1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.

Multiple csrss processes, COM Surrogate process & fluctuating CPU usage, Superfetch running very high

By Orcus · 77 replies
Mar 24, 2015
  1. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    # AdwCleaner v4.113 - Logfile created 28/03/2015 at 17:34:27
    # Updated 22/03/2015 by Xplode
    # Database : 2015-03-28.1 [Server]
    # Operating system : Windows 7 Ultimate Service Pack 1 (x64)
    # Username : DELL-LD531 - DELL-LD531-PC
    # Running from : C:\Users\DELL-LD531\Desktop\adwcleaner_4.113.exe
    # Option : Cleaning

    ***** [ Services ] *****

    [#] Service Deleted : YahooAUService

    ***** [ Files / Folders ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\f0778299-13a0-f5d0-8bbd-18f6859963f9
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}

    ***** [ Web browsers ] *****

    -\\ Internet Explorer v11.0.9600.17689


    -\\ Mozilla Firefox v36.0.1 (x86 en-US)

    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.AutoSearchEventData", "auto%20search");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.ClearCacheDate", 24);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.DNSCatch", false);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.DisplayEULA", false);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.DnsCatchEventData", "dns%20catch");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.FirstLaunchShown", true);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.LoadLayoutDate.62781", 24);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.NewTabSearchEventData", "tab%20search");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.ShowAfterUpdatePage", true);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.ShowRecommendedOptions", true);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.StateReportDate", "1427228910080");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.TopRightSearchEventData", "top%20right%20search");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.beforeInstallSaved", true);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.beforeinstall.homepage", "chrome%3A//branding/locale/browserconfig.properties");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.beforeinstall.search", "Google");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.comp.affiliate.2810218.disabled", true);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.customNewTab", false);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.helpUsImprove", true);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.hideOthers", false);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.processAddrBar", false);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.restoreSearch", false);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.searchHistory", false);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.showFirstLaunchOptions", false);
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.tb_lang", "en");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.tool_id", "62781");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.user_id", "84740314");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.user_key", "b2669d4d8fa6f4ee7d66f1e018452b052c89ade7");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.user_layouts", "62781");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.user_lnames", "Gamers%20Unite%21%20Snag%20Bar");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.xml_service_url", "64e3a27980eeceb34248bc3e680b4e63");
    [xikrc5ub.default\prefs.js] - Line Deleted : user_pref("freecauseafe43e800abc4df281a03fe44b74abe8.yahooSearch", false);

    -\\ Google Chrome v41.0.2272.101

    [C:\Users\DELL-LD531\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
    [C:\Users\DELL-LD531\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

    *************************

    AdwCleaner[R0].txt - [12587 bytes] - [22/03/2015 02:58:48]
    AdwCleaner[R1].txt - [5167 bytes] - [28/03/2015 17:13:45]
    AdwCleaner[S0].txt - [12549 bytes] - [22/03/2015 03:20:37]
    AdwCleaner[S1].txt - [5449 bytes] - [28/03/2015 17:34:27]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5508 bytes] ##########
     
  2. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    And lastly the JRT log you asked for. Not sure if it found anything or not, but it didn't require a reboot, so I'm leaning toward not.
     
  3. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

     
  4. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    And I still continue to have the same issues, but they seem to have gotten worse, as now every time I reboot I start up with 100% processor until I stop the Background Intelligent Transfer Service. I also still have the fake taskhost.exe process that, when you end the process tree, creates a fake COM Surrogate process. I do have the previous logs from Malwarebytes where it did detect and remove things, and where the rootkit scan was enabled, even though now in the program it says it is but in the log it says rootkit disabled. I eagerly await your reply, as I am now pretty well convinced the computer is fubar and a reinstall of Windows will be the only way to fix it. I still have a sliver of hope that I am wrong.
     
    Last edited: Mar 28, 2015
  5. Broni

    Broni Malware Annihilator Posts: 55,145   +451

    I still need RogueKiller log.
     
  6. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    Ok so I went poking around in my processes, mainly the COM Surrogate dllhost.exe, and when I went to open the file location it opened the System32 folder, which is where the legit dllhost.exe is supposed to be. I then proceeded to check the certificate to make sure it is a Microsoft file, which it is, but then I scrolled down in the folder and noticed a file called dllhst3g.exe which claims to be the legit COM Surrogate file. Sorry about the missing RogueKiller log; I'm downloading it now, didn't see that you asked for that one.
     
    Last edited: Mar 28, 2015
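A scripted version of the check Orcus describes by hand (Authenticode signature of the two COM Surrogate binaries in System32, plus the image path of every running dllhost.exe), added here as an example; it is not code from the thread, and it assumes the standard System32 paths and an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Verifies the signature on the COM
# Surrogate binaries Orcus looked at and lists where each running dllhost.exe
# was actually started from. Assumes the standard System32 locations and
# an elevated prompt (Get-AuthenticodeSignature ships with PowerShell).

$candidates = @(
    "$env:SystemRoot\System32\dllhost.exe",
    "$env:SystemRoot\System32\dllhst3g.exe"
)

foreach ($path in $candidates) {
    if (-not (Test-Path -Path $path)) {
        Write-Output "$path : not present"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(unsigned)" }
    # 'Valid' means the file's hash matches the signature and the chain builds
    # to a trusted root. Any other status on a System32 binary deserves a closer look.
    Write-Output ("{0} : {1} : {2}" -f $path, $sig.Status, $subject)
}

# The process name alone proves nothing: what matters is the image path.
# A dllhost.exe loaded from anywhere other than System32 (or SysWOW64 for
# the 32-bit copy) is the one to investigate.
Get-Process -Name dllhost -ErrorAction SilentlyContinue |
    ForEach-Object {
        $inSystemDir = ($_.Path -like "$env:SystemRoot\System32\*") -or
                       ($_.Path -like "$env:SystemRoot\SysWOW64\*")
        [PSCustomObject]@{
            Id          = $_.Id
            Path        = $_.Path
            StartTime   = $_.StartTime
            InSystemDir = $inSystemDir
        }
    } | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell host so that the Path of 64-bit processes is readable; a 32-bit host can show an empty Path for them.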
  7. Broni

    Broni Malware Annihilator Posts: 55,145   +451

    Re-read my rules I posted at the very beginning.
    One of them says:
    Follow my previous reply.
     
  8. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    All I did was look at the files, I didn't run any programs or change anything. RogueKiller has been either freezing on the pre-scan at 40% or it freezes doing the rootkit scan after the pre-scan finishes and I click scan. I renamed it; we will see how that works out.
     
  9. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    RogueKiller keeps locking up on the anti-rootkit scan. I've tried renaming it like you said, and both winlogon.exe and winlogon.com do the same as the original name did.
     
  10. Broni

    Broni Malware Annihilator Posts: 55,145   +451

    Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.
    • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    • Double click on downloaded file. OK self extracting prompt.
    • MBAR will start. Click "Next" to continue.
    • Click in the following screen "Update" to obtain the latest malware definitions.
    • Once the update is complete select "Next" and click "Scan".
    • When the scan is finished and no malware has been found select "Exit".
    • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
      • "mbar-log-{date} (xx-xx-xx).txt"
      • "system-log.txt"
    NOTE. If you see the "This version requires you to completely exit the Anti Malware application" message, right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.
     
  11. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    Well... for some reason it won't let me create a system restore point. It keeps saying "System Restore encountered an error, please try to run System Restore again (0x81000203)".
     
  12. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    Nvm, I figured it out. My Microsoft Shadow Copy was disabled; I enabled it and was able to create the restore point.
     
  13. Broni

    Broni Malware Annihilator Posts: 55,145   +451

    Go on...
     
  14. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    Ok so fixing the permissions helped but didn't fix my issues completely. I just wanted to wait a day before running any more scans, because it appears whatever is infecting my system keeps putting the same stuff back on the computer at some point after the scans remove it. The only thing MBAR picked up was RogueKiller, but when Malwarebytes ran my automatic scheduled scan it picked up the same stuff it's been picking up, so I am going to post not only the MBAR files but the log from Malwarebytes that just detected 24 PUPs on my system. I hope this helps.
     
  15. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    Malwarebytes Anti-Rootkit BETA 1.09.1.1004
    www.malwarebytes.org

    Database version:
    main: v2015.04.01.10
    rootkit: v2015.03.31.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 11.0.9600.17691
    DELL-LD531 :: DELL-LD531-PC [administrator]

    4/1/2015 3:47:46 PM
    mbar-log-2015-04-01 (15-47-46).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 364861
    Time elapsed: 1 hour(s), 8 minute(s), 45 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\DELL-LD531\Desktop\winlogon.com (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [57174c1b8a00b482ff306795e223de22]

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)
     
  16. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.09.1.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 11.0.9600.17691

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 0.798000 GHz
    Memory total: 2011512832, free: 1299771392

    Downloaded database version: v2015.04.01.10
    Downloaded database version: v2015.03.31.01
    Downloaded database version: v2015.03.09.01
    =======================================
    Initializing...
    ------------ Kernel report ------------
    04/01/2015 15:46:05
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_AuthenticAMD.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\drivers\pciide.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\DRIVERS\pcmcia.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\vmstorfl.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\System32\Drivers\aswVmm.sys
    \SystemRoot\System32\Drivers\aswRvrt.sys
    \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\drivers\aswSnx.sys
    \SystemRoot\system32\drivers\aswSP.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\aswRdr2.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \??\C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\amdk8.sys
    \SystemRoot\system32\DRIVERS\atikmdag.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\bcmwl664.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\b57nd60a.sys
    \SystemRoot\system32\DRIVERS\usbohci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\1394ohci.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\msiscsi.sys
    \SystemRoot\system32\DRIVERS\storport.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\rdpbus.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\HdAudio.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\VSTAZL6.SYS
    \SystemRoot\system32\DRIVERS\VSTDPV6.SYS
    \SystemRoot\system32\DRIVERS\VSTCNXT6.SYS
    \SystemRoot\system32\drivers\modem.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\drivers\aswMonFlt.sys
    \??\C:\Windows\system32\drivers\mbam.sys
    \SystemRoot\system32\drivers\aswStm.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\drivers\mrxdav.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\aswHwid.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\system32\drivers\spsys.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\DRIVERS\LVPr2M64.sys
    \??\C:\Windows\system32\drivers\mwac.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\wininet.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\lpk.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\usp10.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\ole32.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\imm32.dll
    \Windows\System32\user32.dll
    \Windows\System32\shell32.dll
    \Windows\System32\msctf.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\nsi.dll
    \Windows\System32\sechost.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\psapi.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\userenv.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\devobj.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
    \Windows\System32\profapi.dll
    \Windows\System32\msasn1.dll
    \Windows\SysWOW64\normaliz.dll
    ----------- End -----------
    Done!

    Scan started
    Database versions:
    main: v2015.04.01.10
    rootkit: v2015.03.31.01

    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8002649060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8002649b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8002649060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa80024cb520, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xfffffa80024cd060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    Done!
    Drive 0
    This is a System drive
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 86308630

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848 Numsec = 156092416

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 80026361856 bytes
    Sector size: 512 bytes

    Done!
    Infected: C:\Users\DELL-LD531\Desktop\winlogon.com --> [Heuristics.Reserved.Word.Exploit]
    Scan finished
    Creating System Restore point...
    Cleaning up...
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================


    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removal finished
     
  17. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 4/2/2015
    Scan Time: 2:07:45 AM
    Logfile: mwbscan.txt
    Administrator: Yes

    Version: 2.01.4.1018
    Malware Database: v2015.04.02.02
    Rootkit Database: v2015.03.31.01
    License: Premium
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: DELL-LD531

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 363976
    Time Elapsed: 1 hr, 25 min, 53 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 2
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781, , [f2d877f08cfe79bd182f077ba55eff01],

    Files: 22
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\059d0773476e585aaab0cb05f2d35011, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\0b12654c5711f7cde49ae8c25f3da38c.0, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\0c82e5b864501f211be07075dc4be877, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\2307328ea5b85f50ab61208ede74b646, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\313c238dc888c75cb26d7ff7a7f4b20d.0, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\38e57055c77d685cb6a4002b23e54fc3, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\3f10c0f0b60ea2b5efa2d3278e712442, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\4d112a27a725b7d2d9e7487c4c114214.0, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\4d3cd39fbcb748f71119851a59ce6447, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\612dc44b76ebf053257ba62b314ae79c, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\7f26d2753138a5ebec0c48f6ece74ecb.0, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\8605190db1a4b0b68eaec697f0ccabca, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\863244884c13f5f32b09296c582fbdd7.0, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\8ac482009c24f4e3c08ceab6ad53837b, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b0d04a379326cc971538f3ecc6e4945d.0, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b4fc19616a211ba1ce6fdeb987d83986, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b70c539aa3601c1da3539ac2f6ef9954, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\ca778d8032bff8589c9ea58165547209, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\cfbf9dd3ed978b23c1976cf9c7fe11bc, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\d46deb45f2b0c6145a71d5ed76b9c1b3, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\ec933e0432b5461997a2523f42e1a674, , [f2d877f08cfe79bd182f077ba55eff01],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\tb.xml, , [f2d877f08cfe79bd182f077ba55eff01],

    Physical Sectors: 0
    (No malicious items detected)


    (end)
     
  18. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    Weird thing is it's still saying I have the rootkit scan disabled, but I have the setting turned on in the program, so something is still overriding the rootkit scan. Is it possible I could be experiencing a cross infection from another computer on my home network? Meaning one of my other computers is reinfecting my personal computer after I clean it?
     
    Last edited: Apr 2, 2015
  19. Broni

    Broni Malware Annihilator Posts: 55,145   +451

    What kind of rootkit scan are you referring to? Part of your AV program?

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  20. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    The rootkit scan that's part of Malwarebytes Anti-Malware. I have it set to run a scheduled complete system scan once a day, and I have the anti-rootkit scan setting turned on, but in the log it reads anti-rootkit disabled. If I don't run any other scans than the scheduled Malwarebytes scan every day, Malwarebytes picks up the same 24 PUPs every day. In fact, I just came and checked because the scheduled scan just finished, and it has the exact same results as what I posted yesterday. I'll post the log so you can see what I mean, then I'll start the new steps you've given me. Also, just so you know, I haven't been using the computer for anything since starting this process: no games, no web browsing, nothing but trying to get rid of this infection, so as to not inhibit this process in any way.
     
    Last edited: Apr 3, 2015
  21. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 4/3/2015
    Scan Time: 2:07:04 AM
    Logfile: mwb scan 2.txt
    Administrator: Yes

    Version: 2.01.4.1018
    Malware Database: v2015.04.03.03
    Rootkit Database: v2015.03.31.01
    License: Premium
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: DELL-LD531

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 359481
    Time Elapsed: 1 hr, 16 min, 13 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 2
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781, , [e54a01675b2fdf572fa8e59e758e3cc4],

    Files: 22
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\059d0773476e585aaab0cb05f2d35011, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\0b12654c5711f7cde49ae8c25f3da38c.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\0c82e5b864501f211be07075dc4be877, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\2307328ea5b85f50ab61208ede74b646, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\313c238dc888c75cb26d7ff7a7f4b20d.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\38e57055c77d685cb6a4002b23e54fc3, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\3f10c0f0b60ea2b5efa2d3278e712442, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\4d112a27a725b7d2d9e7487c4c114214.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\4d3cd39fbcb748f71119851a59ce6447, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\5d5ae10d9dbf6c32b9e724ee97183bb1.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\612dc44b76ebf053257ba62b314ae79c, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\7f26d2753138a5ebec0c48f6ece74ecb.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\8605190db1a4b0b68eaec697f0ccabca, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\863244884c13f5f32b09296c582fbdd7.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\8ac482009c24f4e3c08ceab6ad53837b, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b0d04a379326cc971538f3ecc6e4945d.0, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\b4fc19616a211ba1ce6fdeb987d83986, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\ca778d8032bff8589c9ea58165547209, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\cfbf9dd3ed978b23c1976cf9c7fe11bc, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\d46deb45f2b0c6145a71d5ed76b9c1b3, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\ec933e0432b5461997a2523f42e1a674, , [e54a01675b2fdf572fa8e59e758e3cc4],
    PUP.Optional.FreeCauseTB.A, C:\Users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\FCTB\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\62781\tb.xml, , [e54a01675b2fdf572fa8e59e758e3cc4],

    Physical Sectors: 0
    (No malicious items detected)


    (end)
     
  22. Broni

    Broni Malware Annihilator Posts: 55,145   +451

    Let's see if same MBAM issue will happen when we're done with cleaning.
    For now go ahead with Combofix.
     
  23. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    ComboFix 15-04-01.01 - DELL-LD531 04/04/2015 15:10:37.2.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1918.1257 [GMT -5:00]
    Running from: c:\users\DELL-LD531\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2015-03-04 to 2015-04-04 )))))))))))))))))))))))))))))))
    .
    .
    2015-04-04 20:41 . 2015-04-04 20:41 -------- d-----w- c:\users\hedev\AppData\Local\temp
    2015-04-04 20:41 . 2015-04-04 20:41 -------- d-----w- c:\users\Default\AppData\Local\temp
    2015-04-01 20:46 . 2015-04-02 10:45 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2015-03-30 11:24 . 2015-03-30 11:14 111016 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
    2015-03-30 11:24 . 2015-03-30 11:13 207272 ----a-w- c:\windows\system32\javaw.exe
    2015-03-30 11:24 . 2015-03-30 11:13 206760 ----a-w- c:\windows\system32\java.exe
    2015-03-30 11:24 . 2013-10-18 07:41 916456 ----a-w- c:\windows\system32\deployJava1.dll
    2015-03-30 11:24 . 2013-10-18 07:41 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
    2015-03-30 11:20 . 2015-03-30 11:20 -------- d-----w- c:\program files (x86)\Common Files\Java
    2015-03-29 02:11 . 2015-03-30 05:13 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2015-03-29 02:11 . 2015-03-29 04:34 -------- d-----w- c:\programdata\RogueKiller
    2015-03-28 10:28 . 2015-03-28 10:28 -------- d-----w- C:\TDSSKiller_Quarantine
    2015-03-26 20:16 . 2015-03-30 11:07 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2015-03-26 20:14 . 2015-03-30 11:05 -------- d-----w- c:\program files (x86)\Java
    2015-03-26 09:12 . 2015-03-28 10:25 -------- d-----w- C:\FRST
    2015-03-26 08:56 . 2015-04-02 10:45 -------- d-----w- c:\programdata\AVAST Software
    2015-03-22 14:49 . 2015-01-31 03:48 3179520 ----a-w- c:\windows\system32\rdpcorets.dll
    2015-03-22 14:49 . 2015-01-30 23:56 243200 ----a-w- c:\windows\system32\rdpudd.dll
    2015-03-22 14:49 . 2015-01-31 03:48 16384 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
    2015-03-22 14:49 . 2015-02-03 03:31 215552 ----a-w- c:\windows\system32\ubpm.dll
    2015-03-22 14:49 . 2015-02-03 03:12 171520 ----a-w- c:\windows\SysWow64\ubpm.dll
    2015-03-22 09:14 . 2015-04-04 17:05 136408 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2015-03-22 09:13 . 2015-04-01 20:45 107736 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2015-03-22 09:13 . 2015-03-17 11:15 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
    2015-03-22 09:13 . 2015-03-17 11:15 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
    2015-03-22 09:13 . 2015-03-22 09:13 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
    2015-03-22 09:13 . 2015-03-22 09:13 -------- d-----w- c:\programdata\Malwarebytes
    2015-03-22 09:00 . 2015-03-28 19:13 -------- d-----w- c:\programdata\Malwarebytes Anti-Exploit
    2015-03-22 08:59 . 2015-03-22 09:00 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Exploit
    2015-03-22 07:58 . 2015-03-28 22:34 -------- d-----w- C:\AdwCleaner
    2015-03-14 02:59 . 2015-02-03 03:12 3209728 ----a-w- c:\windows\SysWow64\mf.dll
    2015-03-14 02:59 . 2015-02-03 03:34 5554104 ----a-w- c:\windows\system32\ntoskrnl.exe
    2015-03-14 02:59 . 2015-02-03 03:30 1480192 ----a-w- c:\windows\system32\crypt32.dll
    2015-03-14 02:59 . 2015-02-03 03:12 1174528 ----a-w- c:\windows\SysWow64\crypt32.dll
    2015-03-14 02:59 . 2015-02-03 03:16 3973048 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2015-03-14 02:59 . 2015-02-03 03:16 3917760 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2015-03-14 02:59 . 2015-02-03 03:33 616360 ----a-w- c:\windows\system32\winresume.efi
    2015-03-14 02:59 . 2015-02-03 03:34 94656 ----a-w- c:\windows\system32\drivers\mountmgr.sys
    2015-03-14 02:59 . 2015-02-03 03:31 4121600 ----a-w- c:\windows\system32\mf.dll
    2015-03-14 02:59 . 2015-02-03 03:31 14632960 ----a-w- c:\windows\system32\wmp.dll
    2015-03-14 02:51 . 2015-02-20 02:08 47616 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
    2015-03-14 02:50 . 2015-02-20 02:50 66560 ----a-w- c:\windows\system32\iesetup.dll
    2015-03-14 02:49 . 2015-02-13 05:22 14177280 ----a-w- c:\windows\system32\shell32.dll
    2015-03-14 02:13 . 2015-02-26 03:25 3204096 ----a-w- c:\windows\system32\win32k.sys
    2015-03-14 02:10 . 2015-02-04 03:16 465920 ----a-w- c:\windows\system32\WMPhoto.dll
    2015-03-14 02:10 . 2015-02-04 02:54 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
    2015-03-13 06:33 . 2015-03-13 06:33 -------- d-----w- c:\program files (x86)\SquareEnix
    2015-03-11 20:34 . 2015-03-22 08:38 -------- d-sh--w- c:\users\DELL-LD531\AppData\Local\EmieUserList
    2015-03-11 20:34 . 2015-03-22 08:38 -------- d-sh--w- c:\users\DELL-LD531\AppData\Local\EmieSiteList
    2015-03-11 20:34 . 2015-03-22 08:38 -------- d-sh--w- c:\users\DELL-LD531\AppData\Local\EmieBrowserModeList
    2015-03-07 11:36 . 2015-03-20 06:24 -------- d-----w- c:\users\DELL-LD531\AppData\Roaming\vlc
    2015-03-06 09:01 . 2015-03-07 11:34 -------- d-----w- c:\program files (x86)\VideoLAN
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2015-03-30 11:13 . 2013-10-18 07:43 319912 ----a-w- c:\windows\system32\javaws.exe
    2015-03-28 15:07 . 2014-10-08 14:19 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2015-03-28 15:06 . 2014-10-08 14:19 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2015-03-27 15:33 . 2014-10-08 15:21 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2015-03-26 09:25 . 2013-10-09 16:31 778928 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2015-03-26 09:25 . 2013-10-09 16:31 142512 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2015-03-22 15:17 . 2014-09-15 18:46 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2015-03-22 15:17 . 2014-09-15 18:45 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2015-03-18 15:09 . 2014-09-15 19:47 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2015-03-12 15:56 . 2014-09-16 02:30 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2015-03-10 15:41 . 2014-10-06 16:32 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2015-02-24 14:58 . 2015-02-19 14:06 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-3\markup.dll
    2015-02-24 14:57 . 2015-02-19 14:06 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-3\StartResources.dll
    2015-02-05 17:09 . 2014-02-20 00:12 5070512 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2015-01-09 03:14 . 2015-02-12 19:47 91136 ----a-w- c:\windows\system32\wdi.dll
    2015-01-09 03:14 . 2015-02-12 19:47 950272 ----a-w- c:\windows\system32\perftrack.dll
    2015-01-09 03:14 . 2015-02-12 19:47 29696 ----a-w- c:\windows\system32\powertracker.dll
    2015-01-09 02:48 . 2015-02-12 19:47 76800 ----a-w- c:\windows\SysWow64\wdi.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2013-07-23 84576]
    "Malwarebytes Anti-Exploit"="c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe" [2014-12-10 2561848]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "SoftwareSASGeneration"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [x]
    R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [x]
    R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 getbus;getbus;c:\users\DELL-L~1\AppData\Local\Temp\getbus.sys;c:\users\DELL-L~1\AppData\Local\Temp\getbus.sys [x]
    R3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\DRIVERS\LVUSBS64.sys;c:\windows\SYSNATIVE\DRIVERS\LVUSBS64.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
    R3 X6va013;X6va013;c:\windows\SysWOW64\Drivers\X6va013;c:\windows\SysWOW64\Drivers\X6va013 [x]
    R3 X6va015;X6va015;c:\windows\SysWOW64\Drivers\X6va015;c:\windows\SysWOW64\Drivers\X6va015 [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
    S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [x]
    S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys;c:\windows\SYSNATIVE\DRIVERS\LVPr2M64.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
    S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2015-04-02 22:12 1061704 ----a-w- c:\program files (x86)\Google\Chrome\Application\41.0.2272.118\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2015-04-04 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-09 09:25]
    .
    2015-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-01-07 13:59]
    .
    2015-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-01-07 13:59]
    .
    .
    --------- X64 Entries -----------
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com
    mDefault_Page_URL = hxxp://www.yahoo.com/?ilc=8
    mStart Page = hxxp://www.yahoo.com/?ilc=8
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\DELL-LD531\AppData\Roaming\Mozilla\Firefox\Profiles\xikrc5ub.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va013]
    "ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va013"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va015]
    "ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va015"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_134_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_134_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_134_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_134_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.17"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2015-04-04 15:54:00
    ComboFix-quarantined-files.txt 2015-04-04 20:53
    ComboFix2.txt 2015-04-03 10:38
    .
    Pre-Run: 21,380,349,952 bytes free
    Post-Run: 21,174,657,024 bytes free
    .
    - - End Of File - - 4B671B5C4D9A67542547C07A1817D801
    A36C5E4F47E84449FF07ED3517B43A31
     
  24. Broni

    Broni Malware Annihilator Posts: 55,145   +451

    What happened to Avast?

    Re-run Farbar Recovery Scan Tool (FRST/FRST64), which you ran at the very beginning of this topic.

    • Double-click to run it. When the tool opens, click Yes to the disclaimer.
    • Make sure you checkmark the Addition.txt box.
    • Press the Scan button.
    • The scan will create two logs, FRST.txt and Addition.txt, in the same directory the tool is run from. Please copy and paste them into your reply.
     
  25. Orcus

    Orcus TS Rookie Topic Starter Posts: 56

    Avast was interfering with other scans you wanted me to do and it wouldn't let me just stop it, so I uninstalled it temporarily.
     
