Inactive Win 7 - White Screen, Cursor, No Task Manager, No Safe Mode

Status
Not open for further replies.
Hi Tech Spot

I have just been handed my brother's HP laptop, which has the symptoms described in the title (starting in Safe Mode results in an instant reboot; Ctrl-Alt-Del allows Task Manager to launch, but it's hidden behind the white window of doom). The normal desktop is briefly visible when shutting down the machine. This looks like the ZeroAccess rootkit, but I'd appreciate some experienced advice on removing it.

I have managed to get into a command prompt and run Farbar64. Here are the results:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-09-2013
Ran by John (administrator) on LANDY-HP on 13-09-2013 12:12:03
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (minimal)

==================== Could not list processes ===============

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2281256 2010-09-13] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6489704 2010-09-22] (Realtek Semiconductor)
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [BullGuard] - C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2148664 2011-08-23] (BullGuard Ltd.)
HKLM\...\InprocServer32: [Default-wbemess] \\.\globalroot\systemroot\Installer\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\n. ATTENTION! ====> ZeroAccess?
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKCU\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2736128 2010-08-16] (Hewlett-Packard Company)
HKCU\...\Run: [Google Update] - C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-08-23] (Google Inc.)
HKCU\...\Run: [Update] - C:\Users\John\AppData\Roaming\glom0_og.exe
HKCU\...\Run: [Mozilla] - C:\Users\John\AppData\Roaming\uwfavjvt\bcceubjs.exe [71168 2009-07-14] (The OpenSSL Project, http://www.openssl.org/)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Winlogon: [Shell] explorer.exe,C:\Users\John\AppData\Roaming\data.dat [94208 2011-11-17] () <==== ATTENTION
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] C:\Users\John\AppData\Local\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\n. ATTENTION! ====> ZeroAccess?
HKCU\...\Policies\system: [DisableLockWorkstation] 0
HKCU\...\Policies\system: [DisableChangePassword] 0
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-09-30] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [976832 2010-06-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35760 2010-06-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Easybits Recovery] - C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [61112 2010-08-30] (EasyBits Software AS)
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
ShortcutTarget: ctfmon.lnk -> C:\ProgramData\lsass.exe (No File)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/CQNOT/2
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/CQNOT/2
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/CQNOT/2
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/CQNOT/2
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/CQNOT/2
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/CQNOT/2
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/710-111095-2958-0/4?satitle={searchTerms}&mfe=Notebooks
SearchScopes: HKLM-x32 - DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/710-111095-2958-0/4?satitle={searchTerms}&mfe=Notebooks
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0497FFEC-3472-47E6-ACDB-4CD1C50C6CFA} URL = http://websearch.ask.com/redirect?c...pn_sauid=6DDB0B56-FB23-4166-B031-17B817543D76
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO: BGAntiphishingBHO Class - {FC872B94-35E3-4B94-B028-184A2A1C7CCE} - C:\Program Files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIEBHO.dll (BullGuard Ltd.)
BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
BHO-x32: BGAntiphishingBHO Class - {FC872B94-35E3-4B94-B028-184A2A1C7CCE} - C:\Program Files\BullGuard Ltd\BullGuard\Files32\Antiphishing\IE\BGAntiphishingIEBHO.dll (BullGuard Ltd.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
DPF: HKLM-x32 {298BFFEE-662D-11D5-ADAF-00E0810232D7} http://lanes.simulcast.manheim.co.uk/simulcast5/LiveSound.dll
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E39EB9E7-BF7C-45FE-903F-5AF938F56181} http://www.exam2score.com/AzpCtl.CAB
ShellExecuteHooks-x32: EasyBits ShellExecute Hook - {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWow64\EZUPBH~1.DLL [52920 2010-10-19] (EasyBits Software Corp.)
Winsock: Catalog9 01 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 02 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 03 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 04 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 05 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 06 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 07 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 08 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 09 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 10 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9 21 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 01 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 02 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 03 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 04 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 05 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 06 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 07 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 08 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 09 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 10 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Winsock: Catalog9-x64 21 C:\Windows\system32\BGLsp.dll [174400] (BullGuard Ltd.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR DefaultSearchURL: (Ask) - http://websearch.ask.com/redirect?c...817543D76&apn_dtid=OSJ000YYUK&q={searchTerms}
CHR DefaultSuggestURL: (Ask) - http://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\John\AppData\Local\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\John\AppData\Local\Google\Chrome\Application\29.0.1547.66\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\John\AppData\Local\Google\Chrome\Application\29.0.1547.66\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.260.3) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java(TM) Platform SE 6 U26) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Bing Bar) - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Users\John\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0
CHR Extension: (Gmail) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM-x32\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Users\John\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx
CHR StartMenuInternet: Google Chrome - C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

S3 BgRaSvc; C:\Program Files\BullGuard Ltd\BullGuard\Support\BgRaSvc.exe [157576 2011-08-23] (BullGuard Ltd.)
S2 BsBrowser; C:\Program Files\BullGuard Ltd\BullGuard\BsBrowser.dll [73096 2011-08-23] (BullGuard Ltd.)
S2 BsFileScan; C:\Program Files\BullGuard Ltd\BullGuard\BsFileScan.dll [354648 2011-08-23] (BullGuard Ltd.)
S2 BsFire; C:\Program Files\BullGuard Ltd\BullGuard\BsFire.dll [529240 2011-08-23] (BullGuard Ltd.)
S2 BsMailProxy; C:\Program Files\BullGuard Ltd\BullGuard\BsMailProxy\BsMailProxy.dll [233864 2011-08-23] (BullGuard Ltd.)
R2 BsMain; C:\Program Files\BullGuard Ltd\BullGuard\BsMain.dll [244864 2011-08-23] (BullGuard Ltd.)
S3 BsScanner; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe [341896 2011-08-23] (BullGuard Ltd.)
S2 BsUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [426328 2011-08-23] (BullGuard Ltd.)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

S1 AFW; C:\Windows\System32\DRIVERS\afw.sys [31768 2010-07-08] (Agnitum Ltd.)
S3 afwcore; C:\Windows\System32\DRIVERS\afwcore.sys [413208 2010-07-08] (Agnitum Ltd.)
S1 BdSpy; C:\Windows\System32\DRIVERS\BdSpy.sys [63712 2011-08-23] (BullGuard Ltd.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-13 12:11 - 2013-09-13 12:11 - 00000000 ____D C:\FRST
2013-09-12 17:39 - 2013-09-12 17:39 - 00003416 ____N C:\bootsqm.dat
2013-09-12 17:38 - 2013-09-12 17:38 - 00000000 __SHD C:\found.000
2013-09-12 15:25 - 2013-09-12 17:28 - 00012292 _____ C:\.DS_Store
2013-09-12 15:25 - 2013-09-12 15:25 - 00000000 ____D C:\.Trashes
2013-09-12 15:25 - 2013-09-12 15:25 - 00000000 ____D C:\.fseventsd
2013-09-07 17:42 - 2013-09-12 19:50 - 00000004 _____ C:\Users\John\AppData\Roaming\settings.ini
2013-08-23 08:15 - 2013-08-23 08:15 - 00001904 _____ C:\Users\John\Downloads\MyDesktopStBedes.RDP
2013-08-15 19:54 - 2013-08-15 19:55 - 00000000 ____D C:\Users\John\AppData\Local\{4A081748-5E93-41AA-9C90-6DA5A2A7603E}

==================== One Month Modified Files and Folders =======

2013-09-13 12:11 - 2013-09-13 12:11 - 00000000 ____D C:\FRST
2013-09-13 04:42 - 2013-03-08 17:48 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-09-13 04:42 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache
2013-09-13 04:42 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\registration
2013-09-13 04:42 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\AppCompat
2013-09-13 04:35 - 2010-10-19 14:42 - 00000000 ____D C:\ProgramData\Recovery
2013-09-12 19:50 - 2013-09-07 17:42 - 00000004 _____ C:\Users\John\AppData\Roaming\settings.ini
2013-09-12 19:50 - 2013-07-13 18:01 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-12 19:50 - 2011-08-23 20:35 - 00000000 ____D C:\ProgramData\BullGuard
2013-09-12 19:49 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-12 19:49 - 2009-07-14 05:51 - 00105883 _____ C:\Windows\setupact.log
2013-09-12 19:47 - 2011-08-23 20:38 - 00255628 _____ C:\Windows\system32\config\afw_db.conf
2013-09-12 19:47 - 2011-08-23 20:38 - 00001632 _____ C:\Windows\system32\config\afw_hm.conf
2013-09-12 19:47 - 2011-06-23 09:41 - 02056189 _____ C:\Windows\WindowsUpdate.log
2013-09-12 19:47 - 2009-07-14 05:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-12 19:47 - 2009-07-14 05:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-12 19:44 - 2011-08-23 19:30 - 00000000 ____D C:\Users\John
2013-09-12 17:42 - 2011-10-31 09:48 - 00000000 ____D C:\Users\John\AppData\Local\CrashDumps
2013-09-12 17:39 - 2013-09-12 17:39 - 00003416 ____N C:\bootsqm.dat
2013-09-12 17:38 - 2013-09-12 17:38 - 00000000 __SHD C:\found.000
2013-09-12 17:28 - 2013-09-12 15:25 - 00012292 _____ C:\.DS_Store
2013-09-12 15:25 - 2013-09-12 15:25 - 00000000 ____D C:\.Trashes
2013-09-12 15:25 - 2013-09-12 15:25 - 00000000 ____D C:\.fseventsd
2013-09-09 02:33 - 2011-06-23 10:25 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-09-07 18:20 - 2013-07-13 18:01 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-07 18:18 - 2013-03-08 17:48 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-07 17:53 - 2011-08-23 20:46 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3188238764-2307040380-1222809871-1000UA.job
2013-09-07 17:41 - 2011-08-23 20:46 - 00000000 ____D C:\Users\John\AppData\Local\Google
2013-09-07 10:53 - 2011-08-23 20:46 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3188238764-2307040380-1222809871-1000Core.job
2013-08-27 18:52 - 2011-10-13 22:00 - 00000000 ____D C:\Users\John\AppData\Roaming\SoftGrid Client
2013-08-26 18:59 - 2012-11-23 21:14 - 00003180 _____ C:\Windows\System32\Tasks\HPCeeScheduleForJohn
2013-08-26 18:59 - 2011-10-26 19:12 - 00000328 _____ C:\Windows\Tasks\HPCeeScheduleForJohn.job
2013-08-24 15:38 - 2013-03-08 17:48 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-24 15:38 - 2013-03-08 17:48 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-24 15:38 - 2013-03-08 17:48 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-24 15:38 - 2011-08-26 15:34 - 00000000 ____D C:\Users\John\AppData\Local\Adobe
2013-08-23 08:15 - 2013-08-23 08:15 - 00001904 _____ C:\Users\John\Downloads\MyDesktopStBedes.RDP
2013-08-21 18:35 - 2013-06-13 08:18 - 17737608 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-08-20 20:02 - 2011-08-23 19:31 - 00000000 ____D C:\Users\John\AppData\Local\VirtualStore
2013-08-20 19:06 - 2012-11-15 23:59 - 00743424 ___SH C:\Users\John\Downloads\Thumbs.db
2013-08-18 19:18 - 2011-08-30 10:10 - 00000000 ____D C:\Users\John\Desktop\Lisa baby lamby chops
2013-08-16 16:38 - 2011-08-23 20:31 - 00000342 _____ C:\Windows\Tasks\HPCeeScheduleForLANDY-HP$.job
2013-08-16 16:37 - 2011-08-23 20:31 - 00003218 _____ C:\Windows\System32\Tasks\HPCeeScheduleForLANDY-HP$
2013-08-15 19:55 - 2013-08-15 19:54 - 00000000 ____D C:\Users\John\AppData\Local\{4A081748-5E93-41AA-9C90-6DA5A2A7603E}

ZeroAccess:
C:\Windows\Installer\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}
C:\Windows\Installer\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\@

ZeroAccess:
C:\Users\John\AppData\Local\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}
C:\Users\John\AppData\Local\{6df6d855-b8c5-a8ac-b497-7724617ee9a7}\@

Files to move or delete:
====================
ZeroAccess:
C:\Users\John\AppData\Local\Google\Desktop\Install
C:\ProgramData\dsgsdgdsgdsgw.pad
C:\Users\John\AppData\Local\Temp\loyrwm1m.dll
C:\Users\John\AppData\Local\Temp\msimg32.dll
C:\Users\John\AppData\Local\Temp\Resource.exe
C:\Users\John\AppData\Local\Temp\setup.exe
C:\Users\John\AppData\Local\Temp\SP51650.exe
C:\Users\John\AppData\Local\Temp\SP51976.exe
C:\Users\John\AppData\Local\Temp\SP52131.exe
C:\Users\John\AppData\Local\Temp\sp54373.exe
C:\Users\John\AppData\Local\Temp\sp54620.exe
C:\Users\John\AppData\Local\Temp\sp58915.exe
C:\Users\John\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\John\AppData\Local\Temp\UninstallHPTCA.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-09-06 11:09

==================== End Of Log ============================