Annoying Audio Ads in background/ Zero Access

[Needhelpplease1]

Hello, I have an annoying issue, I recently got rid of an annoying re-direct virus around 1-2 weeks ago. A day or two later I started noticing Internet Explorer (IE) as an active process in Task Manager, even though I did not have it actively pulled up. The name of the website also changed, and sometimes there were 3 or 4 different IE processes pulled up. Occasionally I would encounter audio ads. I was unable to try and end the process like you would normally end any program that was not responding or was slow to exit normally. I had to go to processes in order to exit the ads out, however within only a few minutes the random IE programs were running in the background again. I scanned my computer with Malwarebytes, Avast, and Spybot Search and Destroy. Malwarebytes had previously destroyed the re-direct virus, but found nothing when I tried to remove these audio ads. Avast! also found nothing, so I downloaded Spybot Search and Destroy, and it came up with around 84 problems, and I had them fixed, however this still did not remove the problem. Any further help would be greatly appreciated as soon as possible!

Thank you for your time.

[Maurice Naggar]

Hello Needhelp,

Where (if any) did you get help 2 weeks ago?

Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

If you have the PRO license, then do this too: Click the Protection tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a reply here.

Re-enable your antivirus program.

[Needhelpplease1]

First, I would like to thank you for your help.

And now for the results:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.01.09

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Joseph :: JOSEPH-PC [administrator]

3/1/2013 3:30:09 PM

mbam-log-2013-03-01 (15-30-09).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 559796

Time elapsed: 1 hour(s), 36 minute(s), 24 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

________________________________

As you can see, there were no malicious items detected, but the problem is still present.

[Needhelpplease1]

Sorry I forgot to post this earlier, but I did not receive any help prior to my posts on this forum. I am normally capable of getting rid of viruses, malware, etc. but this one I have never experienced. I truly appreciate your help, however.

[Maurice Naggar]

Please download Junkware Removal Tool to your Desktop.

• Please close your security software to avoid potential conflicts.
  
• Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click JRT.exe and select Run as administrator.
  
• The tool will open and start scanning your system.
  
• Please be patient as this can take a while to complete, depending on your system's specifications.
  
• On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  
• Please post the contents of JRT.txt into your reply. And tell me, How is the system now?
  
• Re-enable your security software.

[Needhelpplease1]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.6.6 (02.27.2013:1)

OS: Windows 7 Home Premium x64

Ran by Joseph on Sat 03/02/2013 at 11:01:41.47

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{30f9b915-b755-4826-820b-08fba6bd249d}

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{9d425283-d487-4337-bab6-ab8354a81457}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{9d425283-d487-4337-bab6-ab8354a81457}

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

Val Name Type Value Data

======== ==== ==========

msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add

pocpr REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults

msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

Val Name Type Value Data

======== ==== ==========

msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add

msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{d4027c7f-154a-4066-a1ad-4243d8127440}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{d4027c7f-154a-4066-a1ad-4243d8127440}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\appid\babylonhelper.exe

Successfully deleted: [Registry Key] hkey_current_user\software\conduit

Successfully deleted: [Registry Key] hkey_local_machine\software\conduit

Successfully deleted: [Registry Key] hkey_local_machine\software\conduitengine

Successfully deleted: [Registry Key] hkey_current_user\software\softonic

Successfully deleted: [Registry Key] hkey_current_user\software\sparktrust

Successfully deleted: [Registry Key] hkey_local_machine\software\sparktrust

Successfully deleted: [Registry Key] hkey_current_user\software\zugo

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduit

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduitengine

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\fun web products

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\funwebproducts

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\pricegong

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\toolbar

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\menuext\&search

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escort.dll

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\tbcommonutils.dll

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\tbhelper.exe

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\conduit.engine

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\fbdownloader.bho

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\fbdownloader.downloadphoto

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\features\a28b4d68debaa244eb686953b7074fef

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\prod.cap

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\babylon_rasapi32

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\babylon_rasmancs

Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\microsoft\tracing\babylontc_rasapi32

Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\microsoft\tracing\babylontc_rasmancs

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT1460988

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2418376

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2903601

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2956065

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{171debeb-c3d4-40b7-ac73-056a5eba4a7e}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{30f9b915-b755-4826-820b-08fba6bd249d}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{9afb8248-617f-460d-9366-d71cdeda3179}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{9d425283-d487-4337-bab6-ab8354a81457}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{abd3b5e1-b268-407b-a150-2641dab8d898}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{abd3b5e1-b268-407b-a150-2641dab8d898}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{a18dc704-6bad-4a58-8e45-842a87cb5324}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{a18dc704-6bad-4a58-8e45-842a87cb5324}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4027c7f-154a-4066-a1ad-4243d8127440}

Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd"

Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd.1"

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\asktoolbarinfo"

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\asktoolbar"

Successfully deleted: [Registry Key] "hkey_current_user\software\ask.com"

Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\genericasktoolbar.dll"

~~~ Files

Successfully deleted: [File] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ebay.lnk"

Successfully deleted: [File] C:\eula.1028.txt

Successfully deleted: [File] C:\eula.1031.txt

Successfully deleted: [File] C:\eula.1033.txt

Successfully deleted: [File] C:\eula.1036.txt

Successfully deleted: [File] C:\eula.1040.txt

Successfully deleted: [File] C:\eula.1041.txt

Successfully deleted: [File] C:\eula.1042.txt

Successfully deleted: [File] C:\eula.2052.txt

Successfully deleted: [File] C:\install.res.1028.dll

Successfully deleted: [File] C:\install.res.1031.dll

Successfully deleted: [File] C:\install.res.1033.dll

Successfully deleted: [File] C:\install.res.1036.dll

Successfully deleted: [File] C:\install.res.1040.dll

Successfully deleted: [File] C:\install.res.1041.dll

Successfully deleted: [File] C:\install.res.1042.dll

Successfully deleted: [File] C:\install.res.2052.dll

Successfully deleted: [File] C:\install.res.3082.dll

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\sparktrust"

Successfully deleted: [Folder] "C:\ProgramData\tarma installer"

Successfully deleted: [Folder] "C:\Users\Joseph\AppData\Roaming\drivercure"

Successfully deleted: [Folder] "C:\Users\Joseph\AppData\Roaming\sparktrust"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\local\conduit"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\babylontoolbar"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\conduitengine"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\facemoods.com"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\funwebproducts"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\pricegong"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\toolbar4"

Successfully deleted: [Folder] "C:\Program Files (x86)\conduitengine"

Successfully deleted: [Folder] "C:\Program Files (x86)\fbdownloader"

Successfully deleted: [Folder] "C:\Program Files (x86)\sdiv 2.0"

Successfully deleted: [Folder] "C:\Program Files (x86)\winzip registry optimizer"

Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\homepage protection"

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"

Failed to delete: [Folder] "C:\Users\Joseph\appdata\locallow\asktoolbar"

Successfully deleted: [Folder] "C:\Program Files (x86)\ask.com"

Successfully deleted: [Folder] "C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sat 03/02/2013 at 11:16:00.56

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Will tell how my computer is running soon.

[Needhelpplease1]

Unfortunately even after that scan, it is still present.

[Maurice Naggar]

Let me suggest, if you're an MBAM customer, you contact the consumer help desk here.

If you are in an organization or a corporate customer, contact Corporate Support for assistance.

Otherwise, Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Follow this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Please post there the contents of MBAM scan log & the DDS logs

[Needhelpplease1]

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 12/25/2009 8:26:35 AM

System Uptime: 3/2/2013 11:51:01 AM (1 hours ago)

.

Motherboard: PEGATRON CORPORATION | | NARRA5

Processor: AMD Sempron Processor LE-1200 | Socket AM2 | 2100/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 286 GiB total, 208.526 GiB free.

D: is FIXED (NTFS) - 12 GiB total, 2.173 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP477: 2/16/2013 9:20:35 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer

RP478: 2/20/2013 9:47:45 PM - Installed DirectX

RP479: 2/22/2013 3:46:48 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer

RP480: 2/28/2013 8:54:38 PM - Removed Ask Toolbar.

RP481: 2/28/2013 9:01:37 PM - Windows Modules Installer

RP482: 3/2/2013 12:31:30 PM - Malwarebytes Anti-Rootkit Restore Point

.

==== Installed Programs ======================

.

64 Bit HP CIO Components Installer

AbiWord 2.8.6

Acrobat.com

Activation Assistant for the 2007 Microsoft Office suites

Adobe AIR

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color Common Settings

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Device Central CS3

Adobe Download Assistant

Adobe ExtendScript Toolkit 2

Adobe Flash CS3

Adobe Flash CS3 Professional

Adobe Flash Player 11 ActiveX

Adobe Flash Player Plugin

Adobe Flash Video Encoder

Adobe Help Viewer CS3

Adobe Linguistics CS3

Adobe PDF Library Files

Adobe Reader 9.5.4

Adobe Setup

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe WinSoft Linguistics Plugin

Ask Toolbar

avast! Free Antivirus

Bing Rewards Client Installer

Bookworm Deluxe 1.03

BufferChm

CCleaner

Compact Wireless-G USB Network Adapter with SpeedBooster Driver - WUSB54GSC

Compatibility Pack for the 2007 Office system

Conduit Engine

Copy

CyberLink DVD Suite Deluxe

Destinations

DeviceDiscovery

DirectX for Managed Code Update (Summer 2004)

DJ_AIO_06_F2400_SW_Min

F2400

Feedback Tool

FixBee Disk Optimizer

Garry's Mod

GoGear VIBE Device Manager

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

GPBaseService2

Hardware Diagnostic Tools

Hewlett-Packard ACLM.NET v1.2.1.1

Homepage Protection

HP Advisor

HP Customer Experience Enhancements

HP Customer Participation Program 13.0

HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6

HP Games

HP Imaging Device Functions 13.0

HP MediaSmart Demo

HP MediaSmart DVD

HP MediaSmart Movie Themes

HP MediaSmart Music/Photo/Video

HP MediaSmart SmartMenu

HP Odometer

HP Print Projects 1.0

HP Remote Solution

HP Setup

HP Smart Web Printing 4.5

HP Solution Center 13.0

HP Support Assistant

HP Support Information

HP Update

HPPhotoGadget

hpPrintProjects

HPProductAssistant

hpWLPGInstaller

Insaniquarium Deluxe 1.0

Interlok driver setup x64

Java Auto Updater

Java 7 Update 5

Java 7 Update 5 (64-bit)

JavaFX 2.1.1

Junk Mail filter update

LabelPrint

LightScribe System Software

LSI PCI-SV92EX Soft Modem

Malwarebytes Anti-Malware version 1.70.0.1100

MarketResearch

Media Converter for Philips

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office File Validation Add-In

Microsoft Office Live Add-in 1.5

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175

Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MTRS 2.0 1.0

MXDFP 1.0

NVIDIA Control Panel 301.42

NVIDIA Drivers

NVIDIA Graphics Driver 301.42

NVIDIA Install Application

NVIDIA Update 1.8.15

NVIDIA Update Components

PDF Settings

Power2Go

PowerDirector

PowerRecover

RCA Detective™ 3.0.1.1

RCA easyRip 2.5.2.0

Realtek High Definition Audio Driver

Scan

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

SmartWebPrinting

SolutionCenter

Spiral Knights

Spybot - Search & Destroy

Status

Steam

Team Fortress 2

The Rosetta Stone

The Weather Channel App

Toolbox

TrayApp

Trusted Software Assistant

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

WavePad Sound Editor

WebM Media Foundation Components

WebReg

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Mail

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

Wizard101

.

==== Event Viewer Messages From Past Week ========

.

3/2/2013 11:53:57 AM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

3/2/2013 11:53:57 AM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

3/2/2013 11:52:16 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

3/2/2013 11:52:16 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

3/2/2013 11:51:28 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

.

==== End Of File ===========================

Here are the DDS logs in case you wanted to see them here as well. I thank you so much for your time, Mr. Naggar, hopefully I can eliminate this pesky issue soon.

[Needhelpplease1]

Oh and here is the Attach information.

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 12/25/2009 8:26:35 AM

System Uptime: 3/2/2013 11:51:01 AM (1 hours ago)

.

Motherboard: PEGATRON CORPORATION | | NARRA5

Processor: AMD Sempron Processor LE-1200 | Socket AM2 | 2100/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 286 GiB total, 208.526 GiB free.

D: is FIXED (NTFS) - 12 GiB total, 2.173 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP477: 2/16/2013 9:20:35 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer

RP478: 2/20/2013 9:47:45 PM - Installed DirectX

RP479: 2/22/2013 3:46:48 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer

RP480: 2/28/2013 8:54:38 PM - Removed Ask Toolbar.

RP481: 2/28/2013 9:01:37 PM - Windows Modules Installer

RP482: 3/2/2013 12:31:30 PM - Malwarebytes Anti-Rootkit Restore Point

.

==== Installed Programs ======================

.

64 Bit HP CIO Components Installer

AbiWord 2.8.6

Acrobat.com

Activation Assistant for the 2007 Microsoft Office suites

Adobe AIR

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color Common Settings

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Device Central CS3

Adobe Download Assistant

Adobe ExtendScript Toolkit 2

Adobe Flash CS3

Adobe Flash CS3 Professional

Adobe Flash Player 11 ActiveX

Adobe Flash Player Plugin

Adobe Flash Video Encoder

Adobe Help Viewer CS3

Adobe Linguistics CS3

Adobe PDF Library Files

Adobe Reader 9.5.4

Adobe Setup

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe WinSoft Linguistics Plugin

Ask Toolbar

avast! Free Antivirus

Bing Rewards Client Installer

Bookworm Deluxe 1.03

BufferChm

CCleaner

Compact Wireless-G USB Network Adapter with SpeedBooster Driver - WUSB54GSC

Compatibility Pack for the 2007 Office system

Conduit Engine

Copy

CyberLink DVD Suite Deluxe

Destinations

DeviceDiscovery

DirectX for Managed Code Update (Summer 2004)

DJ_AIO_06_F2400_SW_Min

F2400

Feedback Tool

FixBee Disk Optimizer

Garry's Mod

GoGear VIBE Device Manager

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

GPBaseService2

Hardware Diagnostic Tools

Hewlett-Packard ACLM.NET v1.2.1.1

Homepage Protection

HP Advisor

HP Customer Experience Enhancements

HP Customer Participation Program 13.0

HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6

HP Games

HP Imaging Device Functions 13.0

HP MediaSmart Demo

HP MediaSmart DVD

HP MediaSmart Movie Themes

HP MediaSmart Music/Photo/Video

HP MediaSmart SmartMenu

HP Odometer

HP Print Projects 1.0

HP Remote Solution

HP Setup

HP Smart Web Printing 4.5

HP Solution Center 13.0

HP Support Assistant

HP Support Information

HP Update

HPPhotoGadget

hpPrintProjects

HPProductAssistant

hpWLPGInstaller

Insaniquarium Deluxe 1.0

Interlok driver setup x64

Java Auto Updater

Java 7 Update 5

Java 7 Update 5 (64-bit)

JavaFX 2.1.1

Junk Mail filter update

LabelPrint

LightScribe System Software

LSI PCI-SV92EX Soft Modem

Malwarebytes Anti-Malware version 1.70.0.1100

MarketResearch

Media Converter for Philips

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office File Validation Add-In

Microsoft Office Live Add-in 1.5

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175

Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MTRS 2.0 1.0

MXDFP 1.0

NVIDIA Control Panel 301.42

NVIDIA Drivers

NVIDIA Graphics Driver 301.42

NVIDIA Install Application

NVIDIA Update 1.8.15

NVIDIA Update Components

PDF Settings

Power2Go

PowerDirector

PowerRecover

RCA Detective™ 3.0.1.1

RCA easyRip 2.5.2.0

Realtek High Definition Audio Driver

Scan

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

SmartWebPrinting

SolutionCenter

Spiral Knights

Spybot - Search & Destroy

Status

Steam

Team Fortress 2

The Rosetta Stone

The Weather Channel App

Toolbox

TrayApp

Trusted Software Assistant

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

WavePad Sound Editor

WebM Media Foundation Components

WebReg

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Mail

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

Wizard101

.

==== Event Viewer Messages From Past Week ========

.

3/2/2013 11:53:57 AM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

3/2/2013 11:53:57 AM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

3/2/2013 11:52:16 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

3/2/2013 11:52:16 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

3/2/2013 11:51:28 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

.

==== End Of File ===========================

[Needhelpplease1]

Hello, I was told by a moderator to follow a pinned thread, which instructed me to post this information here. First, I will give a brief explanation of my problem. Around 1-2 weeks ago my computer contracted a re-direct virus, in which Malwarebytes found 8 malicious items, and Malwarebytes removed them. However, this did not fix the problem, a few days later I noticed Internet Explorer running in the background, but was only visible through task manager, I could not end the process directly, unless I went to the processes tab, after which the Internet Explorer would come back again. I ran an Avast! full scan, as well as another Malwarebytes full scan, but neither came up with anything. I then decided to download Spybot Search & Destroy, which found around 84 malicious items, and it destroyed those. However the problem still did not fix. I finally ended up here, with no other option because I had no idea what else to do but to ask experts. The Internet Explorer (IE) websites that were "running" were websites I had never seen before. The names I have noticed most common were named: www.listonlist.com, Crash Recovery, Blank Page, and Navigation Cancelled. Several other websites would play occasionally that would have ads playing, with various names that I do not remember. I believe I have a rootkit, which I fear is going to take my private information, I have changed my passwords several times to help eliminate the problem, and have not been told by any friends or family on my email that they recieved strange messages or spam from me. I understand this is long, and perhaps some of this information is irrelevant, but I assumed it would be best to provide as much information as possible. Thank you so very much for your time.

When I posted here I was assisted by a Mr. Maurice Naggar, who kindly helped me, I ran several scans, before he directed me to go to a thread and follow the instructions given there. I will now provide the scans, and their information:

*MALWAREBYTES FULL SCAN INFORMATION*

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.01.09

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Joseph :: JOSEPH-PC [administrator]

3/1/2013 3:30:09 PM

mbam-log-2013-03-01 (15-30-09).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 559796

Time elapsed: 1 hour(s), 36 minute(s), 24 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

_________________________

*JUNKWARE REMOVAL TOOL*

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.6.6 (02.27.2013:1)

OS: Windows 7 Home Premium x64

Ran by Joseph on Sat 03/02/2013 at 11:01:41.47

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{30f9b915-b755-4826-820b-08fba6bd249d}

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{9d425283-d487-4337-bab6-ab8354a81457}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{9d425283-d487-4337-bab6-ab8354a81457}

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

Val Name Type Value Data

======== ==== ==========

msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add

pocpr REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults

msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

Val Name Type Value Data

======== ==== ==========

msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add

msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{d4027c7f-154a-4066-a1ad-4243d8127440}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{d4027c7f-154a-4066-a1ad-4243d8127440}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\appid\babylonhelper.exe

Successfully deleted: [Registry Key] hkey_current_user\software\conduit

Successfully deleted: [Registry Key] hkey_local_machine\software\conduit

Successfully deleted: [Registry Key] hkey_local_machine\software\conduitengine

Successfully deleted: [Registry Key] hkey_current_user\software\softonic

Successfully deleted: [Registry Key] hkey_current_user\software\sparktrust

Successfully deleted: [Registry Key] hkey_local_machine\software\sparktrust

Successfully deleted: [Registry Key] hkey_current_user\software\zugo

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduit

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduitengine

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\fun web products

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\funwebproducts

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\pricegong

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\toolbar

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\menuext\&search

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escort.dll

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\tbcommonutils.dll

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\tbhelper.exe

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\conduit.engine

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\fbdownloader.bho

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\fbdownloader.downloadphoto

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\features\a28b4d68debaa244eb686953b7074fef

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\prod.cap

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\babylon_rasapi32

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\babylon_rasmancs

Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\microsoft\tracing\babylontc_rasapi32

Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\microsoft\tracing\babylontc_rasmancs

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT1460988

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2418376

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2903601

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2956065

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{171debeb-c3d4-40b7-ac73-056a5eba4a7e}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{30f9b915-b755-4826-820b-08fba6bd249d}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{9afb8248-617f-460d-9366-d71cdeda3179}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{9d425283-d487-4337-bab6-ab8354a81457}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{abd3b5e1-b268-407b-a150-2641dab8d898}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{abd3b5e1-b268-407b-a150-2641dab8d898}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{a18dc704-6bad-4a58-8e45-842a87cb5324}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{a18dc704-6bad-4a58-8e45-842a87cb5324}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4027c7f-154a-4066-a1ad-4243d8127440}

Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd"

Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd.1"

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\asktoolbarinfo"

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\asktoolbar"

Successfully deleted: [Registry Key] "hkey_current_user\software\ask.com"

Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\genericasktoolbar.dll"

~~~ Files

Successfully deleted: [File] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ebay.lnk"

Successfully deleted: [File] C:\eula.1028.txt

Successfully deleted: [File] C:\eula.1031.txt

Successfully deleted: [File] C:\eula.1033.txt

Successfully deleted: [File] C:\eula.1036.txt

Successfully deleted: [File] C:\eula.1040.txt

Successfully deleted: [File] C:\eula.1041.txt

Successfully deleted: [File] C:\eula.1042.txt

Successfully deleted: [File] C:\eula.2052.txt

Successfully deleted: [File] C:\install.res.1028.dll

Successfully deleted: [File] C:\install.res.1031.dll

Successfully deleted: [File] C:\install.res.1033.dll

Successfully deleted: [File] C:\install.res.1036.dll

Successfully deleted: [File] C:\install.res.1040.dll

Successfully deleted: [File] C:\install.res.1041.dll

Successfully deleted: [File] C:\install.res.1042.dll

Successfully deleted: [File] C:\install.res.2052.dll

Successfully deleted: [File] C:\install.res.3082.dll

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\sparktrust"

Successfully deleted: [Folder] "C:\ProgramData\tarma installer"

Successfully deleted: [Folder] "C:\Users\Joseph\AppData\Roaming\drivercure"

Successfully deleted: [Folder] "C:\Users\Joseph\AppData\Roaming\sparktrust"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\local\conduit"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\babylontoolbar"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\conduitengine"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\facemoods.com"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\funwebproducts"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\pricegong"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\toolbar4"

Successfully deleted: [Folder] "C:\Program Files (x86)\conduitengine"

Successfully deleted: [Folder] "C:\Program Files (x86)\fbdownloader"

Successfully deleted: [Folder] "C:\Program Files (x86)\sdiv 2.0"

Successfully deleted: [Folder] "C:\Program Files (x86)\winzip registry optimizer"

Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\homepage protection"

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"

Failed to delete: [Folder] "C:\Users\Joseph\appdata\locallow\asktoolbar"

Successfully deleted: [Folder] "C:\Program Files (x86)\ask.com"

Successfully deleted: [Folder] "C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sat 03/02/2013 at 11:16:00.56

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

_______________________

*DDS*

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 12/25/2009 8:26:35 AM

System Uptime: 3/2/2013 11:51:01 AM (1 hours ago)

.

Motherboard: PEGATRON CORPORATION | | NARRA5

Processor: AMD Sempron™ Processor LE-1200 | Socket AM2 | 2100/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 286 GiB total, 208.526 GiB free.

D: is FIXED (NTFS) - 12 GiB total, 2.173 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP477: 2/16/2013 9:20:35 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer

RP478: 2/20/2013 9:47:45 PM - Installed DirectX

RP479: 2/22/2013 3:46:48 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer

RP480: 2/28/2013 8:54:38 PM - Removed Ask Toolbar.

RP481: 2/28/2013 9:01:37 PM - Windows Modules Installer

RP482: 3/2/2013 12:31:30 PM - Malwarebytes Anti-Rootkit Restore Point

.

==== Installed Programs ======================

.

64 Bit HP CIO Components Installer

AbiWord 2.8.6

Acrobat.com

Activation Assistant for the 2007 Microsoft Office suites

Adobe AIR

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color Common Settings

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Device Central CS3

Adobe Download Assistant

Adobe ExtendScript Toolkit 2

Adobe Flash CS3

Adobe Flash CS3 Professional

Adobe Flash Player 11 ActiveX

Adobe Flash Player Plugin

Adobe Flash Video Encoder

Adobe Help Viewer CS3

Adobe Linguistics CS3

Adobe PDF Library Files

Adobe Reader 9.5.4

Adobe Setup

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe WinSoft Linguistics Plugin

Ask Toolbar

avast! Free Antivirus

Bing Rewards Client Installer

Bookworm Deluxe 1.03

BufferChm

CCleaner

Compact Wireless-G USB Network Adapter with SpeedBooster Driver - WUSB54GSC

Compatibility Pack for the 2007 Office system

Conduit Engine

Copy

CyberLink DVD Suite Deluxe

Destinations

DeviceDiscovery

DirectX for Managed Code Update (Summer 2004)

DJ_AIO_06_F2400_SW_Min

F2400

Feedback Tool

FixBee Disk Optimizer

Garry's Mod

GoGear VIBE Device Manager

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

GPBaseService2

Hardware Diagnostic Tools

Hewlett-Packard ACLM.NET v1.2.1.1

Homepage Protection

HP Advisor

HP Customer Experience Enhancements

HP Customer Participation Program 13.0

HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6

HP Games

HP Imaging Device Functions 13.0

HP MediaSmart Demo

HP MediaSmart DVD

HP MediaSmart Movie Themes

HP MediaSmart Music/Photo/Video

HP MediaSmart SmartMenu

HP Odometer

HP Print Projects 1.0

HP Remote Solution

HP Setup

HP Smart Web Printing 4.5

HP Solution Center 13.0

HP Support Assistant

HP Support Information

HP Update

HPPhotoGadget

hpPrintProjects

HPProductAssistant

hpWLPGInstaller

Insaniquarium Deluxe 1.0

Interlok driver setup x64

Java Auto Updater

Java™ 7 Update 5

Java™ 7 Update 5 (64-bit)

JavaFX 2.1.1

Junk Mail filter update

LabelPrint

LightScribe System Software

LSI PCI-SV92EX Soft Modem

Malwarebytes Anti-Malware version 1.70.0.1100

MarketResearch

Media Converter for Philips

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office File Validation Add-In

Microsoft Office Live Add-in 1.5

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175

Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MTRS 2.0 1.0

MXDFP 1.0

NVIDIA Control Panel 301.42

NVIDIA Drivers

NVIDIA Graphics Driver 301.42

NVIDIA Install Application

NVIDIA Update 1.8.15

NVIDIA Update Components

PDF Settings

Power2Go

PowerDirector

PowerRecover

RCA Detective™ 3.0.1.1

RCA easyRip 2.5.2.0

Realtek High Definition Audio Driver

Scan

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

SmartWebPrinting

SolutionCenter

Spiral Knights

Spybot - Search & Destroy

Status

Steam

Team Fortress 2

The Rosetta Stone

The Weather Channel App

Toolbox

TrayApp

Trusted Software Assistant

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

WavePad Sound Editor

WebM Media Foundation Components

WebReg

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Mail

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

Wizard101

.

==== Event Viewer Messages From Past Week ========

.

3/2/2013 11:53:57 AM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

3/2/2013 11:53:57 AM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

3/2/2013 11:52:16 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

3/2/2013 11:52:16 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

3/2/2013 11:51:28 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

.

==== End Of File ===========================

_____________________________

*ATTACH*

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 12/25/2009 8:26:35 AM

System Uptime: 3/2/2013 11:51:01 AM (1 hours ago)

.

Motherboard: PEGATRON CORPORATION | | NARRA5

Processor: AMD Sempron Processor LE-1200 | Socket AM2 | 2100/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 286 GiB total, 208.526 GiB free.

D: is FIXED (NTFS) - 12 GiB total, 2.173 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP477: 2/16/2013 9:20:35 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer

RP478: 2/20/2013 9:47:45 PM - Installed DirectX

RP479: 2/22/2013 3:46:48 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer

RP480: 2/28/2013 8:54:38 PM - Removed Ask Toolbar.

RP481: 2/28/2013 9:01:37 PM - Windows Modules Installer

RP482: 3/2/2013 12:31:30 PM - Malwarebytes Anti-Rootkit Restore Point

.

==== Installed Programs ======================

.

64 Bit HP CIO Components Installer

AbiWord 2.8.6

Acrobat.com

Activation Assistant for the 2007 Microsoft Office suites

Adobe AIR

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color Common Settings

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Device Central CS3

Adobe Download Assistant

Adobe ExtendScript Toolkit 2

Adobe Flash CS3

Adobe Flash CS3 Professional

Adobe Flash Player 11 ActiveX

Adobe Flash Player Plugin

Adobe Flash Video Encoder

Adobe Help Viewer CS3

Adobe Linguistics CS3

Adobe PDF Library Files

Adobe Reader 9.5.4

Adobe Setup

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe WinSoft Linguistics Plugin

Ask Toolbar

avast! Free Antivirus

Bing Rewards Client Installer

Bookworm Deluxe 1.03

BufferChm

CCleaner

Compact Wireless-G USB Network Adapter with SpeedBooster Driver - WUSB54GSC

Compatibility Pack for the 2007 Office system

Conduit Engine

Copy

CyberLink DVD Suite Deluxe

Destinations

DeviceDiscovery

DirectX for Managed Code Update (Summer 2004)

DJ_AIO_06_F2400_SW_Min

F2400

Feedback Tool

FixBee Disk Optimizer

Garry's Mod

GoGear VIBE Device Manager

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

GPBaseService2

Hardware Diagnostic Tools

Hewlett-Packard ACLM.NET v1.2.1.1

Homepage Protection

HP Advisor

HP Customer Experience Enhancements

HP Customer Participation Program 13.0

HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6

HP Games

HP Imaging Device Functions 13.0

HP MediaSmart Demo

HP MediaSmart DVD

HP MediaSmart Movie Themes

HP MediaSmart Music/Photo/Video

HP MediaSmart SmartMenu

HP Odometer

HP Print Projects 1.0

HP Remote Solution

HP Setup

HP Smart Web Printing 4.5

HP Solution Center 13.0

HP Support Assistant

HP Support Information

HP Update

HPPhotoGadget

hpPrintProjects

HPProductAssistant

hpWLPGInstaller

Insaniquarium Deluxe 1.0

Interlok driver setup x64

Java Auto Updater

Java 7 Update 5

Java 7 Update 5 (64-bit)

JavaFX 2.1.1

Junk Mail filter update

LabelPrint

LightScribe System Software

LSI PCI-SV92EX Soft Modem

Malwarebytes Anti-Malware version 1.70.0.1100

MarketResearch

Media Converter for Philips

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office File Validation Add-In

Microsoft Office Live Add-in 1.5

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175

Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MTRS 2.0 1.0

MXDFP 1.0

NVIDIA Control Panel 301.42

NVIDIA Drivers

NVIDIA Graphics Driver 301.42

NVIDIA Install Application

NVIDIA Update 1.8.15

NVIDIA Update Components

PDF Settings

Power2Go

PowerDirector

PowerRecover

RCA Detective™ 3.0.1.1

RCA easyRip 2.5.2.0

Realtek High Definition Audio Driver

Scan

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

SmartWebPrinting

SolutionCenter

Spiral Knights

Spybot - Search & Destroy

Status

Steam

Team Fortress 2

The Rosetta Stone

The Weather Channel App

Toolbox

TrayApp

Trusted Software Assistant

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

WavePad Sound Editor

WebM Media Foundation Components

WebReg

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Mail

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

Wizard101

.

==== Event Viewer Messages From Past Week ========

.

3/2/2013 11:53:57 AM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

3/2/2013 11:53:57 AM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

3/2/2013 11:52:16 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

3/2/2013 11:52:16 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

3/2/2013 11:51:28 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

.

==== End Of File ===========================

[Maurice Naggar]

Stay put. I am moving your thread here to Malware-removal help forum. and I'll pm to you with the (new) link.

[Needhelpplease1]

Okay, thank you again.

[Maurice Naggar]

Older versions of Java pose a security risk. Uninstall Java 7 Update 5 &

Java 7 Update 5 (64-bit)

And if you do not need Java for the programs that you use, keep Java off your system .

How to disable Java in various browsers : http://blog.eset.com/2012/08/29/disabling-java-a-safer-way-to-browse

Also see No, Seriously, Just Disable Java in Your Browser Right Now

Brian Krebs posted on 1 March 2013 of a new zero-day vulnerability

cf https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/

As he noted in his closing,

Most consumers can get by without Java installed, or least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I’d urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin.

Question for you:

You ran Malwarebytes Anti-Rootkit on your own? why?

Where is the log?

• Download & SAVE to your Desktop >> Tigzy's RogueKillerfrom here << or
  >> from here <<
  
• Quit all programs that you may have started.
  
• Please disconnect any USB or external drives from the computer before you run this scan!
  
• For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
  For Windows XP, double-click to start.
  
• Wait until Prescan has finished ...
  
• Then Click on Scan button at upper right of screen.
  
• Wait until the Status box shows "Scan Finished"
  
• Click on Report and copy/paste the content of the Notepad into your next reply.
  
• The log should be found in RKreport[1].txt on your Desktop
  
• Do NOT press any Fix button.
  
• Exit/Close RogueKiller

[Needhelpplease1]

I ran the Malwarebytes Anti-Rootkit without truly thinking about how it could mess with data, however, I did cancel the scan, I don't recall getting a log from it, however. My apologies for any inconvenience, I will not scan anything without suggestion again, it slipped my mind really.

Tigzy's Roguekiller Log:

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Joseph [Admin rights]

Mode : Scan -- Date : 03/02/2013 13:33:44

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msplex.dll [x] -> KILLED [TermProc]

[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msplex.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 15 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND

[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND

[TASK][ROGUE ST] 4798 : wscript.exe C:\Users\Joseph\AppData\Local\Temp\launchie.vbs //B -> FOUND

[TASK][sUSP PATH] RunAsStdUser Task : "C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe" [x] -> FOUND

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND

[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT721032SLA SCSI Disk Device +++++

--- User ---

[MBR] e53d06fa40611a278ba0d6c3eb674f5e

[bSP] eb02a6d20cebb6df951712f0583d56b0 : Windows Vista/7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292917 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 600100864 | Size: 12226 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_03022013_02d1333.txt >>

RKreport[1]_S_03022013_02d1333.txt

[Maurice Naggar]

Backdoor trojan warning:ZeroAccess / Sirefef

This system has some serious backdoor trojans. ZeroAccess / Sirefef

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

See this article on creating strong passwords http://www.microsoft.com/security/online-privacy/passwords-create.aspx

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Let me know what you decide.

[Needhelpplease1]

I am unsure what to do from here, I have ensured I logged out of everything, and am changing passwords from a safe place as we speak and will not re-log on to them on this computer.

I have several questions:

1. Does this mean I will never be able to use this computer again?

2. Is there no way to completely wipe the computer of everything and start from square one?

3. Will I have no other choice but to purchase a new computer?

[Maurice Naggar]

I do believe we can squash and remove the infections, which are multi-faceted.

I have prepared a plan of attack to do that ..... if you want to proceed.

To answer some of your questions

1. You would be able to re-use the computer .....once we remove all infections and I give you the all clear.

2. Yes, if you have the Windows operating system Windows 7 DVD, otherwise likely your system has the manufacturer's factory restore partition.

NOTE that that means you will have to re-install everything from scratch to include WIN7, the antivirus, security apps, all program applications.

You will lose all your personal files and documents .....unless you make an offline backup beforehand to Offline media.

3. You will not need to buy a new computer.

IF you want to proceed with removal, do as much as you can of the following.

You can do the download on another computer and then put on a CD/DVD, or a new/clean USB-flash and take to the problem-computer and from there Copy to the DESKTOP.

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Needhelpplease1 only. If you are a casual viewer, do NOT try this on your system!

If you are not Needhelpplease1 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

• Disable your anti-virus program
  Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK
  Right click on the Avast Ball and select Avast! Shields Control and Disable Until Computer is Restarted
  Step 2
  Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  Do NOT turn off the firewall
  Please download Rkill by Grinler and save it to your desktop.
  Link 2
  Link 3
  Link 4
  
• Double-click on the Rkill desktop icon to run the tool.
  
• If using Vista or Windows 7, right-click on it and Run As Administrator.
  
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  
• If not, delete the file, then download and use the one provided in Link 2.
  
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  
• If the tool does not run from any of the links provided, please let me know.
  
• If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
  
• If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Copy & Paste contents of Rkill.txt into a reply.

More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Step 3

We Need to Run a Batch Script

1. Press the Windows-key on keyboard.
   
2. In the box, type notepad and press Enter.
   
3. Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
   

   net pause msplex
   net pause popcr
   net pause msmges
   net stop msplex
   net stop popcr
   net stop msmges
   sc delete msplex
   sc delete popcr
   sc delete msmges
   del /f /q C:\Users\Joseph\AppData\Roaming\msplex.dll
   del /f /q C:\Users\Joseph\AppData\Roaming\pocpr.dll
   del /f /q C:\Users\Joseph\AppData\Roaming\msmges.dll
   del /f /q C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe
   del /f /q C:\Users\Joseph\AppData\Local\Temp\launchie.vbs
   del /f /q "%~f0"

   
   

4. Select File -> Save AS.
   
5. Press the Desktop button on the left side of the save dialog.
   
6. In the box, type in Fix.bat.
   
7. Press .
   
8. Close Notepad.
   
9. NOW Close Internet Explorer and any other browser that is open.
   
10. Right click on your desktop, and choose .
    
11. Press Yes if prompted by User Account Control.
    

Step 4

[*]Please disconnect any USB or external drives from the computer before you run this scan!

[*]Right-Click RogueKiller and select Run as Administrator.

[*]Wait until Prescan finishes.

[*]On the RogueKiller console, click the Files tab.

Put a check next to all of these and uncheck the rest:

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> FOUND

Now click Delete on the right hand column under Options

[*]On the RogueKiller console, click the Registry tab.

Put a check next to all of these and uncheck the rest: (if found)

[RUN][sUSP PATH] HKCU\[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND

[TASK][ROGUE ST] 4798 : wscript.exe C:\Users\Joseph\AppData\Local\Temp\launchie.vbs //B -> FOUND

[TASK][sUSP PATH] RunAsStdUser Task : "C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe" [x] -> FOUND

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND

[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND

[*]Then click on Delete on the right hand column under Options.

[*]When done, logoff & Restart the system.[*]The log will be found as RKreport

Copy & Paste the contents into next reply.

Edited March 2, 2013 by Maurice Naggar

[Needhelpplease1]

I have a few more questions, before I make the decision to go through with this process, I'm sure you understand, as I am quite nervous.

1. The first step I am uncertain of what to do, I am perfectly fine with having to start over with factory settings, such as re-downloading all the current programs I own, anti-viruses, etc. I do not have any personal items saved to this computer other than games that I can simply re-download as I have already purchased them. I have the feeling that after we remove the Trojans, restoring the computer to factory settings and wiping the hard drive, is the safest method. If you know what I mean, I guess my point is that after we've cleaned the PC I'd like to reset it to factory settings and then just re-download the things I need, which would be advantageous as it would ensure any junk I previously had on my PC would be gone.

2. I am not sure if I have the Windows 7 DVD or not, I will make sure to search, my question is will it or saving data to a flash drive or other DVD be necessary, or will I be able to skip this process and after the virus removal start the computer almost as though it is new.

3. Can you give me a brief summary of what this process is going to do once we complete it?

I truly am not trying to be a burden by asking you so many questions, I really appreciate all the help you have given me.

[Maurice Naggar]

If you -do- want to a factory restore, you can proceed to it directly, and as part of that, wipe (delete) the windows partition and then install Windows clean. all from the factory restore partition.

No need to go thru my steps if that is what you want.

I take it this is a HP computer. You will need to check with HP support website on how to start the Factory restore procedure.

IF you have no personal files or documents that you care to save, fine skip that part.

# 3. These steps above will squash what is ailing (infecting) this system (a couple of hooks to play sounds and some remains of the zero access). Then we would run some more tools and check to insure nothing remains.

[Needhelpplease1]

Okay, so I will begin this tomorrow, as it is late.

One question I have is do I restore to factory settings before or after we do the scans for the infections. I would assume that would be done after, but I would rather see what you say first.

And as for the personal files I don't really keep things on my personal computer, which yes is a HP. I prefer to keep what few files I actually do keep on a flash drive.

Hopefully we'll be able to eliminate these viruses by tomorrow, get my computer reverted to it's original, unchanged self. From the clean computer it will be much easier to make a stronger defense, I also plan on swapping out my default browser to a more secure one, and will be certain to update my defense system more frequently. I never want to go through this stressful process again. This whole issue is scary, and I'll be glad when it is over. I know I've said this several times, but I can't thank you enough for your help.

[Maurice Naggar]

To make it easier for you.... you can do what I had outlined first. Then later, you should plan to do the factory restore.

[Needhelpplease1]

Alright, before I begin I have one question: Do I need to download all these then exit out of my internet browser, or can I download them, exit out of the browser, run the scan, once scan is complete begin next scan. If you understand what I mean?

[Maurice Naggar]

Do the downloads and exit the browser, yes.

If you can, print out the instructions or Copy to your Notepad and save into your own file.

[Needhelpplease1]

Okay Mr. Naggar, here are the results:

Rkill:

Rkill 2.4.7 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/03/2013 05:56:53 PM in x64 mode.

Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:

C:\Users\Joseph\Desktop\rkill\rkill-03-03-2013-05-56-58.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]

* C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\ [ZA Dir]

* C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\ [ZA Dir]

* C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\00000004.@ [ZA File]

* C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\201d3dde [ZA File]

* C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U\ [ZA Dir]

* C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]

* C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Checking Windows Service Integrity:

* Windows Firewall Authorization Driver (mpsdrv) is not Running.

Startup Type set to: Manual

* BFE [Missing Service]

* BITS [Missing Service]

* iphlpsvc [Missing Service]

* MpsSvc [Missing Service]

* WinDefend [Missing Service]

* wscsvc [Missing Service]

* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 03/03/2013 05:57:15 PM

Execution time: 0 hours(s), 0 minute(s), and 22 seconds(s)

Roguekiller:

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Joseph [Admin rights]

Mode : Scan -- Date : 03/03/2013 18:07:46

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]

[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 15 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND

[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND

[TASK][ROGUE ST] 4798 : wscript.exe C:\Users\Joseph\AppData\Local\Temp\launchie.vbs //B -> FOUND

[TASK][sUSP PATH] RunAsStdUser Task : "C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe" [x] -> FOUND

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND

[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT721032SLA SCSI Disk Device +++++

--- User ---

[MBR] e53d06fa40611a278ba0d6c3eb674f5e

[bSP] eb02a6d20cebb6df951712f0583d56b0 : Windows Vista/7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292917 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 600100864 | Size: 12226 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2]_S_03032013_02d1807.txt >>

RKreport[1]_S_03022013_02d1333.txt ; RKreport[2]_S_03032013_02d1807.txt

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Joseph [Admin rights]

Mode : Remove -- Date : 03/03/2013 18:10:36

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]

[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 11 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> DELETED

[RUN][sUSP PATH] HKCU\[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> DELETED

[RUN][sUSP PATH] HKCU\[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> DELETED

[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> DELETED

[TASK][ROGUE ST] 4798 : wscript.exe C:\Users\Joseph\AppData\Local\Temp\launchie.vbs //B -> DELETED

[TASK][sUSP PATH] RunAsStdUser Task : "C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe" [x] -> DELETED

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> REPLACED (C:\Windows\system32\wbem\fastprox.dll)

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U --> REMOVED

[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\U --> REMOVED

[Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\00000004.@ [-] --> REMOVED

[Del.Parent][FILE] 201d3dde : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\201d3dde [-] --> REMOVED

[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L --> REMOVED

[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\L --> REMOVED

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> REMOVED

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT721032SLA SCSI Disk Device +++++

--- User ---

[MBR] e53d06fa40611a278ba0d6c3eb674f5e

[bSP] eb02a6d20cebb6df951712f0583d56b0 : Windows Vista/7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292917 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 600100864 | Size: 12226 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[3]_D_03032013_02d1810.txt >>

RKreport[1]_S_03022013_02d1333.txt ; RKreport[2]_S_03032013_02d1807.txt ; RKreport[3]_D_03032013_02d1810.txt

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Joseph [Admin rights]

Mode : Remove -- Date : 03/03/2013 18:12:33

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]

[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT721032SLA SCSI Disk Device +++++

--- User ---

[MBR] e53d06fa40611a278ba0d6c3eb674f5e

[bSP] eb02a6d20cebb6df951712f0583d56b0 : Windows Vista/7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292917 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 600100864 | Size: 12226 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[4]_D_03032013_02d1812.txt >>

RKreport[1]_S_03022013_02d1333.txt ; RKreport[2]_S_03032013_02d1807.txt ; RKreport[3]_D_03032013_02d1810.txt ; RKreport[4]_D_03032013_02d1812.txt