Possible Zeroaccess Infection


I don't believe that this entry is related to ZeroAccess, as there are no other signs of it in any of your logfiles.
Before I take invasive actions, please run this one:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:
    start
    Folder: C:\Windows\system64
    end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.




Farbar was run and results follow...


Also, you asked about strange behavior.  One thing we have noticed is the computer takes a long time to shut down.  Even if there are no applications open, it says "waiting for background programs to close" before finally shutting down.  None of my other Windows 7 computers (at work, etc.) take this long to shut down when nothing is open.  They just turn off.  I'm not sure if this means anything, but I thought I would share it.






P.S. sorry about the file upload -- I can't get the website to post my text reply with the logfile...




Hello and I'm sorry for the delay, I had to consult this thing with some colleagues.

Did you run this FixZeroAccess thing?

Scan with OTL

Please download OTL by OldTimer and save the file to your desktop.

  • Right-click on the OTL icon and select Run as Administrator to start the tool.
  • Make sure that Scan All Users, LOP check and Purity check are ticked.
  • For 64-bit systems only - make sure that Include 64-bit option is also ticked.
  • Sections Processes, Modules, Services, Drivers, Standard Registry are set to Use Safelist.
  • Section Extra Registry is also set to Use Safelist.
  • Under the Custom Scans/Fixes bar in the box paste in the following:
  • Push Run Scan and wait patiently.
  • Two notepad windows will be opened after this run: OTL.txt (maximized) and Extras.txt (minimized).

Please include the content of both logfiles in your next reply.




I don't believe the Zeroaccess tool generated any reports.  I have searched my system but can't find anything.  As I recall, it did not indicate that it had found a ZA infection when it was run.  I was also continuing to have poor system behavior and Malwarebytes was reporting blocking malicious websites, so that's when I contacted you.




Hi :)

Your logs are clean, aside from this one strange entry about junctions. Let's try to rework it:

Fix with ComboFix

Let's prepare a Script for ComboFix to mark some things for being deleted.

  • Press the Windows key + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script:
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
  • Name the file CFScript and select Save.

Your CFScript.txt file should appear on your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Now drag your CFScript file and drop it onto the ComboFix icon:
  • This will start ComboFix. Let it run uninterrupted!
  • A reboot may be needed during this run. Allow it.
  • When finished, it shall produce a log for you at C:\ComboFix.txt and display it.

Please include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Do not forget to turn on your previously switched-off protection software!


Hi Naat:


Good to hear the logs are clean -- we're making progress.  I ran Combofix and the log is below.  The machine seems to be running well.  There are only two things that seem a bit out of the ordinary.  First, it still takes a minute or so to "close background programs" on shutdown.  This is longer than my other Windows 7 machines.  I also seem to be prompted to update Java nearly every time I start the machine.  Much more often than my other machines.  This may be normal behavior, but I thought I should share it just the same.


Other than that it runs nicely and boots up pretty quickly too...




ComboFix 14-10-15.01 - Hillside3 10/27/2014  18:37:45.2.8 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4078.1939 [GMT -7:00]
Running from: c:\users\Hillside3\Desktop\ComboFix.exe
Command switches used :: c:\users\Hillside3\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
FW: Norton 360 *Disabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
SP: Norton 360 *Disabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
(((((((((((((((((((((((((   Files Created from 2014-09-28 to 2014-10-28  )))))))))))))))))))))))))))))))
2014-10-28 01:49 . 2014-10-28 01:49 -------- d-----w- c:\users\Sounds\AppData\Local\temp
2014-10-28 01:49 . 2014-10-28 01:49 -------- d-----w- c:\users\Pat&Car\AppData\Local\temp
2014-10-28 01:49 . 2014-10-28 01:49 -------- d-----w- c:\users\Pat&Ca\AppData\Local\temp
2014-10-28 01:49 . 2014-10-28 01:49 -------- d-----w- c:\users\Owner\AppData\Local\temp
2014-10-28 01:49 . 2014-10-28 01:49 -------- d-----w- c:\users\Help\AppData\Local\temp
2014-10-28 01:49 . 2014-10-28 01:49 -------- d-----w- c:\users\Geoffrey\AppData\Local\temp
2014-10-22 01:23 . 2014-10-22 01:23 37624 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-10-22 01:22 . 2014-10-22 01:23 -------- d-----w- c:\programdata\RogueKiller
2014-10-19 21:55 . 2014-10-19 21:29 24064 ----a-w- c:\windows\zoek-delete.exe
2014-10-19 21:55 . 2014-10-28 01:49 -------- d-----w- c:\users\Hillside3\AppData\Local\Temp
2014-10-19 21:09 . 2014-10-19 21:52 -------- d-----w- C:\zoek_backup
2014-10-19 20:38 . 2014-10-19 20:38 -------- d-----w- c:\windows\ERUNT
2014-10-18 22:38 . 2014-10-18 22:38 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2014-10-18 22:05 . 2014-10-22 13:26 -------- d-----w- C:\FRST
2014-10-18 16:56 . 2014-10-18 16:57 -------- d-----w- C:\NPE
2014-10-15 02:33 . 2014-09-18 02:00 3241472 ----a-w- c:\windows\system32\msi.dll
2014-10-02 21:36 . 2014-10-14 19:35 -------- d-----w- c:\windows\system32\drivers\N360x64\1506000.020
2014-10-01 15:14 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-10-01 15:14 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2014-10-28 01:28 . 2014-05-24 16:18 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-15 10:01 . 2011-10-22 19:50 103265616 ----a-w- c:\windows\system32\MRT.exe
2014-10-01 18:11 . 2014-05-24 16:18 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-01 18:11 . 2014-05-24 16:18 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-01 18:11 . 2013-08-31 23:26 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-24 00:44 . 2012-04-08 00:03 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-24 00:44 . 2011-10-05 21:23 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-09 22:11 . 2014-09-23 20:13 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-23 20:13 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-09-05 03:18 . 2010-06-24 16:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-23 02:07 . 2014-08-28 12:27 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-28 12:27 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-08-01 11:53 . 2014-09-10 20:16 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-08-01 11:35 . 2014-09-10 20:16 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
---- Directory of c:\windows\System64 ----
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
"Adobe Acrobat Synchronizer"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2014-09-04 1104288]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2014-08-07 688984]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-13 283160]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-05 336384]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2014-09-04 41360]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2014-09-04 840592]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-07-03 43816]
"UpdatePDRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"DiscWizardMonitor.exe"="c:\program files (x86)\Seagate\DiscWizard\DiscWizardMonitor.exe" [2011-06-30 2638152]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-07-08 152392]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2014-08-07 688984]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
ImageMixer 3 SE Camera Monitor Ver.5.lnk - c:\program files (x86)\PIXELA\ImageMixer 3 SE Ver.5\Transfer Utility\CameraMonitor.exe [2011-10-30 253952]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 HPx9G+;HPx9G+ Device USB Driver;c:\windows\system32\DRIVERS\HPx9G2k.sys;c:\windows\SYSNATIVE\DRIVERS\HPx9G2k.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]
R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys;c:\windows\SYSNATIVE\DRIVERS\netvsc60.sys [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys;c:\windows\SYSNATIVE\DRIVERS\VMBusVideoM.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\1506000.020\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\1506000.020\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\SYMEFA64.SYS [x]
S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys;c:\windows\SYSNATIVE\DRIVERS\vididr.sys [x]
S0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\DRIVERS\vsflt53.sys;c:\windows\SYSNATIVE\DRIVERS\vsflt53.sys [x]
S1 BHDrvx64;BHDrvx64;c:\program files (x86)\Norton 360\NortonData\\Definitions\BASHDefs\20141016.001\BHDrvx64.sys;c:\program files (x86)\Norton 360\NortonData\\Definitions\BASHDefs\20141016.001\BHDrvx64.sys [x]
S1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\N360x64\1506000.020\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\program files (x86)\Norton 360\NortonData\\Definitions\IPSDefs\20141024.001\IDSvia64.sys;c:\program files (x86)\Norton 360\NortonData\\Definitions\IPSDefs\20141024.001\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\1506000.020\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\1506000.020\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\N360x64\1506000.020\SYMNETS.SYS [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\\N360.exe;c:\program files (x86)\Norton 360\Engine\\N360.exe [x]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files (x86)\Common Files\Seagate\Schedule2\schedul2.exe;c:\program files (x86)\Common Files\Seagate\Schedule2\schedul2.exe [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 tplh64;Gigabit PCI Express Network Adapter Driver;c:\windows\system32\DRIVERS\tplh64.sys;c:\windows\SYSNATIVE\DRIVERS\tplh64.sys [x]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBAMSWISSARMY
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-19 17:52 1089352 ----a-w- c:\program files (x86)\Google\Chrome\Application\38.0.2125.104\Installer\chrmstp.exe
Contents of the 'Scheduled Tasks' folder
2014-10-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 00:44]
2014-10-28 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-1263235551-3185265231-852751295-1000.job
- c:\users\Hillside3\AppData\Local\Citrix\GoToMeeting\1848\g2mupdate.exe [2014-10-21 21:09]
2014-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-20 17:46]
2014-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-20 17:46]
2014-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1263235551-3185265231-852751295-1003Core.job
- c:\users\Emily\AppData\Local\Google\Update\GoogleUpdate.exe [2013-08-15 19:06]
2014-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1263235551-3185265231-852751295-1003UA.job
- c:\users\Emily\AppData\Local\Google\Update\GoogleUpdate.exe [2013-08-15 19:06]
--------- X64 Entries -----------
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2011-03-08 227328]
"Seagate Scheduler2 Service"="c:\program files (x86)\Common Files\Seagate\Schedule2\schedhlp.exe" [2011-06-30 395152]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2013-03-21 472992]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
------- Supplementary Scan -------
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer =
TCP: Interfaces\{2BD44437-9BAF-4D2F-83A8-A56A8B141EA4}: NameServer =,
FF - ProfilePath - c:\users\Hillside3\AppData\Roaming\Mozilla\Firefox\Profiles\fabf13mb.default\
FF - ExtSQL: !HIDDEN! 2011-10-10 20:32; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
AddRemove-{b43ffffb-1adc-4bcb-b277-7844ebff94da} - c:\programdata\Package Cache\{b43ffffb-1adc-4bcb-b277-7844ebff94da}\GarminExpressInstaller.exe
AddRemove-{ce085a78-074e-4823-8dc1-8a721b94b76d} - c:\programdata\Package Cache\{ce085a78-074e-4823-8dc1-8a721b94b76d}\vcredist_x86.exe
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\\N360.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\\diMaster.dll\" /prefetch:1"
"TrustedImagePaths"="c:\program files (x86)\Norton 360\Engine\;c:\program files (x86)\Norton 360\Engine64\"
--------------------- LOCKED REGISTRY KEYS ---------------------
@Denied: (A 2) (Everyone)
@Denied: (A 2) (Everyone)
@Denied: (A 2) (Everyone)
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
@Denied: (A 2) (Everyone)
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
@Denied: (Full) (Everyone)
Completion time: 2014-10-27  18:53:27
ComboFix-quarantined-files.txt  2014-10-28 01:53
ComboFix2.txt  2014-10-19 04:06
Pre-Run: 1,750,234,271,744 bytes free
Post-Run: 1,750,123,356,160 bytes free
- - End Of File - - 7A399E58720551F2AFE42D2FFECF7897


Hi :)

First it still takes a minute or so to "close background programs" on shutdown.

My machine at work has got the same. I don't know where it comes from, I suspect hardware.

I also seem to be prompted to update Java nearly every time I start the machine. Much more often than my other machines. This may be normal behavior, but I thought I should share it just the same.

Same here :)

Create a System Restore Point

Creating and maintaining System Restore Points is a backup plan in case something goes wrong. Better to be safe than sorry.

  • Press the Start orb, right-click on Computer and select Properties.
  • Select System Protection.
  • Confirm if prompted and/or enter the Administrator password if necessary.
  • At the bottom click Create.
  • Enter the name, like Fresh Restore Point and click Create
  • You will be prompted when finished.

You may now close the System Properties window.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:
    start
    DeleteJunctionsIndirectory: C:\Windows\system64
    RemoveDirectory: C:\Windows\system64
    end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.

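The fix above targets a reparse point (a directory junction) at C:\Windows\system64, a directory that no stock Windows install carries under %SystemRoot%. The following PowerShell is an added example for readers of this thread, not code from the thread, from FRST or from ComboFix: it lists every directory reparse point directly under %SystemRoot% and additionally flags directory names that mimic System32 (the `^system\d+$` pattern is an assumption chosen for illustration). It assumes PowerShell 5.1 or later for the LinkType and Target properties; on older PowerShell those two columns simply come back empty.

```powershell
# Added example (not from the thread, FRST or ComboFix): review %SystemRoot% for
# directory reparse points and System32 look-alike names such as "system64".
# Assumes PowerShell 5.1+ (LinkType/Target); the regex below is an illustrative assumption.
function Find-SuspiciousSystemRootDirs {
    param(
        [string]$Root = $env:SystemRoot
    )

    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # A junction or symbolic link carries the ReparsePoint attribute.
            $isReparse = [bool]($_.Attributes -band [System.IO.FileAttributes]::ReparsePoint)

            # Names like "system64" that imitate System32 but are not System32 itself.
            # -match is case-insensitive in PowerShell; -ine is case-insensitive "not equal".
            $lookalike = ($_.Name -match '^system\d+$') -and ($_.Name -ine 'System32')

            if ($isReparse -or $lookalike) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Reparse   = $isReparse
                    LinkType  = $_.LinkType              # 'Junction' / 'SymbolicLink' / empty
                    Target    = ($_.Target -join ';')    # where the reparse point resolves to
                    Lookalike = $lookalike
                }
            }
        }
}

# Usage: print the findings as a table, then emit a warning per hit so the run is
# easy to spot in a transcript. An empty result means nothing matched.
$findings = @(Find-SuspiciousSystemRootDirs)
if ($findings.Count -eq 0) {
    Write-Host "No reparse points or System32 look-alike directories found under $env:SystemRoot."
} else {
    $findings | Format-Table -AutoSize
    foreach ($f in $findings) {
        Write-Warning ("Review {0} (reparse point: {1}; target: {2}; look-alike name: {3})" -f `
            $f.Path, $f.Reparse, $f.Target, $f.Lookalike)
    }
}
```

The script only reports; it deletes nothing. That matches the order of operations in this thread, where the junction was inspected in scan logs first and removed by a separate, deliberate FRST fix, and it keeps the Target column available so a reviewer can see where a junction resolves before deciding what to do with it.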



Thanks for your response on Java and on the slow shutdown -- sounds like this is normal.  Farbar was run and the fixlog follows....




Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-10-2014 01
Ran by Hillside3 at 2014-10-28 17:42:53 Run:2
Running from C:\Users\Hillside3\Desktop
Loaded Profile: Hillside3 (Available profiles: Hillside3 & Emily & Geoffrey & Administrator)
Boot Mode: Normal

Content of fixlist:
DeleteJunctionsIndirectory: C:\Windows\system64
RemoveDirectory: C:\Windows\system64

"C:\Windows\system64" => Deleting reparse point and unlocking started.
"C:\Windows\system64" => Deleting reparse point and unlocking done.
"C:\Windows\system64" => Deleting reparse point and unlocking completed.
"C:\Windows\system64" => Removed successfully.

==== End of Fixlog ====


I am glad to hear that. Now let's do some last scans and if all will be well, I will send you on your merry way :)

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select Update.
  • Once updated, click the Settings tab, in the left panel choose Detections & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.

To perform the scan:

  • Make sure that Enable detection of potentially unwanted applications is checked.
  • In the Advanced Settings dropdown menu:
    • Make sure that Remove found threats is unchecked.
    • Scan archives is checked.
    • Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
    • Use custom proxy settings is unchecked.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.
Don't forget to re-enable previously switched-off protection software!

Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

  • Right-click on the Security Check icon and select Run as Administrator to start the tool.
  • Follow onscreen instructions inside the black box. This scan won't take long.
  • Soon a notepad document called checkup.txt will open automatically.

Please include the content of that document.




All three scans are complete and the log files are below.  Let me know if there is anything else to be done and thank you very much for all of your help!




Malwarebytes Anti-Malware

Scan Date: 10/29/2014
Scan Time: 6:41:34 PM
Logfile: MBlog.txt
Administrator: Yes

Malware Database: v2014.10.30.02
Rootkit Database: v2014.10.22.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Hillside3

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 716667
Time Elapsed: 33 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)



ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=62e1085d1d96c1468db5bf139e67245d
# engine=20843
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-10-30 05:20:20
# local_time=2014-10-29 10:20:20 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Norton 360'
# compatibility_mode=3598 16777213 100 100 944780 165222516 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 40186213 166189870 0 0
# scanned=507644
# found=2
# cleaned=2
# scan_time=9962
sh=19C3924DBC1CE13677A7DAE8354C04AC946A84F1 ft=1 fh=8514238789025651 vn="a variant of Win32/Toolbar.DefaultTab.C potentially unwanted application (deleted - quarantined)" ac=C fn="C:\zoek_backup\C_Windows_sysWoW64_config_systemprofile_AppData_Local_Google_Chrome_User Data_Default_Extensions_kdidombaedgpfiiedeimiebkmbilgmlc\1.1.25_0\plugins\npDefaultTabSearch.dll"
sh=CBE641F16C8F27109261B5A89A0E66D1767082F2 ft=1 fh=4167ae04532e2c00 vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="D:\Hillside_Net_Shared\Software\FLStudio 10.0.8\flstudio_10.0.8_online.exe"


Results of screen317's Security Check version 0.99.89 
Windows 7 Service Pack 1 x64 (UAC is enabled) 
Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled! 
Norton 360   
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 71 
Java version out of Date!
Adobe Flash Player 
Mozilla Firefox 32.0.3 Firefox out of Date! 
Google Chrome 38.0.2125.104 
Google Chrome 38.0.2125.111 
````````Process Check: objlist.exe by Laurent```````` 
Malwarebytes Anti-Malware mbamservice.exe 
Malwarebytes Anti-Malware mbam.exe 
Malwarebytes Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


Yup, we need to update you :)

Update outdated software

Staying always updated is crucial, not only for your operating system, but also for any third-party installed software.

Your logs clearly indicate that some of your software needs updating.

Updating Java manually

  • Click the Start button
  • Click Control Panel
  • Double click Java - Looks like a coffee cup. You may have to switch to Classic View to see it.
  • Click the Update tab
  • Click Update Now
  • Allow any updates to be downloaded and installed.
  • If prompted (during the installation) to also install the ASK toolbar, leave this unchecked - Ask does not have a good reputation.
  • From Control Panel also please remove any older versions of Java - do not leave them installed!

Updating Mozilla Firefox manually

  • Please open Firefox.
  • Click the menu icon.
  • Click Help and select About Firefox.
  • Firefox will search for any updates and start downloading them automatically.
  • When the updates are ready you will be prompted to restart Firefox. Please do it.

Please remember to keep your software always updated. It's crucial, as bugs are still being discovered and patched by the vendors.

Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

  • Right-click on the DelFix icon and select Run as Administrator to start the tool.
  • Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
  • Push Run.
  • When finished, it will display a notepad report.

Include it for my review.

Please also manually reboot your machine after posting your logfile.

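One way to verify the "remove any older versions of Java" step from the post above, as an added example that is not part of the thread: a PowerShell inventory of the Java entries under the standard Windows Uninstall registry keys, flagging every entry older than the newest installed version. It assumes Windows 7 or later with PowerShell 2.0+; the registry paths and the DisplayName pattern are assumptions based on how Oracle's installers register themselves.

```powershell
# Added example, not from the thread: list every installed Java runtime/JDK
# from the standard Uninstall registry keys and flag older versions that
# should be removed. Assumes Windows 7+ with PowerShell 2.0 or later; no admin
# rights are needed because HKLM\...\Uninstall is readable by every user.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Match "Java 7 Update 71", "Java 8 Update 25 (64-bit)", "Java(TM) 6 Update 45",
# but not "Java Auto Updater" or JavaFX entries.
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java(\(TM\))? \d' } |
    Select-Object DisplayName, DisplayVersion, PSChildName

if (-not $javaEntries) {
    Write-Host 'No Java runtime or JDK found in the Uninstall keys.'
    return
}

# Parse the version string as [version] so "7.0.710" sorts below "8.0.250";
# an unparsable or missing version becomes 0.0 so the entry is still listed.
$parse = { param($s) try { [version]$s } catch { [version]'0.0' } }
$sorted = @($javaEntries | Sort-Object { & $parse $_.DisplayVersion } -Descending)
$newest = & $parse $sorted[0].DisplayVersion

$sorted | Format-Table DisplayName, DisplayVersion, PSChildName -AutoSize

# Anything older than the newest version is a leftover install. 32-bit and
# 64-bit builds of the same version are both legitimate and are not flagged.
$old = @($sorted | Where-Object { (& $parse $_.DisplayVersion) -lt $newest })
if ($old.Count -eq 0) {
    Write-Host ("Only Java {0} is present; nothing older to remove." -f $newest)
} else {
    Write-Warning ("{0} outdated Java entries found; remove them via Control Panel:" -f $old.Count)
    $old | ForEach-Object { Write-Host ("  {0} ({1})" -f $_.DisplayName, $_.DisplayVersion) }
}
```

Run it again after the Control Panel uninstalls; a clean result is a single version (or a 32-bit/64-bit pair of the same version) with no warning.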



Java was updated and Firefox says that it is the latest version (no updates available). The DelFix logfile follows...




# DelFix v10.8 - Logfile created 31/10/2014 at 19:13:08
# Updated 29/07/2014 by Xplode
# Username : Hillside3 - HILLSIDE3-PC
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\zoek_backup
Deleted : C:\AdwCleaner
Deleted : C:\ComboFix.txt
Deleted : C:\rkill.log
Deleted : C:\TDSSKiller.
Deleted : C:\TDSSKiller.
Deleted : C:\TDSSKiller.
Deleted : C:\TDSSKiller.
Deleted : C:\zoek-results.log
Deleted : C:\zoek-results2014-10-19-211422.log
Deleted : C:\Users\Hillside3\Desktop\SecurityCheck.exe
Deleted : C:\Users\Hillside3\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\Hillside3\Downloads\FRST (1).txt
Deleted : C:\Users\Hillside3\Downloads\FRST (2).txt
Deleted : C:\Users\Hillside3\Downloads\FRST.txt
Deleted : C:\Users\Hillside3\Downloads\JRT.exe
Deleted : C:\Users\Hillside3\Downloads\OTL (1).exe
Deleted : C:\Users\Hillside3\Downloads\OTL.exe
Deleted : C:\Users\Hillside3\Downloads\Scan.txt
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

~ Cleaning system restore ...

Deleted : RP #262 [Windows Backup | 10/26/2014 21:29:35]
Deleted : RP #263 [Windows Backup | 10/27/2014 02:00:18]
Deleted : RP #264 [Windows Backup | 10/27/2014 03:23:07]
Deleted : RP #265 [Restore Pt 10-28-14 | 10/29/2014 00:38:32]
Deleted : RP #266 [installed Java 7 Update 71 | 10/29/2014 13:35:38]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########


Any further problems? If not, you are good to go :)

Below you will find my thoughts about securing your machine. Go through it; you will benefit from some useful advice about safe computing.

Recommended reading:

MUST READ - security tips: Keep your computer safe online.

MUST READ - general maintenance: Slow computer/browser? Check here.

Recommended additional software:

TFC - to clean unneeded temporary files.

Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.

Malwarebytes' Anti-Exploit - to protect against many commonly exploited vulnerabilities.

McShield - to prevent infections spread by removable media.

CryptoPrevent - to secure yourself from the very severe CryptoLocker infection.

Unchecky - to prevent the installation of additional foistware bundled with legitimate installers.

My help is always free, but if you are happy with the help provided and wish to help my fight against malware, please consider making a donation.

All donations are to refund a new HDD to replace the old one, which recently passed away!

Now if you have any other questions, feel free to ask me. Otherwise simply acknowledge my recommendations and this topic will be closed.


Stay safe,

Naat :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
