Solved: Multiple csrss processes, COM Surrogate process & fluctuating CPU usage, Superfetch running very high

# AdwCleaner v4.113 - Logfile created 28/03/2015 at 17:34:27
# Updated 22/03/2015 by Xplode
# Database : 2015-03-28.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : DELL-LD531 - DELL-LD531-PC
# Running from : C:\Users\DELL-LD531\Desktop\adwcleaner_4.113.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : YahooAUService

***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\f0778299-13a0-f5d0-8bbd-18f6859963f9
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689


-\\ Mozilla Firefox v36.0.1 (x86 en-US)

[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.AutoSearchEventData", "auto%20search");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.ClearCacheDate", 24);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.DNSCatch", false);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.DisplayEULA", false);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.DnsCatchEventData", "dns%20catch");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.FirstLaunchShown", true);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.LoadLayoutDate.62781", 24);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.NewTabSearchEventData", "tab%20search");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.ShowAfterUpdatePage", true);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.ShowRecommendedOptions", true);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.StateReportDate", "1427228910080");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.TopRightSearchEventData", "top%20right%20search");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.beforeInstallSaved", true);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.beforeinstall.homepage", "chrome%3A//branding/locale/browserconfig.properties");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.beforeinstall.search", "Google");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.comp.affiliate.2810218.disabled", true);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.customNewTab", false);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.helpUsImprove", true);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.hideOthers", false);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.processAddrBar", false);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.restoreSearch", false);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.searchHistory", false);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.showFirstLaunchOptions", false);
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.tb_lang", "en");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.tool_id", "62781");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.user_id", "84740314");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.user_key", "b2669d4d8fa6f4ee7d66f1e018452b052c89ade7");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.user_layouts", "62781");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.user_lnames", "Gamers%20Unite%21%20Snag%20Bar");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.xml_service_url", "64e3a27980eeceb34248bc3e680b4e63");
[xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.yahooSearch", false);

-\\ Google Chrome v41.0.2272.101

[C:\Users\DELL-LD531\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\DELL-LD531\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [12587 bytes] - [22/03/2015 02:58:48]
AdwCleaner[R1].txt - [5167 bytes] - [28/03/2015 17:13:45]
AdwCleaner[S0].txt - [12549 bytes] - [22/03/2015 03:20:37]
AdwCleaner[S1].txt - [5449 bytes] - [28/03/2015 17:34:27]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5508 bytes] ##########
 
And lastly, the JRT log you asked for. Not sure if it found anything or not, but it didn't require a reboot, so I'm leaning toward not.
 
 
And I still continue to have the same issues, but they seem to have gotten worse, as now every time I reboot I start up with 100% processor until I stop the Background Intelligent Transfer Service. I also still have the fake taskhost.exe process that, when you end the process tree, creates a fake COM Surrogate process. I do have the previous logs from Malwarebytes where it did detect and remove things and where the rootkit scan was enabled, even though now in the program it says it is, but in the log it says rootkit disabled. I eagerly await your reply, as I am now pretty well convinced the computer is fubar and a reinstall of Windows will be the only way to fix it. I still have a sliver of hope that I am wrong.
 
Ok, so I went poking around in my processes, mainly the COM Surrogate dllhost.exe, and when I went to open the file location it opened the System32 folder, which is where the legit dllhost.exe is supposed to be. I then proceeded to check the certificate to make sure it is a Microsoft file, which it is, but then I scrolled down in the folder and noticed a file called dllhst3g.exe which claims to be the legit COM Surrogate file. Sorry about the missing RogueKiller log; I'm downloading it now, didn't see that you asked for that one.
 
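As an added example (the editor's own script, not code from this thread or from any tool it mentions), the manual check described in the post above carried out across every running process that carries a Windows system-binary name: where its image actually lives and who signed it. The function name `Test-SystemProcessImage` and the `$WatchNames` list are my own choices; the names in that list are the ones discussed in this thread.

```powershell
# Editor's added triage script. Lists running processes whose names match the
# Windows system binaries discussed in this thread and flags any that do not run
# from %SystemRoot%\System32 or do not carry a valid Microsoft Authenticode
# signature. Assumes PowerShell 3.0 or later on 64-bit Windows 7 or newer, run
# from an elevated 64-bit PowerShell session so image paths are readable.

$WatchNames = @('csrss', 'dllhost', 'dllhst3g', 'taskhost', 'svchost', 'winlogon')
$System32   = Join-Path $env:SystemRoot 'System32'

function Test-SystemProcessImage {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)

    $info = [ordered]@{
        Name       = $Process.ProcessName
        PID        = $Process.Id
        Path       = $null
        InSystem32 = $false
        SigStatus  = 'Unknown'
        Signer     = $null
        Verdict    = 'REVIEW'
    }

    # Protected processes such as csrss.exe refuse image-path queries even to an
    # administrator; that alone is not evidence of tampering, so mark for review.
    $path = $null
    try { $path = $Process.MainModule.FileName } catch { $path = $null }
    if (-not $path) {
        $info.Verdict = 'REVIEW (image path not readable)'
        return [pscustomobject]$info
    }
    $info.Path       = $path
    $info.InSystem32 = ((Split-Path $path -Parent).TrimEnd('\') -eq $System32)

    $sig = Get-AuthenticodeSignature -FilePath $path
    $info.SigStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $info.Signer = $sig.SignerCertificate.Subject }
    $msSigned = ($sig.Status -eq 'Valid') -and ($info.Signer -like '*O=Microsoft Corporation*')

    if (-not $info.InSystem32) {
        # Same name as a system binary but loaded from somewhere else: the
        # classic impostor pattern (e.g. a "taskhost.exe" under a user profile).
        $info.Verdict = 'SUSPICIOUS (outside System32)'
    } elseif ($msSigned) {
        $info.Verdict = 'OK'
    } elseif ($sig.Status -eq 'NotSigned') {
        # Windows 7 ships most system binaries catalog-signed rather than with an
        # embedded signature, so older PowerShell reports them as NotSigned.
        # Confirm via the file's Properties > Digital Signatures tab or sigcheck.
        $info.Verdict = 'REVIEW (no embedded signature; check catalog signing)'
    } else {
        $info.Verdict = "SUSPICIOUS (signature $($info.SigStatus))"
    }
    return [pscustomobject]$info
}

# Report, with the questionable entries sorted to the top.
Get-Process |
    Where-Object { $WatchNames -contains $_.ProcessName } |
    ForEach-Object { Test-SystemProcessImage -Process $_ } |
    Sort-Object Verdict -Descending |
    Format-Table Name, PID, Verdict, Path -AutoSize
```

A process that is listed as `REVIEW` is not a finding by itself; it only means the path or signature could not be confirmed from PowerShell and needs a second look with another tool.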
Re-read my rules I posted at the very beginning.
One of them says:
Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
Follow my previous reply.
 
All I did was look at the files. I didn't run any programs or change anything. RogueKiller has been either freezing on the pre-scan at 40%, or it freezes doing the rootkit scan after the pre-scan finishes and I click scan. I renamed it; we will see how that works out.
 
RogueKiller keeps locking up on the anti-rootkit scan. I've tried renaming it like you said, and both winlogon.exe and winlogon.com do the same as the original name did.
 
Create new restore point before proceeding with the next step....
How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"
NOTE. If you see the "This version requires you to completely exit the Anti Malware application" message, right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.
 
Well... for some reason it won't let me create a system restore point. It keeps saying "System Restore encountered an error. Please try to run System Restore again (0x81000203)".
 
Nvm, I figured it out. My Microsoft Shadow Copy was disabled; I enabled it and was able to create the restore point.
 
Ok, so fixing the permissions helped but didn't fix my issues completely. I just wanted to wait a day before running any more scans, because it appears whatever is infecting my system keeps putting the same stuff back on the computer at some point after the scans remove it. The only thing MBAR picked up was RogueKiller, but when Malwarebytes ran my automatic scheduled scan it picked up the same stuff it's been picking up, so I am going to post not only the MBAR files but the log from Malwarebytes that just detected 24 PUPs on my system. I hope this helps.
 
Malwarebytes Anti-Rootkit BETA 1.09.1.1004
www.malwarebytes.org

Database version:
main: v2015.04.01.10
rootkit: v2015.03.31.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17691
DELL-LD531 :: DELL-LD531-PC [administrator]

4/1/2015 3:47:46 PM
mbar-log-2015-04-01 (15-47-46).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 364861
Time elapsed: 1 hour(s), 8 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\DELL-LD531\Desktop\winlogon.com (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [57174c1b8a00b482ff306795e223de22]

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.1.1004

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17691

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 0.798000 GHz
Memory total: 2011512832, free: 1299771392

Downloaded database version: v2015.04.01.10
Downloaded database version: v2015.03.31.01
Downloaded database version: v2015.03.09.01
=======================================
Initializing...
------------ Kernel report ------------
04/01/2015 15:46:05
------------ Loaded modules -----------
----------- End -----------
Done!

Scan started
Database versions:
main: v2015.04.01.10
rootkit: v2015.03.31.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8002649060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8002649b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8002649060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80024cb520, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa80024cd060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 86308630

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 156092416

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 80026361856 bytes
Sector size: 512 bytes

Done!
Infected: C:\Users\DELL-LD531\Desktop\winlogon.com --> [Heuristics.Reserved.Word.Exploit]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-I.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-I.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/2/2015
Scan Time: 2:07:45 AM
Logfile: mwbscan.txt
Administrator: Yes

Version: 2.01.4.1018
Malware Database: v2015.04.02.02
Rootkit Database: v2015.03.31.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: DELL-LD531

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 363976
Time Elapsed: 1 hr, 25 min, 53 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781, , [f2d877f08cfe79bd182f077ba55eff01],

Files: 22
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\059d0773476e585aaab0cb05f2d35011, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\0b12654c5711f7cde49ae8c25f3da38c.0, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\0c82e5b864501f211be07075dc4be877, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\2307328ea5b85f50ab61208ede74b646, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\313c238dc888c75cb26d7ff7a7f4b20d.0, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\38e57055c77d685cb6a4002b23e54fc3, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\3f10c0f0b60ea2b5efa2d3278e712442, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\4d112a27a725b7d2d9e7487c4c114214.0, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\4d3cd39fbcb748f71119851a59ce6447, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\612dc44b76ebf053257ba62b314ae79c, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\7f26d2753138a5ebec0c48f6ece74ecb.0, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\8605190db1a4b0b68eaec697f0ccabca, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\863244884c13f5f32b09296c582fbdd7.0, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\8ac482009c24f4e3c08ceab6ad53837b, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b0d04a379326cc971538f3ecc6e4945d.0, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b4fc19616a211ba1ce6fdeb987d83986, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b70c539aa3601c1da3539ac2f6ef9954, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\ca778d8032bff8589c9ea58165547209, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\cfbf9dd3ed978b23c1976cf9c7fe11bc, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\d46deb45f2b0c6145a71d5ed76b9c1b3, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\ec933e0432b5461997a2523f42e1a674, , [f2d877f08cfe79bd182f077ba55eff01],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\tb.xml, , [f2d877f08cfe79bd182f077ba55eff01],

Physical Sectors: 0
(No malicious items detected)


(end)
 
The weird thing is it's still saying I have the rootkit scan disabled, but I have the setting turned on in the program, so something is still overriding the rootkit scan. Is it possible I could be experiencing a cross-infection from another computer on my home network, meaning one of my other computers is reinfecting my personal computer after I clean it?
 
What kind of rootkit scan are you referring to? Part of your AV program?

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart the computer in Safe Mode.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done, Notepad will open with the rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
The rootkit scan that's part of Malwarebytes Anti-Malware. I have it set to run a scheduled complete system scan once a day, and I have the anti-rootkit scan setting turned on, but in the log it reads anti-rootkit disabled. If I don't run any other scans than the scheduled Malwarebytes scan every day, Malwarebytes picks up the same 24 PUPs every day. In fact, I just came and checked because the scheduled scan just finished, and it has the exact same results as what I posted yesterday. I'll post the log so you can see what I mean, then I'll start the new steps you've given me. Also, just so you know, I haven't been using the computer for anything since starting this process: no games, no web browsing, nothing but trying to get rid of this infection, so as to not inhibit this process in any way.
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/3/2015
Scan Time: 2:07:04 AM
Logfile: mwb scan 2.txt
Administrator: Yes

Version: 2.01.4.1018
Malware Database: v2015.04.03.03
Rootkit Database: v2015.03.31.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: DELL-LD531

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 359481
Time Elapsed: 1 hr, 16 min, 13 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781, , [e54a01675b2fdf572fa8e59e758e3cc4],

Files: 22
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\059d0773476e585aaab0cb05f2d35011, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\0b12654c5711f7cde49ae8c25f3da38c.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\0c82e5b864501f211be07075dc4be877, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\2307328ea5b85f50ab61208ede74b646, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\313c238dc888c75cb26d7ff7a7f4b20d.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\38e57055c77d685cb6a4002b23e54fc3, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\3f10c0f0b60ea2b5efa2d3278e712442, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\4d112a27a725b7d2d9e7487c4c114214.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\4d3cd39fbcb748f71119851a59ce6447, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\5d5ae10d9dbf6c32b9e724ee97183bb1.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\612dc44b76ebf053257ba62b314ae79c, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\7f26d2753138a5ebec0c48f6ece74ecb.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\8605190db1a4b0b68eaec697f0ccabca, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\863244884c13f5f32b09296c582fbdd7.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\8ac482009c24f4e3c08ceab6ad53837b, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b0d04a379326cc971538f3ecc6e4945d.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b4fc19616a211ba1ce6fdeb987d83986, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\ca778d8032bff8589c9ea58165547209, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\cfbf9dd3ed978b23c1976cf9c7fe11bc, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\d46deb45f2b0c6145a71d5ed76b9c1b3, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\ec933e0432b5461997a2523f42e1a674, , [e54a01675b2fdf572fa8e59e758e3cc4],
PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\tb.xml, , [e54a01675b2fdf572fa8e59e758e3cc4],

Physical Sectors: 0
(No malicious items detected)


(end)
 
Let's see if the same MBAM issue will happen when we're done with cleaning.
For now go ahead with Combofix.
 
ComboFix 15-04-01.01 - DELL-LD531 04/04/2015 15:10:37.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1918.1257 [GMT -5:00]
Running from: c:\users\DELL-LD531\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2015-03-04 to 2015-04-04 )))))))))))))))))))))))))))))))
.
.
2015-04-04 20:41 . 2015-04-04 20:41 -------- d-----w- c:\users\hedev\AppData\Local\temp
2015-04-04 20:41 . 2015-04-04 20:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-04-01 20:46 . 2015-04-02 10:45 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2015-03-30 11:24 . 2015-03-30 11:14 111016 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2015-03-30 11:24 . 2015-03-30 11:13 207272 ----a-w- c:\windows\system32\javaw.exe
2015-03-30 11:24 . 2015-03-30 11:13 206760 ----a-w- c:\windows\system32\java.exe
2015-03-30 11:24 . 2013-10-18 07:41 916456 ----a-w- c:\windows\system32\deployJava1.dll
2015-03-30 11:24 . 2013-10-18 07:41 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2015-03-30 11:20 . 2015-03-30 11:20 -------- d-----w- c:\program files (x86)\Common Files\Java
2015-03-29 02:11 . 2015-03-30 05:13 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-03-29 02:11 . 2015-03-29 04:34 -------- d-----w- c:\programdata\RogueKiller
2015-03-28 10:28 . 2015-03-28 10:28 -------- d-----w- C:\TDSSKiller_Quarantine
2015-03-26 20:16 . 2015-03-30 11:07 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2015-03-26 20:14 . 2015-03-30 11:05 -------- d-----w- c:\program files (x86)\Java
2015-03-26 09:12 . 2015-03-28 10:25 -------- d-----w- C:\FRST
2015-03-26 08:56 . 2015-04-02 10:45 -------- d-----w- c:\programdata\AVAST Software
2015-03-22 14:49 . 2015-01-31 03:48 3179520 ----a-w- c:\windows\system32\rdpcorets.dll
2015-03-22 14:49 . 2015-01-30 23:56 243200 ----a-w- c:\windows\system32\rdpudd.dll
2015-03-22 14:49 . 2015-01-31 03:48 16384 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2015-03-22 14:49 . 2015-02-03 03:31 215552 ----a-w- c:\windows\system32\ubpm.dll
2015-03-22 14:49 . 2015-02-03 03:12 171520 ----a-w- c:\windows\SysWow64\ubpm.dll
2015-03-22 09:14 . 2015-04-04 17:05 136408 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-03-22 09:13 . 2015-04-01 20:45 107736 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-03-22 09:13 . 2015-03-17 11:15 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-03-22 09:13 . 2015-03-17 11:15 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-03-22 09:13 . 2015-03-22 09:13 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2015-03-22 09:13 . 2015-03-22 09:13 -------- d-----w- c:\programdata\Malwarebytes
2015-03-22 09:00 . 2015-03-28 19:13 -------- d-----w- c:\programdata\Malwarebytes Anti-Exploit
2015-03-22 08:59 . 2015-03-22 09:00 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Exploit
2015-03-22 07:58 . 2015-03-28 22:34 -------- d-----w- C:\AdwCleaner
2015-03-14 02:59 . 2015-02-03 03:12 3209728 ----a-w- c:\windows\SysWow64\mf.dll
2015-03-14 02:59 . 2015-02-03 03:34 5554104 ----a-w- c:\windows\system32\ntoskrnl.exe
2015-03-14 02:59 . 2015-02-03 03:30 1480192 ----a-w- c:\windows\system32\crypt32.dll
2015-03-14 02:59 . 2015-02-03 03:12 1174528 ----a-w- c:\windows\SysWow64\crypt32.dll
2015-03-14 02:59 . 2015-02-03 03:16 3973048 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2015-03-14 02:59 . 2015-02-03 03:16 3917760 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2015-03-14 02:59 . 2015-02-03 03:33 616360 ----a-w- c:\windows\system32\winresume.efi
2015-03-14 02:59 . 2015-02-03 03:34 94656 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2015-03-14 02:59 . 2015-02-03 03:31 4121600 ----a-w- c:\windows\system32\mf.dll
2015-03-14 02:59 . 2015-02-03 03:31 14632960 ----a-w- c:\windows\system32\wmp.dll
2015-03-14 02:51 . 2015-02-20 02:08 47616 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2015-03-14 02:50 . 2015-02-20 02:50 66560 ----a-w- c:\windows\system32\iesetup.dll
2015-03-14 02:49 . 2015-02-13 05:22 14177280 ----a-w- c:\windows\system32\shell32.dll
2015-03-14 02:13 . 2015-02-26 03:25 3204096 ----a-w- c:\windows\system32\win32k.sys
2015-03-14 02:10 . 2015-02-04 03:16 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2015-03-14 02:10 . 2015-02-04 02:54 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2015-03-13 06:33 . 2015-03-13 06:33 -------- d-----w- c:\program files (x86)\SquareEnix
2015-03-11 20:34 . 2015-03-22 08:38 -------- d-sh--w- c:\users\DELL-LD531\AppData\Local\EmieUserList
2015-03-11 20:34 . 2015-03-22 08:38 -------- d-sh--w- c:\users\DELL-LD531\AppData\Local\EmieSiteList
2015-03-11 20:34 . 2015-03-22 08:38 -------- d-sh--w- c:\users\DELL-LD531\AppData\Local\EmieBrowserModeList
2015-03-07 11:36 . 2015-03-20 06:24 -------- d-----w- c:\users\DELL-LD531\AppData\Roaming\vlc
2015-03-06 09:01 . 2015-03-07 11:34 -------- d-----w- c:\program files (x86)\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-03-30 11:13 . 2013-10-18 07:43 319912 ----a-w- c:\windows\system32\javaws.exe
2015-03-28 15:07 . 2014-10-08 14:19 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2015-03-28 15:06 . 2014-10-08 14:19 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2015-03-27 15:33 . 2014-10-08 15:21 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2015-03-26 09:25 . 2013-10-09 16:31 778928 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-03-26 09:25 . 2013-10-09 16:31 142512 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-03-22 15:17 . 2014-09-15 18:46 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2015-03-22 15:17 . 2014-09-15 18:45 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2015-03-18 15:09 . 2014-09-15 19:47 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2015-03-12 15:56 . 2014-09-16 02:30 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2015-03-10 15:41 . 2014-10-06 16:32 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2015-02-24 14:58 . 2015-02-19 14:06 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-3\markup.dll
2015-02-24 14:57 . 2015-02-19 14:06 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-3\StartResources.dll
2015-02-05 17:09 . 2014-02-20 00:12 5070512 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2015-01-09 03:14 . 2015-02-12 19:47 91136 ----a-w- c:\windows\system32\wdi.dll
2015-01-09 03:14 . 2015-02-12 19:47 950272 ----a-w- c:\windows\system32\perftrack.dll
2015-01-09 03:14 . 2015-02-12 19:47 29696 ----a-w- c:\windows\system32\powertracker.dll
2015-01-09 02:48 . 2015-02-12 19:47 76800 ----a-w- c:\windows\SysWow64\wdi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2013-07-23 84576]
"Malwarebytes Anti-Exploit"="c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe" [2014-12-10 2561848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [x]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 getbus;getbus;c:\users\DELL-L~1\AppData\Local\Temp\getbus.sys;c:\users\DELL-L~1\AppData\Local\Temp\getbus.sys [x]
R3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\DRIVERS\LVUSBS64.sys;c:\windows\SYSNATIVE\DRIVERS\LVUSBS64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 X6va013;X6va013;c:\windows\SysWOW64\Drivers\X6va013;c:\windows\SysWOW64\Drivers\X6va013 [x]
R3 X6va015;X6va015;c:\windows\SysWOW64\Drivers\X6va015;c:\windows\SysWOW64\Drivers\X6va015 [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [x]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys;c:\windows\SYSNATIVE\DRIVERS\LVPr2M64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-04-02 22:12 1061704 ----a-w- c:\program files (x86)\Google\Chrome\Application\41.0.2272.118\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-04-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-09 09:25]
.
2015-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-01-07 13:59]
.
2015-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-01-07 13:59]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.yahoo.com/?ilc=8
mStart Page = hxxp://www.yahoo.com/?ilc=8
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va013]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va013"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va015]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va015"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_134_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_134_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_134_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_134_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.17"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-04-04 15:54:00
ComboFix-quarantined-files.txt 2015-04-04 20:53
ComboFix2.txt 2015-04-03 10:38
.
Pre-Run: 21,380,349,952 bytes free
Post-Run: 21,174,657,024 bytes free
.
- - End Of File - - 4B671B5C4D9A67542547C07A1817D801
A36C5E4F47E84449FF07ED3517B43A31
 
What happened to Avast?

Re-run Farbar Recovery Scan Tool (FRST/FRST64) you ran at the very beginning of this topic.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Make sure you checkmark Addition.txt box.
  • Press Scan button.
  • Scan will create two logs, FRST.txt and Addition.txt in the same directory the tool is run. Please copy and paste them to your reply.
 
Avast was interfering with other scans you wanted me to do, and it wouldn't let me just stop it, so I uninstalled it temporarily.
 