
BitCoinMiner removal problem



Hi! For almost 1 week I have been getting a svchost.exe error after start-up. Reading on the Internet I discovered that malware could be the issue; I ran MalwareBytes, updated to the latest version, and discovered that I have to deal with W23/BitCoinMiner malware. I thought a simple scan and removal would fix the problem, but the malware always comes back after a restart.

 

It also somehow disabled Windows safe mode, so when I press F8 I can only select the boot device (Asus motherboard); to get into safe mode I have to activate it using the command "msconfig".

I then tried to do a scan in safe mode, but nothing: the problem always comes back, and sometimes it slows my Windows boot (it takes a while to load during the Windows logo screen).

 

I tried to scan with ESET Online and I'm going to copy here what I found:

 

C:\$Recycle.Bin\S-1-5-21-3068055036-2407879928-2449727651-1000\$R4CKAUH.exe Win32/DownWare.L potentially unwanted application
C:\$Recycle.Bin\S-1-5-21-3068055036-2407879928-2449727651-1000\$RQSZ66D.exe Win32/DownWare.L potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbci32.dll probably a variant of Win32/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbci64.dll a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbei64.dll a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbfi32.dll probably a variant of Win32/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbfi64.dll a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbi32.exe a variant of Win32/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbi64.exe a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbu.exe a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\jusched[1].exe a variant of Win32/BitCoinMiner.BS potentially unsafe application
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\svchost[1].exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ELDYM8B\SearchIndexer[1].exe multiple threats
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2SFO49C\ssl[1].exe Win32/Autoit.NPY trojan
C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\jusched.exe a variant of Win32/BitCoinMiner.BS potentially unsafe application
C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\SearchIndexer.exe multiple threats
C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\ssl.exe Win32/Autoit.NPY trojan
C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\svchost.exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\updater.exe Win32/TrojanDownloader.Autoit.NLZ trojan
C:\Users\Auron\Downloads\ccsetup404.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
E:\Download\CrystalDiskInfo5_6_2-en.exe Win32/OpenCandy potentially unsafe application
E:\Download\disk-defrag-setup.exe Win32/InstallMonetizer.AQ potentially unwanted application
E:\Photoshop2\Adobe CS6\Autorun.exe Win32/TrojanDownloader.Autoit.NLZ trojan
Operating memory a variant of Win32/BitCoinMiner.BS potentially unsafe application
 
 

I didn't delete the files found; can you please help me with this stubborn malware?


Hello,

 

P2P/Piracy Warning:

 


If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Next,

 

Download TDSSKiller and save it to your Desktop.

 

Make sure TDSSKiller.exe  is on the Desktop itself, not within a folder on the desktop.

 

Go to Start > Run (or hold down your Windows key and press R), and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

 

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt

 

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.

If malicious objects are found, do NOT select Delete or Cure; change the action to Skip. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

 

Post those logs in your next reply.

 

Kevin

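The FRST log that Kevin asks for is where this infection's masquerading becomes visible: the ESET results in the first post list copies of svchost.exe, jusched.exe and SearchIndexer.exe under %APPDATA%\Microsoft\SystemCertificates\My\Updater, names that belong to Windows and to the Java updater. The Python script below is an added example for this thread, not part of the original posts and not a Malwarebytes, ESET or FRST tool. It parses FRST-style "Processes" and "Run" lines and flags a file when a well-known name sits outside its expected directory, when it carries no company name and lives in a user-writable location, or when the same file name runs from more than one directory. The sample lines are constructed in FRST's format from paths on this page; the expected-directory table and the list of user-writable locations are assumptions made for the example.

```python
"""Triage FRST 'Processes' and 'Run' lines for copies of well-known binaries
running from the wrong place. Example code for this thread, not part of FRST."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import NamedTuple

# Where each well-known name legitimately lives. Assumption made for this
# example, taken from the legitimate paths on this page (Windows service host,
# Windows Search indexer, Java updater).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "searchindexer.exe": {r"c:\windows\system32"},
    "jusched.exe": {
        r"c:\program files (x86)\common files\java\java update",
        r"c:\program files\common files\java\java update",
    },
}

# Locations a standard user can write to without elevation (assumed list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\$recycle.bin\\")

# FRST prints the file's company name in parentheses before the path; an
# empty "()" means the file carries none.
PROC_RE = re.compile(
    r"^\((?P<company>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys))\s*$", re.I)
# HKLM\...\Run: [Name] => C:\path\file.exe [size date] (Company)
RUN_RE = re.compile(
    r"^(?P<hive>HK\S*?\\Run): \[(?P<name>[^\]]*)\] => "
    r"(?P<path>[A-Za-z]:\\.+?\.exe) \[\d+ [\d-]+\] \((?P<company>[^)]*)\)\s*$", re.I)


class Entry(NamedTuple):
    kind: str      # "process" or "run"
    company: str   # "" when FRST printed ()
    path: str


def parse_frst(text: str) -> list[Entry]:
    """Extract process and Run-key entries from FRST-style log text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := PROC_RE.match(line):
            entries.append(Entry("process", m["company"].strip(), m["path"]))
        elif m := RUN_RE.match(line):
            entries.append(Entry("run", m["company"].strip(), m["path"]))
    return entries


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each suspicious path to the reasons it was flagged."""
    unique: dict[str, Entry] = {}
    dirs_by_name: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        unique.setdefault(e.path.lower(), e)   # same file may appear as process and Run entry
        p = PureWindowsPath(e.path)
        dirs_by_name[p.name.lower()].add(str(p.parent).lower())

    findings: dict[str, list[str]] = defaultdict(list)
    for e in unique.values():
        p = PureWindowsPath(e.path)
        name, parent = p.name.lower(), str(p.parent).lower()
        # 1. A system/vendor name outside the directory it belongs in.
        if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
            findings[e.path].append("name-outside-expected-dir")
        # 2. No company name and running from a user-writable location.
        if not e.company and e.path.lower().startswith(USER_WRITABLE):
            findings[e.path].append("no-company-name-in-user-writable-dir")
        # 3. The same file name appears in more than one directory; review both.
        if len(dirs_by_name[name]) > 1:
            findings[e.path].append("same-name-in-multiple-dirs")
    return dict(findings)


# Constructed sample in FRST's format, modelled on the paths in this thread.
SAMPLE_FRST = r"""
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\jusched.exe
() C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\svchost.exe
(Speedbit Ltd.) C:\Program Files (x86)\DAP\DAP.exe
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKU\S-1-5-21-3068055036-2407879928-2449727651-1000\...\Run: [DownloadAccelerator] => C:\Program Files (x86)\DAP\DAP.EXE [3865232 2013-08-24] (Speedbit Ltd.)
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_frst(SAMPLE_FRST)).items():
        print(f"{path}\n    {', '.join(reasons)}")
```

Run against the sample, the two copies in the Updater folder are flagged on all three counts, while the genuine svchost.exe and Java jusched.exe are flagged only as "same name in multiple directories", which is the cue to compare the two copies rather than a verdict on the legitimate one. The company-name check is a weak signal on its own (many legitimate tools ship without version resources, as the FRST log here shows for PnkBstrA.exe and the D-Link service), so it is combined with the location rather than used alone.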

Hi! Thank you for the reply.

 

This is the FRST.txt content from Farbar Recovery:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-06-2014
Ran by Auron (administrator) on FADETOSHADOW on 08-06-2014 18:08:20
Running from C:\Users\Auron\Downloads
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Italian Standard
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() E:\Programmi\HSPA USB MODEM\BackgroundService\ServiceManager.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\D-Link\DWA-125 revA\ANIWConnService.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Speedbit Ltd.) C:\Program Files (x86)\DAP\DAP.exe
(Spotify Ltd) C:\Users\Auron\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(D-Link Corp.) C:\Program Files (x86)\D-Link\DWA-125 revA\AirNCFG.exe
() E:\Programmi\HSPA USB MODEM\BackgroundService\ModemListener.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) E:\Programmi\iTunes\iTunesHelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
() C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [iAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [uSB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [D-Link D-Link DWA-125] => C:\Program Files (x86)\D-Link\DWA-125 revA\AirNCFG.exe [1074496 2011-06-10] (D-Link Corp.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [Archos Sepang ModemListener] => E:\Programmi\HSPA USB MODEM\BackgroundService\ModemListener.exe [102400 2011-06-20] ()
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [iTunesHelper] => E:\Programmi\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-3068055036-2407879928-2449727651-1000\...\Run: [DownloadAccelerator] => C:\Program Files (x86)\DAP\DAP.EXE [3865232 2013-08-24] (Speedbit Ltd.)
HKU\S-1-5-21-3068055036-2407879928-2449727651-1000\...\Run: [spotify Web Helper] => C:\Users\Auron\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1176632 2014-06-07] (Spotify Ltd)
HKU\S-1-5-21-3068055036-2407879928-2449727651-1000\...\MountPoints2: {88e8dbeb-5530-11e3-9ddb-10bf48e362f3} - F:\autorun.exe
HKU\S-1-5-21-3068055036-2407879928-2449727651-1000\...\MountPoints2: {ce58ecca-0c53-11e3-9238-806e6f6e6963} - "D:\StarCraft II Setup.exe"
Startup: C:\Users\Auron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
ShortcutTarget: ERUNT AutoBackup.lnk -> C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.speedbit.com/?s=D8Oaya1
SearchScopes: HKLM-x32 - {7F4EFF06-7032-458e-AE16-1C1D8255C28A} URL = http://go.speedbit.com/search.aspx?s=D8Oaya1&q={searchTerms}
SearchScopes: HKCU - {7F4EFF06-7032-458e-AE16-1C1D8255C28A} URL = http://go.speedbit.com/search.aspx?s=D8Oaya1&q={searchTerms}
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: SpeedBit Link Verification Helper - {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} - C:\Program Files (x86)\DAP\LinkVerifier.dll (Speedbit Ltd.)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 62.101.93.101 83.103.25.250
 
FireFox:
========
FF ProfilePath: C:\Users\Auron\AppData\Roaming\Mozilla\Firefox\Profiles\x2wa7owp.default
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - E:\Programmi\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @esn.me/esnsonar,version=0.70.4 - C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll No File
FF Plugin-x32: @esn/npbattlelog,version=2.3.2 - C:\Program Files (x86)\Battlelog Web Plugins\2.3.2\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 - E:\Programmi\VLC\npvlc.dll (VideoLAN)
FF SearchPlugin: C:\Users\Auron\AppData\Roaming\Mozilla\Firefox\Profiles\x2wa7owp.default\searchplugins\speedbit.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazon-it.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-it.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\hoepli.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-it.xml
FF HKLM-x32\...\Firefox\Extensions: [daplinkchecker@speedbit.com] - C:\Program Files (x86)\DAP\daplinkchecker
FF Extension: DAP Link Checker - C:\Program Files (x86)\DAP\daplinkchecker [2013-08-24]
FF HKCU\...\Firefox\Extensions: [{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}] - C:\Program Files (x86)\DAP\DAPFireFox
FF Extension: Download Accelerator Plus (DAP) extension - C:\Program Files (x86)\DAP\DAPFireFox [2013-08-24]
 
Chrome: 
=======
CHR HomePage: 
CHR StartupUrls: "hxxp://www.google.it/", "hxxp://www.facebook.it/", "hxxp://www.youtube.it/"
CHR Extension: (Documenti Google) - C:\Users\Auron\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-06-08]
CHR Extension: (Google Drive) - C:\Users\Auron\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-08-24]
CHR Extension: (YouTube) - C:\Users\Auron\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-08-24]
CHR Extension: (Ricerca Google) - C:\Users\Auron\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-06-08]
CHR Extension: (Download Accelerator Plus (DAP)) - C:\Users\Auron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb [2013-08-24]
CHR Extension: (Google Wallet) - C:\Users\Auron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-24]
CHR Extension: (Gmail) - C:\Users\Auron\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-08-24]
CHR HKLM-x32\...\Chrome\Extension: [ffdcfjdljhbehggjdkdioajnknjcpbjb] - C:\Program Files (x86)\DAP\DAPChrome\DAPChrome6.crx [2013-08-24]
 
==================== Services (Whitelisted) =================
 
R2 Archos Sepang Modem Device Helper; E:\Programmi\HSPA USB MODEM\BackgroundService\ServiceManager.exe [49752 2011-06-20] ()
R2 D_Link_DWA-125_WPS; C:\Program Files (x86)\D-Link\DWA-125 revA\ANIWConnService.exe [53248 2010-07-12] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2013-10-04] ()
S4 SBUpd; C:\Program Files\Common Files\SpeedBit\SBUpdate\sbu.exe [1097848 2013-02-27] (Speedbit Ltd.)
S4 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
S4 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S4 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2011-11-12] (VIA Technologies, Inc.)
 
==================== Drivers (Whitelisted) ====================
 
R1 anodlwf; C:\Windows\System32\DRIVERS\anodlwfx.sys [15872 2010-05-29] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32512 2014-06-08] ()
S3 jrdusbser; C:\Windows\System32\DRIVERS\jrdusbser.sys [120832 2011-06-20] (TCT International Mobile Ltd)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
S3 NANMp50; C:\Windows\System32\Drivers\NANMp50.sys [46776 2010-03-25] (Printing Communications Assoc., Inc. (PCAUSA))
S3 NANSp50; C:\Windows\System32\Drivers\NANSp50.sys [45752 2010-03-25] (Printing Communications Assoc., Inc. (PCAUSA))
R3 netr28ux; C:\Windows\System32\DRIVERS\Dnetr28ux.sys [1617472 2011-04-28] (Ralink Technology Corp.)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 RTCore64; C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [13368 2013-01-23] ()
S3 SBUpdd; C:\Program Files\Common Files\SpeedBit\SBUpdate\sbw.sys [40856 2013-02-27] ()
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-08 18:08 - 2014-06-08 18:08 - 00012365 _____ () C:\Users\Auron\Downloads\FRST.txt
2014-06-08 18:06 - 2014-06-08 18:08 - 00000000 ____D () C:\FRST
2014-06-08 18:06 - 2014-06-08 18:06 - 02072576 _____ (Farbar) C:\Users\Auron\Downloads\FRST64.exe
2014-06-08 13:18 - 2014-06-08 13:18 - 00002956 _____ () C:\Users\Auron\Desktop\BitCoiner.txt
2014-06-08 12:44 - 2014-06-08 12:44 - 02347384 _____ (ESET) C:\Users\Auron\Downloads\esetsmartinstaller_enu.exe
2014-06-08 12:44 - 2014-06-08 12:44 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-06-08 12:39 - 2014-06-08 12:42 - 00000000 ____D () C:\AdwCleaner
2014-06-08 12:39 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-06-08 12:38 - 2014-06-08 12:38 - 01333465 _____ () C:\Users\Auron\Downloads\AdwCleaner.exe
2014-06-08 12:24 - 2014-06-08 12:24 - 00000691 _____ () C:\Users\Auron\Desktop\JRT.txt
2014-06-08 12:20 - 2014-06-08 12:20 - 01016261 _____ (Thisisu) C:\Users\Auron\Downloads\JRT.exe
2014-06-08 12:20 - 2014-06-08 12:20 - 00000000 ____D () C:\Windows\ERUNT
2014-06-08 12:14 - 2014-06-08 12:14 - 05245952 _____ () C:\Users\Auron\Downloads\RogueKillerX64.exe
2014-06-08 12:11 - 2014-06-08 12:11 - 00791393 _____ (Lars Hederer ) C:\Users\Auron\Downloads\erunt-setup.exe
2014-06-08 12:11 - 2014-06-08 12:11 - 00000928 _____ () C:\Users\Auron\Desktop\NTREGOPT.lnk
2014-06-08 12:11 - 2014-06-08 12:11 - 00000909 _____ () C:\Users\Auron\Desktop\ERUNT.lnk
2014-06-08 12:11 - 2014-06-08 12:11 - 00000000 ____D () C:\Windows\ERDNT
2014-06-08 12:11 - 2014-06-08 12:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2014-06-08 12:11 - 2014-06-08 12:11 - 00000000 ____D () C:\Program Files (x86)\ERUNT
2014-06-08 12:10 - 2014-06-08 12:10 - 01940216 _____ (Bleeping Computer, LLC) C:\Users\Auron\Downloads\rkill.exe
2014-06-08 12:10 - 2014-06-08 12:10 - 00002212 _____ () C:\Users\Auron\Desktop\Rkill.txt
2014-06-08 12:02 - 2014-06-08 18:02 - 00000000 ____D () C:\Users\Auron\AppData\Local\CrashDumps
2014-06-08 12:02 - 2014-06-08 12:02 - 04686336 _____ () C:\Users\Auron\Desktop\RogueKiller.exe
2014-06-08 12:02 - 2014-06-08 12:02 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-06-08 12:01 - 2014-06-08 12:01 - 00032512 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys
2014-06-08 12:00 - 2014-06-08 12:00 - 00002814 _____ () C:\Windows\system32\.crusader
2014-06-08 11:56 - 2014-06-08 12:00 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-06-08 11:52 - 2014-06-08 11:52 - 00000630 _____ () C:\Users\Auron\Desktop\Registro del 08.06.14.reg
2014-06-08 11:44 - 2014-06-08 11:48 - 00000000 ____D () C:\Users\Auron\Desktop\mbar
2014-06-08 11:44 - 2014-06-08 11:48 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-06-07 14:46 - 2014-06-08 10:43 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\Spotify
2014-06-07 14:46 - 2014-06-07 18:59 - 00000000 ____D () C:\Users\Auron\AppData\Local\Spotify
2014-06-07 14:46 - 2014-06-07 14:46 - 00001809 _____ () C:\Users\Auron\Desktop\Spotify.lnk
2014-06-07 14:46 - 2014-06-07 14:46 - 00001795 _____ () C:\Users\Auron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2014-06-05 00:43 - 2014-06-05 00:43 - 00000132 _____ () C:\Users\Auron\AppData\Roaming\Adobe PNG Format CS6 Prefs
2014-06-05 00:26 - 2014-06-05 00:26 - 00000000 ____D () C:\ProgramData\regid.1986-12.com.adobe
2014-06-05 00:11 - 2014-06-05 00:21 - 00003312 _____ () C:\Windows\System32\Tasks\Microsoft System Certificates
2014-06-04 23:38 - 2014-06-04 23:38 - 00000000 ____D () C:\Users\Auron\Documents\Adobe Scripts
2014-06-04 23:27 - 2014-06-08 18:06 - 00000000 ____D () C:\ProgramData\Adobe
2014-06-04 23:27 - 2014-06-04 23:27 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Macromedia
2014-06-04 23:27 - 2014-06-04 23:27 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Macromedia
2014-06-04 23:25 - 2014-06-05 00:30 - 00000000 ____D () C:\Users\Auron\AppData\Local\Adobe
2014-06-04 23:25 - 2014-06-04 23:25 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\Macromedia
2014-06-04 19:21 - 2014-06-04 19:21 - 00000668 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2014-05-30 19:34 - 2014-05-30 19:34 - 00001544 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-05-30 19:34 - 2014-05-30 19:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-05-30 19:33 - 2014-05-30 19:34 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-05-30 19:33 - 2014-05-30 19:34 - 00000000 ____D () C:\Program Files\iTunes
2014-05-30 19:33 - 2014-05-30 19:33 - 00000000 ____D () C:\Program Files\iPod
2014-05-25 22:30 - 2014-06-02 14:45 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\.minecraft
2014-05-24 18:41 - 2014-05-24 18:41 - 00000000 ____D () C:\Users\Auron\Documents\Electronic Arts
2014-05-24 18:41 - 2014-05-24 18:41 - 00000000 ____D () C:\Users\Auron\AppData\Local\Electronic Arts
2014-05-24 18:26 - 2014-05-24 18:27 - 00000000 ____D () C:\Users\Auron\AppData\Local\WiFi Guard
2014-05-24 18:26 - 2014-05-24 18:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SoftPerfect WiFi Guard
2014-05-24 17:36 - 2014-05-24 17:36 - 00000692 _____ () C:\Users\Auron\Desktop\NetSurveyor.lnk
2014-05-24 17:36 - 2014-05-24 17:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NutsAboutNets
2014-05-24 17:36 - 2010-03-25 11:05 - 00046776 _____ (Printing Communications Assoc., Inc. (PCAUSA)) C:\Windows\system32\Drivers\NANMp50.sys
2014-05-24 17:36 - 2010-03-25 11:05 - 00045752 _____ (Printing Communications Assoc., Inc. (PCAUSA)) C:\Windows\system32\Drivers\NANSp50.sys
2014-05-14 23:54 - 2014-05-06 06:40 - 23544320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-14 23:54 - 2014-05-06 06:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-14 23:54 - 2014-05-06 05:25 - 17382912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-14 23:54 - 2014-05-06 05:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-14 23:54 - 2014-05-06 05:00 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-14 23:54 - 2014-05-06 04:10 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-14 23:45 - 2014-05-09 08:14 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-14 23:45 - 2014-05-09 08:11 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-05-14 23:45 - 2014-04-12 04:22 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-05-14 23:45 - 2014-04-12 04:22 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2014-05-14 23:45 - 2014-04-12 04:19 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-05-14 23:45 - 2014-04-12 04:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2014-05-14 23:45 - 2014-04-12 04:19 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2014-05-14 23:45 - 2014-04-12 04:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2014-05-14 23:45 - 2014-04-12 04:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2014-05-14 23:45 - 2014-04-12 04:12 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-05-14 23:45 - 2014-04-12 04:10 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-05-14 23:45 - 2014-03-25 04:43 - 14175744 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-05-14 23:45 - 2014-03-25 04:09 - 12874240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-05-14 23:45 - 2014-03-04 11:47 - 05550016 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2014-05-14 23:45 - 2014-03-04 11:44 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-05-14 23:45 - 2014-03-04 11:44 - 00722944 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll
2014-05-14 23:45 - 2014-03-04 11:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2014-05-14 23:45 - 2014-03-04 11:44 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-05-14 23:45 - 2014-03-04 11:44 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-05-14 23:45 - 2014-03-04 11:44 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-05-14 23:45 - 2014-03-04 11:44 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-05-14 23:45 - 2014-03-04 11:44 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\wincredprovider.dll
2014-05-14 23:45 - 2014-03-04 11:43 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-05-14 23:45 - 2014-03-04 11:43 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\cngprovider.dll
2014-05-14 23:45 - 2014-03-04 11:43 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\adprovider.dll
2014-05-14 23:45 - 2014-03-04 11:43 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\capiprovider.dll
2014-05-14 23:45 - 2014-03-04 11:43 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\dpapiprovider.dll
2014-05-14 23:45 - 2014-03-04 11:43 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll
2014-05-14 23:45 - 2014-03-04 11:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-05-14 23:45 - 2014-03-04 11:20 - 03969984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2014-05-14 23:45 - 2014-03-04 11:20 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2014-05-14 23:45 - 2014-03-04 11:17 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cngprovider.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adprovider.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capiprovider.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpapiprovider.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wincredprovider.dll
2014-05-14 23:45 - 2014-03-04 11:17 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-05-14 23:45 - 2014-03-04 11:16 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
 
==================== One Month Modified Files and Folders =======
 
2014-06-08 18:08 - 2014-06-08 18:08 - 00012365 _____ () C:\Users\Auron\Downloads\FRST.txt
2014-06-08 18:08 - 2014-06-08 18:06 - 00000000 ____D () C:\FRST
2014-06-08 18:08 - 2013-08-24 02:10 - 00000000 ____D () C:\Users\Auron\AppData\Local\Temp
2014-06-08 18:06 - 2014-06-08 18:06 - 02072576 _____ (Farbar) C:\Users\Auron\Downloads\FRST64.exe
2014-06-08 18:06 - 2014-06-04 23:27 - 00000000 ____D () C:\ProgramData\Adobe
2014-06-08 18:06 - 2013-08-24 02:51 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\Adobe
2014-06-08 18:06 - 2011-04-12 12:49 - 00741386 _____ () C:\Windows\system32\perfh010.dat
2014-06-08 18:06 - 2011-04-12 12:49 - 00147440 _____ () C:\Windows\system32\perfc010.dat
2014-06-08 18:06 - 2009-07-14 07:13 - 01661180 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-08 18:04 - 2013-08-24 02:11 - 02062374 _____ () C:\Windows\WindowsUpdate.log
2014-06-08 18:02 - 2014-06-08 12:02 - 00000000 ____D () C:\Users\Auron\AppData\Local\CrashDumps
2014-06-08 18:01 - 2013-09-28 03:57 - 00179956 _____ () C:\Windows\PFRO.log
2014-06-08 18:01 - 2013-09-28 03:57 - 00019131 _____ () C:\Windows\setupact.log
2014-06-08 18:01 - 2013-08-24 02:52 - 00000000 ____D () C:\ProgramData\TEMP
2014-06-08 18:01 - 2013-08-24 02:39 - 00001144 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-08 18:01 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-08 13:31 - 2013-08-24 02:39 - 00001148 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-08 13:18 - 2014-06-08 13:18 - 00002956 _____ () C:\Users\Auron\Desktop\BitCoiner.txt
2014-06-08 12:50 - 2009-07-14 06:45 - 00022064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-08 12:50 - 2009-07-14 06:45 - 00022064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-08 12:44 - 2014-06-08 12:44 - 02347384 _____ (ESET) C:\Users\Auron\Downloads\esetsmartinstaller_enu.exe
2014-06-08 12:44 - 2014-06-08 12:44 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-06-08 12:43 - 2013-08-24 02:10 - 00000000 ____D () C:\Users\Auron\AppData\Local\VirtualStore
2014-06-08 12:42 - 2014-06-08 12:39 - 00000000 ____D () C:\AdwCleaner
2014-06-08 12:38 - 2014-06-08 12:38 - 01333465 _____ () C:\Users\Auron\Downloads\AdwCleaner.exe
2014-06-08 12:24 - 2014-06-08 12:24 - 00000691 _____ () C:\Users\Auron\Desktop\JRT.txt
2014-06-08 12:20 - 2014-06-08 12:20 - 01016261 _____ (Thisisu) C:\Users\Auron\Downloads\JRT.exe
2014-06-08 12:20 - 2014-06-08 12:20 - 00000000 ____D () C:\Windows\ERUNT
2014-06-08 12:14 - 2014-06-08 12:14 - 05245952 _____ () C:\Users\Auron\Downloads\RogueKillerX64.exe
2014-06-08 12:14 - 2014-04-12 16:41 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-08 12:11 - 2014-06-08 12:11 - 00791393 _____ (Lars Hederer ) C:\Users\Auron\Downloads\erunt-setup.exe
2014-06-08 12:11 - 2014-06-08 12:11 - 00000928 _____ () C:\Users\Auron\Desktop\NTREGOPT.lnk
2014-06-08 12:11 - 2014-06-08 12:11 - 00000909 _____ () C:\Users\Auron\Desktop\ERUNT.lnk
2014-06-08 12:11 - 2014-06-08 12:11 - 00000000 ____D () C:\Windows\ERDNT
2014-06-08 12:11 - 2014-06-08 12:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2014-06-08 12:11 - 2014-06-08 12:11 - 00000000 ____D () C:\Program Files (x86)\ERUNT
2014-06-08 12:11 - 2013-08-24 02:11 - 00000000 ___RD () C:\Users\Auron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-06-08 12:10 - 2014-06-08 12:10 - 01940216 _____ (Bleeping Computer, LLC) C:\Users\Auron\Downloads\rkill.exe
2014-06-08 12:10 - 2014-06-08 12:10 - 00002212 _____ () C:\Users\Auron\Desktop\Rkill.txt
2014-06-08 12:02 - 2014-06-08 12:02 - 04686336 _____ () C:\Users\Auron\Desktop\RogueKiller.exe
2014-06-08 12:02 - 2014-06-08 12:02 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-06-08 12:01 - 2014-06-08 12:01 - 00032512 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys
2014-06-08 12:00 - 2014-06-08 12:00 - 00002814 _____ () C:\Windows\system32\.crusader
2014-06-08 12:00 - 2014-06-08 11:56 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-06-08 11:52 - 2014-06-08 11:52 - 00000630 _____ () C:\Users\Auron\Desktop\Registro del 08.06.14.reg
2014-06-08 11:48 - 2014-06-08 11:44 - 00000000 ____D () C:\Users\Auron\Desktop\mbar
2014-06-08 11:48 - 2014-06-08 11:44 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-06-08 11:44 - 2014-04-12 16:41 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-06-08 11:41 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\AppCompat
2014-06-08 10:57 - 2013-08-24 11:15 - 00000000 ____D () C:\Windows\pss
2014-06-08 10:43 - 2014-06-07 14:46 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\Spotify
2014-06-08 10:43 - 2013-08-24 02:16 - 00000000 ____D () C:\Windows\Chipset
2014-06-08 10:39 - 2014-04-12 16:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-08 10:39 - 2014-04-12 16:41 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-08 10:39 - 2013-08-24 02:55 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-08 03:50 - 2014-04-12 16:47 - 00000000 ____D () C:\Users\Auron\AppData\Local\Songr
2014-06-08 03:14 - 2014-04-21 22:15 - 00000000 ____D () C:\ProgramData\Origin
2014-06-08 01:25 - 2013-08-24 13:52 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\Skype
2014-06-07 18:59 - 2014-06-07 14:46 - 00000000 ____D () C:\Users\Auron\AppData\Local\Spotify
2014-06-07 14:46 - 2014-06-07 14:46 - 00001809 _____ () C:\Users\Auron\Desktop\Spotify.lnk
2014-06-07 14:46 - 2014-06-07 14:46 - 00001795 _____ () C:\Users\Auron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2014-06-06 19:09 - 2009-07-14 06:45 - 04946240 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-06-05 00:43 - 2014-06-05 00:43 - 00000132 _____ () C:\Users\Auron\AppData\Roaming\Adobe PNG Format CS6 Prefs
2014-06-05 00:31 - 2013-08-24 02:27 - 00070744 _____ () C:\Users\Auron\AppData\Local\GDIPFONTCACHEV1.DAT
2014-06-05 00:30 - 2014-06-04 23:25 - 00000000 ____D () C:\Users\Auron\AppData\Local\Adobe
2014-06-05 00:26 - 2014-06-05 00:26 - 00000000 ____D () C:\ProgramData\regid.1986-12.com.adobe
2014-06-05 00:21 - 2014-06-05 00:11 - 00003312 _____ () C:\Windows\System32\Tasks\Microsoft System Certificates
2014-06-04 23:38 - 2014-06-04 23:38 - 00000000 ____D () C:\Users\Auron\Documents\Adobe Scripts
2014-06-04 23:37 - 2013-08-24 02:10 - 00000000 ____D () C:\Users\Auron
2014-06-04 23:31 - 2013-08-24 02:54 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\EQATEC Analytics
2014-06-04 23:27 - 2014-06-04 23:27 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Macromedia
2014-06-04 23:27 - 2014-06-04 23:27 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Macromedia
2014-06-04 23:25 - 2014-06-04 23:25 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\Macromedia
2014-06-04 19:21 - 2014-06-04 19:21 - 00000668 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2014-06-02 14:45 - 2014-05-25 22:30 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\.minecraft
2014-06-01 23:19 - 2013-08-24 03:47 - 00000000 ____D () C:\Program Files (x86)\MSI Afterburner
2014-06-01 22:15 - 2013-08-24 03:01 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-05-30 19:34 - 2014-05-30 19:34 - 00001544 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-05-30 19:34 - 2014-05-30 19:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-05-30 19:34 - 2014-05-30 19:33 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-05-30 19:34 - 2014-05-30 19:33 - 00000000 ____D () C:\Program Files\iTunes
2014-05-30 19:33 - 2014-05-30 19:33 - 00000000 ____D () C:\Program Files\iPod
2014-05-24 18:41 - 2014-05-24 18:41 - 00000000 ____D () C:\Users\Auron\Documents\Electronic Arts
2014-05-24 18:41 - 2014-05-24 18:41 - 00000000 ____D () C:\Users\Auron\AppData\Local\Electronic Arts
2014-05-24 18:27 - 2014-05-24 18:26 - 00000000 ____D () C:\Users\Auron\AppData\Local\WiFi Guard
2014-05-24 18:26 - 2014-05-24 18:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SoftPerfect WiFi Guard
2014-05-24 17:36 - 2014-05-24 17:36 - 00000692 _____ () C:\Users\Auron\Desktop\NetSurveyor.lnk
2014-05-24 17:36 - 2014-05-24 17:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NutsAboutNets
2014-05-24 16:16 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-05-24 13:50 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2014-05-23 22:43 - 2014-03-23 22:58 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-05-23 22:43 - 2013-08-24 13:52 - 00000000 ____D () C:\ProgramData\Skype
2014-05-21 19:35 - 2013-08-24 02:41 - 00002249 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-05-19 19:41 - 2014-01-12 22:56 - 00000000 ____D () C:\Users\Auron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2014-05-16 19:11 - 2013-10-01 02:58 - 00152125 _____ () C:\Windows\DirectX.log
2014-05-16 18:48 - 2013-08-24 02:11 - 00000000 ___RD () C:\Users\Auron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-05-16 18:47 - 2014-05-07 19:59 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-16 18:47 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-05-14 23:54 - 2013-08-24 03:30 - 00000000 ____D () C:\Windows\system32\MRT
2014-05-14 23:53 - 2013-08-24 03:30 - 93223848 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-05-12 07:26 - 2014-04-12 16:41 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-05-12 07:25 - 2013-08-24 02:55 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-05-10 17:26 - 2013-08-24 02:39 - 00004144 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-05-10 17:26 - 2013-08-24 02:39 - 00003892 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-05-09 08:14 - 2014-05-14 23:45 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-09 08:11 - 2014-05-14 23:45 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
 
Some content of TEMP:
====================
C:\Users\Auron\AppData\Local\Temp\13-9_win7_win8_64_dd_ccc_whql.exe
C:\Users\Auron\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Auron\AppData\Local\Temp\Quarantine.exe
C:\Users\Auron\AppData\Local\Temp\raptrpatch.exe
C:\Users\Auron\AppData\Local\Temp\raptr_stub.exe
C:\Users\Auron\AppData\Local\Temp\SCC.dll
C:\Users\Auron\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Auron\AppData\Local\Temp\sonarinst.exe
C:\Users\Auron\AppData\Local\Temp\SRLDetectionLibrary3548307430425438192.dll
C:\Users\Auron\AppData\Local\Temp\SRLDetectionLibrary7241043097803026716.dll
C:\Users\Auron\AppData\Local\Temp\VCdControlTool.exe
C:\Users\Auron\AppData\Local\Temp\{2AB94ACA-DBF7-4DA1-A310-C1EC9AFC68CA}-GoogleUpdateSetup.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-06-02 22:01
 
==================== End Of Log ============================
 
 
I'm going to post another reply since the message length is too much.

Addition.txt


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it in your reply.

 

Next,

 

Open Malwarebytes 2.0, run a Threat Scan

 


On the Dashboard, click the 'Update Now >>' link
After the update completes, click the 'Scan Now >>' button.
Or, on the Dashboard, click the Scan Now >> button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 

Post log:

 


After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt.

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Let me see those logs, also give an update on any remaining issues or concerns....

 

Kevin

 

 

 

 

 

 

fixlist.txt


FRST Log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-06-2014
Ran by Auron at 2014-06-08 22:05:01 Run:1
Running from C:\Users\Auron\Desktop\FRST
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Start
C:\Program Files (x86)\DAP
C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\jusched.exe
HKU\S-1-5-21-3068055036-2407879928-2449727651-1000\...\MountPoints2: {88e8dbeb-5530-11e3-9ddb-10bf48e362f3} - F:\autorun.exe
HKU\S-1-5-21-3068055036-2407879928-2449727651-1000\...\MountPoints2: {ce58ecca-0c53-11e3-9238-806e6f6e6963} - "D:\StarCraft II Setup.exe"
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.speedbit.c...q={searchTerms}
SearchScopes: HKCU - {7F4EFF06-7032-458e-AE16-1C1D8255C28A} URL = http://go.speedbit.c...q={searchTerms}
C:\Users\Auron\AppData\Local\Temp\13-9_win7_win8_64_dd_ccc_whql.exe
C:\Users\Auron\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Auron\AppData\Local\Temp\Quarantine.exe
C:\Users\Auron\AppData\Local\Temp\raptrpatch.exe
C:\Users\Auron\AppData\Local\Temp\raptr_stub.exe
C:\Users\Auron\AppData\Local\Temp\SCC.dll
C:\Users\Auron\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Auron\AppData\Local\Temp\sonarinst.exe
C:\Users\Auron\AppData\Local\Temp\SRLDetectionLibrary3548307430425438192.dll
C:\Users\Auron\AppData\Local\Temp\SRLDetectionLibrary7241043097803026716.dll
C:\Users\Auron\AppData\Local\Temp\VCdControlTool.exe
C:\Users\Auron\AppData\Local\Temp\{2AB94ACA-DBF7-4DA1-A310-C1EC9AFC68CA}-GoogleUpdateSetup.exe
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879
AlternateDataStreams: C:\ProgramData\TEMP:76650B61
End
*****************
 
C:\Program Files (x86)\DAP => Moved successfully.
C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\jusched.exe => Moved successfully.
'HKU\S-1-5-21-3068055036-2407879928-2449727651-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{88e8dbeb-5530-11e3-9ddb-10bf48e362f3}' => Key deleted successfully.
'HKCR\CLSID\{88e8dbeb-5530-11e3-9ddb-10bf48e362f3}'=> Key not found.
'HKU\S-1-5-21-3068055036-2407879928-2449727651-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ce58ecca-0c53-11e3-9238-806e6f6e6963}' => Key deleted successfully.
'HKCR\CLSID\{ce58ecca-0c53-11e3-9238-806e6f6e6963}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
'HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}'=> Key not found.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}' => Key deleted successfully.
'HKCR\CLSID\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}'=> Key not found.
C:\Users\Auron\AppData\Local\Temp\13-9_win7_win8_64_dd_ccc_whql.exe => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\raptrpatch.exe => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\raptr_stub.exe => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\SCC.dll => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\sonarinst.exe => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\SRLDetectionLibrary3548307430425438192.dll => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\SRLDetectionLibrary7241043097803026716.dll => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\VCdControlTool.exe => Moved successfully.
C:\Users\Auron\AppData\Local\Temp\{2AB94ACA-DBF7-4DA1-A310-C1EC9AFC68CA}-GoogleUpdateSetup.exe => Moved successfully.
C:\ProgramData\TEMP => ":56E2E879" ADS removed successfully.
C:\ProgramData\TEMP => ":76650B61" ADS removed successfully.
 
==== End of Fixlog ====
 
MALWAREBYTES LOG
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Data scansione: 08/06/2014
Ora scansione: 22:08:01
File di log: 
Amministratore: Si
 
Versione: 2.00.2.1012
Database malware: v2014.06.08.07
Database rootkit: v2014.06.02.01
Licenza: Free
Protezione da malware: Disattivata
Protezione da siti web nocivi: Disattivata
Self-protection: Disattivata
 
SO: Windows 7 Service Pack 1
CPU: x64
File system: NTFS
Utente: Auron
 
Tipo di scansione: Scansione elementi nocivi
Risultati: Completata
Elementi analizzati: 273510
Tempo impiegato: 3 min, 48 sec
 
Memoria: Attivata
Esecuzioni automatiche: Attivata
File system: Attivata
Archivi compressi: Attivata
Rootkit: Attivata
Heuristics: Attivata
PUP: Avviso
PUM: Attivata
 
Processi: 0
(No malicious items detected)
 
Moduli: 1
Trojan.Miner, C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libcurl-4.dll, Elimina al riavvio, [07ab79fae7944ee8731ce343b94957a9], 
 
Chiavi di registro: 0
(No malicious items detected)
 
Valori di registro: 0
(No malicious items detected)
 
Dati di registro: 0
(No malicious items detected)
 
Cartelle: 0
(No malicious items detected)
 
File: 1
Trojan.Miner, C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libcurl-4.dll, Elimina al riavvio, [07ab79fae7944ee8731ce343b94957a9], 
 
Settori fisici: 0
(No malicious items detected)
 
 
(end)
 
ADW CLEANER LOG
 
# AdwCleaner v3.212 - Rapporto creato 08/06/2014 in 23:04:19
# Aggiornato 05/06/2014 di Xplode
# Sistema operativo : Windows 7 Ultimate Service Pack 1 (64 bits)
# Nome utente : Auron - FADETOSHADOW
# In esecuzione da : C:\Users\Auron\Downloads\AdwCleaner.exe
# Opzione : Pulisci
 
***** [ Servizi ] *****
 
 
***** [ File / Cartelle ] *****
 
File Eliminato : C:\Users\Auron\AppData\Roaming\Mozilla\Firefox\Profiles\x2wa7owp.default\searchplugins\speedbit.xml
 
***** [ Collegamenti ] *****
 
 
***** [ Registro ] *****
 
 
***** [ Browser ] *****
 
-\\ Internet Explorer v11.0.9600.17041
 
Impostazioni Ripristinato : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]
 
-\\ Mozilla Firefox v23.0.1 (it)
 
[ File : C:\Users\Auron\AppData\Roaming\Mozilla\Firefox\Profiles\x2wa7owp.default\prefs.js ]
 
 
-\\ Google Chrome v35.0.1916.114
 
[ File : C:\Users\Auron\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2339 octets] - [08/06/2014 12:39:21]
AdwCleaner[R1].txt - [1277 octets] - [08/06/2014 23:03:24]
AdwCleaner[s0].txt - [2351 octets] - [08/06/2014 12:42:14]
AdwCleaner[s1].txt - [1162 octets] - [08/06/2014 23:04:19]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [1222 octets] ##########
 
JRT LOG
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Ultimate x64
Ran by Auron on 08/06/2014 at 23:06:50,41
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 08/06/2014 at 23:10:09,74
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
After these steps, I still get the svchost.exe error (it stops working) a few seconds after the desktop loads.

I did another scan with MalwareBytes after the system restart, but it still found the same 4 malware detections in these directories:

 

C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\svchost[1].exe

C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2SFO49C\libcurl-4[1].dll

C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libcurl-4.dll

C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\svchost.exe

 

 

 


Run the following:

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
Read and accept the EULA (End User License Agreement).
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Post back the report which should be located on your desktop.

 

Kevin


ROGUEKILLER LOG

 

RogueKiller V9.0.2.0 [Jun  3 2014] by Adlice Software

 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Auron [Admin rights]
Mode : Scan -- Date : 06/08/2014  23:49:14
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 8 ¤¤¤
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3068055036-2407879928-2449727651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> Trovato
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3068055036-2407879928-2449727651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> Trovato
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3068055036-2407879928-2449727651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> Trovato
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3068055036-2407879928-2449727651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> Trovato
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trovato
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Trovato
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trovato
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Trovato
 
¤¤¤ Le attività pianificate : 1 ¤¤¤
[suspicious.Path] \\Microsoft System Certificates -- C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\updater.exe -> Trovato
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 ¤¤¤
 
¤¤¤ I browser Web : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 Series +++++
--- User ---
[MBR] ba5346095d4947ec6e50af3d62cb5ff9
[bSP] 77250c8ba95989d5289a7c1f4e999dbc : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 114371 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: ST500DM002-1BD142 +++++
--- User ---
[MBR] 33c45ea6aabf571cd1aee27ceb6dc8b1
[bSP] efb681f376bb0a9a020f2a26d6ac2c3e : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_06082014_120512.log
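Every scanner in this thread keeps pointing at the same place: Windows binary names (svchost.exe, SearchIndexer.exe) and a libcurl bundle sitting under the user's certificate-store folder, plus a scheduled task launching updater.exe from there. The following Python script is an added example, not part of the thread and not code from FRST, Malwarebytes, RogueKiller or ComboFix; it pulls executable paths out of scan-log lines and flags the two patterns a responder would triage first: a system-binary name living outside C:\Windows, and any executable image under AppData\Roaming\Microsoft\SystemCertificates. The sample lines are constructed copies of lines quoted in this thread (with two clean lines as controls), and the rule names and the certificate-store heuristic are this example's own, not any tool's.

```python
"""Triage scan-log lines for the masquerading-binary pattern seen in this thread.

Added example: the rules below are this script's own heuristics, not detection
logic taken from FRST, Malwarebytes, RogueKiller or ComboFix.
"""
import re
from dataclasses import dataclass

# Binaries that only belong under the Windows directory tree. A copy anywhere
# else (AppData, Temp, an IE cache folder) is a process masquerading by name.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "userinit.exe", "explorer.exe", "searchindexer.exe",
}
WINDOWS_ROOT = "c:\\windows\\"

# The per-user certificate store holds certificate blobs, never code, so an
# executable image under it is a hiding place (heuristic chosen for this example).
CERT_STORE_DIR = "\\appdata\\roaming\\microsoft\\systemcertificates\\"

# A drive-letter path ending in an executable image. Directory names may contain
# spaces ("Temporary Internet Files"), so only the separators delimit segments.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\|"<>\r\n]+\\)*[^\\|"<>\r\n]*?\.(?:exe|dll|sys)\b',
    re.IGNORECASE,
)
# IE cache copies carry a "[n]" suffix before the extension: svchost[1].exe.
CACHE_SUFFIX_RE = re.compile(r"\[\d+\](?=\.[A-Za-z0-9]+$)")


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str


def basename(path: str) -> str:
    """Lower-cased file name with any IE cache suffix removed."""
    return CACHE_SUFFIX_RE.sub("", path.rsplit("\\", 1)[-1]).lower()


def classify(path: str) -> list[str]:
    """Return the rule names a single file path trips (empty if clean)."""
    low = path.lower()
    rules = []
    if basename(path) in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_ROOT):
        rules.append("system-binary-name-outside-windows")
    if CERT_STORE_DIR in low:
        rules.append("executable-in-certificate-store")
    return rules


def triage(lines) -> list[Finding]:
    """Extract every executable path from the log lines and classify it."""
    findings: list[Finding] = []
    seen: set[Finding] = set()
    for line in lines:
        for match in PATH_RE.finditer(line):
            path = match.group(0)
            for rule in classify(path):
                finding = Finding(path, rule)
                if finding not in seen:
                    seen.add(finding)
                    findings.append(finding)
    return findings


def suspicious_directories(findings) -> set[str]:
    """Directories to quarantine as a unit: the whole dropper folder, not one file."""
    return {f.path.rsplit("\\", 1)[0].lower() for f in findings}


# Constructed sample: lines modelled on the FRST, Malwarebytes, RogueKiller and
# forum-post lines quoted in this thread, plus two clean lines as controls.
SAMPLE_LOG = [
    r"C:\Windows\System32\svchost.exe => MD5 is legit",
    r"C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\jusched.exe => Moved successfully.",
    r"Trojan.Miner, C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libcurl-4.dll, Elimina al riavvio, [07ab79fae7944ee8731ce343b94957a9], ",
    r"[suspicious.Path] \\Microsoft System Certificates -- C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\updater.exe -> Trovato",
    r"C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\svchost[1].exe",
    r"C:\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\svchost.exe",
    r"C:\Users\Auron\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(f"{finding.rule:36} {finding.path}")
    print("quarantine as a unit:", sorted(suspicious_directories(results)))
```

On the sample the script reports six findings: the three cert-store files, the IE cache copy of svchost.exe, and the Updater\svchost.exe that trips both rules; the two control lines (the genuine System32\svchost.exe and a Temp installer) are silent. The "starts with c:\windows\" test is deliberately coarse, so a copy dropped under C:\Windows\Temp would pass it; tighten WINDOWS_ROOT to System32 and SysWOW64 if that matters in your environment. The point of suspicious_directories is the one this thread illustrates: removing a single flagged file leaves the dropper folder and its scheduled task in place, and the miner comes back on reboot.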

Read the following link before we continue and run Combofix:

 

ComboFix usage, Questions, Help? - Look here

 

Next,

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

http://www.infospyware.net/antimalware/combofix/

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
     
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
     
  • Close any open browsers and any other programs you might have running
     
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
     
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
     
  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed ComboFix will then offer to scan for malware. Select continue or yes.
     
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

 

*EXTRA NOTES*


    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

 

Post the log in next reply please...

 

Kevin


Here's the Log of ComboFix

 

ComboFix 14-06-04.01 - Auron 09/06/2014   0:02.1.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.39.1040.18.8131.6093 [GMT 2:00]
Eseguito da: c:\users\Auron\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((   Other deleting   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\Common Files\GW2SurferIcon.ico
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\jusched.exe
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libcurl-4.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libcurl.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libeay32.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libidn-11.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\librtmp.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libssh2.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libusb-1.0.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libwinpthread-1.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\pthreadGC2.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\SearchIndexer.exe
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\ssl.exe
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\ssleay32.dll
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\svchost.exe
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\updater.exe
c:\users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\zlib1.dll
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Created files from 2014-05-08 to 2014-06-08  )))))))))))))))))))))))))))))))))))
.
.
2014-06-08 22:04 . 2014-06-08 22:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-06-08 10:11 . 2014-06-08 10:11 -------- d-----w- c:\program files (x86)\ERUNT
2014-06-08 10:02 . 2014-06-08 21:20 -------- d-----w- c:\users\Auron\AppData\Local\CrashDumps
2014-06-08 10:02 . 2014-06-08 10:02 -------- d-----w- c:\programdata\RogueKiller
2014-06-08 10:01 . 2014-06-08 10:01 32512 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2014-06-08 09:56 . 2014-06-08 10:00 -------- d-----w- c:\programdata\HitmanPro
2014-06-08 09:44 . 2014-06-08 09:48 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-06-07 12:46 . 2014-06-07 16:59 -------- d-----w- c:\users\Auron\AppData\Local\Spotify
2014-06-07 12:46 . 2014-06-08 22:00 -------- d-----w- c:\users\Auron\AppData\Roaming\Spotify
2014-06-06 17:20 . 2014-05-02 10:48 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{784D5A4B-891A-42C7-8C1C-DC2193160573}\gapaengine.dll
2014-06-06 17:20 . 2014-04-30 23:20 10702536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-06-04 22:26 . 2014-06-04 22:26 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2014-06-04 21:26 . 2014-06-08 16:06 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2014-06-04 21:25 . 2014-06-04 22:30 -------- d-----w- c:\users\Auron\AppData\Local\Adobe
2014-05-30 17:33 . 2014-05-30 17:34 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-05-30 17:33 . 2014-05-30 17:34 -------- d-----w- c:\program files\iTunes
2014-05-30 17:33 . 2014-05-30 17:33 -------- d-----w- c:\program files\iPod
2014-05-25 20:30 . 2014-06-02 12:45 -------- d-----w- c:\users\Auron\AppData\Roaming\.minecraft
2014-05-24 16:41 . 2014-05-24 16:41 -------- d-----w- c:\users\Auron\AppData\Local\Electronic Arts
2014-05-24 16:26 . 2014-05-24 16:27 -------- d-----w- c:\users\Auron\AppData\Local\WiFi Guard
2014-05-24 15:36 . 2010-03-25 09:05 46776 ----a-w- c:\windows\system32\drivers\NANMp50.sys
2014-05-24 15:36 . 2010-03-25 09:05 45752 ----a-w- c:\windows\system32\drivers\NANSp50.sys
2014-05-23 20:43 . 2014-05-23 20:43 -------- d-----w- c:\program files (x86)\Common Files\Skype
2014-05-14 21:54 . 2014-05-06 04:40 23544320 ----a-w- c:\windows\system32\mshtml.dll
2014-05-14 21:54 . 2014-05-06 04:17 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-14 21:54 . 2014-05-06 03:07 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-05-14 21:54 . 2014-05-06 03:00 84992 ----a-w- c:\windows\system32\mshtmled.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-08 21:18 . 2014-04-12 14:41 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-06-08 09:44 . 2014-04-12 14:41 92888 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-14 21:53 . 2013-08-24 01:30 93223848 ----a-w- c:\windows\system32\MRT.exe
2014-05-12 05:26 . 2014-04-12 14:41 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-12 05:25 . 2013-08-24 00:55 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-05-02 10:48 . 2013-09-05 21:24 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-04-18 02:43 . 2014-04-18 02:43 78432 ----a-w- c:\windows\system32\atimpc64.dll
2014-04-18 02:43 . 2014-04-18 02:43 78432 ----a-w- c:\windows\system32\amdpcom64.dll
2014-04-18 02:43 . 2014-04-18 02:43 71704 ----a-w- c:\windows\SysWow64\atimpc32.dll
2014-04-18 02:43 . 2014-04-18 02:43 71704 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2014-04-18 02:43 . 2013-03-29 02:37 143304 ----a-w- c:\windows\system32\atiuxp64.dll
2014-04-18 02:42 . 2014-04-18 02:42 126336 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2014-04-18 02:42 . 2014-04-18 02:42 117584 ----a-w- c:\windows\system32\atiu9p64.dll
2014-04-18 02:42 . 2013-03-29 02:37 99520 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2014-04-18 02:42 . 2013-03-29 02:37 1343272 ----a-w- c:\windows\system32\aticfx64.dll
2014-04-18 02:42 . 2013-03-29 02:37 1117184 ----a-w- c:\windows\SysWow64\aticfx32.dll
2014-04-18 02:42 . 2013-03-29 02:36 10335208 ----a-w- c:\windows\system32\atidxx64.dll
2014-04-18 02:42 . 2014-04-18 02:42 8866928 ----a-w- c:\windows\SysWow64\atidxx32.dll
2014-04-18 02:42 . 2013-03-29 02:36 6796592 ----a-w- c:\windows\SysWow64\atiumdva.dll
2014-04-18 02:42 . 2013-03-29 02:36 6799688 ----a-w- c:\windows\SysWow64\atiumdag.dll
2014-04-18 02:42 . 2014-04-18 02:42 7520200 ----a-w- c:\windows\system32\atiumd6a.dll
2014-04-18 02:42 . 2014-04-18 02:42 8010968 ----a-w- c:\windows\system32\atiumd64.dll
2014-04-18 02:39 . 2014-04-18 02:39 274656 ----a-w- c:\windows\system32\drivers\amdacpksd.sys
2014-04-18 02:36 . 2014-04-18 02:36 15376384 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2014-04-18 02:23 . 2014-04-18 02:23 231424 ----a-w- c:\windows\system32\clinfo.exe
2014-04-18 02:22 . 2014-04-18 02:22 98816 ----a-w- c:\windows\system32\OpenVideo64.dll
2014-04-18 02:22 . 2014-04-18 02:22 83456 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2014-04-18 02:22 . 2014-04-18 02:22 86528 ----a-w- c:\windows\system32\OVDecode64.dll
2014-04-18 02:22 . 2014-04-18 02:22 73216 ----a-w- c:\windows\SysWow64\OVDecode.dll
2014-04-18 02:22 . 2014-04-18 02:22 28685824 ----a-w- c:\windows\system32\amdocl64.dll
2014-04-18 02:19 . 2014-04-18 02:19 24107520 ----a-w- c:\windows\SysWow64\amdocl.dll
2014-04-18 02:17 . 2014-04-18 02:17 65024 ----a-w- c:\windows\system32\OpenCL.dll
2014-04-18 02:17 . 2014-04-18 02:17 58880 ----a-w- c:\windows\SysWow64\OpenCL.dll
2014-04-18 02:13 . 2014-04-18 02:13 127488 ----a-w- c:\windows\system32\mantle64.dll
2014-04-18 02:13 . 2014-04-18 02:13 113664 ----a-w- c:\windows\SysWow64\mantle32.dll
2014-04-18 02:12 . 2014-04-18 02:12 27907584 ----a-w- c:\windows\system32\atio6axx.dll
2014-04-18 02:12 . 2014-04-18 02:12 5442048 ----a-w- c:\windows\system32\amdmantle64.dll
2014-04-18 01:58 . 2014-04-18 01:58 4358656 ----a-w- c:\windows\SysWow64\amdmantle32.dll
2014-04-18 01:51 . 2014-04-18 01:51 23409152 ----a-w- c:\windows\SysWow64\atioglxx.dll
2014-04-18 01:46 . 2014-04-18 01:46 368128 ----a-w- c:\windows\system32\atiapfxx.exe
2014-04-18 01:46 . 2014-04-18 01:46 62464 ----a-w- c:\windows\system32\aticalrt64.dll
2014-04-18 01:46 . 2014-04-18 01:46 52224 ----a-w- c:\windows\SysWow64\aticalrt.dll
2014-04-18 01:46 . 2014-04-18 01:46 55808 ----a-w- c:\windows\system32\aticalcl64.dll
2014-04-18 01:46 . 2014-04-18 01:46 49152 ----a-w- c:\windows\SysWow64\aticalcl.dll
2014-04-18 01:46 . 2014-04-18 01:46 15716352 ----a-w- c:\windows\system32\aticaldd64.dll
2014-04-18 01:45 . 2014-04-18 01:45 91136 ----a-w- c:\windows\system32\mantleaxl64.dll
2014-04-18 01:45 . 2014-04-18 01:45 85504 ----a-w- c:\windows\SysWow64\mantleaxl32.dll
2014-04-18 01:42 . 2014-04-18 01:42 14302208 ----a-w- c:\windows\SysWow64\aticaldd.dll
2014-04-18 01:33 . 2014-04-18 01:33 48128 ----a-w- c:\windows\system32\amdmmcl6.dll
2014-04-18 01:33 . 2014-04-18 01:33 37888 ----a-w- c:\windows\SysWow64\amdmmcl.dll
2014-04-18 01:30 . 2014-04-18 01:30 442368 ----a-w- c:\windows\system32\atidemgy.dll
2014-04-18 01:30 . 2014-04-18 01:30 31232 ----a-w- c:\windows\system32\atimuixx.dll
2014-04-18 01:29 . 2014-04-18 01:29 586240 ----a-w- c:\windows\system32\atieclxx.exe
2014-04-18 01:29 . 2014-04-18 01:29 239616 ----a-w- c:\windows\system32\atiesrxx.exe
2014-04-18 01:28 . 2014-04-18 01:28 190976 ----a-w- c:\windows\system32\atitmm64.dll
2014-04-18 01:21 . 2014-04-18 01:21 806912 ----a-w- c:\windows\system32\coinst_14.100.dll
2014-04-18 01:09 . 2014-04-18 01:09 1177600 ----a-w- c:\windows\system32\atiadlxx.dll
2014-04-18 01:09 . 2014-04-18 01:09 848896 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2014-04-18 01:07 . 2014-04-18 01:07 75264 ----a-w- c:\windows\system32\atig6pxx.dll
2014-04-18 01:07 . 2014-04-18 01:07 69632 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2014-04-18 01:07 . 2014-04-18 01:07 69632 ----a-w- c:\windows\system32\atiglpxx.dll
2014-04-18 01:07 . 2014-04-18 01:07 146944 ----a-w- c:\windows\system32\atig6txx.dll
2014-04-18 01:07 . 2014-04-18 01:07 133632 ----a-w- c:\windows\SysWow64\atigktxx.dll
2014-04-18 01:07 . 2014-04-18 01:07 638976 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2014-04-18 01:04 . 2014-04-18 01:04 43520 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2014-04-17 20:33 . 2014-04-17 20:33 51200 ----a-w- c:\windows\system32\kdbsdk64.dll
2014-04-17 20:28 . 2014-04-17 20:28 38912 ----a-w- c:\windows\SysWow64\kdbsdk32.dll
2014-04-14 18:13 . 2013-08-24 01:06 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-03-11 07:52 . 2013-06-18 19:50 133928 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-08-27 11:32 . 2013-08-28 23:32 44 ---h--w- c:\program files (x86)\ca324b40.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Points loaded   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty valors & legit/default aren't displayed. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\users\Auron\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-06-07 1176632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-11-29 284440]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-27 291608]
"D-Link D-Link DWA-125"="c:\program files (x86)\D-Link\DWA-125 revA\AirNCFG.exe" [2011-06-10 1074496]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-12 43848]
"Archos Sepang ModemListener"="e:\programmi\HSPA USB MODEM\BackgroundService\ModemListener.exe" [2011-06-20 102400]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"iTunesHelper"="e:\programmi\iTunes\iTunesHelper.exe" [2014-05-26 152392]
.
c:\users\Auron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 Archos Sepang Modem Device Helper;Archos Sepang Modem Device Helper;e:\programmi\HSPA USB MODEM\BackgroundService\ServiceManager.exe;e:\programmi\HSPA USB MODEM\BackgroundService\ServiceManager.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 jrdusbser;Modem Interface Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\jrdusbser.sys;c:\windows\SYSNATIVE\DRIVERS\jrdusbser.sys [x]
R3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NANMp50.sys;c:\windows\SYSNATIVE\Drivers\NANMp50.sys [x]
R3 NANSp50;NANSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NANSp50.sys;c:\windows\SYSNATIVE\Drivers\NANSp50.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys;c:\program files (x86)\MSI Afterburner\RTCore64.sys [x]
R3 SBUpdd;SpeedBit UpdateD;c:\program files\Common Files\SpeedBit\SBUpdate\sbw.sys;c:\program files\Common Files\SpeedBit\SBUpdate\sbw.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 SBUpd;SpeedBit Update;c:\program files\Common Files\SpeedBit\SBUpdate\sbu.exe;c:\program files\Common Files\SpeedBit\SBUpdate\sbu.exe [x]
R4 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R4 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R4 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S0 iusb3hcs;Driver dello switch Controller Host Intel® USB 3.0;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\DRIVERS\anodlwfx.sys;c:\windows\SYSNATIVE\DRIVERS\anodlwfx.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files (x86)\D-Link\DWA-125 revA\ANIWConnService.exe;c:\program files (x86)\D-Link\DWA-125 revA\ANIWConnService.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe;c:\windows\SYSNATIVE\viakaraokesrv.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 iusb3hub;Driver hub Intel® USB 3.0;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Driver Controller Host estendibile Intel® USB 3.0;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys;c:\windows\SYSNATIVE\drivers\viahduaa.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-05-21 17:31 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe
.
Directory's content 'Scheduled Tasks'
.
2014-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-08-24 00:39]
.
2014-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-08-24 00:39]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
.
------- Scan supplementare -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &Download with &DAP - c:\program files (x86)\DAP\dapextie.htm
IE: &Verify with DAP - c:\program files (x86)\DAP\dapverify.htm
IE: Download &all with DAP - c:\program files (x86)\DAP\dapextie2.htm
TCP: DhcpNameServer = 192.168.1.254 62.101.93.101 83.103.25.250
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - 
FF - ProfilePath - c:\users\Auron\AppData\Roaming\Mozilla\Firefox\Profiles\x2wa7owp.default\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
BHO-{D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} - c:\program files (x86)\DAP\LinkVerifier.dll
Wow6432Node-HKCU-Run-DownloadAccelerator - c:\program files (x86)\DAP\DAP.EXE
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
AddRemove-Download Accelerator Plus (DAP) - c:\progra~2\DAP\DAPREMOVE.EXE
AddRemove-ESN Sonar-0.70.4 - c:\program files (x86)\Battlelog Web Plugins\Sonar\esnsonar_uninstall.exe
AddRemove-PunkBusterSvc - e:\program files (x86)\Origin Games\Battlefield 4 Beta\pbsvc.exe
.
.
.
--------------------- REGISTRY KEYS BLOCKED ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
End of scan: 2014-06-09  00:05:46
ComboFix-quarantined-files.txt  2014-06-08 22:05
.
Pre-Run: 60.323.680.256 byte disponibili
Post-Run: 60.130.721.792 byte disponibili
.
- - End Of File - - E836606D30C4353586CE697E59678FE4
 
 
 
After the scan, I didn't remove the items; it's the first time I've used this utility and I think it did the work, am I right?

Yes, Combofix has removed all found malicious entries. We need an online AV scan to make sure we got all entries....

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts, either accept the alert or turn the security off while Security Check runs)

Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, Re-boot your PC then try again...

 

Let me see those two logs in next reply, also give an update on any remaining issues or concerns...

 

Kevin...


ESET LOG

 

C:\FRST\Quarantine\C\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\jusched.exe.xBAD a variant of Win32/BitCoinMiner.BS potentially unsafe application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbci32.dll probably a variant of Win32/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbci64.dll a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbei64.dll a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbfi32.dll probably a variant of Win32/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbfi64.dll a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbi32.exe a variant of Win32/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbi64.exe a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Program Files\Common Files\SpeedBit\SBUpdate\sbu.exe a variant of MSIL/SBWatchman.A potentially unwanted application
C:\Qoobox\Quarantine\C\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\jusched.exe.vir a variant of Win32/BitCoinMiner.BS potentially unsafe application
C:\Qoobox\Quarantine\C\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\SearchIndexer.exe.vir multiple threats
C:\Qoobox\Quarantine\C\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\ssl.exe.vir Win32/Autoit.NPY trojan
C:\Qoobox\Quarantine\C\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\svchost.exe.vir a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Qoobox\Quarantine\C\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\updater.exe.vir Win32/TrojanDownloader.Autoit.NLZ trojan
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\jusched[1].exe a variant of Win32/BitCoinMiner.BS potentially unsafe application
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\svchost[1].exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ELDYM8B\SearchIndexer[1].exe multiple threats
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2SFO49C\ssl[1].exe Win32/Autoit.NPY trojan
C:\Users\Auron\Downloads\ccsetup404.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
E:\Download\CrystalDiskInfo5_6_2-en.exe Win32/OpenCandy potentially unsafe application
E:\Download\disk-defrag-setup.exe Win32/InstallMonetizer.AQ potentially unwanted application
 
SECURITY CHECK
 
 Results of screen317's Security Check version 0.99.83  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
Microsoft Security Essentials   
  (On Access scanning disabled!) 
 Error obtaining update status for antivirus!  
`````````Anti-malware/Other Utilities Check:````````` 
 Spybot - Search & Destroy 
 Java 7 Update 55  
 Mozilla Firefox 23.0.1 Firefox out of Date!  
 Google Chrome 34.0.1847.137  
 Google Chrome 35.0.1916.114  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log`````````````````````` 
 
I did this scan with Microsoft Security Essentials disabled. Anyway, after the ESET scan, I found 21 infected files. This malware doesn't want to leave me alone.
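The ESET log above shows the miner's components dropped under %AppData%\Microsoft\SystemCertificates\My\Updater\ under the names of Windows and vendor binaries (svchost.exe, SearchIndexer.exe, jusched.exe). As an added example that is not part of this thread or of any tool it uses, the following PowerShell check flags running processes that carry such a name but execute from outside the directory where that binary belongs, and lists any executables sitting under the certificate-store folder; the name lists and the Java install roots are my assumptions.

```powershell
# Added example, not from the thread or from any of the tools it uses.
# Assumptions: the name lists below and the Java install roots are my choices;
# run from an elevated PowerShell so system processes expose their image path.
$ErrorActionPreference = 'SilentlyContinue'

# Image names that legitimately run only from under %SystemRoot%.
$systemNames = @('svchost.exe', 'searchindexer.exe', 'csrss.exe', 'lsass.exe',
                 'winlogon.exe', 'services.exe', 'explorer.exe')

# Vendor binaries whose real install root is known; jusched.exe is Java's update scheduler.
$vendorRoots = @{
    'jusched.exe' = @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ })
}

# True when $Path sits under one of $Roots (case-insensitive, on a directory boundary).
function Test-UnderRoot([string]$Path, [string[]]$Roots) {
    foreach ($r in $Roots) {
        $prefix = $r.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Emits one object per running process whose image name belongs to a known
# binary but whose image path is outside that binary's expected directory.
function Find-MasqueradingProcesses {
    foreach ($p in Get-Process) {
        $path = $p.Path          # $null when access is denied (non-elevated) or for pseudo-processes
        if (-not $path) { continue }
        $name = [IO.Path]::GetFileName($path).ToLowerInvariant()

        $reason = $null
        if (($systemNames -contains $name) -and -not (Test-UnderRoot $path @($env:SystemRoot))) {
            $reason = 'Windows binary name running outside %SystemRoot%'
        }
        elseif ($vendorRoots.ContainsKey($name) -and -not (Test-UnderRoot $path $vendorRoots[$name])) {
            $reason = 'vendor binary name running outside its install root'
        }
        if (-not $reason) { continue }

        # Signature status is a hint, not proof: catalog-signed Windows files can
        # report NotSigned on older PowerShell, but an unsigned svchost.exe in a
        # profile directory has no legitimate explanation.
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Pid       = $p.Id
            Name      = $name
            Path      = $path
            Signature = $sig.Status
            Reason    = $reason
        }
    }
}

# The dropper directory seen in this thread: SystemCertificates holds certificate
# stores, so any .exe or .dll beneath it is out of place.
function Find-ExecutablesInCertStore {
    $dir = Join-Path $env:APPDATA 'Microsoft\SystemCertificates'
    Get-ChildItem -Path $dir -Recurse -Include '*.exe', '*.dll' |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

Find-MasqueradingProcesses | Format-Table -AutoSize
Find-ExecutablesInCertStore | Format-Table -AutoSize
```

An empty result from both functions is the expected state on a clean machine; anything listed deserves the same quarantine-and-rescan treatment the thread applies.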

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure you start with and include the colon before Files (:Files).

    :Files
    C:\Program Files\Common Files\SpeedBit
    C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\jusched[1].exe
    C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\svchost[1].exe
    C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ELDYM8B\SearchIndexer[1].exe
    C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2SFO49C\ssl[1].exe
    C:\Users\Auron\Downloads\ccsetup404.exe
    E:\Download\CrystalDiskInfo5_6_2-en.exe
    E:\Download\disk-defrag-setup.exe
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Next,

 

Open Malwarebytes 2.0, run a Threat Scan

 


On the Dashboard, click the 'Update Now >>' link
After the update completes, click the 'Scan Now >>' button.
Or, on the Dashboard, click the Scan Now >> button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 

Post log:

 


After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

 

Post those logs, let me know if any remaining issues or concerns...

 

Kevin


Good evening and thank you for the reply.

 

OTM LOG

 
All processes killed
========== FILES ==========
C:\Program Files\Common Files\SpeedBit\SBUpdate folder moved successfully.
C:\Program Files\Common Files\SpeedBit folder moved successfully.
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\jusched[1].exe moved successfully.
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\svchost[1].exe moved successfully.
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ELDYM8B\SearchIndexer[1].exe moved successfully.
C:\Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2SFO49C\ssl[1].exe moved successfully.
C:\Users\Auron\Downloads\ccsetup404.exe moved successfully.
E:\Download\CrystalDiskInfo5_6_2-en.exe moved successfully.
E:\Download\disk-defrag-setup.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Auron
->Temp folder emptied: 2727 bytes
->Temporary Internet Files folder emptied: 81060539 bytes
->Java cache emptied: 121842 bytes
->FireFox cache emptied: 900661 bytes
->Google Chrome cache emptied: 392362107 bytes
->Flash cache emptied: 592 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5324 bytes
Session Manager Temp folder emptied: 5670 bytes
Session Manager Tmp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33298 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33298 bytes
RecycleBin emptied: 10315 bytes
 
Total Files Cleaned = 453,00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 06092014_194427
 
Files moved on Reboot...
C:\Users\Auron\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
 
Registry entries deleted on Reboot...
 
 
MALWAREBYTES LOG
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Data scansione: 09/06/2014
Ora scansione: 19:47:44
File di log: 
Amministratore: Si
 
Versione: 2.00.2.1012
Database malware: v2014.06.09.05
Database rootkit: v2014.06.02.01
Licenza: Free
Protezione da malware: Disattivata
Protezione da siti web nocivi: Disattivata
Self-protection: Disattivata
 
SO: Windows 7 Service Pack 1
CPU: x64
File system: NTFS
Utente: Auron
 
Tipo di scansione: Scansione personalizzata
Risultati: Completata
Elementi analizzati: 421489
Tempo impiegato: 41 min, 41 sec
 
Memoria: Attivata
Esecuzioni automatiche: Attivata
File system: Attivata
Archivi compressi: Attivata
Rootkit: Attivata
Heuristics: Attivata
PUP: Attivata
PUM: Attivata
 
Processi: 0
(No malicious items detected)
 
Moduli: 0
(No malicious items detected)
 
Chiavi di registro: 0
(No malicious items detected)
 
Valori di registro: 0
(No malicious items detected)
 
Dati di registro: 0
(No malicious items detected)
 
Cartelle: 0
(No malicious items detected)
 
File: 3
Trojan.Miner, C:\Qoobox\Quarantine\C\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\libcurl-4.dll.vir, Spostato in quarantena, [efc30e65057647efa884ef38d52de21e], 
Trojan.BitCoinMiner, C:\Qoobox\Quarantine\C\Users\Auron\AppData\Roaming\Microsoft\SystemCertificates\My\Updater\svchost.exe.vir, Spostato in quarantena, [446e4d26fb8074c22cd24ebce61b43bd], 
Trojan.BitCoinMiner, C:\_OTM\MovedFiles\06092014_194427\C_Users\Auron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FP8BPMG\svchost[1].exe, Spostato in quarantena, [bef4581bc0bb92a430cebf4b25dc4bb5], 
 
Settori fisici: 0
(No malicious items detected)
 
 
(end)
 
 
It seems it discovered the quarantined infected files of the previous utility, am I right? So the problem should be solved. What should I do now? I bet another scan with Malwarebytes. Anyway, at the moment the svchost.exe hasn't come up again. I'm waiting for instructions on how to proceed now :)

I did another full system scan but no malware was detected, very helpful! Thank you very much for all your help. A question: do you think that Trojan has somehow damaged some application or service? For instance, svchost.exe, jusched.exe and so on. I mean, now that all the malware has been removed, should I do some other stuff? And another thing: my antivirus is Microsoft Security Essentials; do you know a good free one, in terms of speed and efficiency? Send me a PM if it's a problem here in the forum.


Run the following to clean up, remove tools etc....

 

Download and run this:

http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE

 

That will remove Combofix and associate folders...

 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry backup with ERUNT; the backup will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that backup folder if you consider it not needed...

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

My own security set up is :-

 

Windows own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free, MB does also have a free version, however I prefer the pro version as it provides auto updates and realtime protection.

 

As an extra layer I also use WinPatrol; the free version is adequate for general home use. Available here: http://www.winpatrol.com/download.html

 

For my browser I use Firefox with these addons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery. When Firefox is open select these keys together :- Ctrl - Shift - A; that will access the Add-ons manager, which gives access to find addons, use, start, stop or disable those features etc....

Before using NoScript read from this link http://noscript.net/ makes it easy to understand....

 

Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings

 

Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx

 

Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100

 

Understanding WinPatrol - http://www.winpatrol.com/features.html

 

I also use the Professional version of Sandboxie; I believe there is also a free version available. Visit this link http://www.sandboxie.com/ for access to d/l, also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!

 

I have also just started using CryptoGuard by Hitman Pro, once installed it will protect all Browsers against crypto ransomware infections, is also free. Go to following link for instructions, it will work with the set up I describe above..

 

http://www.surfright.nl/en/alert/cryptoguard

 

If no remaining issues or concerns are we ok to close out...

 

Kevin....


  • 2 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

