Ukash virus removal problem
wellzy (post 144455) said:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 17-11-2013 02
Ran by Sexy Zoe (ATTENTION: The logged in user is not administrator) on KARLS on 18-11-2013 02:12:26
Running from C:\Users\Sexy Zoe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BEFF33KA
Windows 7 Starter Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Could not list processes ===============

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [495708 2010-06-09] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [HP Quick Launch] - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602680 2010-07-02] (Hewlett-Packard Company)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [4858968 2013-08-30] (AVAST Software)
HKLM\...\Run: [itype] - C:\Program Files\Microsoft IntelliType Pro\itype.exe [1298320 2011-04-13] (Microsoft Corporation)
HKLM\...\Run: [IAStorIcon] - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM\...\Run: [IntelliPoint] - C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKCU\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPNOT/2
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPNOT/2
SearchScopes: HKLM - DefaultScope {97FCF6C8-E98B-4C3D-9B32-4247FECDB219} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM - {044C702A-DFE8-48DA-B76F-BC1541A9F1AC} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM - {97FCF6C8-E98B-4C3D-9B32-4247FECDB219} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM - {C47091E2-83AE-4B1F-8387-783771E8545E} URL = http://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKCU - DefaultScope {97FCF6C8-E98B-4C3D-9B32-4247FECDB219} URL = 
SearchScopes: HKCU - {044C702A-DFE8-48DA-B76F-BC1541A9F1AC} URL = 
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: WebCGMHlprObj Class - {56B38F40-4E70-11d4-A076-0080AD86BA2F} - C:\Windows\System32\cgmopenbho.dll (CGM Open Consortium, Inc.)
BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU - No Name - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31150A86-0BBA-409F-BEB4-F3922D10BF34} file:///C:/Users/Karl%20Wells/AppData/Local/Microsoft/Windows%20Sidebar/Gadgets/xplugCam.gadget/en-US/xplug.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 10 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Sexy Zoe\AppData\Roaming\Mozilla\Firefox\Profiles\t5c2bq4c.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 - C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF

========================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-30] (AVAST Software)
R2 DvmMDES; C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe [338168 2010-07-02] (DeviceVM, Inc.)
S3 GameConsoleService; C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe [246520 2010-04-03] (WildTangent, Inc.)
S2 HP Wireless Assistant Service; C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [103992 2010-06-18] (Hewlett-Packard Company)
S2 HPWMISVC; C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-07-02] ()
R2 lmhosts; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [237650 2010-06-09] (IDT, Inc.)
S2 Winmgmt; C:\ProgramData\9rh8rq.dss [151552 2013-11-03] (Корпорация Майкрософт)
R2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [x]

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-08-30] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [66336 2013-08-30] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [61680 2013-08-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49376 2013-08-30] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [770344 2013-08-30] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [369584 2013-08-30] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [56080 2013-08-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [177864 2013-08-30] ()
R1 DVMIO; C:\Windows\System32\DRIVERS\dvmio.sys [18136 2009-11-11] (DeviceVM, Inc.)
R2 Hardlock; C:\Windows\system32\drivers\hardlock.sys [693760 2006-11-22] (Aladdin Knowledge Systems Ltd.)
R2 NSHE; C:\Windows\system32\Drivers\NSHE.SYS [97792 2008-11-23] (T0r0 2008)
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21792 2011-04-13] (Microsoft Corporation)
R3 RSPCIESTOR; C:\Windows\System32\DRIVERS\RtsPStor.sys [230944 2011-04-11] (Realtek Semiconductor Corp.)
S3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [32768 2010-09-22] (AnchorFree Inc)
S3 mcdbus; system32\DRIVERS\mcdbus.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-18 02:12 - 2013-11-18 02:12 - 00000000 ____D C:\FRST
2013-11-17 23:12 - 2013-11-17 23:12 - 00013286 _____ C:\Users\Sexy Zoe\Desktop\hs_err_pid16268.log
2013-11-17 23:12 - 2013-11-17 23:12 - 00000000 ____D C:\Users\Sexy Zoe\AppData\Local\Google
2013-11-03 19:55 - 2013-11-03 19:55 - 00000273 _____ C:\ProgramData\qr8hr9.reg
2013-11-03 19:49 - 2013-11-17 18:35 - 00000000 _____ C:\ProgramData\qr8hr9.fvv
2013-11-03 19:48 - 2013-11-17 18:35 - 95025368 ____T C:\ProgramData\qr8hr9.bxx
2013-11-03 19:48 - 2013-11-03 19:48 - 00151552 _____ (Корпорация Майкрософт) C:\ProgramData\9rh8rq.dss
2013-11-02 20:34 - 2013-11-02 20:34 - 00000416 _____ C:\Windows\PFRO.log

==================== One Month Modified Files and Folders =======

2013-11-18 02:12 - 2013-11-18 02:12 - 00000000 ____D C:\FRST
2013-11-18 02:12 - 2010-09-15 18:42 - 01513238 _____ C:\Windows\WindowsUpdate.log
2013-11-18 01:32 - 2012-05-02 21:53 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-18 01:26 - 2009-07-14 04:34 - 00014128 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-18 01:26 - 2009-07-14 04:34 - 00014128 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-18 01:09 - 2013-10-10 17:12 - 00001624 _____ C:\Windows\setupact.log
2013-11-18 01:09 - 2009-07-14 04:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-17 23:12 - 2013-11-17 23:12 - 00013286 _____ C:\Users\Sexy Zoe\Desktop\hs_err_pid16268.log
2013-11-17 23:12 - 2013-11-17 23:12 - 00000000 ____D C:\Users\Sexy Zoe\AppData\Local\Google
2013-11-17 18:35 - 2013-11-03 19:49 - 00000000 _____ C:\ProgramData\qr8hr9.fvv
2013-11-17 18:35 - 2013-11-03 19:48 - 95025368 ____T C:\ProgramData\qr8hr9.bxx
2013-11-03 19:55 - 2013-11-03 19:55 - 00000273 _____ C:\ProgramData\qr8hr9.reg
2013-11-03 19:48 - 2013-11-03 19:48 - 00151552 _____ (Корпорация Майкрософт) C:\ProgramData\9rh8rq.dss
2013-11-02 20:34 - 2013-11-02 20:34 - 00000416 _____ C:\Windows\PFRO.log
2013-10-30 23:45 - 2009-09-06 23:02 - 00726444 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-27 14:04 - 2009-07-14 02:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-10-19 18:55 - 2011-02-11 19:47 - 00000052 _____ C:\Windows\system32\DOErrors.log
2013-10-19 18:54 - 2011-10-28 12:13 - 00000000 _____ C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
ZeroAccess:
C:\Users\Sexy Zoe\AppData\Local\Google\Desktop\Install

Files to move or delete:
====================
C:\ProgramData\9rh8rq.dss
C:\ProgramData\qr8hr9.bxx
C:\ProgramData\qr8hr9.fvv
C:\ProgramData\qr8hr9.reg


Some content of TEMP:
====================
C:\Users\Sexy Zoe\AppData\Local\Temp\install_flashplayer11x32_chra_aih.exe
C:\Users\Sexy Zoe\AppData\Local\Temp\install_flashplayer11x32_chra_aih_1.exe
C:\Users\Sexy Zoe\AppData\Local\Temp\swt-gdip-win32-3448.dll
C:\Users\Sexy Zoe\AppData\Local\Temp\swt-win32-3448.dll
C:\Users\Sexy Zoe\AppData\Local\Temp\WindowsAPI.dll


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================
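The log above shows the classic ZeroAccess pattern: the built-in Winmgmt service redirected to a randomly named file in the root of C:\ProgramData, a version-info vendor string that spells "Microsoft Corporation" in Cyrillic (Корпорация Майкрософт), an HKCU Run entry whose path FRST could not resolve, and the Google\Desktop\Install directory that FRST lists under its own ZeroAccess heading. The Python script below is an added example, not part of wellzy's post and not FRST's own code: it parses a handful of lines copied from that log and re-derives those indicators with explicit rules, so the same triage can be repeated on other FRST logs. The section names and line layouts are FRST's; the rule names, the WINDOWS_SERVICES set and the random-name heuristic are this example's own assumptions.

```python
# Added example, not FRST's own code and not part of the original post. It re-derives the
# ZeroAccess indicators visible in the log above with explicit rules. Section names and line
# layouts follow FRST; rule names, WINDOWS_SERVICES and the random-name heuristic are assumptions.
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied verbatim from the FRST log above, trimmed to the sections the rules inspect.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)

========================== Services (Whitelisted) =================

R2 lmhosts; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 Winmgmt; C:\ProgramData\9rh8rq.dss [151552 2013-11-03] (Корпорация Майкрософт)
R2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [x]

==================== One Month Created Files and Folders ========

2013-11-03 19:48 - 2013-11-03 19:48 - 00151552 _____ (Корпорация Майкрософт) C:\ProgramData\9rh8rq.dss
2013-11-03 19:48 - 2013-11-17 18:35 - 95025368 ____T C:\ProgramData\qr8hr9.bxx
2013-11-02 20:34 - 2013-11-02 20:34 - 00000416 _____ C:\Windows\PFRO.log

ZeroAccess:
C:\Users\Sexy Zoe\AppData\Local\Google\Desktop\Install
"""

# Built-in Windows services seen in the log (assumed set); their image must live under C:\Windows.
WINDOWS_SERVICES = {"winmgmt", "lmhosts", "nlasvc", "nsi"}
# "R2 name; path [size date] (vendor)", or "[x]" when FRST could not find the file.
SERVICE_RE = re.compile(r'^[RS]\d (?P<name>.+?); "?(?P<path>[A-Za-z]:\\[^"\[]+?)"? '
                        r'\[(?P<stamp>x|\d+ [\d-]+)\](?: \((?P<vendor>.*)\))?$')
# "created - modified - size attrs (vendor) path"; the vendor field is optional.
FILE_RE = re.compile(r'^[\d-]+ [\d:]+ - [\d-]+ [\d:]+ - \d+ \S+ '
                     r'(?:\((?P<vendor>.*?)\) )?(?P<path>[A-Za-z]:\\.+)$')
# Six lower-case alphanumerics including a digit, three-letter extension: 9rh8rq.dss, qr8hr9.bxx.
RANDOM_NAME_RE = re.compile(r'^(?=[a-z]*\d)[a-z0-9]{6}\.[a-z]{3}$')


def vendor_is_suspect(vendor: Optional[str]) -> bool:
    """Genuine Microsoft files carry the ASCII 'Microsoft Corporation'; another script is a lure."""
    return bool(vendor) and any(ord(ch) > 127 for ch in vendor)


def in_programdata_root(path: str) -> bool:
    """True for files dropped straight into the ProgramData root rather than a vendor subfolder."""
    return path.rsplit("\\", 1)[0].lower() == r"c:\programdata"


def check_service(m: re.Match) -> List[str]:
    rules = []
    if m["stamp"] == "x":
        rules.append("service-image-missing")
    if vendor_is_suspect(m["vendor"]):
        rules.append("vendor-nonlatin")
    if m["name"].lower() in WINDOWS_SERVICES and not m["path"].lower().startswith("c:\\windows\\"):
        rules.append("builtin-service-redirected")
    if in_programdata_root(m["path"]):
        rules.append("image-in-programdata-root")
    return rules


def check_file(m: re.Match) -> List[str]:
    rules = []
    if vendor_is_suspect(m["vendor"]):
        rules.append("vendor-nonlatin")
    if in_programdata_root(m["path"]) and RANDOM_NAME_RE.match(m["path"].rsplit("\\", 1)[1]):
        rules.append("random-name-in-programdata-root")
    return rules


def triage(log: str) -> List[Tuple[List[str], str]]:
    """Walk the log section by section; return (rules fired, line) for every line that trips a rule."""
    findings: List[Tuple[List[str], str]] = []
    section = ""
    for line in log.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("=====") or (line.endswith(":") and "\\" not in line):
            section = line.strip("= ").rstrip(":")      # e.g. "Services (Whitelisted)", "ZeroAccess"
            continue
        rules: List[str] = []
        if "ATTENTION" in line:                           # FRST's own flag, always kept
            rules = ["frst-attention"]
        elif section.startswith("Services"):
            rules = check_service(m) if (m := SERVICE_RE.match(line)) else []
        elif section.startswith("One Month"):
            rules = check_file(m) if (m := FILE_RE.match(line)) else []
        elif section == "ZeroAccess":                     # FRST lists the rootkit's install dir here
            rules = ["zeroaccess-path"]
        if rules:
            findings.append((rules, line))
    return findings


def rules_for(findings: List[Tuple[List[str], str]], needle: str) -> List[str]:
    """Rules that fired on the first flagged line containing `needle` ([] if none)."""
    return next((rules for rules, line in findings if needle in line), [])


if __name__ == "__main__":
    for rules, line in triage(SAMPLE_LOG):
        print(", ".join(rules).ljust(58), line)
```

Run as a script it prints one line per finding; lmhosts and PFRO.log pass through with no rule firing, which is the control that keeps the heuristics honest. A vendor string in a non-Latin script is not malicious on its own (localised third-party software exists), which is why that rule is reported next to the service-name and path checks rather than treated as a verdict by itself.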