] => C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [198144 2014-04-08] ()
HKU\S-1-5-21-1962686114-1356755012-3113456983-1001\...\Run: [QciDvqdi] => C:\Users\george\AppData\Local\Temp\qcidvqdi.exe [198144 2014-04-08] (SupremSoft Company) <===== ATTENTION
HKU\S-1-5-21-1962686114-1356755012-3113456983-1001\...\Run: [wyarsp] => regsvr32.exe "C:\ProgramData\wyarsp.dat"
HKU\S-1-5-21-1962686114-1356755012-3113456983-1001\...\MountPoints2: {9cbc7aa0-6a91-11df-b36e-806e6f6e6963} - D:\InstallNavi.exe
HKU\S-1-5-21-1962686114-1356755012-3113456983-1001\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1962686114-1356755012-3113456983-1001\$ad763b5b396377e3e4e317939b5470fe\n. ATTENTION! ====> ZeroAccess?
Startup: C:\Users\george\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\awmfqjfk.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stockbrokers.barclays.co.uk/?category=publicproductsandservices&usecase=landing49&WT.mc_id=953710161920565-&mpch=sem
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x61E2C1AD9FFECA01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = about:Tabs
URLSearchHook: HKCU - (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll (AVG Technologies CZ, s.r.o.)
BHO: Windows Live Family Safety Browser Helper Class - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO-x32: E-Web Print - {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll (SEIKO EPSON CORPORATION)
BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM - Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKLM-x32 - E-Web Print - {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll (SEIKO EPSON CORPORATION)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab
DPF: HKLM-x32 {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgppa.dll (AVG Technologies CZ, s.r.o.)
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.7.2 - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.7.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8064.0206 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files (x86)\AVG\AVG10\Firefox4\
FF Extension: AVG Safe Search - C:\Program Files (x86)\AVG\AVG10\Firefox4\ []
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012-11-08]
FF HKLM-x32\...\Firefox\Extensions: [e-webprint@epson.com] - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on
FF Extension: E-Web Print - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on [2013-11-12]

Chrome:
=======
CHR DefaultSearchKeyword: google.co.uk
CHR Extension: (Google Drive) - C:\Users\george\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2012-11-08]
CHR Extension: (YouTube) - C:\Users\george\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-11-08]
CHR Extension: (Google Search) - C:\Users\george\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-11-08]
CHR Extension: (AVG Safe Search) - C:\Users\george\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla [2012-11-08]
CHR Extension: (Google Wallet) - C:\Users\george\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-20]
CHR Extension: (DivX Plus Web Player HTML5 <video>) - C:\Users\george\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm [2012-11-08]
CHR Extension: (Gmail) - C:\Users\george\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-11-08]
CHR HKLM-x32\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files (x86)\AVG\AVG10\Chrome\safesearch.crx [2011-09-09]
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files (x86)\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2011-12-12]

==================== Services (Whitelisted) =================

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
S3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7391072 2012-01-31] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
R2 EpsonScanSvc; C:\windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)

==================== Drivers (Whitelisted) ====================

U5 9fcb65c0fa2c3c7e; C:\Windows\System32\Drivers\9fcb65c0fa2c3c7e.sys [79296 2014-04-03] () <===== ATTENTION Necurs Rootkit?
R3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [118864 2011-05-27] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [26704 2011-02-22] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [29264 2011-02-10] (AVG Technologies CZ, s.r.o. )
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [312160 2012-11-12] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [41552 2011-03-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [37456 2011-03-16] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [377936 2011-04-05] (AVG Technologies CZ, s.r.o.)
R0 ioatdma; C:\Windows\System32\Drivers\ioatdma.sys [46792 2009-11-16] (Intel Corporation)
R1 RDPENCDD; C:\Windows\System32\drivers\rdpencdd.sys [7680 2009-07-14] ()
R1 RDPREFMP; C:\Windows\System32\drivers\rdprefmp.sys [8192 2009-07-14] ()
S3 RDPWD; C:\Windows\System32\Drivers\RDPWD.sys [210944 2012-02-17] ()
R0 rdyboost; C:\Windows\System32\drivers\rdyboost.sys [213888 2010-11-20] ()
R2 rspndr; C:\Windows\System32\DRIVERS\rspndr.sys [76800 2009-07-14] ()
R3 RTL8167; C:\Windows\System32\DRIVERS\Rt64win7.sys [314400 2009-12-19] ()
S3 sbp2port; C:\Windows\system32\drivers\sbp2port.sys [103808 2010-11-20] ()
S3 scfilter; C:\Windows\System32\DRIVERS\scfilter.sys [29696 2010-11-20] ()
R2 secdrv; C:\Windows\System32\Drivers\secdrv.sys [23040 2009-06-10] ()
R3 Serenum; C:\Windows\System32\DRIVERS\serenum.sys [23552 2009-07-14] ()
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] ()
S3 sermouse; C:\Windows\system32\DRIVERS\sermouse.sys [26624 2009-07-14] ()
S3 sffdisk; C:\Windows\system32\drivers\sffdisk.sys [14336 2009-07-14] ()
S3 sffp_mmc; C:\Windows\system32\drivers\sffp_mmc.sys [13824 2009-07-14] ()
S3 sffp_sd; C:\Windows\system32\drivers\sffp_sd.sys [14336 2010-11-20] ()
S3 sfloppy; C:\Windows\system32\DRIVERS\sfloppy.sys [16896 2009-07-14] ()
S3 SISAGP; C:\Windows\system32\DRIVERS\SISAGPX.sys [67104 2009-08-01] ()
S3 SiSRaid2; C:\Windows\system32\DRIVERS\SiSRaid2.sys [43584 2009-07-14] ()
S3 SiSRaid4; C:\Windows\system32\DRIVERS\sisraid4.sys [80464 2009-07-14] ()
S3 Smb; C:\Windows\System32\DRIVERS\smb.sys [93184 2009-07-14] ()
R0 spldr; C:\Windows\System32\Drivers\spldr.sys [19008 2009-07-14] ()
R3 srv; C:\Windows\System32\DRIVERS\srv.sys [467456 2011-04-29] ()
R3 srv2; C:\Windows\System32\DRIVERS\srv2.sys [410112 2011-04-29] ()
R3 srvnet; C:\Windows\System32\DRIVERS\srvnet.sys [168448 2011-04-29] ()
S3 stexstor; C:\Windows\system32\DRIVERS\stexstor.sys [24656 2009-07-14] ()
R3 swenum; C:\Windows\system32\drivers\swenum.sys [12496 2009-07-14] ()
R0 Tcpip; C:\Windows\System32\drivers\tcpip.sys [1918320 2012-03-30] ()
S3 TCPIP6; C:\Windows\System32\DRIVERS\tcpip.sys [1918320 2012-03-30] ()
R2 tcpipreg; C:\Windows\System32\drivers\tcpipreg.sys [45056 2010-11-20] ()
S3 TDPIPE; C:\Windows\System32\drivers\tdpipe.sys [15872 2009-07-14] ()
S3 TDTCP; C:\Windows\System32\drivers\tdtcp.sys [23552 2012-02-17] ()
R1 tdx; C:\Windows\System32\DRIVERS\tdx.sys [119296 2010-11-20] ()
R1 TermDD; C:\Windows\system32\drivers\termdd.sys [63360 2010-11-20] ()
S3 tssecsrv; C:\Windows\System32\DRIVERS\tssecsrv.sys [39424 2010-11-20] ()
S3 TsUsbFlt; C:\Windows\System32\drivers\tsusbflt.sys [59392 2010-11-20] ()
R3 tunnel; C:\Windows\System32\DRIVERS\tunnel.sys [125440 2010-11-20] ()
S3 uagp35; C:\Windows\system32\DRIVERS\uagp35.sys [64080 2009-07-14] ()
S4 udfs; C:\Windows\System32\DRIVERS\udfs.sys [328192 2010-11-20] ()
S3 uliagpkx; C:\Windows\system32\drivers\uliagpkx.sys [64592 2009-07-14] ()
R3 umbus; C:\Windows\system32\drivers\umbus.sys [48640 2010-11-20] ()
S3 UmPass; C:\Windows\system32\DRIVERS\umpass.sys [9728 2009-07-14] ()
S3 usbccgp; C:\Windows\system32\drivers\usbccgp.sys [98816 2011-03-25] ()
S3 usbcir; C:\Windows\system32\drivers\usbcir.sys [100352 2009-07-14] ()
R3 usbehci; C:\Windows\system32\drivers\usbehci.sys [52736 2011-03-25] ()
R3 usbhub; C:\Windows\System32\DRIVERS\usbhub.sys [343040 2011-03-25] ()
S3 usbohci; C:\Windows\system32\drivers\usbohci.sys [25600 2011-03-25] ()
S3 usbprint; C:\Windows\System32\DRIVERS\usbprint.sys [25088 2009-07-14] ()
S3 usbscan; C:\Windows\System32\DRIVERS\usbscan.sys [41984 2009-07-14] ()
S3 USBSTOR; C:\Windows\System32\DRIVERS\USBSTOR.SYS [91648 2011-03-11] ()
R3 usbuhci; C:\Windows\system32\drivers\usbuhci.sys [30720 2011-03-25] ()
R0 vdrvroot; C:\Windows\System32\drivers\vdrvroot.sys [36432 2009-07-14] ()
S3 vga; C:\Windows\System32\DRIVERS\vgapnp.sys [29184 2009-07-14] ()
R1 VgaSave; C:\Windows\System32\drivers\vga.sys [29184 2009-07-14] ()
S3 vhdmp; C:\Windows\system32\drivers\vhdmp.sys [215936 2010-11-20] ()
S3 viaide; C:\Windows\system32\drivers\viaide.sys [17488 2009-07-14] ()
R0 volmgr; C:\Windows\System32\drivers\volmgr.sys [71552 2010-11-20] ()
R0 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [363392 2010-11-20] ()
R0 volsnap; C:\Windows\System32\drivers\volsnap.sys [295808 2010-11-20] ()
S3 vsmraid; C:\Windows\system32\DRIVERS\vsmraid.sys [161872 2009-07-14] ()
R3 vwifibus; C:\Windows\System32\DRIVERS\vwifibus.sys [24576 2009-07-14] ()
R1 vwififlt; C:\Windows\System32\DRIVERS\vwififlt.sys [59904 2009-07-14] ()
R3 vwifimp; C:\Windows\System32\DRIVERS\vwifimp.sys [17920 2009-07-14] ()
S3 WacomPen; C:\Windows\system32\DRIVERS\wacompen.sys [27776 2009-07-14] ()
S3 WANARP; C:\Windows\System32\DRIVERS\wanarp.sys [88576 2010-11-20] ()
R1 Wanarpv6; C:\Windows\System32\DRIVERS\wanarp.sys [88576 2010-11-20] ()
S3 Wd; C:\Windows\system32\DRIVERS\wd.sys [21056 2009-07-14] ()
R0 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [654928 2009-07-14] ()
R1 WfpLwf; C:\Windows\System32\DRIVERS\wfplwf.sys [12800 2009-07-14] ()
S3 WIMMount; C:\Windows\System32\drivers\wimmount.sys [22096 2009-07-14] ()
S3 WinUsb; C:\Windows\System32\DRIVERS\WinUsb.sys [41984 2010-11-20] ()
S3 WmiAcpi; C:\Windows\system32\drivers\wmiacpi.sys [14336 2009-07-14] ()
S4 ws2ifsl; C:\Windows\system32\drivers\ws2ifsl.sys [21504 2009-07-14] ()
R3 WudfPf; C:\Windows\System32\drivers\WudfPf.sys [112128 2010-11-20] ()
S3 WUDFRd; C:\Windows\System32\DRIVERS\WUDFRd.sys [172544 2010-11-20] ()

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-22 23:15 - 2014-04-22 23:16 - 00000000 ____D () C:\FRST
2014-04-22 22:18 - 2014-04-22 23:12 - 00000076 _____ () C:\Users\george\Desktop\Help from here.txt
2014-04-17 17:06 - 2014-04-17 17:06 - 00281208 _____ (Microsoft Corporation) C:\ProgramData\wyarsp.dat
2014-04-16 20:13 - 2014-04-22 23:16 - 00000000 _____ () C:\Users\george\AppData\Local\oehvhwef.log
2014-04-12 17:59 - 2014-04-12 17:59 - 00145261 _____ () C:\Users\george\AppData\Local\census.cache
2014-04-12 17:59 - 2014-04-12 17:59 - 00080446 _____ () C:\Users\george\AppData\Local\ars.cache
2014-04-12 17:36 - 2012-06-05 08:37 - 00256904 _____ (Trend Micro Inc.) C:\windows\SysWOW64\Drivers\tmcomm.sys
2014-04-12 17:35 - 2014-04-12 17:35 - 00000036 _____ () C:\Users\george\AppData\Local\housecall.guid.cache
2014-04-12 17:29 - 2014-04-12 17:29 - 00000000 ____D () C:\Users\george\AppData\Roaming\QuickScan
2014-04-11 23:19 - 2014-04-11 23:19 - 00003162 _____ () C:\windows\System32\Tasks\{42046625-83BE-4A81-BAD6-0E206C6D9104}
2014-04-11 23:14 - 2014-04-11 23:14 - 00013478 _____ () C:\windows\system32\control - Shortcut.lnk
2014-04-11 23:14 - 2014-04-11 23:14 - 00000878 _____ () C:\Users\george\Desktop\control - Shortcut.lnk
2014-04-11 23:14 - 2009-07-14 02:39 - 00114688 _____ (Microsoft Corporation) C:\Users\george\Desktop\control.exe
2014-04-11 23:10 - 2014-04-11 23:10 - 00003150 _____ () C:\windows\System32\Tasks\{D7FE36BA-2D1A-438E-A8DC-B25C27A1469F}
2014-04-08 22:11 - 2014-04-22 21:45 - 00000000 ____D () C:\Users\george\AppData\Local\rtusgjvt
2014-04-03 08:19 - 2014-04-03 08:19 - 00079296 _____ () C:\windows\system32\Drivers\9fcb65c0fa2c3c7e.sys
2014-03-30 09:29 - 2014-03-30 09:29 - 00000020 _____ () C:\Users\george\AppData\Local\MLICNAI.DLL

==================== One Month Modified Files and Folders =======

2014-04-22 23:16 - 2014-04-22 23:15 - 00000000 ____D () C:\FRST
2014-04-22 23:16 - 2014-04-16 20:13 - 00000000 _____ () C:\Users\george\AppData\Local\oehvhwef.log
2014-04-22 23:16 - 2013-02-26 16:51 - 00000000 _____ () C:\Users\george\AppData\Local\rleeakjy.log
2014-04-22 23:16 - 2012-09-22 09:04 - 00000028 _____ () C:\Users\george\AppData\Local\twrionlj.log
2014-04-22 23:12 - 2014-04-22 22:18 - 00000076 _____ () C:\Users\george\Desktop\Help from here.txt
2014-04-22 23:08 - 2013-02-25 23:29 - 02534298 _____ () C:\Users\george\AppData\Local\vkolfrsa.log
2014-04-22 22:50 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At46.job
2014-04-22 22:50 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At45.job
2014-04-22 22:40 - 2012-11-13 15:42 - 00001026 _____ () C:\Users\george\AppData\Local\pwuhakrg.log
2014-04-22 22:31 - 2012-11-08 08:49 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-22 22:26 - 2012-11-08 08:49 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-04-22 21:55 - 2009-07-14 05:45 - 00009920 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-22 21:55 - 2009-07-14 05:45 - 00009920 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-22 21:50 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At44.job
2014-04-22 21:50 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At43.job
2014-04-22 21:47 - 2013-06-03 09:46 - 00000350 _____ () C:\windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2014-04-22 21:47 - 2012-11-08 08:49 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-22 21:47 - 2009-07-14 06:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-04-22 21:47 - 2009-07-14 05:51 - 00142472 _____ () C:\windows\setupact.log
2014-04-22 21:45 - 2014-04-08 22:11 - 00000000 ____D () C:\Users\george\AppData\Local\rtusgjvt
2014-04-22 21:45 - 2010-10-21 17:25 - 00000000 ____D () C:\windows\system32\Drivers\AVG
2014-04-22 21:45 - 2010-05-28 20:54 - 00000000 ___RD () C:\Users\george\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-04-22 21:45 - 2010-05-28 20:53 - 00000000 ____D () C:\Users\george
2014-04-22 21:45 - 2009-07-14 04:20 - 00000000 ____D () C:\windows\registration
2014-04-22 21:45 - 2009-07-14 04:20 - 00000000 ____D () C:\windows\AppCompat
2014-04-22 21:37 - 2010-05-28 20:53 - 01452317 _____ () C:\windows\WindowsUpdate.log
2014-04-22 21:33 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At33.job
2014-04-22 20:50 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At42.job
2014-04-22 20:50 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At41.job
2014-04-22 19:50 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At40.job
2014-04-22 19:50 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At39.job
2014-04-22 18:50 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At38.job
2014-04-22 18:50 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At37.job
2014-04-22 17:50 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At36.job
2014-04-22 17:50 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At35.job
2014-04-22 17:22 - 2014-01-10 13:31 - 00288881 _____ () C:\Users\george\AppData\Local\dvbstftw.log
2014-04-22 17:22 - 2014-01-10 13:31 - 00002472 _____ () C:\Users\george\AppData\Local\bdhvhgpt.log
2014-04-22 17:13 - 2014-02-26 08:53 - 00000054 _____ () C:\Users\george\AppData\Local\ttepsjux.log
2014-04-22 17:13 - 2014-01-10 13:31 - 00000035 _____ () C:\Users\george\AppData\Local\hktiyoqu.log
2014-04-22 17:13 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At34.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At32.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At30.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At28.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At26.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At24.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At22.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At31.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At29.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At27.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At25.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At23.job
2014-04-22 17:13 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At21.job
2014-04-22 09:55 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At20.job
2014-04-22 09:55 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At19.job
2014-04-22 07:50 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At16.job
2014-04-22 07:50 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At15.job
2014-04-22 07:34 - 2009-07-14 06:13 - 00726444 _____ () C:\windows\system32\PerfStringBackup.INI
2014-04-21 16:44 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At18.job
2014-04-21 16:44 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At17.job
2014-04-18 07:50 - 2012-04-08 15:27 - 00016456 _____ () C:\windows\PFRO.log
2014-04-17 17:06 - 2014-04-17 17:06 - 00281208 _____ (Microsoft Corporation) C:\ProgramData\wyarsp.dat
2014-04-13 08:13 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At14.job
2014-04-13 08:13 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At13.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At8.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At6.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At48.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At4.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At2.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At12.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000342 _____ () C:\windows\Tasks\At10.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At9.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At7.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At5.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At47.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At3.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At11.job
2014-04-13 06:42 - 2013-06-12 18:38 - 00000340 _____ () C:\windows\Tasks\At1.job
2014-04-12 17:59 - 2014-04-12 17:59 - 00145261 _____ () C:\Users\george\AppData\Local\census.cache
2014-04-12 17:59 - 2014-04-12 17:59 - 00080446 _____ () C:\Users\george\AppData\Local\ars.cache
2014-04-12 17:35 - 2014-04-12 17:35 - 00000036 _____ () C:\Users\george\AppData\Local\housecall.guid.cache
2014-04-12 17:34 - 2009-07-14 04:20 - 00000000 ____D () C:\windows\system32\NDF
2014-04-12 17:29 - 2014-04-12 17:29 - 00000000 ____D () C:\Users\george\AppData\Roaming\QuickScan
2014-04-11 23:22 - 2011-12-08 11:12 - 00000000 ____D () C:\Program Files (x86)\AVG Secure Search
2014-04-11 23:20 - 2014-03-21 17:47 - 00000000 ____D () C:\ProgramData\AVG Secure Search
2014-04-11 23:19 - 2014-04-11 23:19 - 00003162 _____ () C:\windows\System32\Tasks\{42046625-83BE-4A81-BAD6-0E206C6D9104}
2014-04-11 23:14 - 2014-04-11 23:14 - 00013478 _____ () C:\windows\system32\control - Shortcut.lnk
2014-04-11 23:14 - 2014-04-11 23:14 - 00000878 _____ () C:\Users\george\Desktop\control - Shortcut.lnk
2014-04-11 23:10 - 2014-04-11 23:10 - 00003150 _____ () C:\windows\System32\Tasks\{D7FE36BA-2D1A-438E-A8DC-B25C27A1469F}
2014-04-11 18:58 - 2010-05-28 20:55 - 00000000 ____D () C:\Users\george\AppData\Roaming\Adobe
2014-04-08 22:12 - 2012-09-22 09:04 - 00103520 _____ () C:\Users\george\AppData\Local\unyvhksj.log
2014-04-03 09:57 - 2010-05-28 20:55 - 00000000 ____D () C:\Users\george\AppData\Roaming\Macromedia
2014-04-03 08:30 - 2014-02-22 22:45 - 00000000 ____D () C:\Users\george\Downloads\read
2014-04-03 08:30 - 2013-11-17 16:31 - 00000000 ____D () C:\Users\george\Desktop\ebay
2014-04-03 08:19 - 2014-04-03 08:19 - 00079296 _____ () C:\windows\system32\Drivers\9fcb65c0fa2c3c7e.sys
2014-03-31 14:26 - 2012-11-08 08:49 - 00003894 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-31 14:26 - 2012-11-08 08:49 - 00003642 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-30 09:29 - 2014-03-30 09:29 - 00000020 _____ () C:\Users\george\AppData\Local\MLICNAI.DLL

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$ad763b5b396377e3e4e317939b5470fe

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1962686114-1356755012-3113456983-1001\$ad763b5b396377e3e4e317939b5470fe

Files to move or delete:
====================
C:\Users\george\AppData\Local\Temp\qcidvqdi.exe
C:\ProgramData\2A621000sm.pad
C:\ProgramData\4188B500sm.pad
C:\ProgramData\bjwbjj8.fee
C:\ProgramData\bjwbjj8.odd
C:\ProgramData\s333e7t6.dat
C:\ProgramData\wyarsp.dat
C:\Users\george\teamviewer.exe
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At10.job
C:\Windows\Tasks\At11.job
C:\Windows\Tasks\At12.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At14.job
C:\Windows\Tasks\At15.job
C:\Windows\Tasks\At16.job
C:\Windows\Tasks\At17.job
C:\Windows\Tasks\At18.job
C:\Windows\Tasks\At19.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At20.job
C:\Windows\Tasks\At21.job
C:\Windows\Tasks\At22.job
C:\Windows\Tasks\At23.job
C:\Windows\Tasks\At24.job
C:\Windows\Tasks\At25.job
C:\Windows\Tasks\At26.job
C:\Windows\Tasks\At27.job
C:\Windows\Tasks\At28.job
C:\Windows\Tasks\At29.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At30.job
C:\Windows\Tasks\At31.job
C:\Windows\Tasks\At32.job
C:\Windows\Tasks\At33.job
C:\Windows\Tasks\At34.job
C:\Windows\Tasks\At35.job
C:\Windows\Tasks\At36.job
C:\Windows\Tasks\At37.job
C:\Windows\Tasks\At38.job
C:\Windows\Tasks\At39.job
C:\Windows\Tasks\At4.job
C:\Windows\Tasks\At40.job
C:\Windows\Tasks\At41.job
C:\Windows\Tasks\At42.job
C:\Windows\Tasks\At43.job
C:\Windows\Tasks\At44.job
C:\Windows\Tasks\At45.job
C:\Windows\Tasks\At46.job
C:\Windows\Tasks\At47.job
C:\Windows\Tasks\At48.job
C:\Windows\Tasks\At5.job
C:\Windows\Tasks\At6.job
C:\Windows\Tasks\At7.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At9.job

Some content of TEMP:
====================
C:\Users\george\AppData\Local\Temp\0.7670717672962944.bfg
C:\Users\george\AppData\Local\Temp\1129026153.exe
C:\Users\george\AppData\Local\Temp\2513073034.exe
C:\Users\george\AppData\Local\Temp\2825474509.exe
C:\Users\george\AppData\Local\Temp\286127219.exe
C:\Users\george\AppData\Local\Temp\2956964858.exe
C:\Users\george\AppData\Local\Temp\2982129174.exe
C:\Users\george\AppData\Local\Temp\2jfuweif.exe
C:\Users\george\AppData\Local\Temp\3088681571.exe
C:\Users\george\AppData\Local\Temp\3500382649.exe
C:\Users\george\AppData\Local\Temp\357766823.exe
C:\Users\george\AppData\Local\Temp\3672453680.exe
C:\Users\george\AppData\Local\Temp\3718928441.exe
C:\Users\george\AppData\Local\Temp\3962865265.exe
C:\Users\george\AppData\Local\Temp\4114304946.exe
C:\Users\george\AppData\Local\Temp\4188210946.exe
C:\Users\george\AppData\Local\Temp\490391918.exe
C:\Users\george\AppData\Local\Temp\690120377.exe
C:\Users\george\AppData\Local\Temp\868312027.exe
C:\Users\george\AppData\Local\Temp\DivXSetup.exe
C:\Users\george\AppData\Local\Temp\hhbkrhikdhrrqqulamy.bfg
C:\Users\george\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\george\AppData\Local\Temp\jsekxvln.exe
C:\Users\george\AppData\Local\Temp\qcidvqdi.exe
C:\Users\george\AppData\Local\Temp\rtdrvmon.exe
C:\Users\george\AppData\Local\Temp\ubwdmqclmnkvxustocc.bfg
C:\Users\george\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\george\AppData\Local\Temp\wkqqcjgicqubwqhfdnh.bfg

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-06-21 07:45] - [2010-11-20 14:34] - 0295808 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\Drivers\volsnap.sys No Company Name <===== ATTENTION!

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

LastRegBack: 2014-04-19 08:38

==================== End Of Log ============================

Additions log:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 22-04-2014
Ran by george at 2014-04-22 23:17:05
Running from C:\Users\george\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4DSR0SW
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: AVG Anti-Virus Free Edition 2011 (Enabled - Up to date) {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AS: AVG Anti-Virus Free Edition 2011 (Enabled - Up to date) {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 1 (SP1) (x32 Version:  - Microsoft) Hidden
ABBYY FineReader 9.0 Sprint (HKLM-x32\...\ABBYY FineReader 9.0 Sprint) (Version: 9.01.513.58212 - ABBYY)
ABBYY FineReader 9.0 Sprint (x32 Version: 9.01.513.58212 - ABBYY) Hidden
Adobe Flash Player 12 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
AVG 2011 (HKLM\...\AVG) (Version: 10.0.1432 - AVG Technologies)
AVG 2011 (Version: 10.0.1432 - AVG Technologies) Hidden
AVG 2011 (Version: 10.0.3722 - AVG Technologies) Hidden
Basic Operation Guide EPSON XP-402 403 405 406 Series (HKLM-x32\...\EPSON XP-402 403 405 406 Series Bog) (Version:  - )
Choice Guard (x32 Version: 1.2.87.0 - Microsoft Corporation) Hidden
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
DivX Setup (HKLM-x32\...\DivX Setup) (Version: 2.6.1.9 - DivX, LLC)
Epson Connect Printer Setup (HKLM-x32\...\{D9B1D51B-EB56-410D-AEB5-1CCFAC4B6C8C}) (Version: 1.1.1 - SEIKO EPSON CORPORATION)
Epson Easy Photo Print 2 (HKLM-x32\...\{30E01116-5666-4807-8EF1-D80E9FF16717}) (Version: 2.3.2.0 - SEIKO EPSON CORPORATION)
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser) (HKLM-x32\...\{B2D55EB8-32C5-4B43-9006-9E97DECBA178}) (Version: 1.00.0000 - SEIKO EPSON CORPORATION2)
Epson Event Manager (HKLM-x32\...\{BECE9CCD-83F6-4BAA-9B26-227DF7D2E932}) (Version: 3.01.0000 - Seiko Epson Corporation)
Epson E-Web Print (HKLM-x32\...\{695C8469-7822-4B31-A673-5ED84815B649}) (Version: 1.17.0000 - SEIKO EPSON CORPORATION)
EPSON Printer Finder (HKLM-x32\...\{B8ECD0D3-AE08-4891-B6C7-32F96B75EB6C}) (Version: 1.0.0 - SEIKO EPSON CORPORATION)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON XP-402 403 405 406 Series Printer Uninstall (HKLM\...\EPSON XP-402 403 405 406 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.6.0 - SEIKO EPSON CORPORATION)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.23.9 - Google Inc.) Hidden
Java 7 Update 7 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217007FF}) (Version: 7.0.70 - Oracle)
Java Auto Updater (x32 Version: 2.1.9.0 - Sun Microsystems, Inc.) Hidden
Junk Mail filter update (x32 Version: 14.0.8064.206 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 2007 Service Pack 2 (SP2) (x32 Version:  - Microsoft) Hidden
Microsoft Office Excel MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6215.1000 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (x32 Version: 12.0.6215.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6215.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6213.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6213.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) (x32 Version:  - Microsoft) Hidden
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Search Enhancement Pack (x32 Version: 1.2.123.0 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM-x32\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM-x32\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{402ED4A1-8F5B-387A-8688-997ABF58B8F2}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{67E03279-F703-408F-B4BF-46B5FC8D70CD}) (Version: 9.7.0621 - Microsoft Corporation)
MSVCRT (x32 Version: 14.0.1468.721 - Microsoft) Hidden
Network Guide EPSON XP-402 403 405 406 Series (HKLM-x32\...\EPSON XP-402 403 405 406 Series Netg) (Version:  - )
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6050 - Realtek Semiconductor Corp.)
Software Updater (HKLM-x32\...\{A3B308B9-BE96-4334-816F-3D82B19A7DE2}) (Version: 4.1.7 - SEIKO EPSON CORPORATION) <==== ATTENTION
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 - Microsoft Corporation)
Update for Office 2007 (KB946691) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{A420F522-7395-4872-9882-C591B4B92278}) (Version:  - Microsoft)
User's Guide EPSON XP-402 403 405 406 Series (HKLM-x32\...\EPSON XP-402 403 405 406 Series Useg) (Version:  - )
VC80CRTRedist - 8.0.50727.4053 (x32 Version: 1.1.0 - DivX, Inc) Hidden
Visual C++ 8.0 Runtime Setup Package (x64) (HKLM-x32\...\{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}) (Version: 9.0.0.623 - AVG Technologies CZ, s.r.o.)
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Windows Live Call (x32 Version: 14.0.8064.0206 - Microsoft Corporation) Hidden
Windows Live Communications Platform (x32 Version: 14.0.8064.206 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8064.0206 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 14.0.8064.206 - Microsoft Corporation) Hidden
Windows Live Family Safety (Version: 14.0.8064.206 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 14.0.8064.0206 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 14.0.8064.0206 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 14.0.8064.206 - Microsoft Corporation) Hidden
Windows Live Sign-in Assistant (HKLM-x32\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}) (Version: 14.0.8064.206 - Microsoft Corporation)
Windows Live Toolbar (x32 Version: 14.0.8064.206 - Microsoft Corporation) Hidden
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Live Writer (x32 Version: 14.0.8064.0206 - Microsoft Corporation) Hidden

==================== Restore Points  =========================

==================== Hosts content: ==========================

2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {19DC2DBA-776E-4671-9C6C-0549627F9B31} - System32\Tasks\At36 => C:\windows\Fonts\kIMtCT.com
Task: {1A435FF3-7E5F-45B8-BB2E-C96210FC8FBA} - System32\Tasks\At48 => C:\windows\Fonts\kIMtCT.com
Task: {1B27B483-209D-472D-BE1F-1AA16CB47F86} - System32\Tasks\At15 => C:\windows\Fonts\kIMtCT.com
Task: {21831AE2-72EB-44C5-A2A6-1BFD200B3FB1} - System32\Tasks\At31 => C:\windows\Fonts\kIMtCT.com
Task: {223F808E-7E09-4689-929B-741FA84F9693} - System32\Tasks\At4 => C:\windows\Fonts\kIMtCT.com
Task: {27A687D3-539D-4B8A-B65E-177DAC0173D7} - System32\Tasks\At27 => C:\windows\Fonts\kIMtCT.com
Task: {28763CA0-B807-4F4D-AF58-25D31ACAA946} - System32\Tasks\At13 => C:\windows\Fonts\kIMtCT.com
Task: {3534A97E-CA51-4750-8DB7-FF8DCA9EB593} - System32\Tasks\At6 => C:\windows\Fonts\kIMtCT.com
Task: {35D3A608-74DF-4C36-B10D-EA2D403C1601} - System32\Tasks\At19 => C:\windows\Fonts\kIMtCT.com
Task: {3697F74E-5BEF-4533-A811-62FC7FDA6BA4} - System32\Tasks\At37 => C:\windows\Fonts\kIMtCT.com
Task: {36A6CAF1-B229-4DD4-ABD2-0A1788B0FA37} - System32\Tasks\At5 => C:\windows\Fonts\kIMtCT.com
Task: {36BBEA45-3AED-4911-BA34-17A156D662AE} - System32\Tasks\At7 => C:\windows\Fonts\kIMtCT.com
Task: {414E4E05-9809-4EA7-8CA9-3C3B01E02759} - System32\Tasks\At42 => C:\windows\Fonts\kIMtCT.com
Task: {47738AE0-DEDC-4DE8-B2F0-3E5A4BB94BAD} - System32\Tasks\At29 => C:\windows\Fonts\kIMtCT.com
Task: {47D32966-AAA1-4C6B-A2F2-72F645FD7FE5} - System32\Tasks\At1 => C:\windows\Fonts\kIMtCT.com
Task: {49D093A4-A268-498A-9D08-828B4CCF5CF3} - System32\Tasks\At30 => C:\windows\Fonts\kIMtCT.com
Task: {4B8539D9-2026-4FB4-865D-62DE3D0C3B65} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\windows\TEMP\{8FE3C13C-7A07-4C79-ADE6-FB295B390217}.exe
Task: {52D65A29-32A6-4718-B387-6AF3AAABCF17} - System32\Tasks\At46 => C:\windows\Fonts\kIMtCT.com
Task: {53AB3A25-2256-45BC-B075-9D15596A0CCA} - System32\Tasks\At12 => C:\windows\Fonts\kIMtCT.com
Task: {577AF655-E039-4954-A98D-C5849A1B6502} - System32\Tasks\At32 => C:\windows\Fonts\kIMtCT.com
Task: {57A83B1B-6F7F-41D8-B7F4-B5C7DA7720A5} - System32\Tasks\At44 => C:\windows\Fonts\kIMtCT.com
Task: {5AA07D64-0D3D-4A40-84FD-3682C1325A9A} - System32\Tasks\At28 => C:\windows\Fonts\kIMtCT.com
Task: {69BC55C2-0520-4003-A4A2-A0DC905BB9A1} - System32\Tasks\At47 => C:\windows\Fonts\kIMtCT.com
Task: {6A1D1347-277D-45EA-8B57-34C90CFC90A2} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-11] (Adobe Systems Incorporated)
Task: {7409A9D0-1600-4293-9D2C-B5216BA7F439} - System32\Tasks\At10 => C:\windows\Fonts\kIMtCT.com
Task: {7D08C331-B610-4CBB-958D-B68EB4CFD69E} - System32\Tasks\At25 => C:\windows\Fonts\kIMtCT.com
Task: {7D6C815D-90BC-4DF9-B910-BA731C1C14E3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-11-08] (Google Inc.)
Task: {84238122-B8C9-41AB-B08F-6C369F72B7AB} - System32\Tasks\At35 => C:\windows\Fonts\kIMtCT.com
Task: {84256AF5-2E81-44E9-A35D-7F61BC40517F} - System32\Tasks\At22 => C:\windows\Fonts\kIMtCT.com
Task: {86B4843C-0201-4477-952C-53CBA77E8B0F} - System32\Tasks\At24 => C:\windows\Fonts\kIMtCT.com
Task: {8A366BBC-E852-4FE9-B6BE-6DE0E19EAD93} - System32\Tasks\At8 => C:\windows\Fonts\kIMtCT.com
Task: {8A99CF21-5CF0-45A0-9B6E-6D705C2D4380} - System32\Tasks\At9 => C:\windows\Fonts\kIMtCT.com
Task: {8EE60E70-3EB6-4777-A656-AF828A24BE53} - System32\Tasks\At43 => C:\windows\Fonts\kIMtCT.com
Task: {9BFA9798-4243-48CF-B532-28DA681885BE} - System32\Tasks\At20 => C:\windows\Fonts\kIMtCT.com
Task: {9D322107-3EC3-4989-8B53-B450B3C58D01} - System32\Tasks\At38 => C:\windows\Fonts\kIMtCT.com
Task: {A854C787-D8B1-402E-83B0-66352EF74B73} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-11-08] (Google Inc.)
Task: {AA9BD140-9E20-4C6A-9160-FD64041D4637} - System32\Tasks\At23 => C:\windows\Fonts\kIMtCT.com
Task: {BB9E5A67-DF63-4AF7-BDFA-FBF735C961CB} - System32\Tasks\At16 => C:\windows\Fonts\kIMtCT.com
Task: {C2487247-1B08-401F-BF49-B4DA63D91966} - System32\Tasks\At14 => C:\windows\Fonts\kIMtCT.com
Task: {C72405A3-6EED-4578-9C1A-4912967477EC} - System32\Tasks\At33 => C:\windows\Fonts\kIMtCT.com
Task: {C9080A13-2E9D-4D30-AC36-BB9799249E62} - System32\Tasks\At40 => C:\windows\Fonts\kIMtCT.com
Task: {D0A81650-9607-44A5-B464-BEE7F4BCFED6} - System32\Tasks\At41 => C:\windows\Fonts\kIMtCT.com
Task: {D800BA11-D965-490C-B607-9F968E813969} - System32\Tasks\At45 => C:\windows\Fonts\kIMtCT.com
Task: {E69D58DA-9BBB-467B-8960-89E72E63052A} - System32\Tasks\At2 => C:\windows\Fonts\kIMtCT.com
Task: {E706EEF5-0D0C-4A9E-8E31-ACEEF177C986} - System32\Tasks\At3 => C:\windows\Fonts\kIMtCT.com
Task: {EC422A9F-9AFD-4072-B457-6F0C3164871B} - System32\Tasks\At39 => C:\windows\Fonts\kIMtCT.com
Task: {F1D464F8-9B13-4929-8321-A0BAC41C0D2A} - System32\Tasks\At11 => C:\windows\Fonts\kIMtCT.com
Task: {F303E342-4A07-4DAA-A5ED-6A57B9F8F4AD} - System32\Tasks\At18 => C:\windows\Fonts\kIMtCT.com
Task: {F6C82B39-9389-41E4-AE20-DE0F0744B895} - System32\Tasks\At17 => C:\windows\Fonts\kIMtCT.com
Task: {F88A4440-9230-4467-86F7-C2B6CAEF8061} - System32\Tasks\At21 => C:\windows\Fonts\kIMtCT.com
Task: {F9AF774F-84DE-44C9-8A6F-DCCFCF6F4490} - System32\Tasks\At26 => C:\windows\Fonts\kIMtCT.com
Task: {FF5285CD-D074-4D17-9230-EB2EAC1742DA} - System32\Tasks\At34 => C:\windows\Fonts\kIMtCT.com
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\At1.job => ?
Task: C:\windows\Tasks\At10.job => ?
Task: C:\windows\Tasks\At11.job => ?
Task: C:\windows\Tasks\At12.job => ?
Task: C:\windows\Tasks\At13.job => ?
Task: C:\windows\Tasks\At14.job => ?
Task: C:\windows\Tasks\At15.job => ?
Task: C:\windows\Tasks\At16.job => ?
Task: C:\windows\Tasks\At17.job => ?
Task: C:\windows\Tasks\At18.job => ?
Task: C:\windows\Tasks\At19.job => ?
Task: C:\windows\Tasks\At2.job => ?
Task: C:\windows\Tasks\At20.job => ?
Task: C:\windows\Tasks\At21.job => ?
Task: C:\windows\Tasks\At22.job => ?
Task: C:\windows\Tasks\At23.job => ?
Task: C:\windows\Tasks\At24.job => ?
Task: C:\windows\Tasks\At25.job => ?
Task: C:\windows\Tasks\At26.job => ?
Task: C:\windows\Tasks\At27.job => ?
Task: C:\windows\Tasks\At28.job => ?
Task: C:\windows\Tasks\At29.job => ?
Task: C:\windows\Tasks\At3.job => ?
Task: C:\windows\Tasks\At30.job => ?
Task: C:\windows\Tasks\At31.job => ?
Task: C:\windows\Tasks\At32.job => ?
Task: C:\windows\Tasks\At33.job => ?
Task: C:\windows\Tasks\At34.job => ?
Task: C:\windows\Tasks\At35.job => ?
Task: C:\windows\Tasks\At36.job => ?
Task: C:\windows\Tasks\At37.job => ?
Task: C:\windows\Tasks\At38.job => ?
Task: C:\windows\Tasks\At39.job => ?
Task: C:\windows\Tasks\At4.job => ?
Task: C:\windows\Tasks\At40.job => ?
Task: C:\windows\Tasks\At41.job => ?
Task: C:\windows\Tasks\At42.job => ?
Task: C:\windows\Tasks\At43.job => ?
Task: C:\windows\Tasks\At44.job => ?
Task: C:\windows\Tasks\At45.job => ?
Task: C:\windows\Tasks\At46.job => ?
Task: C:\windows\Tasks\At47.job => ?
Task: C:\windows\Tasks\At48.job => ?
Task: C:\windows\Tasks\At5.job => ?
Task: C:\windows\Tasks\At6.job => ?
Task: C:\windows\Tasks\At7.job => ?
Task: C:\windows\Tasks\At8.job => ?
Task: C:\windows\Tasks\At9.job => ?
Task: C:\windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\windows\TEMP\{8FE3C13C-7A07-4C79-ADE6-FB295B390217}.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2011-12-15 10:09 - 2011-10-26 06:21 - 00043520 _____ () C:\windows\system32\CSRSRV.dll
2009-07-14 00:19 - 2009-07-14 02:41 - 00036864 _____ () C:\windows\system32\pcwum.dll
2009-07-14 00:19 - 2009-07-14 02:41 - 00036864 _____ () c:\windows\system32\pcwum.DLL
2009-07-14 00:19 - 2009-07-14 02:41 - 00036864 _____ () c:\windows\system32\pcwum.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BsScanner => ""="Service"

==================== Disabled items from MSCONFIG ==============

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (04/22/2014 11:14:16 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16421 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 10f0

Start Time: 01cf5e77e4af75a2

Termination Time: 47

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id:

Error: (04/22/2014 11:12:02 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16421 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: d44

Start Time: 01cf5e7325083006

Termination Time: 47

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id:

Error: (04/22/2014 10:38:33 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/22/2014 10:38:33 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/22/2014 10:38:33 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/22/2014 09:58:01 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16421 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: aa4

Start Time: 01cf5e6c8102c94c

Termination Time: 16

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id: c858b063-ca60-11e3-945f-90fba63a199f

Error: (04/22/2014 09:48:05 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/22/2014 09:48:02 PM) (Source: System Restore) (User: )
Description: An unspecified error occurred during System Restore: (Scheduled Checkpoint). Additional information: 0x80070005.

Error: (04/22/2014 09:34:12 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/22/2014 09:34:12 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195" could not be found.
Please use sxstrace.exe for detailed diagnosis.

System errors:
=============
Error: (04/22/2014 09:48:30 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (04/22/2014 09:48:30 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (04/22/2014 09:47:51 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Avgmfx64

Error: (04/22/2014 09:47:35 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (04/22/2014 09:34:46 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (04/22/2014 09:34:46 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (04/22/2014 09:34:24 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Avgmfx64

Error: (04/22/2014 09:33:55 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (04/22/2014 09:33:25 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 21:31:47 on 22/04/2014 was unexpected.

Error: (04/22/2014 05:33:45 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2014-04-02 17:25:53.141
  Description: N/A

  Date: 2014-04-02 17:25:53.063
  Description: N/A

==================== Memory info ===========================

Percentage of memory in use: 51%
Total physical RAM: 2037.18 MB
Available physical RAM: 996.89 MB
Total Pagefile: 4074.36 MB
Available Pagefile: 2630.84 MB
Total Virtual: 8192 MB
Available Virtual: 8191.8 MB

==================== Drives ================================

Drive c: (Windows7) (Fixed) (Total:292.23 GB) (Free:238.24 GB) NTFS
Drive d: (EPSON) (CDROM) (Total:0.27 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 7154A816)
Partition 1: (Active) - (Size=6 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=292 GB) - (Type=07 NTFS)

==================== End Of Log ============================

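
The log above shows the two findings a triager cares about most: 48 `At*` scheduled tasks all pointing at one `.com` file in `C:\windows\Fonts`, and a `volsnap.sys` whose reported MD5 is `D41D8CD98F00B204E9800998ECF8427E`, which is the MD5 of empty input, meaning FRST could not read the driver at all rather than verified it. The script below is an added example of mine, not part of george's post and not FRST code; it parses the `Task:` lines and the Bamital/volsnap block of an FRST log and flags exactly those patterns. The directory and extension lists are heuristics I chose for the example, and the sample log embedded in it is a constructed subset of the lines posted above.

```python
"""Triage heuristics for FRST (Farbar Recovery Scan Tool) text logs.

Added example, not part of the forum post or of FRST: flags scheduled
tasks whose target runs from a directory legitimate tasks do not use,
uses an unusual extension, could not be resolved ("?") or has no
publisher, plus system files whose reported MD5 is the hash of empty
input (FRST could not read the file, so nothing was verified).
"""
import hashlib
import re
from collections import Counter

# Heuristic lists chosen for this example; tune them for your environment.
SUSPICIOUS_DIRS = ("\\windows\\fonts\\", "\\windows\\temp\\",
                   "\\appdata\\local\\temp\\", "\\$recycle.bin\\")
SUSPICIOUS_EXTS = (".com", ".scr", ".pif", ".cpl")

TASK_RE = re.compile(r"^Task:\s+(?P<name>.+?)\s+=>\s+(?P<target>.+?)\s*$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:sys|exe|dll)$", re.IGNORECASE)
MD5_RE = re.compile(r"\s([0-9A-Fa-f]{32})$")
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


def parse_target(target):
    """Split an FRST task target 'path [yyyy-mm-dd] (Company)' into (path, company)."""
    parts = re.split(r"\s+\[\d{4}-\d{2}-\d{2}\]\s*", target, maxsplit=1)
    company = None
    if len(parts) == 2:
        m = re.search(r"\((.*)\)", parts[1])
        company = m.group(1) if m else None
    return parts[0], company


def classify_target(target, guid_form):
    """Return the reasons a task target looks suspicious; [] means nothing flagged."""
    if target == "?":
        return ["FRST could not resolve the task target"]
    path, company = parse_target(target)
    low = path.lower()
    reasons = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("target runs from a directory legitimate tasks do not use")
    if low.endswith(SUSPICIOUS_EXTS):
        reasons.append("unusual executable extension")
    # FRST prints a publisher only in the System32\Tasks (GUID) form, so a
    # missing one is meaningful there but not in the legacy .job listing.
    if guid_form and not company:
        reasons.append("no publisher recorded by FRST")
    return reasons


def triage(log_text):
    """Scan FRST log text: flagged tasks, hit count per target path, unreadable files."""
    flagged, hits, unreadable, pending_path = [], Counter(), [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TASK_RE.match(line)
        if m:
            name, target = m.group("name"), m.group("target")
            reasons = classify_target(target, guid_form=name.startswith("{"))
            if reasons:
                flagged.append((name.split("\\")[-1], target, reasons))
                hits[parse_target(target)[0]] += 1
            continue
        if PATH_RE.match(line):      # a bare path line precedes its hash line
            pending_path = line
            continue
        if pending_path is not None:
            h = MD5_RE.search(line)
            if h and h.group(1).lower() == EMPTY_MD5:
                unreadable.append(pending_path)
            pending_path = None
    return {"flagged": flagged, "hits": hits, "unreadable": unreadable}


# Constructed sample: a subset of the lines from the posted log.
SAMPLE_LOG = r"""
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-06-21 07:45] - [2010-11-20 14:34] - 0295808 ____A () D41D8CD98F00B204E9800998ECF8427E

Task: {19DC2DBA-776E-4671-9C6C-0549627F9B31} - System32\Tasks\At36 => C:\windows\Fonts\kIMtCT.com
Task: {1A435FF3-7E5F-45B8-BB2E-C96210FC8FBA} - System32\Tasks\At48 => C:\windows\Fonts\kIMtCT.com
Task: {4B8539D9-2026-4FB4-865D-62DE3D0C3B65} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\windows\TEMP\{8FE3C13C-7A07-4C79-ADE6-FB295B390217}.exe
Task: {6A1D1347-277D-45EA-8B57-34C90CFC90A2} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-11] (Adobe Systems Incorporated)
Task: {7D6C815D-90BC-4DF9-B910-BA731C1C14E3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-11-08] (Google Inc.)
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\At1.job => ?
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, target, reasons in result["flagged"]:
        print(f"{name}: {target}\n    " + "; ".join(reasons))
    print("targets by hit count:", result["hits"].most_common())
    print("unreadable system files:", result["unreadable"])
```

Run on the sample it flags the two `Fonts\kIMtCT.com` tasks, the unresolved `At1.job`, and the AVG cleanup task that lives in `C:\windows\TEMP`; that last hit is the kind an analyst must confirm by hand, since the heuristic only says the location is wrong for a task target, not that the file is malicious. The hit counter is what makes the pattern obvious on the full log: one target path with 48 tasks behind it.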

Welcome to the forum.

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

MrC

Hi MrC,

Thanks for getting back to me. Here is the RogueKiller report:

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : george [Admin rights]
Mode : Scan -- Date : 04/23/2014 17:47:00
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] awmfqjfk.exe -- C:\Users\george\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\awmfqjfk.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 21 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Urazga (C:\Users\george\AppData\Local\Temp\Cailo\urazga.exe [x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : AwmFqjfk (C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : wyarsp (regsvr32.exe "C:\ProgramData\wyarsp.dat" [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1962686114-1356755012-3113456983-1001\[...]\Run : Urazga (C:\Users\george\AppData\Local\Temp\Cailo\urazga.exe [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1962686114-1356755012-3113456983-1001\[...]\Run : AwmFqjfk (C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1962686114-1356755012-3113456983-1001\[...]\Run : wyarsp (regsvr32.exe "C:\ProgramData\wyarsp.dat" [x]) -> FOUND
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : userinit (C:\Windows\system32\userinit.exe,,C:\Users\george\AppData\Local\kkndiohy\sqfpsoqp.exe,C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [7][x][-]) -> FOUND
[SHELL][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Winlogon : userinit (userinit.exe,,C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [7][-]) -> FOUND
[SERVICE][Root.Necurs] HKLM\[...]\CCSet\[...]\Services : 9fcb65c0fa2c3c7e (C:\windows\system32\9fcb65c0fa2c3c7e.sys [x]) -> FOUND
[SERVICE][Root.Necurs] HKLM\[...]\CS001\[...]\Services : 9fcb65c0fa2c3c7e (C:\windows\system32\9fcb65c0fa2c3c7e.sys [x]) -> FOUND
[SERVICE][Root.Necurs] HKLM\[...]\CS002\[...]\Services : 9fcb65c0fa2c3c7e (C:\windows\system32\9fcb65c0fa2c3c7e.sys [x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SECU][PUM] HKLM\[...]\Wow6432Node\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-1962686114-1356755012-3113456983-1001\$ad763b5b396377e3e4e317939b5470fe\n. [x]) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-18\$ad763b5b396377e3e4e317939b5470fe\n. [x]) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-18\$ad763b5b396377e3e4e317939b5470fe\n. [x]) -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\windows\TEMP\{8FE3C13C-7A07-4C79-ADE6-FB295B390217}.exe - --uninstall=1 [x] -> FOUND
[V2][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv : C:\windows\TEMP\{8FE3C13C-7A07-4C79-ADE6-FB295B390217}.exe - --uninstall=1 [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 1 ¤¤¤
[CHR][PUP] Default : AVG Safe Search

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
[Address] EAT @iexplore.exe (DllCanUnloadNow) : ATL90.DLL -> HOOKED (C:\windows\SysWOW64\msfeeds.dll @ 0x72A279D7)
[Address] EAT @iexplore.exe (DllGetClassObject) : ATL90.DLL -> HOOKED (C:\windows\SysWOW64\msfeeds.dll @ 0x72A27AD8)
[Address] EAT @iexplore.exe (MsfeedsCreateInstance) : ATL90.DLL -> HOOKED (C:\windows\SysWOW64\msfeeds.dll @ 0x72A050C7)
[Address] EAT @iexplore.exe (DllCanUnloadNow) : ATL90.DLL -> HOOKED (C:\windows\SysWOW64\msfeeds.dll @ 0x72A279D7)
[Address] EAT @iexplore.exe (DllGetClassObject) : ATL90.DLL -> HOOKED (C:\windows\SysWOW64\msfeeds.dll @ 0x72A27AD8)
[Address] EAT @iexplore.exe (MsfeedsCreateInstance) : ATL90.DLL -> HOOKED (C:\windows\SysWOW64\msfeeds.dll @ 0x72A050C7)
[Address] EAT @iexplore.exe (DirectInput8Create) : jsprofilercore.dll -> HOOKED (C:\windows\SysWOW64\DINPUT8.dll @ 0x70C9CC8E)
[Address] EAT @iexplore.exe (DllCanUnloadNow) : jsprofilercore.dll -> HOOKED (C:\windows\SysWOW64\DINPUT8.dll @ 0x70C9C945)
[Address] EAT @iexplore.exe (DllGetClassObject) : jsprofilercore.dll -> HOOKED (C:\windows\SysWOW64\DINPUT8.dll @ 0x70C9C8D3)
[Address] EAT @iexplore.exe (DllRegisterServer) : jsprofilercore.dll -> HOOKED (C:\windows\SysWOW64\DINPUT8.dll @ 0x70CA9F76)
[Address] EAT @iexplore.exe (DllUnregisterServer) : jsprofilercore.dll -> HOOKED (C:\windows\SysWOW64\DINPUT8.dll @ 0x70CA9F98)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Root.Necurs|ZeroAccess|PUP ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721032CLA362 ATA Device +++++
--- User ---
[MBR] 8d1a0beebb8c0788d55fb1d4e1f11c77
[BSP] 4d9f22ec6f90bdfdc14f9f964362bec6 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 6000 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 12290048 | Size: 299241 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_04232014_174700.txt >>

Prior to seeing your message, I had also run a free virus scan at Eset, which found 47 entries. I hope this won't interfere with your help. Here is the Eset log:

C:\Documents and Settings\All Users\Application Data\wyarsp.dat a variant of Win32/Kryptik.CAEB trojan 
C:\Documents and Settings\george\AppData\Local\Application Data\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan 
C:\Documents and Settings\george\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan 
C:\Documents and Settings\george\AppData\Local\Temp\hhbkrhikdhrrqqulamy.bfg a variant of Win32/Caphaw.P.Gen trojan 
C:\Documents and Settings\george\AppData\Local\Temp\jar_cache18133545422214735.tmp a variant of Win32/Caphaw.P.Gen trojan 
C:\Documents and Settings\george\AppData\Local\Temp\jar_cache3800393629266448087.tmp a variant of Win32/Kryptik.BFHV trojan 
C:\Documents and Settings\george\AppData\Local\Temp\wkqqcjgicqubwqhfdnh.bfg a variant of Win32/Kryptik.BFHV trojan 
C:\Documents and Settings\george\AppData\Local\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan 
C:\Documents and Settings\george\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan 
C:\Documents and Settings\george\Local Settings\Temp\hhbkrhikdhrrqqulamy.bfg a variant of Win32/Caphaw.P.Gen trojan 
C:\Documents and Settings\george\Local Settings\Temp\jar_cache18133545422214735.tmp a variant of Win32/Caphaw.P.Gen trojan 
C:\Documents and Settings\george\Local Settings\Temp\jar_cache3800393629266448087.tmp a variant of Win32/Kryptik.BFHV trojan 
C:\Documents and Settings\george\Local Settings\Temp\wkqqcjgicqubwqhfdnh.bfg a variant of Win32/Kryptik.BFHV trojan 
C:\Documents and Settings\george\Local Settings\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan 
C:\Users\All Users\wyarsp.dat a variant of Win32/Kryptik.CAEB trojan 
C:\Users\All Users\Application Data\wyarsp.dat a variant of Win32/Kryptik.CAEB trojan 
C:\Users\george\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan 
C:\Users\george\AppData\Local\Temp\hhbkrhikdhrrqqulamy.bfg a variant of Win32/Caphaw.P.Gen trojan 
C:\Users\george\AppData\Local\Temp\jar_cache18133545422214735.tmp a variant of Win32/Caphaw.P.Gen trojan 
C:\Users\george\AppData\Local\Temp\jar_cache3800393629266448087.tmp a variant of Win32/Kryptik.BFHV trojan 
C:\Users\george\AppData\Local\Temp\wkqqcjgicqubwqhfdnh.bfg a variant of Win32/Kryptik.BFHV trojan 
C:\Users\george\AppData\Local\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan 
C:\Users\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\3d59a78a-19118218 Java/Exploit.Agent.PRO trojan 
C:\Users\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\486dbed3-30f16ef8 Java/Exploit.Agent.PRO trojan 
C:\Users\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\750ceeb7-162ae04e Java/Exploit.Agent.NTD trojan 
C:\Users\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\63e5c2c6-771104b5 Java/Exploit.Agent.PRO trojan 
C:\Users\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\d4ecf7e-105095f8 Java/Exploit.Agent.NTD trojan 
C:\Users\george\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan 
C:\Users\george\Local Settings\Temp\hhbkrhikdhrrqqulamy.bfg a variant of Win32/Caphaw.P.Gen trojan 
C:\Users\george\Local Settings\Temp\jar_cache18133545422214735.tmp a variant of Win32/Caphaw.P.Gen trojan 
C:\Users\george\Local Settings\Temp\jar_cache3800393629266448087.tmp a variant of Win32/Kryptik.BFHV trojan 
C:\Users\george\Local Settings\Temp\wkqqcjgicqubwqhfdnh.bfg a variant of Win32/Kryptik.BFHV trojan 
C:\Users\george\Local Settings\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan 
C:\Documents and Settings\All Users\wyarsp.dat a variant of Win32/Kryptik.CAEB trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\YL0YAPCI\zq0agio0kc[1].htm JS/Exploit.Agent.NFT trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\Local\Application Data\Temp\hhbkrhikdhrrqqulamy.bfg a variant of Win32/Caphaw.P.Gen trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\Local\Application Data\Temp\jar_cache18133545422214735.tmp a variant of Win32/Caphaw.P.Gen trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\Local\Application Data\Temp\jar_cache3800393629266448087.tmp a variant of Win32/Kryptik.BFHV trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\Local\Application Data\Temp\wkqqcjgicqubwqhfdnh.bfg a variant of Win32/Kryptik.BFHV trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\3d59a78a-19118218 Java/Exploit.Agent.PRO trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\486dbed3-30f16ef8 Java/Exploit.Agent.PRO trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\750ceeb7-162ae04e Java/Exploit.Agent.NTD trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\63e5c2c6-771104b5 Java/Exploit.Agent.PRO trojan cleaned by deleting - quarantined
C:\Documents and Settings\george\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\d4ecf7e-105095f8 Java/Exploit.Agent.NTD trojan cleaned by deleting - quarantined
C:\ProgramData\wyarsp.dat a variant of Win32/Kryptik.CAEB trojan cleaned by deleting - quarantined
Operating memory Win32/Ramnit.BK virus 

I am unable to create a system restore point; a message saying the "shadow copy provider" had an error appears. I will not do any more virus scans or removals unless prompted.

Thanks again,

Tom.


You're badly infected..lets see what we can do.

If you can't create a restore point, you should be able to create a registry backup:
Download Delfix from Here and save it to your desktop.

  • Place a check mark in front of Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Do what you can here:

    Run RogueKiller again and click Scan
    When the scan completes > click on the Registry tab
    Put a check next to all of these and uncheck the rest: (if found)

    [RUN][SUSP PATH] HKCU\[...]\Run : Urazga (C:\Users\george\AppData\Local\Temp\Cailo\urazga.exe [x]) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : AwmFqjfk (C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [-]) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : wyarsp (regsvr32.exe "C:\ProgramData\wyarsp.dat" [x]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1962686114-1356755012-3113456983-1001\[...]\Run : Urazga (C:\Users\george\AppData\Local\Temp\Cailo\urazga.exe [x]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1962686114-1356755012-3113456983-1001\[...]\Run : AwmFqjfk (C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [-]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1962686114-1356755012-3113456983-1001\[...]\Run : wyarsp (regsvr32.exe "C:\ProgramData\wyarsp.dat" [x]) -> FOUND
    [SHELL][SUSP PATH] HKLM\[...]\Winlogon : userinit (C:\Windows\system32\userinit.exe,,C:\Users\george\AppData\Local\kkndiohy\sqfpsoqp.exe,C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [7][x][-]) -> FOUND
    [SHELL][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Winlogon : userinit (userinit.exe,,C:\Users\george\AppData\Local\rtusgjvt\awmfqjfk.exe [7][-]) -> FOUND
    [SERVICE][Root.Necurs] HKLM\[...]\CCSet\[...]\Services : 9fcb65c0fa2c3c7e (C:\windows\system32\9fcb65c0fa2c3c7e.sys [x]) -> FOUND
    [SERVICE][Root.Necurs] HKLM\[...]\CS001\[...]\Services : 9fcb65c0fa2c3c7e (C:\windows\system32\9fcb65c0fa2c3c7e.sys [x]) -> FOUND
    [SERVICE][Root.Necurs] HKLM\[...]\CS002\[...]\Services : 9fcb65c0fa2c3c7e (C:\windows\system32\9fcb65c0fa2c3c7e.sys [x]) -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-1962686114-1356755012-3113456983-1001\$ad763b5b396377e3e4e317939b5470fe\n. [x]) -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$ad763b5b396377e3e4e317939b5470fe\n. [x]) -> FOUND
    [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$ad763b5b396377e3e4e317939b5470fe\n. [x]) -> FOUND

    Now click Delete on the right hand column under Options

    -------------

    Next click on the Processes tab and put a check next to these and uncheck the rest. (if found)

    [SUSP PATH] awmfqjfk.exe -- C:\Users\george\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\awmfqjfk.exe [-] -> KILLED [TermProc]

    Now click Delete on the right hand column under Options

    ~~~~~~~~~~~~~~~~~~~~~~

    Enable hidden files:
    http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

    Delete these files/folders if found:
    C:\Users\george\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\awmfqjfk.exe
    C:\Users\george\AppData\Local\Temp\Cailo
    C:\Users\george\AppData\Local\rtusgjvt
    C:\ProgramData\wyarsp.dat
    C:\Users\george\AppData\Local\kkndiohy

    ~~~~~~~~~~~~~~~~~~~~~~~~~

    Next...run TDSSKiller:

    Please read the directions carefully so you don't end up deleting something that is good!!

    If in doubt about an entry....please ask or choose Skip!!!!

    Don't Delete anything unless instructed to!

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If a suspicious object is detected, the default action will be Skip, click on Continue

    Please note that TDSSKiller can be run in safe mode if needed.

    Please download the latest version of TDSSKiller from HERE and save it to your Desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)
    • Put a checkmark beside loaded modules.
    • A reboot will be needed to apply the changes. Do it.
    • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
    • Then click on Change parameters in TDSSKiller.
    • Check all boxes then click OK.
    • Click the Start Scan button.
    • The scan should take no longer than 2 minutes.
    • If a suspicious object is detected, the default action will be Skip, click on Continue.

      Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

      If in doubt about an entry....please ask or choose Skip
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

      Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
    • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
    • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    Here's a summary of what to do if you would like to print it out:

    If in doubt about an entry....please ask or choose Skip

    Don't Delete anything unless instructed to!

    If a suspicious object is detected, the default action will be Skip, click on Continue

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    ~~~~~~~~~~~~~~~~~~~~

    You can attach the logs if they're too long: use the attachment option at the bottom right corner of this page, then the new window that comes up.


    MrC
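As an added example (not part of this thread, and not code from RogueKiller, FRST or any other tool named here), the PowerShell audit below re-checks the persistence points the RogueKiller report above surfaced: the Run values pointing into AppData, ProgramData and Temp, the Winlogon Userinit hijack, the zeroed UAC policy values, the ZeroAccess CLSID InprocServer32 entries under $Recycle.Bin, the random-named driver service and the per-user Startup folder. It assumes a Windows 7 x64 layout and a PowerShell prompt started as administrator; the path patterns and the 16-hex-character service-name rule are heuristics chosen for this case, not vendor detection logic. It only reports; it deletes nothing.

```powershell
# Added example, not from the thread or from RogueKiller/FRST: audit of the persistence
# points flagged above, so the result can be rechecked after cleanup. Run in an elevated
# PowerShell prompt on the affected host (Windows 7 x64 layout assumed; PS 2.0 compatible).
# The path patterns and the 16-hex service-name rule are heuristics for this case.

$findings = @()

# 1. Run keys. Values whose image lives under AppData, ProgramData or a Temp folder, or that
#    load a non-DLL through regsvr32 (wyarsp.dat above), are out of place for a normal program.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip the provider's own PS* properties
        $cmd = [string]$p.Value
        if ($cmd -match '\\AppData\\|\\ProgramData\\|\\Temp\\' -or
            $cmd -match 'regsvr32.*\.(dat|tmp)') {
            $findings += "[RUN] $key : $($p.Name) = $cmd"
        }
    }
}

# 2. Winlogon Userinit. Clean values are "<SystemRoot>\system32\userinit.exe," (native hive)
#    and "userinit.exe," (Wow6432Node). Every extra comma-separated path runs at each logon,
#    which is how sqfpsoqp.exe and awmfqjfk.exe were started above.
$sys32 = [regex]::Escape("$env:SystemRoot\system32\")
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($wl in $winlogon) {
    $userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if (-not $userinit) { continue }
    $entries = @($userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -ne 1 -or $entries[0] -notmatch "^($sys32)?userinit\.exe$") {
        $findings += "[USERINIT] $wl : $userinit"
    }
}

# 3. UAC policy. EnableLUA=0 with ConsentPromptBehaviorAdmin=0 means every process the
#    administrator runs is already elevated, so a dropper can write to system32 and register
#    a driver service without any prompt.
$pol = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol.EnableLUA -eq 0) { $findings += '[UAC] EnableLUA = 0 (UAC disabled); set it to 1 and reboot' }
if ($pol.ConsentPromptBehaviorAdmin -eq 0) { $findings += '[UAC] ConsentPromptBehaviorAdmin = 0 (elevate silently)' }

# 4. COM hijack. ZeroAccess points a CLSID's InprocServer32 at a file inside $Recycle.Bin; no
#    legitimate COM server is registered from there, so any match is a hit. HKCR is the merged
#    view of HKLM\Software\Classes and HKCU\Software\Classes, so both are walked here.
$classRoots = 'HKLM:\Software\Classes\CLSID',
              'HKLM:\Software\Classes\Wow6432Node\CLSID',
              'HKCU:\Software\Classes\CLSID'
foreach ($root in $classRoots) {
    foreach ($clsid in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $server = (Get-ItemProperty -Path "$($clsid.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($server -and $server -match '\$Recycle\.Bin') {
            $findings += "[COM] $($clsid.PSChildName) InprocServer32 -> $server"
        }
    }
}

# 5. Driver services. The Necurs driver above was registered under a random 16-hex-character
#    service name with its image in system32; flag any service of that shape (heuristic).
foreach ($svc in (Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services')) {
    if ($svc.PSChildName -match '^[0-9a-f]{16}$') {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $findings += "[SERVICE] $($svc.PSChildName) -> $img"
    }
}

# 6. Per-user Startup folder, where a second copy of awmfqjfk.exe was dropped.
$startup = [Environment]::GetFolderPath('Startup')
foreach ($f in (Get-ChildItem -Path $startup -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })) {
    $findings += "[STARTUP] $($f.FullName)"
}

if ($findings.Count -eq 0) { 'No findings at the audited persistence points.' } else { $findings }
```

Run it once before and once after the deletions listed above; a clean pass prints the single no-findings line. One caveat: a loaded kernel-mode rootkit such as the Necurs driver flagged here can hide its own keys and files from user-mode tools, so an empty result from this script (or from any user-mode scan) is not proof the machine is clean, which is why the helper follows up with TDSSKiller and, ultimately, recommends a reformat.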


Hi MrC,
 
Registry backup now done.
 
Current RogueKiller report:
 
RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
 mail : http://www.adlice.com/contact/
 Feedback : http://forum.adlice.com
 Website : http://www.adlice.co...es/roguekiller/
 Blog : http://www.adlice.com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
 Started in : Normal mode
 User : george [Admin rights]
 Mode : Scan -- Date : 04/23/2014 23:56:22
 | ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 9 ¤¤¤
 [RUN][SUSP PATH] HKCU\[...]\Run : wyarsp (regsvr32.exe "C:\ProgramData\wyarsp.dat" [x]) -> FOUND
 [RUN][SUSP PATH] HKUS\S-1-5-21-1962686114-1356755012-3113456983-1001\[...]\Run : wyarsp (regsvr32.exe "C:\ProgramData\wyarsp.dat" [x]) -> FOUND
 [HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
 [HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
 [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
 [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
 [HJ SECU][PUM] HKLM\[...]\Wow6432Node\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
 [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
 [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 2 ¤¤¤
 [V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\windows\TEMP\{8FE3C13C-7A07-4C79-ADE6-FB295B390217}.exe - --uninstall=1 [x] -> FOUND
 [V2][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv : C:\windows\TEMP\{8FE3C13C-7A07-4C79-ADE6-FB295B390217}.exe - --uninstall=1 [x] -> FOUND
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 1 ¤¤¤
 [CHR][PUP] Default : AVG Safe Search
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 [Address] EAT @iexplore.exe (BeginBufferedAnimation) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380DF38)
 [Address] EAT @iexplore.exe (BeginBufferedPaint) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380B741)
 [Address] EAT @iexplore.exe (BeginPanningFeedback) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738276AF)
 [Address] EAT @iexplore.exe (BufferedPaintClear) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380BBDB)
 [Address] EAT @iexplore.exe (BufferedPaintInit) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380B8D4)
 [Address] EAT @iexplore.exe (BufferedPaintRenderAnimation) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380DE83)
 [Address] EAT @iexplore.exe (BufferedPaintSetAlpha) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382CE19)
 [Address] EAT @iexplore.exe (BufferedPaintStopAllAnimations) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380E428)
 [Address] EAT @iexplore.exe (BufferedPaintUnInit) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73817525)
 [Address] EAT @iexplore.exe (CloseThemeData) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73801FA1)
 [Address] EAT @iexplore.exe (DrawThemeBackground) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380D464)
 [Address] EAT @iexplore.exe (DrawThemeBackgroundEx) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7381436D)
 [Address] EAT @iexplore.exe (DrawThemeEdge) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382C01C)
 [Address] EAT @iexplore.exe (DrawThemeIcon) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382D123)
 [Address] EAT @iexplore.exe (DrawThemeParentBackground) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380E776)
 [Address] EAT @iexplore.exe (DrawThemeParentBackgroundEx) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380E5C5)
 [Address] EAT @iexplore.exe (DrawThemeText) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380DB21)
 [Address] EAT @iexplore.exe (DrawThemeTextEx) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380A70C)
 [Address] EAT @iexplore.exe (EnableThemeDialogTexture) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7381786D)
 [Address] EAT @iexplore.exe (EnableTheming) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382C9FF)
 [Address] EAT @iexplore.exe (EndBufferedAnimation) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380ACE8)
 [Address] EAT @iexplore.exe (EndBufferedPaint) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380ACE8)
 [Address] EAT @iexplore.exe (EndPanningFeedback) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382762C)
 [Address] EAT @iexplore.exe (GetBufferedPaintBits) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380CF26)
 [Address] EAT @iexplore.exe (GetBufferedPaintDC) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382CDCF)
 [Address] EAT @iexplore.exe (GetBufferedPaintTargetDC) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382CD86)
 [Address] EAT @iexplore.exe (GetBufferedPaintTargetRect) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382C893)
 [Address] EAT @iexplore.exe (GetCurrentThemeName) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738163AE)
 [Address] EAT @iexplore.exe (GetThemeAppProperties) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380EBD6)
 [Address] EAT @iexplore.exe (GetThemeBackgroundContentRect) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380DA9E)
 [Address] EAT @iexplore.exe (GetThemeBackgroundExtent) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73817155)
 [Address] EAT @iexplore.exe (GetThemeBackgroundRegion) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73810190)
 [Address] EAT @iexplore.exe (GetThemeBitmap) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73804B9C)
 [Address] EAT @iexplore.exe (GetThemeBool) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73806651)
 [Address] EAT @iexplore.exe (GetThemeColor) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738027C0)
 [Address] EAT @iexplore.exe (GetThemeDocumentationProperty) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382C346)
 [Address] EAT @iexplore.exe (GetThemeEnumValue) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738027C0)
 [Address] EAT @iexplore.exe (GetThemeFilename) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382B997)
 [Address] EAT @iexplore.exe (GetThemeFont) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738176A2)
 [Address] EAT @iexplore.exe (GetThemeInt) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738027C0)
 [Address] EAT @iexplore.exe (GetThemeIntList) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382B86E)
 [Address] EAT @iexplore.exe (GetThemeMargins) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73802F97)
 [Address] EAT @iexplore.exe (GetThemeMetric) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738155B4)
 [Address] EAT @iexplore.exe (GetThemePartSize) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380289F)
 [Address] EAT @iexplore.exe (GetThemePosition) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382B80D)
 [Address] EAT @iexplore.exe (GetThemePropertyOrigin) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73810923)
 [Address] EAT @iexplore.exe (GetThemeRect) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382B936)
 [Address] EAT @iexplore.exe (GetThemeStream) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382B8CF)
 [Address] EAT @iexplore.exe (GetThemeString) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382B7A1)
 [Address] EAT @iexplore.exe (GetThemeSysBool) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382CB86)
 [Address] EAT @iexplore.exe (GetThemeSysColor) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73815530)
 [Address] EAT @iexplore.exe (GetThemeSysColorBrush) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382CA32)
 [Address] EAT @iexplore.exe (GetThemeSysFont) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382C3D8)
 [Address] EAT @iexplore.exe (GetThemeSysInt) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382C5E7)
 [Address] EAT @iexplore.exe (GetThemeSysSize) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382CC61)
 [Address] EAT @iexplore.exe (GetThemeSysString) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382C553)
 [Address] EAT @iexplore.exe (GetThemeTextExtent) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738089FE)
 [Address] EAT @iexplore.exe (GetThemeTextMetrics) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7381778C)
 [Address] EAT @iexplore.exe (GetThemeTransitionDuration) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380E1A1)
 [Address] EAT @iexplore.exe (GetWindowTheme) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7381535B)
 [Address] EAT @iexplore.exe (HitTestThemeBackground) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73812DC1)
 [Address] EAT @iexplore.exe (IsAppThemed) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73817009)
 [Address] EAT @iexplore.exe (IsCompositionActive) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738065DF)
 [Address] EAT @iexplore.exe (IsThemeActive) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73816F36)
 [Address] EAT @iexplore.exe (IsThemeBackgroundPartiallyTransparent) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7380281C)
 [Address] EAT @iexplore.exe (IsThemeDialogTextureEnabled) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382CB3F)
 [Address] EAT @iexplore.exe (IsThemePartDefined) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738030CF)
 [Address] EAT @iexplore.exe (OpenThemeData) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73805F29)
 [Address] EAT @iexplore.exe (OpenThemeDataEx) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738106FE)
 [Address] EAT @iexplore.exe (SetThemeAppProperties) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x7382CCEC)
 [Address] EAT @iexplore.exe (SetWindowTheme) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73817AFC)
 [Address] EAT @iexplore.exe (SetWindowThemeAttribute) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73809E39)
 [Address] EAT @iexplore.exe (ThemeInitApiHook) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x73804571)
 [Address] EAT @iexplore.exe (UpdatePanningFeedback) : netutils.dll -> HOOKED (C:\windows\SysWOW64\uxtheme.dll @ 0x738275ED)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection : PUP ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
 --> %SystemRoot%\System32\drivers\etc\hosts
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721032CLA362 ATA Device +++++
 --- User ---
 [MBR] 8d1a0beebb8c0788d55fb1d4e1f11c77
 [BSP] 4d9f22ec6f90bdfdc14f9f964362bec6 : Windows 7/8 MBR Code
 Partition table:
 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 6000 MB
 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 12290048 | Size: 299241 MB
 User = LL1 ... OK!
 User = LL2 ... OK!
 
Finished : << RKreport[0]_S_04232014_235622.txt >>
 RKreport[0]_D_04232014_193832.txt;RKreport[0]_D_04232014_200101.txt;RKreport[0]_S_04232014_193306.txt
 RKreport[0]_S_04232014_195922.txt;RKreport[0]_S_04232014_200214.txt

Have deleted the 5 hidden files that you mentioned. 
 
Regarding TDSSKiller, I have run the program twice and will attach the two logs.


They should have been created as .txt files; have you looked in C:\?

 

To attach a log:

Bottom right corner of this page.


New window that comes up.


----------------------------

 

Run ComboFix next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":


Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix would not run in normal Windows mode as it kept freezing halfway through the installation, so I had to boot into safe mode to run it. A message about AVG needing to be disabled appeared which I could not do in safe mode. In the end I uninstalled AVG before running ComboFix. Should I reinstall AVG or is there a more preferable virus scanner that I should use? I'll post the log for ComboFix below and attach the six logs from TDSSKiller.

 

ComboFix log:

ComboFix 14-04-20.01 - george 24/04/2014  10:04:55.1.2 - x64 MINIMAL
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.2037.1496 [GMT 1:00]
Running from: c:\users\george\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\2A621000sm.pad
c:\programdata\4188B500sm.pad
c:\programdata\windows
c:\programdata\wyarsp.dat
c:\users\george\AppData\Local\bdhvhgpt.log
c:\users\george\AppData\Local\dvbstftw.log
c:\users\george\AppData\Local\hktiyoqu.log
c:\users\george\AppData\Local\MLICNAI.DLL
c:\users\george\AppData\Local\pwuhakrg.log
c:\users\george\AppData\Local\ttepsjux.log
c:\users\george\AppData\Local\unyvhksj.log
c:\users\george\AppData\Local\vkolfrsa.log
c:\users\george\AppData\Roaming\Microsoft\Windows\.data
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-24 to 2014-04-24  )))))))))))))))))))))))))))))))
.
.
2014-04-24 09:11 . 2014-04-24 09:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-24 09:02 . 2014-04-24 09:02 -------- d-----w- c:\users\george\AppData\Roaming\TuneUp Software
2014-04-23 19:09 . 2014-04-23 22:49 -------- d-----w- C:\TDSSKiller_Quarantine
2014-04-23 18:30 . 2014-04-23 18:30 -------- d-----w- c:\windows\ERUNT
2014-04-23 14:06 . 2014-04-23 14:06 -------- d-----w- c:\program files (x86)\ESET
2014-04-22 22:15 . 2014-04-22 22:17 -------- d-----w- C:\FRST
2014-04-12 16:36 . 2012-06-05 07:37 256904 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2014-04-12 16:29 . 2014-04-12 16:29 -------- d-----w- c:\users\george\AppData\Roaming\QuickScan
2014-04-08 21:11 . 2014-04-22 20:45 -------- d-----w- c:\users\george\AppData\Local\rtusgjvt
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-21 16:47 . 2012-08-30 19:00 49952 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2014-03-11 19:26 . 2012-11-08 07:48 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-03-11 19:26 . 2011-10-20 21:40 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-12 22:18 . 2013-07-12 22:18 4188160 ----a-w- c:\program files (x86)\GUT74C4.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2011-10-31 1058400]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=MC0w&prod=90&ver=10.0.1432" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
.
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc64.exe;c:\windows\SYSNATIVE\EscSvc64.exe [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
R3 ioatdma1;ioatdma1;c:\windows\System32\Drivers\qd162x64.sys;c:\windows\SYSNATIVE\Drivers\qd162x64.sys [x]
R3 ioatdma2;Intel® QuickData Technology device ver.2;c:\windows\System32\Drivers\qd262x64.sys;c:\windows\SYSNATIVE\Drivers\qd262x64.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 ioatdma;Intel® QuickData Technology device;c:\windows\System32\Drivers\ioatdma.sys;c:\windows\SYSNATIVE\Drivers\ioatdma.sys [x]
S4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys;c:\windows\SYSNATIVE\DRIVERS\AVGIDSEH.Sys [x]
S4 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-08 19:26]
.
2014-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-08 07:49]
.
2014-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-08 07:49]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-02 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-02 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-02 363544]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-22 10081312]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: garmin.com\my
TCP: DhcpNameServer = 192.168.1.1

.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKCU-Run-wyarsp - c:\programdata\wyarsp.dat
Notify-mlicnai - c:\users\george\AppData\Local\mlicnai.dll
SafeBoot-04958153.sys
SafeBoot-60744195.sys
SafeBoot-82509609.sys
SafeBoot-BsScanner
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.12"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-04-24  10:14:21
ComboFix-quarantined-files.txt  2014-04-24 09:14
.
Pre-Run: 253,933,203,456 bytes free
Post-Run: 259,413,082,112 bytes free
.
- - End Of File - - 1760E0644BEB84D072D39A85D8A8F23D
A36C5E4F47E84449FF07ED3517B43A31

TDSSKiller.3.0.0.32_23.04.2014_20.03.02_log.txt

TDSSKiller.3.0.0.32_23.04.2014_20.03.23_log.txt

TDSSKiller.3.0.0.32_23.04.2014_20.05.32_log.txt

TDSSKiller.3.0.0.32_23.04.2014_20.10.19_log.txt

TDSSKiller.3.0.0.32_23.04.2014_20.11.19_log.txt

TDSSKiller.3.0.0.32_23.04.2014_23.52.02_log.txt


Looks much better.

Delete this folder and file:
c:\users\george\AppData\Local\rtusgjvt
c:\program files (x86)\GUT74C4.tmp


Then..........

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.
(use correct version for your system.....Which system am I using?)
FRST <----for 32 bit systems
FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked) <-------------
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

MrC


Before we go on:

Did you set these Group Policies:
 

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\ESET <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION

 



and do you have any idea what these tasks are from:

 

Task: {19DC2DBA-776E-4671-9C6C-0549627F9B31} - System32\Tasks\At36 => C:\windows\Fonts\kIMtCT.com
Task: {1A435FF3-7E5F-45B8-BB2E-C96210FC8FBA} - System32\Tasks\At48 => C:\windows\Fonts\kIMtCT.com
Task: {1B27B483-209D-472D-BE1F-1AA16CB47F86} - System32\Tasks\At15 => C:\windows\Fonts\kIMtCT.com

 



MrC

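Both findings in that post, the "HKLM Group Policy restriction on software" lines and the At* tasks pointing into C:\windows\Fonts, can be checked directly on a live Windows 7 host. The script below is an added example written for this thread; it is not from FRST, RogueKiller or any other tool named here. The list of security-product folder names and the list of "unusual" task folders are illustrative assumptions, and every hit is a candidate for review rather than a verdict.

```powershell
# Added example: not part of the thread, not FRST code. Checks a live
# Windows 7 host for the two kinds of finding quoted in the post above.
# Assumes PowerShell 2.0 or later and an elevated prompt.

# Folder-name fragments of security products. Illustrative list (assumption).
$SecurityToolNames = @('Malwarebytes', 'AVG', 'ESET', 'McAfee', 'Kaspersky',
                       'Symantec', 'Avast', 'Sophos', 'Windows Defender')

# Folders from which a legitimate scheduled task should not run an
# executable. Heuristic (assumption); hits are candidates for review.
$UnusualTaskFolders = @('\Windows\Fonts\', '\ProgramData\', '\AppData\',
                        '\Temp\', '\Users\Public\', '\Recycler\')

function Get-DisallowedSrpPathRules {
    # Software Restriction Policy path rules live under CodeIdentifiers\<level>\Paths;
    # level 0 is "Disallowed". Each rule subkey stores the path pattern in ItemData.
    # These are what FRST reports as "HKLM Group Policy restriction on software".
    $roots = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths',
               'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths')
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($rule in Get-ChildItem -LiteralPath $root) {
            $blocked = (Get-ItemProperty -LiteralPath $rule.PSPath).ItemData
            if (-not $blocked) { continue }
            $targetsTool = $false
            foreach ($name in $SecurityToolNames) {
                if ($blocked -like "*$name*") { $targetsTool = $true; break }
            }
            New-Object PSObject -Property @{
                RuleKey             = $rule.Name
                BlockedPath         = $blocked
                TargetsSecurityTool = $targetsTool
            }
        }
    }
}

function Get-UnusualTaskActions {
    # schtasks.exe exists on Windows 7 (Get-ScheduledTask does not).
    # The verbose CSV output repeats its header row for every task folder,
    # so rows whose TaskName is literally "TaskName" are header repeats.
    $rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' }
    foreach ($row in $rows) {
        $action = $row.'Task To Run'
        if (-not $action -or $action -eq 'N/A') { continue }
        foreach ($folder in $UnusualTaskFolders) {
            if ($action -like "*$folder*") {
                New-Object PSObject -Property @{
                    TaskName = $row.TaskName
                    Action   = $action
                    Reason   = "executable under $folder"
                }
                break
            }
        }
    }
}

# Usage from an elevated prompt after dot-sourcing this file:
#   Get-DisallowedSrpPathRules | Where-Object { $_.TargetsSecurityTool } | Format-Table -AutoSize
#   Get-UnusualTaskActions | Format-Table -AutoSize
# A "Disallowed" rule on C:\Program Files (x86)\AVG, or a task named At36
# running C:\windows\Fonts\kIMtCT.com, would both be listed.
```

A Software Restriction Policy rule that blocks an anti-virus or anti-malware folder is not something a normal installation creates, so any rule flagged as targeting a security tool should be treated as a leftover of the infection and removed after the scanners are done; the task check simply gives you the same "what is this task from" question MrC asked, answered from the host itself.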

Most likely they were put there by the malware, we'll get rid of them along with a lot of other items:

Download the attached fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then..............

Clean out temp files:

Download TFC from here and save it to your desktop.

http://oldtimer.geekstogo.com/TFC.exe

http://www.bleepingcomputer.com/download/tfc/dl/92/

Close any open programs and Internet browsers.

Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.

Please be patient as clearing out temp files may take a while.

Once it completes you may be prompted to restart your computer, please do so.

Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

Next:

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Last.........

Please run a Quick Scan with Malwarebytes like this: (Ver: 1.75)

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

If you're using Malwarebytes 2.0, please run a Threat Scan

Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine All that's found

Last......

Run a new scan with RogueKiller and post the new log.

MrC


Temp files cleaned. Logs for AdwCleaner, Malwarebytes and RogueKiller below. Did not remove any files found by AdwCleaner yet, as I thought it would be best to post the log first before doing so.

 

AdwCleaner log:
# AdwCleaner v3.202 - Report created 25/04/2014 at 00:41:29
# Updated 23/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : george - GEORGE-PC
# Running from : C:\Users\george\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found C:\Program Files (x86)\AVG Secure Search
Folder Found C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Found C:\ProgramData\AVG Secure Search
Folder Found C:\ProgramData\AVG Security Toolbar
Folder Found C:\Users\george\AppData\LocalLow\AVG Security Toolbar

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\AVG Security Toolbar
Key Found : HKCU\Software\AVG Secure Search
Key Found : HKCU\Software\AVG Security Toolbar
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\AVG Secure Search
Key Found : [x64] HKCU\Software\AVG Security Toolbar
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16421

-\\ Google Chrome v

[ File : C:\Users\george\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found [Extension] : jmfkcklnlgedgbglfkkgedjfmejoahla
Found [Extension] : ndibdjnfmopecpmkdieinmbadjfpblof

*************************

AdwCleaner[R0].txt - [3054 octets] - [25/04/2014 00:41:29]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3114 octets] ##########

 

----------------

MalwarebytesLog:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.04.24.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
george :: GEORGE-PC [administrator]

25/04/2014 00:46:49
mbam-log-2014-04-25 (00-46-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 234370
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

------------

 

RogueKiller report:
RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : george [Admin rights]
Mode : Scan -- Date : 04/25/2014 00:54:10
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721032CLA362 ATA Device +++++
--- User ---
[MBR] 8d1a0beebb8c0788d55fb1d4e1f11c77
[BSP] 4d9f22ec6f90bdfdc14f9f964362bec6 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 6000 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 12290048 | Size: 299241 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_04252014_005410.txt >>
RKreport[0]_D_04232014_193832.txt;RKreport[0]_D_04232014_200101.txt;RKreport[0]_S_04232014_193306.txt
RKreport[0]_S_04232014_195922.txt;RKreport[0]_S_04232014_200214.txt;RKreport[0]_S_04232014_235622.txt

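The [HJ POL][PUM] lines in that RogueKiller report, and the same values in the "Reg Loading Points" section of the ComboFix log earlier in the thread (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all set to 0, UpdatesDisableNotify set to 1), are policy values the infection changed so that nothing would prompt or warn the user. The script below is an added example, not code from the thread or from RogueKiller or ComboFix: it reads those values on a live host, compares them with the Windows 7 defaults, and can write the defaults back. The value table and the extra Wow6432Node key it inspects are assumptions about what those scanners look at.

```powershell
# Added example: not part of the thread, not RogueKiller or ComboFix code.
# Reads the policy values both scanners flagged as [PUM] and compares them
# with the Windows 7 defaults; Repair-PolicyDefaults writes the defaults back.
# Assumes PowerShell 2.0 or later on Windows 7 and an elevated prompt.

$SystemPolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    # RogueKiller reports a Wow6432Node copy separately; if the key does not
    # exist on a given host it is simply skipped.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Value name, Windows 7 default, and what the wrong value means for the user.
$SystemPolicyValues = @(
    @{ Name = 'EnableLUA';                  Default = 1; Note = '0 switches UAC off' },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 5; Note = '0 elevates administrators with no prompt' },
    @{ Name = 'PromptOnSecureDesktop';      Default = 1; Note = '0 shows the prompt on the normal desktop' },
    @{ Name = 'DisableRegistryTools';       Default = 0; Note = '1 blocks regedit' }
)

function Get-PolicyChecks {
    foreach ($key in $SystemPolicyKeys) {
        foreach ($v in $SystemPolicyValues) {
            @{ Key = $key; Name = $v.Name; Default = $v.Default; Note = $v.Note }
        }
    }
    # Set to 1 on this machine (see the ComboFix log) to hide missing updates.
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify'; Default = 0; Note = '1 silences Action Center update warnings' }
}

function Test-PolicyDefaults {
    foreach ($c in Get-PolicyChecks) {
        $actual = $null
        if (Test-Path -LiteralPath $c.Key) {
            $props = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
            if ($props) { $actual = $props.($c.Name) }
        }
        # An absent value means Windows applies its own default, which is acceptable.
        $ok = ($null -eq $actual) -or ($actual -eq $c.Default)
        New-Object PSObject -Property @{
            Key = $c.Key; Name = $c.Name; Actual = $actual; Default = $c.Default; Ok = $ok; Note = $c.Note
        }
    }
}

function Repair-PolicyDefaults {
    # Writes the default back for every failed check. The key must exist for a
    # check to fail, so no key creation is needed. EnableLUA and
    # ConsentPromptBehaviorAdmin take effect after the next reboot.
    foreach ($r in Test-PolicyDefaults | Where-Object { -not $_.Ok }) {
        Set-ItemProperty -LiteralPath $r.Key -Name $r.Name -Value $r.Default -Type DWord
        "$($r.Key)\$($r.Name): $($r.Actual) -> $($r.Default)"
    }
}

# Usage after dot-sourcing this file from an elevated prompt:
#   Test-PolicyDefaults | Where-Object { -not $_.Ok } | Format-Table Name, Actual, Default, Note -AutoSize
#   Repair-PolicyDefaults   # then reboot so the UAC values take effect
```

Malwarebytes repaired UpdatesDisableNotify in the scan posted above, but the UAC values were only reported, which is why the Security Check log further down still says "UAC is disabled!"; running Test-PolicyDefaults after each cleanup pass shows whether anything has put them back to 0.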

Good....I'll give you recommendations when we're done.

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

Security check log:

 Results of screen317's Security Check version 0.99.82 
 Windows 7 Service Pack 1 x64 (UAC is disabled!) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 7 
 Java version out of Date!
 Adobe Reader XI 
 Google Chrome 33.0.1750.146 
 Google Chrome 33.0.1750.154 
 Google Chrome 34.0.1847.116 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~

Java 7 Update 7 <---please update, should be Update 55

Java version out of Date! <--------Go to control panel > Java > Update Tab > Update Now
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

If there's no update tab in Java, uninstall it and Download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter. (it may look like CF is re-installing but it's not)
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.

Any other programs or logs you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (My Preventive Maintenance also found HERE)

Good Luck and Thanks for using the forum, MrC


One quick problem, Windows Update is not working, even after running Microsoft Fixit and following some of the suggested steps from Microsoft. It was last updated 07/11/13 and the error code 80073712 is given. Is this a common problem for computers that have previously been infected?


Download and run Malwarebytes Anti-Rootkit:
http://www.malwarebytes.org/antirootkit/

After it runs.......run the fixdamage.exe

Download Malwarebytes Anti-Rootkit from the link above
Run the file and follow the onscreen instructions to extract it to a location of your choosing (your desktop by default)
Malwarebytes Anti-Rootkit will then open, follow the instruction in the wizard to update and allow the program to scan your computer for threats
Click on the Cleanup button to remove any threats and reboot if prompted to do so
Wait while the system shuts down and the cleanup process is performed
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional: Internet access, Windows Update, Windows Firewall
If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit located within the 'Plugins' folder and reboot
Verify that your system is now functioning normally


Let me know.....MrC


No malware found using Malwarebytes Anti-Rootkit, but a few problems found in the Action Center. Cannot turn the firewall on, error: 0x80070424. Cannot check for Windows updates, error 80073712. There are also messages in the Action Center about Java suite and Internet Explorer not working correctly, although this has most likely been resolved since installing the latest version of Java.
