Multiple instances of malware?

abickered · May 31, 2014

Hello, I have been getting multiple instances of dllhost.exe/com surrogate flooding my taskbar. It is taking up lots of memory and making it almost impossible to navigate windows.. I decided to look further in and I have noticed a suspicious folder called Niicex, contianing only zuylagb.exe

I believe it is running multiple searches

in addition to that, there is something else being blocked called f5f5dc.com

i am using windows 7 premium 64BIT i do not haveaccess right now canbarely typer wil be back alter

abickered · June 1, 2014

virustotal scans:

https://www.virustotal.com/en/file/836955022edec913f1ee04b26556dbde5e8663879329bf29fc3b8526465ec3e1/analysis/1401579612/

https://www.virustotal.com/en/url/263d116a63942a92a8a9d2fad301ca078cef3ff74175ce9f6445041a13acc582/analysis/1401580261/

FRST.txt

abickered · June 1, 2014

I hate to make multiple posts but here is the other txt file.

Addition.txt

AdvancedSetup · June 4, 2014

Hello and :welcome:

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
If the log is too large then you can use attachments by clicking on the More Reply Options button.
Please enable your system to show hidden files: How to see hidden files in Windows
Make sure you're subscribed to this topic:
- Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
You can check here if you're not sure if your computer is 32-bit or 64-bit
Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
When we are done, I'll give you instructions on how to cleanup all the tools and logs
Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
Your topic will be closed if you haven't replied within 3 days
(If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1
Link 2

On Windows XP double-click on the Rkill desktop icon to run the tool.
On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

Please download ERUNT from one of the following links: Link1 | Link2 | Link3
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Double click on erunt-setup.exe to Install ERUNT by following the prompts.
NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
Choose a location for the backup.
- Note: the default location is C:\Windows\ERDNT which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK
Then click on YES to create the folder.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following: MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

STEP 03
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

RogueKiller 32-bit | RogueKiller 64-bit
Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User Licene Agreement)
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Don't run any other options, they're not all bad!!
Post back the report which should be located on your desktop.

Thank you

abickered · June 6, 2014

MBAM Scan Log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/4/2014
Scan Time: 8:37:19 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.04.12
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: andy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 505635
Time Elapsed: 3 hr, 41 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 4
PUP.Optional.AmaizingSearches.A, C:\Users\andy\AppData\Roaming\Mozilla\Firefox\Profiles\rfstf7k3.default\prefs.js, Good: (), Bad: (user_pref("browser.search.defaulturl", "http://websearch.amaizingsearches.info/?pid=1481&r=2014/04/25&hid=12184009920200356876&lg=EN&cc=US&unqvl=51&l=1&q="), Replaced,[4d6561126e0dcc6a3794a2f4828215eb]
PUP.Optional.MySearchDial.A, C:\Users\andy\AppData\Roaming\Mozilla\Firefox\Profiles\rfstf7k3.default\prefs.js, Good: (), Bad: (user_pref("extensions.mysearchdial_i.newTab", false), Replaced,[0ca689ea93e8e15566c56a2d729227d9]
PUP.Optional.MySearchDial.A, C:\Users\andy\AppData\Roaming\Mozilla\Firefox\Profiles\rfstf7k3.default\prefs.js, Good: (), Bad: (user_pref("extensions.mysearchdial_i.smplGrp", "none"), Replaced,[9b175f1417644aec7ab1ff981ee637c9]
PUP.Optional.MySearchDial.A, C:\Users\andy\AppData\Roaming\Mozilla\Firefox\Profiles\rfstf7k3.default\prefs.js, Good: (), Bad: (user_pref("extensions.mysearchdial_i.vrsnTs", "1.8.29.03:25:22"), Replaced,[bff3fc77aad1c27451da99fe58ac9c64]

Physical Sectors: 0
(No malicious items detected)

(end)

I seem to be haivng a problem with roguekiller. When I started a scan, it went normally, but after awhile It froze.

AdvancedSetup · June 6, 2014

No problem.

Please go ahead and run through the following steps and post back the logs when ready.

STEP 04
Please download Junkware Removal Tool to your desktop.

Shutdown your antivirus to avoid any conflicts.
Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next reply message
When completed make sure to re-enable your antivirus

STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Please uncheck elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save.
If there's a program you may want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
If you're ready to clean it all up.....click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted:
Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

STEP 07

Please go here to run the online antivirus scannner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked
Click on Advanced Settings and ensure these options are ticked:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
[*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

Double-click to run it. When the tool opens click Yes to disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

AdvancedSetup · June 9, 2014

You are working over on the Bleepingcomputer site as well. Please choose one or the other doing different tasks can cause problems and wastes the resources from others being able to obtain help.

http://www.bleepingcomputer.com/forums/t/536059/acegain-liveupdate/

thank you

abickered · June 9, 2014

Here are all the logs

AdvancedSetup · June 10, 2014

Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following

Please download JavaRa-1.16 and save it to your computer.

Double click to open the zip file and then select all and choose Copy.
Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
Quit all browsers and other running applications.
Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it in your next reply.
RESTART the computer.

Next run this cleanup tool.

Please Run TFC by OldTimer to clear temporary files:

Download TFC from here and save it to your desktop.
http://oldtimer.geekstogo.com/TFC.exe
Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer, please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.
RESTART THE COMPUTER

Once that's done please run the following.

Please visit this webpage and read the ComboFix User's Guide:

Once you've read the article and are ready to use the program you can download it directly from the link below.
Important! - Please make sure you save combofix to your desktop and do not run it from your browser
Direct download link for: ComboFix.exe
Please make sure you disable your security applications before running ComboFix.
Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
Please attach that log file to your next reply.
If needed the file can be located here: C:\combofix.txt
NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

abickered · June 11, 2014

More logs

nice dog btw

log.txt

JavaRa.log

AdvancedSetup · June 11, 2014

Thanks, but just a dog picture from the web that I modified with Photoshop. Been way too busy but supposed to change my Avatar soon.

Great that looks pretty good.

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

abickered · June 11, 2014

awesome

abickered · June 11, 2014

Sorry for the previous post forgot to attach the log

Result.txt

AdvancedSetup · June 11, 2014

Well the computer has sustained damage probably from a current or previous infection. Let's see what we can do to possibly fix it or not.

Error: (06/10/2014 04:27:30 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Symantec Network Security WFP Driver.

System Error:
The system cannot find the file specified.

Please download Malwarebytes Anti-Rootkit from HERE
If needed there is a self help tutorial here: MBAR tutorial

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
Inside the folder you extract the file will be a folder called MBAR and inside that folder is one called Plugins - please find the file "fixdamage.exe" in that folder. Right click over it and choose "Run as administrator" and then restart the computer.
When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

Next:

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

abickered · June 11, 2014

oh

mbar-log-2014-06-11 (05-37-56).txt

system-log.txt

FSS.txt

AdvancedSetup · June 11, 2014

Please run a Full Disk Check on your system drive. If needed here are some links on how to run a Disk Check.

On Windows 7 the disk check log is in the Event Logs under Application with a heading source of Wininit

How to Run Disk Check in Windows 7

How to Run Check Disk at Startup in Vista or Windows 7

How to Read the Event Viewer Log for Check Disk (chkdsk) in Vista, Windows 7, and Windows 8

Once completed please locate the log entry in the Event Logs as shown in the link above and copy/paste the results back here.

Then after the disk check please run a new FRST scan and check the box to include a new Additions log as well.

abickered · June 12, 2014

this is the log, yes?

   65536 KB occupied by the log file.
647318692 KB available on disk.

      4096 bytes in each allocation unit.
241052671 total allocation units on disk.
161829673 allocation units available on disk.

Internal Info:
00 c3 0d 00 86 b3 04 00 e9 4e 08 00 00 00 00 00 .........N......
38 06 00 00 58 00 00 00 00 00 00 00 00 00 00 00 8...X...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-12T03:41:27.000000000Z" />
    <EventRecordID>6916239</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>shin</Computer>
    <Security />
</System>
<EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 3)...
901888 file records processed.

File verification completed.
1306 large file records processed.

0 bad file records processed.

0 EA records processed.

88 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
1010354 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
901888 file SDs/SIDs processed.

Cleaning up 637 unused index entries from index $SII of file 0x9.
Cleaning up 637 unused index entries from index $SDH of file 0x9.
Cleaning up 637 unused security descriptors.
Security descriptor verification completed.
54234 data files processed.

CHKDSK is verifying Usn Journal...
33666056 USN bytes processed.

Usn Journal verification completed.
Windows has checked the file system and found no problems.

964210687 KB total disk space.
315698460 KB in 253855 files.
    160920 KB in 54235 indexes.
         0 KB in bad sectors.
   1032615 KB in use by the system.
     65536 KB occupied by the log file.
647318692 KB available on disk.

      4096 bytes in each allocation unit.
241052671 total allocation units on disk.
161829673 allocation units available on disk.

Internal Info:
00 c3 0d 00 86 b3 04 00 e9 4e 08 00 00 00 00 00 .........N......
38 06 00 00 58 00 00 00 00 00 00 00 00 00 00 00 8...X...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
</EventData>
</Event>

Addition.txt

FRST.txt

AdvancedSetup · June 12, 2014

Yes that is the log but that was not a FULL disk check. That was a quick basic check.

CHKDSK is verifying files (stage 1 of 3)...

The full check runs 5 steps

From an elevated admin prompt you can type

CHKDSK C: /R

then say yes to run on reboot and reboot.

Once that's done then do the following

Please visit this webpage and read the ComboFix User's Guide:

Once you've read the article and are ready to use the program you can download it directly from the link below.
Important! - Please make sure you save combofix to your desktop and do not run it from your browser
Direct download link for: ComboFix.exe
Please make sure you disable your security applications before running ComboFix.
Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
Please attach that log file to your next reply.
If needed the file can be located here: C:\combofix.txt
NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

abickered · June 12, 2014

My bad.

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          6/12/2014 7:07:30 AM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      shin
Description:

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 5)...
901888 file records processed.

File verification completed.
1308 large file records processed.

0 bad file records processed.

0 EA records processed.

88 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 5)...
1010790 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 5)...
901888 file SDs/SIDs processed.

Cleaning up 7 unused index entries from index $SII of file 0x9.
Cleaning up 7 unused index entries from index $SDH of file 0x9.
Cleaning up 7 unused security descriptors.
Security descriptor verification completed.
54452 data files processed.

CHKDSK is verifying Usn Journal...
36295440 USN bytes processed.

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
901872 files processed.

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
161690924 free clusters processed.

Free space verification is complete.
Windows has checked the file system and found no problems.

964210687 KB total disk space.
316247304 KB in 262792 files.
    164384 KB in 54453 indexes.
         0 KB in bad sectors.
   1035303 KB in use by the system.
     65536 KB occupied by the log file.
646763696 KB available on disk.

      4096 bytes in each allocation unit.
241052671 total allocation units on disk.
161690924 allocation units available on disk.

Internal Info:
00 c3 0d 00 49 d7 04 00 08 8b 08 00 00 00 00 00 ....I...........
3a 06 00 00 58 00 00 00 00 00 00 00 00 00 00 00 :...X...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-12T11:07:30.000000000Z" />
    <EventRecordID>6925220</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>shin</Computer>
    <Security />
</System>
<EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 5)...
901888 file records processed.

File verification completed.
1308 large file records processed.

0 bad file records processed.

0 EA records processed.

88 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 5)...
1010790 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 5)...
901888 file SDs/SIDs processed.

Cleaning up 7 unused index entries from index $SII of file 0x9.
Cleaning up 7 unused index entries from index $SDH of file 0x9.
Cleaning up 7 unused security descriptors.
Security descriptor verification completed.
54452 data files processed.

CHKDSK is verifying Usn Journal...
36295440 USN bytes processed.

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
901872 files processed.

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
161690924 free clusters processed.

Free space verification is complete.
Windows has checked the file system and found no problems.

964210687 KB total disk space.
316247304 KB in 262792 files.
    164384 KB in 54453 indexes.
         0 KB in bad sectors.
   1035303 KB in use by the system.
     65536 KB occupied by the log file.
646763696 KB available on disk.

      4096 bytes in each allocation unit.
241052671 total allocation units on disk.
161690924 allocation units available on disk.

Internal Info:
00 c3 0d 00 49 d7 04 00 08 8b 08 00 00 00 00 00 ....I...........
3a 06 00 00 58 00 00 00 00 00 00 00 00 00 00 00 :...X...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
</EventData>
</Event>

AdvancedSetup · June 13, 2014

Okay, please run Combofix again now and post back the new log. Let me know what issues you're still seeing or having if any.

abickered · June 13, 2014

thought I attached it, my bad.

log2.txt

AdvancedSetup · June 13, 2014

Okay that looks better now. Please go ahead and restart the computer one more time. Then run FRST again and make sure you put a check mark in the ADDITIONS.TXT box so that it will create a new one.

Then post back both new logs on your next reply.

Also run the following for me.

Please download Security Check by screen317 from HERE or HERE.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
If you get Unsupported operating system. Aborting now, just reboot and try again.
A Notepad document should open automatically called checkup.txt.
Please Post the contents of that document.
Do Not Attach It!!!

abickered · June 13, 2014

i see you got a new avatar, looks nice

Results of screen317's Security Check version 0.99.84
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Adobe Flash Player 13.0.0.214
Adobe Reader XI
Mozilla Firefox (29.0.1)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
Malwarebytes Anti-Malware mbamscheduler.exe
Symantec Norton Online Backup NOBuAgent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Addition.txt

FRST.txt

AdvancedSetup · June 13, 2014

Yes new avatar - some didn't like the dark one too much, thanks.

Well the computer was infected with the ZeroAccess rootkit. We can attempt to clean it but let me go ahead and give you this warning so that you're aware.

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

Message borrowed from quietman7 with minor wording and link changes

IF you do decide you still want to try to clean the computer please run the following and post back the new logs.

Please download Malwarebytes Anti-Rootkit from HERE
If needed there is a self help tutorial here: MBAR tutorial

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

abickered · June 13, 2014

well this beyond sucks .. I'm not really sure what to do

do you have any more helpful links?

thanks

Multiple instances of malware?

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information