elevated help- Zero Access Rootkit?

Hello. I started out just thinking I had Scorpion Saver on the computer and started a thread here: http://www.bleepingcomputer.com/forums/t/616295/scorpion-saver/page-2#entry4014917

After I got some assistance from Broni, he advised me that "There are some signs of ZeroAccess rootkit so you'll need elevated help." and that I needed to follow this guide: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
As he advised, I started at step six of the guide posted above.

My computer is running rather slowly. I need my computer for work, as I am working from home for U-Haul. Whatever is going on is interfering with the VPN connection I have to have for work. Any assistance would be greatly appreciated.

Thank you.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:03-06-2016
Ran by Randi (administrator) on RANDI-PC (04-06-2016 17:40:59)
Running from C:\Users\Randi\Downloads
Loaded Profiles: Randi (Available Profiles: Randi & DefaultAppPool)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvca.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
() C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerResearchParticipation\EPCP.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe
() C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagenta.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
() C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIMDE.EXE
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXSTM.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfServicePlugin.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe

==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808680 2009-06-25] (Synaptics Incorporated)
HKLM\...\Run: [IntelliType Pro] => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1464944 2012-11-02] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2076272 2012-11-02] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [DellSupportCenter] => C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2072928 2014-10-31] (Wondershare)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [650784 2015-12-22] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863776 2015-12-22] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirnx.exe [186640 2016-05-18] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [530560 2016-04-25] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [239744 2016-04-25] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1087184 2016-01-20] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [6570256 2016-05-20] (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-4265505565-2887419862-550575693-1001\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIMDE.EXE [298560 2013-12-16] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-4265505565-2887419862-550575693-1001\...\RunOnce: [Uninstall C:\Users\Randi\AppData\Local\Microsoft\OneDrive\17.3.6301.0127_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Randi\AppData\Local\Microsoft\OneDrive\17.3.6301.0127_1\amd64"
HKU\S-1-5-21-4265505565-2887419862-550575693-1001\...\MountPoints2: {22eea75b-04d5-11e6-8d94-a4badba8feaf} - "F:\VerizonWirelessUpgradeAssistantSetup.exe" -a
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealPlayer Cloud Service UI.lnk [2014-07-24]
ShortcutTarget: RealPlayer Cloud Service UI.lnk -> C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe (RealNetworks, Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-04-03]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-04-03]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\DefaultAppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-04-03]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 64.37.30.6 137.118.1.33
Tcpip\..\Interfaces\{6470960d-c3dc-40bf-9770-eb3c7dd1258a}: [DhcpNameServer] 64.37.30.6 137.118.1.33
Tcpip\..\Interfaces\{bfe9adc4-b0bb-4ac6-86de-caddfc69e3f0}: [DhcpNameServer] 64.37.30.6 137.118.1.33
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
SearchScopes: HKLM -> {9A65A8FE-7001-4989-A613-544BFDEF5CA6} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> {2CF5D85E-F43D-47B1-AC93-A2270C845315} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4265505565-2887419862-550575693-1001 -> {2CF5D85E-F43D-47B1-AC93-A2270C845315} URL =
SearchScopes: HKU\S-1-5-21-4265505565-2887419862-550575693-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={ED0C330D-16C7-4C32-92A7-4AAE3298D897}&mid=19cea43628a447ccae3175f39d4c175c-f329d0866b09042498b2f9877ae7bf4b21187cf6&lang=en&ds=AVG&coid=avgtbavg&cmpid=0216piz&pr=fr&d=2016-03-30 21:41:51&v=4.2.8.608&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4265505565-2887419862-550575693-1001 -> {9A65A8FE-7001-4989-A613-544BFDEF5CA6} URL =
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin64.dll [2014-06-10] (RealDownloader)
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
BHO-x32: E-Web Print -> {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} -> C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll [2014-11-27] (SEIKO EPSON CORPORATION)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2014-06-10] (RealDownloader)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-03-07] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-03-07] (Oracle Corporation)
Toolbar: HKLM-x32 - E-Web Print - {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll [2014-11-27] (SEIKO EPSON CORPORATION)
Toolbar: HKU\S-1-5-21-4265505565-2887419862-550575693-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-4265505565-2887419862-550575693-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} hxxp://www.pcpitstop.com/nirvana/controls/pcmatic.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} -  No File
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2016-04-25] (Citrix Systems, Inc.)
FireFox:
========
FF ProfilePath: C:\Users\Randi\AppData\Roaming\Mozilla\Firefox\Profiles\0lyr49jl.default-1434586609341
FF DefaultSearchEngine: AVG Secure Search
FF DefaultSearchEngine.US: AVG Secure Search
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-05-12] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-12] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1210150.dll [2014-03-11] (Adobe Systems, Inc.)
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2016-04-25] (Citrix Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-03-07] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-03-07] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=17.0.11.0 -> c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll [2014-07-24] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprjplug;version=15.0.6.14 -> c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll [2012-10-12] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=17.0.11 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2014-06-10] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=17.0.11 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2014-06-10] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=17.0.11 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2014-06-10] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2012-10-12] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprphtml5videoshim;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2012-10-12] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=17.0.11.0 -> c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll [2014-07-24] (RealPlayer Cloud)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-04-23] (Adobe Systems Inc.)
FF Extension: Grammarly Spell Checker & Grammar Checker - C:\Users\Randi\AppData\Roaming\Mozilla\Firefox\Profiles\0lyr49jl.default-1434586609341\Extensions\[email protected] [2016-03-29]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-07-24] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{1DD9AC48-0855-4AE7-9934-159B4377FFA2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on
FF Extension: E-Web Print - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on [2016-05-07] [not signed]
Chrome:
=======
CHR HomePage: Default -> hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_nxtad_15_53&param1=1&param2=f%3D1%26b%3DChrome%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0AyE0B0A0D0B0Azz0F0E0A0F0F0B0B0CtN0D0Tzu0StCyEyDyBtN1L2XzutAtFtCyCtFtCtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCyBzyyCyDyEyD0AtGtA0BtCtAtGtAyByCtBtGtCyCtDyDtGtC0EyEtDtD0B0B0BtC0ByEyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0EyCtD0D0Azy0EtG0CtDyC0CtGyE0F0EzytG0B0EyCyCtG0B0A0AtAtDyD0B0B0EtCtByE2QtN0A0LzutB%26cr%3D1655908324%26a%3Dwncy_nxtad_15_53%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
CHR DefaultSearchURL: Default -> hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_nxtad_15_53&param1=1&param2=f%3D4%26b%3DChrome%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0AyE0B0A0D0B0Azz0F0E0A0F0F0B0B0CtN0D0Tzu0StCyEyDyBtN1L2XzutAtFtCyCtFtCtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCyBzyyCyDyEyD0AtGtA0BtCtAtGtAyByCtBtGtCyCtDyDtGtC0EyEtDtD0B0B0BtC0ByEyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0EyCtD0D0Azy0EtG0CtDyC0CtGyE0F0EzytG0B0EyCyCtG0B0A0AtAtDyD0B0B0EtCtByE2QtN0A0LzutB%26cr%3D1655908324%26a%3Dwncy_nxtad_15_53%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
CHR DefaultSearchKeyword: Default -> search provided by yahoo.com
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.102\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.102\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.102\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.170.4) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeploytk.dll => No File
CHR Plugin: (Java™ Platform SE 6 U17) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (RealNetworks™ Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer™ HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Download Plugin) - c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer Cloud)
CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\Randi\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1167637.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll => No File
CHR Plugin: (RealJukebox NS Plugin) - c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
CHR Profile: C:\Users\Randi\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\Randi\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-17]
CHR Extension: (Google Search) - C:\Users\Randi\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-17]
CHR Extension: (RealPlayer Downloader) - C:\Users\Randi\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2014-08-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Randi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Gmail) - C:\Users\Randi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-04]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2014-06-10]
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [636312 2016-05-20] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagenta.exe [5164800 2016-05-20] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1080592 2016-05-18] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvca.exe [705528 2016-05-20] (AVG Technologies CZ, s.r.o.)
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation) [File not signed]
R2 EpsonCustomerResearchParticipation; C:\Program Files\EPSON\EpsonCustomerResearchParticipation\EPCP.exe [677376 2016-06-03] (SEIKO EPSON CORPORATION)
R2 EpsonScanSvc; C:\WINDOWS\system32\EscSvc64.exe [144560 2012-05-17] (Seiko Epson Corporation)
S2 LMIRescue_a38ee134-33dc-4547-a77d-0d1907ff0f23; C:\Users\Randi\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe [3987216 2016-06-01] (LogMeIn, Inc.)
R2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [214896 2012-02-06] ()
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-06-10] ()
R2 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-07-24] (RealNetworks, Inc.)
R2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [23552 2014-06-10] () [File not signed]
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [21632 2016-01-07] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [162592 2016-02-16] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [307456 2016-05-18] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [272304 2016-01-26] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [260352 2016-05-02] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [360736 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [247040 2016-05-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [51968 2016-05-02] (AVG Technologies CZ, s.r.o.)
R0 avguniva; C:\Windows\System32\DRIVERS\avguniva.sys [71936 2016-05-05] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [315840 2015-12-16] (AVG Technologies CZ, s.r.o.)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [109272 2016-06-03] (Malwarebytes)
S3 vpnva; C:\Windows\System32\drivers\vpnva64-6.sys [52592 2015-07-24] (Cisco Systems, Inc.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 yukonw8; C:\Windows\System32\drivers\yk63x64.sys [288768 2015-10-30] (Marvell)
U3 idsvc; no ImagePath
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-06-04 17:40 - 2016-06-04 17:42 - 00027955 _____ C:\Users\Randi\Downloads\FRST.txt
2016-06-04 17:40 - 2016-06-04 17:40 - 02384384 _____ (Farbar) C:\Users\Randi\Downloads\FRST64.exe
2016-06-03 19:53 - 2016-06-04 10:33 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-06-03 19:52 - 2016-06-04 10:33 - 00000000 ____D C:\Users\Randi\Desktop\mbar
2016-06-03 19:51 - 2016-06-03 19:51 - 00000726 _____ C:\Users\Randi\Desktop\Malwarebytesprotectionlog.txt
2016-06-03 19:50 - 2016-06-03 19:50 - 00010003 _____ C:\Users\Randi\Desktop\Malwarebytes.txt
2016-06-03 19:46 - 2016-06-03 19:46 - 00002433 _____ C:\Users\Randi\Desktop\FSS.txt
2016-06-03 19:38 - 2016-06-03 19:38 - 00034949 _____ C:\Users\Randi\Desktop\MTB.txt
2016-06-03 18:34 - 2016-06-03 18:49 - 00002198 _____ C:\Users\Randi\Desktop\Rkill.txt
2016-06-03 16:46 - 2016-06-03 16:46 - 00001124 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2016-06-03 16:46 - 2016-06-03 16:46 - 00000000 ____D C:\Users\Randi\AppData\Local\VS Revo Group
2016-06-03 16:46 - 2016-06-03 16:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2016-06-03 16:45 - 2016-06-03 16:45 - 11374528 _____ (VS Revo Group ) C:\Users\Randi\Downloads\RevoUninProSetup.exe
2016-06-03 16:45 - 2016-06-03 16:45 - 00000000 ____D C:\ProgramData\VS Revo Group
2016-06-03 16:45 - 2016-06-03 16:45 - 00000000 ____D C:\Program Files\VS Revo Group
2016-06-03 16:45 - 2009-12-30 11:21 - 00031800 _____ (VS Revo Group) C:\WINDOWS\system32\Drivers\revoflt.sys
2016-06-03 16:30 - 2016-06-03 16:30 - 00000000 ____D C:\Intel
2016-06-03 16:01 - 2016-06-03 16:01 - 01835048 _____ (LogMeIn, Inc.) C:\Users\Randi\Downloads\Support-LogMeInRescue(4).exe
2016-06-03 12:42 - 2016-06-03 12:43 - 01835048 _____ (LogMeIn, Inc.) C:\Users\Randi\Downloads\Support-LogMeInRescue(3).exe
2016-06-03 12:08 - 2016-06-03 12:08 - 00000000 ___HD C:\OneDriveTemp
2016-06-02 12:48 - 2016-06-04 11:17 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-06-02 12:48 - 2016-06-03 19:52 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-06-02 12:48 - 2016-06-02 12:48 - 00001173 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-06-02 12:48 - 2016-06-02 12:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-06-02 12:48 - 2016-06-02 12:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-06-02 12:48 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-06-02 12:48 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-06-02 12:47 - 2016-06-02 12:47 - 22851472 _____ (Malwarebytes ) C:\Users\Randi\Downloads\mbam-setup-2.2.1.1043.exe
2016-06-02 12:44 - 2016-06-02 12:44 - 01835048 _____ (LogMeIn, Inc.) C:\Users\Randi\Downloads\Support-LogMeInRescue(2).exe
2016-06-01 15:22 - 2016-06-01 15:22 - 00000600 _____ C:\Users\Randi\AppData\Roaming\winscp.rnd
2016-06-01 14:50 - 2016-06-01 14:51 - 01835048 _____ (LogMeIn, Inc.) C:\Users\Randi\Downloads\Support-LogMeInRescue(1).exe
2016-06-01 14:26 - 2016-06-03 16:19 - 00000000 ____D C:\Users\Randi\AppData\Local\LogMeIn Rescue Applet
2016-06-01 14:26 - 2016-06-01 14:26 - 01835048 _____ (LogMeIn, Inc.) C:\Users\Randi\Downloads\Support-LogMeInRescue.exe
2016-06-01 14:26 - 2016-06-01 14:26 - 00002332 _____ C:\Users\Randi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\U-Haul International, Inc..lnk
2016-06-01 14:26 - 2016-06-01 14:26 - 00000248 _____ C:\rescue.info
2016-05-31 17:58 - 2016-05-31 17:58 - 00000000 ____D C:\Users\Randi\Documents\20160531-One on One Training W. Ramon(32506)
2016-05-30 11:16 - 2016-05-30 11:16 - 00000000 ____D C:\Epson
2016-05-29 16:32 - 2016-05-29 16:33 - 01463424 _____ (Skype Technologies S.A.) C:\Users\Randi\Downloads\SkypeSetup(1).exe
2016-05-27 17:41 - 2016-05-27 17:41 - 00000000 ____D C:\Users\Randi\Documents\20160527-Center Sales Week 2 Remote Training Day 5 - 5_27_16(32417)
2016-05-26 16:44 - 2016-05-26 16:44 - 00000000 ____D C:\Users\Randi\Documents\20160526-Center Sales Week 2 Remote Training Day 4 - 5_26_16(32378)
2016-05-25 16:37 - 2016-05-25 16:37 - 00000000 ____D C:\Users\Randi\Documents\20160525-Center Sales Week 2 Remote Training Day 3 - 5_25_16(32308)
2016-05-24 16:45 - 2016-05-24 16:45 - 00000000 ____D C:\Users\Randi\Documents\20160524-Center Sales Week 2 Remote Training Day 2 - 5_24_16(32204)
2016-05-24 16:03 - 2016-05-24 16:03 - 00000000 ____H C:\Users\Randi\Documents\Default.rdp
2016-05-23 16:36 - 2016-05-23 16:36 - 00000000 ____D C:\Users\Randi\Documents\20160523-Center Sales Week 2 Remote Training Day 1 - 5_23_16(32102)
2016-05-20 18:30 - 2016-05-20 18:30 - 00000000 ____D C:\Users\Randi\Documents\20160520-RMT Center sales and reservations week 1 Final Day!!!(32012)
2016-05-19 17:28 - 2016-05-19 17:28 - 00000000 ____D C:\Users\Randi\Documents\20160519-RMT Center Sales and Reservations week 1 day 4(31933)
2016-05-18 17:30 - 2016-05-18 17:30 - 00000000 ____D C:\Users\Randi\Documents\20160518-RMT Center sales and Reservations week 1 day 3(31848)
2016-05-18 12:13 - 2016-05-18 12:13 - 00307456 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgidsdrivera.sys
2016-05-17 17:30 - 2016-05-17 17:30 - 00000000 ____D C:\Users\Randi\Documents\20160517-RMT Center sales and reservations week 1 day 2(31742)
2016-05-17 12:13 - 2016-05-17 12:14 - 00000000 ____D C:\Users\Randi\Desktop\Cody's Folder
2016-05-17 12:11 - 2016-05-17 12:12 - 00000000 ____D C:\Users\Randi\Desktop\Randi's Resume and things
2016-05-16 17:32 - 2016-05-16 17:32 - 00000000 ____D C:\Users\Randi\Documents\20160516-RMT Center sales and Reservations week 1 day 1 W Raquel.3163(31632)
2016-05-16 17:13 - 2016-05-16 17:13 - 00301816 _____ (Cisco WebEx LLC) C:\Users\Randi\Downloads\Y29uZmVyZW5jZS5hbWVyY28uY29tLyAvMzE2MzIvLTcyODUzOzcyODUzL09NQy8wfDAvb0EzV2ZYTXdvcmdrcl8yRVNMUzctaVduWHJQVl9QX044bVpmTFFSNUttdz0vMg==_webex.exe
2016-05-16 15:05 - 2016-05-16 15:06 - 29616803 _____ C:\Users\Randi\Downloads\Center
2016-05-16 12:18 - 2016-05-16 12:18 - 00000882 _____ C:\Users\Public\Desktop\AVG.lnk
2016-05-12 14:35 - 2016-05-12 14:35 - 00000000 ____D C:\Users\Randi\AppData\Local\Plantronics
2016-05-12 14:34 - 2016-05-12 14:34 - 00000000 ____D C:\Users\Randi\AppData\Roaming\Cisco
2016-05-11 13:58 - 2016-04-22 22:31 - 13018112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
2016-05-11 13:58 - 2016-04-22 22:28 - 16984576 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
2016-05-11 13:58 - 2016-04-22 22:26 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MosStorage.dll
2016-05-11 13:58 - 2016-04-22 22:25 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapsBtSvc.dll
2016-05-11 13:58 - 2016-04-22 22:22 - 00460800 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapConfiguration.dll
2016-05-11 13:58 - 2016-04-22 22:19 - 01056256 _____ (Microsoft Corporation) C:\WINDOWS\system32\JpMapControl.dll
2016-05-11 13:58 - 2016-04-22 22:19 - 00853504 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsStore.dll
2016-05-11 13:58 - 2016-04-22 22:18 - 24604672 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-05-11 13:58 - 2016-04-22 22:18 - 00988160 _____ (Microsoft Corporation) C:\WINDOWS\system32\NMAA.dll
2016-05-11 13:58 - 2016-04-22 22:18 - 00939520 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapControlCore.dll
2016-05-11 13:58 - 2016-04-22 22:18 - 00349696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapConfiguration.dll
2016-05-11 13:58 - 2016-04-22 22:16 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\JpMapControl.dll
2016-05-11 13:58 - 2016-04-22 22:15 - 00784896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NMAA.dll
2016-05-11 13:58 - 2016-04-22 22:14 - 00711680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapControlCore.dll
2016-05-11 13:58 - 2016-04-22 22:13 - 07200256 _____ (Microsoft Corporation) C:\WINDOWS\system32\BingMaps.dll
2016-05-11 13:58 - 2016-04-22 22:13 - 06295552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mos.dll
2016-05-11 13:58 - 2016-04-22 22:09 - 02582016 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFMediaEngine.dll
2016-05-11 13:58 - 2016-04-22 22:08 - 02061824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFMediaEngine.dll
2016-05-11 13:58 - 2016-04-22 22:07 - 05205504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BingMaps.dll
2016-05-11 13:57 - 2016-04-22 22:19 - 07977472 _____ (Microsoft Corporation) C:\WINDOWS\system32\mos.dll
2016-05-11 13:57 - 2016-04-22 22:19 - 00970752 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2016-05-11 13:57 - 2016-04-22 22:15 - 00792064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2016-05-11 13:56 - 2016-04-22 23:28 - 01542816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2016-05-11 13:56 - 2016-04-22 23:24 - 07474528 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-05-11 13:56 - 2016-04-22 23:24 - 01819208 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2016-05-11 13:56 - 2016-04-22 23:10 - 03673424 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-05-11 13:56 - 2016-04-22 23:10 - 02919832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-05-11 13:56 - 2016-04-22 23:09 - 22561256 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-05-11 13:56 - 2016-04-22 23:09 - 21123320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2016-05-11 13:56 - 2016-04-22 23:09 - 05240960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\windows.storage.dll
2016-05-11 13:56 - 2016-04-22 23:08 - 06605504 _____ (Microsoft Corporation) C:\WINDOWS\system32\windows.storage.dll
2016-05-11 13:56 - 2016-04-22 22:30 - 22379008 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-05-11 13:56 - 2016-04-22 22:23 - 11545088 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-05-11 13:56 - 2016-04-22 22:22 - 09918976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-05-11 13:56 - 2016-04-22 22:20 - 19344384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-05-11 13:56 - 2016-04-22 22:20 - 18676224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-05-11 13:56 - 2016-04-22 22:19 - 00440320 _____ (Microsoft Corporation) C:\WINDOWS\system32\CredProvDataModel.dll
2016-05-11 13:56 - 2016-04-22 22:18 - 00870400 _____ (Microsoft Corporation) C:\WINDOWS\system32\modernexecserver.dll
2016-05-11 13:56 - 2016-04-22 22:15 - 00348672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CredProvDataModel.dll
2016-05-11 13:56 - 2016-04-22 22:14 - 13383168 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-05-11 13:56 - 2016-04-22 22:10 - 12125696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-05-11 13:56 - 2016-04-22 22:08 - 05324288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-05-11 13:56 - 2016-04-22 22:06 - 06974464 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-05-11 13:56 - 2016-04-22 22:03 - 05660160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-05-11 13:56 - 2016-04-22 22:02 - 07832576 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-05-11 13:55 - 2016-05-05 22:53 - 00095072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\sdport.sys
2016-05-11 13:55 - 2016-05-05 22:03 - 00649216 _____ (Microsoft Corporation) C:\WINDOWS\system32\ngcsvc.dll
2016-05-11 13:55 - 2016-05-05 21:53 - 00351232 _____ (Microsoft Corporation) C:\WINDOWS\system32\NgcCtnr.dll
2016-05-11 13:55 - 2016-05-05 21:49 - 00289792 _____ (Microsoft Corporation) C:\WINDOWS\system32\NgcCtnrSvc.dll
2016-05-11 13:55 - 2016-05-05 21:44 - 00582656 _____ (Microsoft Corporation) C:\WINDOWS\system32\ngccredprov.dll
2016-05-11 13:55 - 2016-05-05 21:23 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\system32\ngcpopkeysrv.dll
2016-05-11 13:55 - 2016-04-30 00:42 - 01387520 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2016-05-11 13:55 - 2016-04-30 00:31 - 03591168 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2016-05-11 13:55 - 2016-04-23 00:12 - 01401024 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-05-11 13:55 - 2016-04-23 00:12 - 01184960 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-05-11 13:55 - 2016-04-23 00:12 - 00713920 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-05-11 13:55 - 2016-04-23 00:12 - 00514752 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-05-11 13:55 - 2016-04-23 00:12 - 00294592 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-05-11 13:55 - 2016-04-23 00:12 - 00190144 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceCensus.exe
2016-05-11 13:55 - 2016-04-23 00:12 - 00092352 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-05-11 13:55 - 2016-04-23 00:12 - 00046784 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-05-11 13:55 - 2016-04-22 23:28 - 01557768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2016-05-11 13:55 - 2016-04-22 23:26 - 00707608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rpcrt4.dll
2016-05-11 13:55 - 2016-04-22 23:24 - 01997328 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2016-05-11 13:55 - 2016-04-22 23:24 - 00754664 _____ (Microsoft Corporation) C:\WINDOWS\system32\CoreMessaging.dll
2016-05-11 13:55 - 2016-04-22 23:24 - 00638816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\fvevol.sys
2016-05-11 13:55 - 2016-04-22 23:24 - 00335712 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\fastfat.sys
2016-05-11 13:55 - 2016-04-22 23:22 - 01161120 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcrt4.dll
2016-05-11 13:55 - 2016-04-22 23:13 - 00306832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wlanapi.dll
2016-05-11 13:55 - 2016-04-22 23:12 - 00925064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfplat.dll
2016-05-11 13:55 - 2016-04-22 23:12 - 00451928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFCaptureEngine.dll
2016-05-11 13:55 - 2016-04-22 23:12 - 00413536 _____ (Microsoft Corporation) C:\WINDOWS\system32\wifitask.exe
2016-05-11 13:55 - 2016-04-22 23:11 - 01092464 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfplat.dll
2016-05-11 13:55 - 2016-04-22 23:11 - 00498960 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFCaptureEngine.dll
2016-05-11 13:55 - 2016-04-22 23:11 - 00390496 _____ (Microsoft Corporation) C:\WINDOWS\system32\wlanapi.dll
2016-05-11 13:55 - 2016-04-22 23:10 - 00330072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pci.sys
2016-05-11 13:55 - 2016-04-22 23:09 - 04074160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\explorer.exe
2016-05-11 13:55 - 2016-04-22 23:09 - 00569744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SHCore.dll
2016-05-11 13:55 - 2016-04-22 23:09 - 00565600 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncHost.exe
2016-05-11 13:55 - 2016-04-22 23:09 - 00465760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncHost.exe
2016-05-11 13:55 - 2016-04-22 23:09 - 00303216 _____ (Microsoft Corporation) C:\WINDOWS\system32\LockAppHost.exe
2016-05-11 13:55 - 2016-04-22 23:09 - 00255168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LockAppHost.exe
2016-05-11 13:55 - 2016-04-22 23:08 - 04515256 _____ (Microsoft Corporation) C:\WINDOWS\explorer.exe
2016-05-11 13:55 - 2016-04-22 23:08 - 00725776 _____ (Microsoft Corporation) C:\WINDOWS\system32\SHCore.dll
2016-05-11 13:55 - 2016-04-22 23:07 - 01848072 _____ (Microsoft Corporation) C:\WINDOWS\system32\crypt32.dll
2016-05-11 13:55 - 2016-04-22 23:07 - 01536088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\crypt32.dll
2016-05-11 13:55 - 2016-04-22 23:07 - 00204048 _____ (Microsoft Corporation) C:\WINDOWS\system32\rsaenh.dll
2016-05-11 13:55 - 2016-04-22 23:07 - 00183904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rsaenh.dll
2016-05-11 13:55 - 2016-04-22 23:06 - 00291360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininit.exe
2016-05-11 13:55 - 2016-04-22 23:02 - 00188256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppxAllUserStore.dll
2016-05-11 13:55 - 2016-04-22 23:01 - 01996640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2016-05-11 13:55 - 2016-04-22 23:01 - 00650304 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxgi.dll
2016-05-11 13:55 - 2016-04-22 23:01 - 00619296 _____ (Microsoft Corporation) C:\WINDOWS\system32\d3d10level9.dll
2016-05-11 13:55 - 2016-04-22 23:01 - 00577368 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2016-05-11 13:55 - 2016-04-22 23:01 - 00522176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxgi.dll
2016-05-11 13:55 - 2016-04-22 23:01 - 00513368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d3d10level9.dll
2016-05-11 13:55 - 2016-04-22 23:01 - 00393568 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys
2016-05-11 13:55 - 2016-04-22 23:01 - 00217440 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxAllUserStore.dll
2016-05-11 13:55 - 2016-04-22 23:00 - 01776768 _____ (Microsoft Corporation) C:\WINDOWS\system32\WindowsCodecs.dll
2016-05-11 13:55 - 2016-04-22 23:00 - 01594920 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-05-11 13:55 - 2016-04-22 23:00 - 01522152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WindowsCodecs.dll
2016-05-11 13:55 - 2016-04-22 23:00 - 01399224 _____ (Microsoft Corporation) C:\WINDOWS\system32\user32.dll
2016-05-11 13:55 - 2016-04-22 23:00 - 01372304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-05-11 13:55 - 2016-04-22 23:00 - 01337240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user32.dll
2016-05-11 13:55 - 2016-04-22 23:00 - 00550656 _____ (Microsoft Corporation) C:\WINDOWS\system32\directmanipulation.dll
2016-05-11 13:55 - 2016-04-22 23:00 - 00453472 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\directmanipulation.dll
2016-05-11 13:55 - 2016-04-22 23:00 - 00058208 _____ (Microsoft Corporation) C:\WINDOWS\system32\dwminit.dll
2016-05-11 13:55 - 2016-04-22 22:56 - 00534872 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBHUB3.SYS
2016-05-11 13:55 - 2016-04-22 22:39 - 00089088 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsCSP.dll
2016-05-11 13:55 - 2016-04-22 22:35 - 00066560 _____ (Microsoft Corporation) C:\WINDOWS\system32\MosHostClient.dll
2016-05-11 13:55 - 2016-04-22 22:32 - 00069632 _____ (Microsoft Corporation) C:\WINDOWS\system32\EnterpriseDesktopAppMgmtCSP.dll
2016-05-11 13:55 - 2016-04-22 22:32 - 00028672 _____ (Microsoft Corporation) C:\WINDOWS\system32\mapsupdatetask.dll
2016-05-11 13:55 - 2016-04-22 22:31 - 00074752 _____ (Microsoft Corporation) C:\WINDOWS\system32\MosStorage.dll
2016-05-11 13:55 - 2016-04-22 22:30 - 00120320 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsBtSvc.dll
2016-05-11 13:55 - 2016-04-22 22:30 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MosHostClient.dll
2016-05-11 13:55 - 2016-04-22 22:29 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\system32\MDMAppInstaller.exe
2016-05-11 13:55 - 2016-04-22 22:29 - 00072704 _____ (Microsoft Corporation) C:\WINDOWS\system32\moshost.dll
2016-05-11 13:55 - 2016-04-22 22:28 - 00130560 _____ (Microsoft Corporation) C:\WINDOWS\system32\CloudDomainJoinDataModelServer.dll
2016-05-11 13:55 - 2016-04-22 22:28 - 00127488 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEDataLayerHelpers.dll
2016-05-11 13:55 - 2016-04-22 22:26 - 00269824 _____ (Microsoft Corporation) C:\WINDOWS\system32\moshostcore.dll
2016-05-11 13:55 - 2016-04-22 22:25 - 00630784 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhoneProviders.dll
2016-05-11 13:55 - 2016-04-22 22:25 - 00617984 _____ (Microsoft Corporation) C:\WINDOWS\system32\StorSvc.dll
2016-05-11 13:55 - 2016-04-22 22:25 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\wcmcsp.dll
2016-05-11 13:55 - 2016-04-22 22:24 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieproxy.dll
2016-05-11 13:55 - 2016-04-22 22:24 - 00292864 _____ (Microsoft Corporation) C:\WINDOWS\system32\provengine.dll
2016-05-11 13:55 - 2016-04-22 22:24 - 00287232 _____ (Microsoft Corporation) C:\WINDOWS\system32\provhandlers.dll
2016-05-11 13:55 - 2016-04-22 22:24 - 00181248 _____ (Microsoft Corporation) C:\WINDOWS\system32\shacct.dll
2016-05-11 13:55 - 2016-04-22 22:24 - 00166400 _____ (Microsoft Corporation) C:\WINDOWS\system32\SubscriptionMgr.dll
2016-05-11 13:55 - 2016-04-22 22:23 - 00279040 _____ (Microsoft Corporation) C:\WINDOWS\system32\ListSvc.dll
2016-05-11 13:55 - 2016-04-22 22:21 - 00479232 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2016-05-11 13:55 - 2016-04-22 22:21 - 00314880 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXTaskFactory.dll
2016-05-11 13:55 - 2016-04-22 22:20 - 00606720 _____ (Microsoft Corporation) C:\WINDOWS\system32\wcmsvc.dll
2016-05-11 13:55 - 2016-04-22 22:20 - 00497152 _____ (Microsoft Corporation) C:\WINDOWS\system32\tileobjserver.dll
2016-05-11 13:55 - 2016-04-22 22:20 - 00484352 _____ (Microsoft Corporation) C:\WINDOWS\system32\DataSenseHandlers.dll
2016-05-11 13:55 - 2016-04-22 22:20 - 00356864 _____ (Microsoft Corporation) C:\WINDOWS\system32\ActivationManager.dll
2016-05-11 13:55 - 2016-04-22 22:20 - 00307200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieproxy.dll
2016-05-11 13:55 - 2016-04-22 22:20 - 00137728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shacct.dll
2016-05-11 13:55 - 2016-04-22 22:18 - 00988672 _____ (Microsoft Corporation) C:\WINDOWS\system32\SharedStartModel.dll
2016-05-11 13:55 - 2016-04-22 22:18 - 00804352 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2016-05-11 13:55 - 2016-04-22 22:18 - 00605184 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-05-11 13:55 - 2016-04-22 22:18 - 00585728 _____ (Microsoft Corporation) C:\WINDOWS\system32\winlogon.exe
2016-05-11 13:55 - 2016-04-22 22:18 - 00515072 _____ (Microsoft Corporation) C:\WINDOWS\system32\OneDriveSettingSyncProvider.dll
2016-05-11 13:55 - 2016-04-22 22:18 - 00471552 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupShim.dll
2016-05-11 13:55 - 2016-04-22 22:17 - 01213440 _____ (Microsoft Corporation) C:\WINDOWS\system32\wwansvc.dll
2016-05-11 13:55 - 2016-04-22 22:17 - 00529920 _____ (Microsoft Corporation) C:\WINDOWS\system32\LogonController.dll
2016-05-11 13:55 - 2016-04-22 22:17 - 00388608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2016-05-11 13:55 - 2016-04-22 22:16 - 01319424 _____ (Microsoft Corporation) C:\WINDOWS\system32\wifinetworkmanager.dll
2016-05-11 13:55 - 2016-04-22 22:16 - 00848896 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2016-05-11 13:55 - 2016-04-22 22:15 - 01073152 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXService.dll
2016-05-11 13:55 - 2016-04-22 22:15 - 00865792 _____ (Microsoft Corporation) C:\WINDOWS\system32\AzureSettingSyncProvider.dll
2016-05-11 13:55 - 2016-04-22 22:15 - 00673280 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.dll
2016-05-11 13:55 - 2016-04-22 22:15 - 00400896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\OneDriveSettingSyncProvider.dll
2016-05-11 13:55 - 2016-04-22 22:14 - 00870912 _____ (Microsoft Corporation) C:\WINDOWS\system32\MPSSVC.dll
2016-05-11 13:55 - 2016-04-22 22:14 - 00821760 _____ (Microsoft Corporation) C:\WINDOWS\system32\TokenBroker.dll
2016-05-11 13:55 - 2016-04-22 22:14 - 00647680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2016-05-11 13:55 - 2016-04-22 22:14 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-05-11 13:55 - 2016-04-22 22:14 - 00354304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupShim.dll
2016-05-11 13:55 - 2016-04-22 22:14 - 00342528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppXDeploymentClient.dll
2016-05-11 13:55 - 2016-04-22 22:13 - 00705536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2016-05-11 13:55 - 2016-04-22 22:13 - 00489984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.dll
2016-05-11 13:55 - 2016-04-22 22:13 - 00434688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LogonController.dll
2016-05-11 13:55 - 2016-04-22 22:12 - 00667648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AzureSettingSyncProvider.dll
2016-05-11 13:55 - 2016-04-22 22:10 - 00639488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TokenBroker.dll
2016-05-11 13:55 - 2016-04-22 22:09 - 03666432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-05-11 13:55 - 2016-04-22 22:07 - 02598912 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkMobileSettings.dll
2016-05-11 13:55 - 2016-04-22 22:07 - 01500160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-05-11 13:55 - 2016-04-22 22:07 - 00848896 _____ (Microsoft Corporation) C:\WINDOWS\system32\samsrv.dll
2016-05-11 13:55 - 2016-04-22 22:05 - 05502976 _____ (Microsoft Corporation) C:\WINDOWS\system32\d2d1.dll
2016-05-11 13:55 - 2016-04-22 22:05 - 02166784 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2016-05-11 13:55 - 2016-04-22 22:05 - 02066432 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll
2016-05-11 13:55 - 2016-04-22 22:05 - 01946112 _____ (Microsoft Corporation) C:\WINDOWS\system32\dwmcore.dll
2016-05-11 13:55 - 2016-04-22 22:05 - 01626624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dwmcore.dll
2016-05-11 13:55 - 2016-04-22 22:05 - 00613376 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSync.dll
2016-05-11 13:55 - 2016-04-22 22:04 - 04759040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d2d1.dll
2016-05-11 13:55 - 2016-04-22 22:04 - 01731072 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-05-11 13:55 - 2016-04-22 22:03 - 04894208 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-05-11 13:55 - 2016-04-22 22:03 - 02280960 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-05-11 13:55 - 2016-04-22 22:03 - 02000896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.appcore.dll
2016-05-11 13:55 - 2016-04-22 22:03 - 00754176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncCore.dll
2016-05-11 13:55 - 2016-04-22 22:03 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSync.dll
2016-05-11 13:55 - 2016-04-22 22:02 - 02444288 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.appcore.dll
2016-05-11 13:55 - 2016-04-22 22:01 - 04775424 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2016-05-11 13:55 - 2016-04-22 22:00 - 01390080 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Shell.dll
2016-05-11 13:55 - 2016-04-22 22:00 - 00984576 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncCore.dll
2016-05-11 13:55 - 2016-04-22 21:45 - 00461824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CoreMessaging.dll
2016-05-11 13:55 - 2016-04-22 20:10 - 00215040 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2016-05-11 13:54 - 2016-05-05 22:05 - 00241664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cryptngc.dll
2016-05-11 13:54 - 2016-05-05 21:43 - 00320000 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptngc.dll
2016-05-11 13:54 - 2016-04-22 23:24 - 00099680 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pdc.sys
2016-05-11 13:54 - 2016-04-22 23:18 - 00026408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2016-05-11 13:54 - 2016-04-22 23:13 - 00502104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
2016-05-11 13:54 - 2016-04-22 23:13 - 00084832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupApi.dll
2016-05-11 13:54 - 2016-04-22 23:11 - 00696672 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
2016-05-11 13:54 - 2016-04-22 23:11 - 00131424 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ufxsynopsys.sys
2016-05-11 13:54 - 2016-04-22 23:11 - 00115040 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupApi.dll
2016-05-11 13:54 - 2016-04-22 22:34 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbser.sys
2016-05-11 13:54 - 2016-04-22 22:34 - 00059392 _____ (Microsoft Corporation) C:\WINDOWS\system32\hmkd.dll
2016-05-11 13:54 - 2016-04-22 22:34 - 00048128 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
2016-05-11 13:54 - 2016-04-22 22:33 - 00089600 _____ (Microsoft Corporation) C:\WINDOWS\system32\NFCProvisioningPlugin.dll
2016-05-11 13:54 - 2016-04-22 22:33 - 00063488 _____ (Microsoft Corporation) C:\WINDOWS\system32\wshbth.dll
2016-05-11 13:54 - 2016-04-22 22:33 - 00063488 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\UcmCx.sys
2016-05-11 13:54 - 2016-04-22 22:33 - 00038400 _____ (Microsoft Corporation) C:\WINDOWS\system32\ByteCodeGenerator.exe
2016-05-11 13:54 - 2016-04-22 22:32 - 00134656 _____ (Microsoft Corporation) C:\WINDOWS\system32\wificonnapi.dll
2016-05-11 13:54 - 2016-04-22 22:29 - 00192000 _____ (Microsoft Corporation) C:\WINDOWS\system32\provisioningcsp.dll
2016-05-11 13:54 - 2016-04-22 22:29 - 00151040 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEStoreEventHandlers.dll
2016-05-11 13:54 - 2016-04-22 22:29 - 00087552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\filecrypt.sys
2016-05-11 13:54 - 2016-04-22 22:29 - 00047104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\hmkd.dll
2016-05-11 13:54 - 2016-04-22 22:29 - 00031232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ByteCodeGenerator.exe
2016-05-11 13:54 - 2016-04-22 22:29 - 00023552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll
2016-05-11 13:54 - 2016-04-22 22:28 - 00104448 _____ (Microsoft Corporation) C:\WINDOWS\system32\BluetoothApis.dll
2016-05-11 13:54 - 2016-04-22 22:28 - 00086528 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppCapture.dll
2016-05-11 13:54 - 2016-04-22 22:28 - 00051712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wshbth.dll
2016-05-11 13:54 - 2016-04-22 22:27 - 00155136 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hidclass.sys
2016-05-11 13:54 - 2016-04-22 22:27 - 00039424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wfdprov.dll
2016-05-11 13:54 - 2016-04-22 22:26 - 00086528 _____ (Microsoft Corporation) C:\WINDOWS\system32\wpdbusenum.dll
2016-05-11 13:54 - 2016-04-22 22:25 - 00207360 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupSvc.dll
2016-05-11 13:54 - 2016-04-22 22:24 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-05-11 13:54 - 2016-04-22 22:24 - 00084480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VEDataLayerHelpers.dll
2016-05-11 13:54 - 2016-04-22 22:23 - 00414720 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcastdvr.exe
2016-05-11 13:54 - 2016-04-22 22:23 - 00179712 _____ (Microsoft Corporation) C:\WINDOWS\system32\BrowserSettingSync.dll
2016-05-11 13:54 - 2016-04-22 22:23 - 00080896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BluetoothApis.dll
2016-05-11 13:54 - 2016-04-22 22:22 - 00285696 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEEventDispatcher.dll
2016-05-11 13:54 - 2016-04-22 22:19 - 00395264 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wlansec.dll
2016-05-11 13:54 - 2016-04-22 22:19 - 00140800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BrowserSettingSync.dll
2016-05-11 13:54 - 2016-04-22 22:18 - 00436736 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentClient.dll
2016-05-11 13:54 - 2016-04-22 22:18 - 00219648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VEEventDispatcher.dll
2016-05-11 13:54 - 2016-04-22 22:17 - 00337920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wlanmsm.dll
2016-05-11 13:54 - 2016-04-22 22:05 - 00111616 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatepolicy.dll
2016-05-11 13:54 - 2016-04-22 22:05 - 00103936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\updatepolicy.dll
2016-05-11 13:54 - 2016-04-22 22:03 - 02193408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\actxprxy.dll
2016-05-11 13:54 - 2016-04-22 20:10 - 00002186 _____ C:\WINDOWS\system32\AppxProvisioning.xml
2016-05-11 13:54 - 2016-04-18 16:30 - 00002186 _____ C:\WINDOWS\SysWOW64\AppxProvisioning.xml
2016-05-11 13:36 - 2016-05-11 13:36 - 00378101 _____ C:\Users\Randi\Downloads\de17e6d0-bd07-45dc-8fbe-370516b83489.pdf
2016-05-10 16:09 - 2016-05-10 16:09 - 00000000 ____D C:\Users\Randi\.cisco
2016-05-10 16:07 - 2016-06-03 12:48 - 00001357 _____ C:\Users\Public\Desktop\Cisco IP Communicator.lnk
2016-05-10 16:07 - 2016-05-10 16:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco IP Communicator
2016-05-10 16:07 - 2011-01-24 10:37 - 00027392 ____R (Cisco Systems) C:\WINDOWS\system32\Drivers\CipcCdp.sys
2016-05-10 16:07 - 2010-10-18 09:22 - 01919968 ____R (Microsoft Corporation) C:\WINDOWS\system32\wdfcoinstaller01005.dll
2016-05-10 16:06 - 2016-06-01 15:22 - 00001248 _____ C:\Users\Randi\Desktop\Cisco AnyConnect.lnk
2016-05-10 16:06 - 2016-05-12 14:34 - 00000000 ____D C:\Users\Randi\AppData\Local\Cisco
2016-05-10 16:06 - 2016-05-10 16:06 - 00001941 _____ C:\Users\Public\Desktop\FirstClass.lnk
2016-05-10 16:06 - 2016-05-10 16:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FirstClass
2016-05-10 16:06 - 2016-05-10 16:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco
2016-05-10 16:06 - 2016-05-10 16:06 - 00000000 ____D C:\ProgramData\FirstClass
2016-05-10 16:06 - 2016-05-10 16:06 - 00000000 ____D C:\ProgramData\Cisco
2016-05-10 16:06 - 2016-05-10 16:06 - 00000000 ____D C:\Program Files (x86)\FirstClass
2016-05-10 16:06 - 2016-05-10 16:06 - 00000000 ____D C:\Program Files (x86)\Cisco Systems
2016-05-10 16:06 - 2016-05-10 16:06 - 00000000 ____D C:\Program Files (x86)\Cisco
2016-05-10 16:06 - 2015-07-24 06:13 - 00129520 ____R (Cisco Systems, Inc.) C:\WINDOWS\system32\Drivers\acsock64.sys
2016-05-10 16:05 - 2016-05-12 14:42 - 00000000 ____D C:\Users\Randi\Documents\FirstClass
2016-05-10 16:04 - 2016-05-10 16:04 - 00002406 _____ C:\Users\Randi\Desktop\UCC.rdp
2016-05-10 14:20 - 2016-06-02 15:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-05-10 14:14 - 2016-05-16 15:06 - 00000000 ____D C:\Users\Randi\Desktop\Uhaul
2016-05-10 12:37 - 2016-05-10 12:37 - 00000000 ____D C:\Users\Randi\AppData\Roaming\webex
2016-05-10 12:37 - 2016-05-10 12:37 - 00000000 ____D C:\Users\Randi\AppData\Local\WebEx
2016-05-10 12:36 - 2016-06-02 15:10 - 00000000 ____D C:\Users\Randi\AppData\LocalLow\WebEx
2016-05-07 23:19 - 2016-05-10 07:57 - 00003606 _____ C:\WINDOWS\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-4265505565-2887419862-550575693-1001
2016-05-07 23:19 - 2016-05-10 07:57 - 00003544 _____ C:\WINDOWS\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-4265505565-2887419862-550575693-1001
2016-05-05 22:00 - 2016-05-07 09:57 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-05-05 11:06 - 2016-05-05 11:06 - 00247040 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgmfx64.sys
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-06-04 17:40 - 2012-09-30 13:37 - 00000000 ____D C:\FRST
2016-06-04 17:21 - 2016-03-07 16:21 - 00000937 _____ C:\WINDOWS\Tasks\EPSON WF-2630 Series Update {5B9512DD-C177-4247-A5F3-A86BDBC31985}.job
2016-06-04 17:18 - 2012-10-06 20:35 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-06-04 17:17 - 2016-03-07 00:09 - 00004152 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{3712483D-984D-4566-8036-29F31FDE56D3}
2016-06-04 17:16 - 2013-12-06 10:27 - 00000924 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-04 15:37 - 2015-10-30 01:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-06-04 13:16 - 2013-12-06 10:27 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-04 11:39 - 2015-10-30 01:21 - 00000000 ____D C:\WINDOWS\INF
2016-06-04 11:00 - 2015-10-30 01:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-04 10:43 - 2015-10-30 19:33 - 00000000 ___RD C:\


A: elevated help- Zero Access Rootkit?

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Remove this process via the Control Panel > Programs > Programs and Features applet.
ScorpionSaver (HKLM-x32\...\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}) (Version: 1.0.0.0 - Adpeak, Inc.) <==== ATTENTION

===

SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Toolbar: HKU\S-1-5-21-4265505565-2887419862-550575693-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-4265505565-2887419862-550575693-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - No File
FF DefaultSearchEngine: AVG Secure Search
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.102\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.102\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.170.4) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeploytk.dll => No File
CHR Plugin: (Java Platform SE 6 U17) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\Randi\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1167637.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Randi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
U3 idsvc; no ImagePath
Task: {064D57F4-A38D-40C3-B6A2-0C569C0B92CB} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {1CE9B5D0-3E03-4AB2-B0B3-B2BC33036055} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {2333BB6B-BDA2-4DC9-9373-820E52C368AB} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {2B47EFEA-ADE4-4905-B4D5-4FD276D5645D} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {799FCC05-7A53-4FC2-A8BD-3C97C8CF4181} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {AB7EDD9C-70B5-45C7-8933-8B54B8084D37} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B1E5AFEF-6FD0-49CB-91F6-B842EEDE53F0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {BDC5741B-E0D4-405E-90C8-E3CAB521A3E6} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {BDFA4B6F-524E-4469-9BE9-B761E93ADA67} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {C2617AC9-24DD-4450-AF44-C1272D8E9AD8} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {E060F415-26F1-4CEA-880C-07EC9A4F5BC1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the Farbar log you have submitted.
Run FRST and click Fix only once and wait.
Restart the computer normally to reset the registry.
The tool will create a log (Fixlog.txt), please post it to your reply.
===
--RogueKiller--
Download & SAVE to your Desktop: Download RogueKiller
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or above, right-click the program file and select "Run as Administrator"
Accept the user agreements.
Execute the scan and wait until it has finished.
If a window opens to explain what [PUM's] are, read about it.
Click the RogueKiller icon on your taskbar to return to the report.
Click open the Report
Click Export TXT button
Save the file as ReportRogue.txt
Click the Remove button to delete the items in RED
Click Finish and close the program.
Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======
Please let me know what problem persists with this computer.


Referred here from the "Am I Infected?" forum,
thanks to BC Advisor .
 
In this link you will see several initial logs from Security Check, Farbar, etc.
http://www.bleepingcomputer.com/forums/t/494838/mse-closed-fake-security-infection/
 
 
 
I had Microsoft Security Essentials on my IE7.
I had an "update Java" type prompt that I tried to close.
(Would never open that!)
 
Suddenly MSE closed, I don't seem to have it available anymore.
A fake Security program tried to run, but I closed it.
 
I haven't observed any problems, other than the fact that MSE is disabled.
 
------
 
This may/may not be relevant: I had some major problems several months
ago with viruses - I tried to repair them on my own - I accidentally
deleted part of the MasterBootRecord, so I had to re-format my drive
and start over.
 
Gringo helped me through that.
 
DDS logs:
 
 

A:ZeroAccess Rootkit - Elevated help please

DDS + Attachment
-------------------
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514
Run by HAL at 17:46:04 on 2013-05-16
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2942.1646 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\HAL\AppData\Roaming\PC-Gizmos\PC_136519.en_76.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Spigot\Se... Read more


Originally had posted for help to remove csrss.exe and was being instructed on removal.  I had originally posted here http://www.bleepingcomputer.com/forums/t/577117/infected-with-csrssexe-and-spyhunter-4/
 
I get error messages that say I have corrupt files in my recycle bin. The recycle bin is empty. While in safe mode I realized that I was looking at a fake desktop. When I saved the scans to my real desktop they worked. I was able to run most of the scans that I was asked to run. I couldn't run rkill. I was then informed that I was infected with ZeroAccess rootkit and needed elevated help.
 
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-05-2015
Ran by Jackie (ATTENTION: The logged in user is not administrator) on JACKIE-PC on 31-05-2015 16:28:48
Running from C:\Users\Jackie\Downloads
Loaded Profiles: Jackie & Admin (Available Profiles: Jackie & RosettaStone Spanish & Admin)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
Failed to access process -> sm... Read more

A:infected with ZeroAccess rootkit- need elevated help!

Welcome to BleepingComputer!
My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.
 
Ground Rules:
First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
When you post your reply, use the button.
In the upper right hand corner of the topic you will see the butto... Read more


Hello,

We're deploying Windows 10 to all our corporate computers, and I was trying to write a batch file to silently install all the necessary core programs that our employees would need. However I keep getting an elevated access required issue when running the batch file as an administrator. I am an admin on the domain, yet I keep getting this error. Any ideas?

Thanks,
Society


Hello,

We implemented a new GPO rule to block Control Panel for users. Now we would like to have the ability to run it as a different user and be able to access it from the current user profile, and save time by not switching accounts.
I tried navigating to C:\Windows\System32\Control.exe and running "As Different User" - it does not work. I'm running as administrator and admin accounts are not affected by this GPO.
I hope there is a way to access Control Panel from a restricted user, otherwise we need to find a different solution to block Control Panel for regular users and not for admins.


So... after many years having this problem, I decided to post for some help. I've been using this computer (Acer Aspire with Windows 7 Home premium x64 on an Administrator account) without issues for quite a while. One day, like two years ago, I noticed something weird while using Calibre (the virtual library software): the program was not able to save or edit files because it was not run as administrator. This was odd, because it was not supposed to work that way, and it worked fine without admin privileges before, but then I got used to using it as administrator. After that, I noticed that other programs were having this issue as well (Steam, Spotify, many others) and I gradually integrated into my workflow the use of programs as administrator... until I got fed up recently.

I've been looking for help and answers but it seems no one or almost no one has this exact problem, so I thought I'd better ask for help.

Just to be clear, this has nothing to do with UAC. It is just that if, for example, Spotify is running without admin privileges and it wants to update, the update fails. I have to restart the program as administrator and then it can install whatever it wants. Every installation I do has to be done through right-click -> Run as administrator, as an unelevated installation file will fail.

I've recently tried to take ownership of my C:\ drive, to no use. I also tried resetting the files and folder permission to default with the use of


Code:
secedit /configure /c... Read more

A:Built-in elevated administrator account has access denied

Good method to mess up a Windows install once and for all. Stop messing with the permissions, imho.
It may very well be a registry issue.

Did you try to make another administrator account and see if programs work well with it?


I originally received Security Tool 2011 from golf.com.au. It came through svchost.exe.

I found and deleted the .exe and System Restored to before the infection. In safe mode with networking (i.e. without firewall), iexplore.exe was starting by itself and before I picked up on this I believe I was infected with a series of trojans and other nasties. Many of these were picked up by Malwarebytes and SUPERAntiSpyware. I then used Avast! and it picked up a Win32:Cossta and the Alureon Rootkit. The Cossta trojan was cleaned. The rootkit has remained.

MBRCheck diagnosed the MBR Code as being non-normal or infected. Boot_remover identified the code as 'FAKED!'

After cleaning as much as I could with Avast! Boot scans, I attempted to use both MBRCheck and boot_remover to 'fix' the MBR. Neither were able to.

My next step was to download aswMBR.exe but it would not run. I then attempted to download GMER but the options were greyed out. I then downloaded TDSSKiller which detected 1 Rootkit which I 'cured' and 1 locked file which was 'skipped'. A log is provided below.

This allowed me to access aswMBR.exe which I ran, and posted the log below. After this I ran ComboFix (sorry!!) which said I had Rootkit: Zero Access. ComboFix rebooted and successfully went through all its 'stages'. The ComboFix log is provided below. Interestingly, I had uninstalled all my Anti-Virus software prior to running ComboFix, except for Malware Anti... Read more

A:Infected with Rootkit: Zero Access from Security Tool 2011 [Also potentially Rootkit: Alureon]

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427038 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


Attachment: GMer 2-20-2012.log (8.66KB)

My Windows XP (32 bit) seems to be infected with the zero access rootkit. Among other things, it is preventing me from activating the Windows Firewall or connecting to the Internet. Multiple runs of the TDSSkiller have failed to kill it.
THX in advance for your help.
DDS Log
-------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Robert at 7:55:33 on 2012-02-20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1346 [GMT -5:00]
.
AV: Norton Security Suite *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\IProsetMonitor.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\Program Files\Linksys\Wireless-G Notebook Ada... Read more

A:zero access rootkit.Rootkit Infection

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more


Like many I have referred to your site many times over the years to help extract the baddies of the online world mostly for friends computers, I have always been able to get the systems back up and running by either following a main thread or a thread in where a technician walks another user through an issue that is similar. Unfortunately it appears as though I need a bit more specialized help since the items I have tried have not worked and I fear that if I proceed with non specific information I will only make it harder for your team to identify the issue. In a nutshell I am at a standstill and will not be using any more tools until I hear from your team. DDS log and GMER log created and then no additional activity on the system. Here is the history of the system in question:
Specific Issue
A) Wired connection continually says Acquiring network address
B) When attempting to "Change Windows Firewall settings" in LAN tray icon the following error is displayed: "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?" When selecting Yes windows displays "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service."
C) Other items of interest = Opening the task manager does not display the toolbar or tabs, just the running processes.

1) Wired Connection tested on another system to ensure operation
2) The sys... Read more

A:Possible Rootkit Zero Access After Malware Removal - Cannot Access Internet

Hi
Please physically connect your machine to the internet so the tool can determine what service is failing and run the following:
Please download Farbar Service Scanner and run it on the computer with the issue.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.


I've already run malwarebytes, combofix, Spybot.

The winfiles and Pe-files attachments are from rootkitty running on ubcd4win, although they could possibly have been modified by the rootkit before uploading, as I uploaded them from the infected machine.

Here's dds.txt,
DDS (Ver_09-07-30.01) - NTFSx86
Run by Winxp at 9:13:45.14 on Sun 08/30/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.182 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\avgas\guard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C... Read more

A:Rootkit, Vundo.h, Rootkit.agent, Rootkit.Rustock, Rootkit.Dropper, Slenugga, FakeAlert, WinWebSec, etc....

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I believe I am infected with rootkit.zero access. I can't access the internet. I have tried Restore, Malwarebytes, Rkill. Nothing worked so far. Need help badly. Here is the 1 of 2 DDS log............. Let me know if you need the second one..

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Horace at 22:26:27 on 2012-02-11
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1014.258 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\... Read more

A:Rootkit.zero access .. Cant access the Internet

Here is the "Combofix" log...

ComboFix 12-02-11.03 - Horace 02/12/2012 2:18.8.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1014.412 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB22595$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-12 08:12 . 2012-02-12 08:12 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B25BD74F-8BC3-422C-9195-EE637F860E7C}\offreg.dll
2012-02-12 08:11 . 2012-02-12 08:13 -------- d-----w- c:\users\Horace\AppData\Local\temp
2012-02-12 08:11 . 2012-02-12 08:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 23:42 . 2012-02-11 23:42 -------- d-----w- c:\program files\Runtime Software
2012-02-11 12:39 . 2012-02-11 12:39 -------- d-----w- c:\users\Horace\AppData\Roaming\SUPERAntiSpyware.com
2012-02-11 12:39 . 2012-02-11 12:39 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-11 12:39 .... Read more


Hello,
 
I was asked to make this forum post from another post I made here.
 
I have run Security Check, Farbar Service Scanner, MiniToolBox, Malwarebytes Anti-Malware, Malwarebytes Anti-Rootkit, and RKill.
 
I was then asked to run DDS. These are the results:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17344
Run by Fred at 14:42:40 on 2014-11-02
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8191.992 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k NetworkService
c:\Program Files (x86)\AMD\AMD Fusion Utility for Desktops\FusionSVC.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.e... Read more

A:Zero Access rootkit

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.
Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1
Please run a FRST scan. This will help us diagnose your problem.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, d... Read more


Hey All -

First post so please don't kill me. My Malwarebytes keeps telling me that I have RootKit.0Access Trojan. It goes away for a while but after a few days I rerun the scan and it is back.

I have been getting random pop-ups, internet unavailability, google re-directs and general slow PC performance. I am running windows 7 Home Premium.

Any ideas on if I got rid of it via Malwarebytes or if it is still lingering? I still have many of the symptoms.
Thanks!
Ken

A:Zero Access Rootkit

With the information you have provided I believe you will need help from the malware removal team. Please make sure that you read the information about getting started first.
Then start a new thread HERE and include our required logs.
Including a link to this thread will be helpful. Good luck and be patient. Help is on the way!


Haven't been able to turn my Network Discovery on and have it stay on, so I posted in the Networking forum and was directed here after running Security Check, Farbar, MiniToolBox, Malwarebytes Anti-Malware, and Malwarebytes Anti-Rootkit. Here is the link to the original post... http://www.bleepingcomputer.com/forums/t/486730/network-discovery-wont-stay-turned-on/
 
Posting logs from DDS
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464
Run by Krista at 21:47:51 on 2013-02-26
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4044.1634 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe... Read more

A:Zero Access Rootkit

Please re-run the MBAR tool that Broni had you run, this time selecting the "cleanup" button to remove any threats, and reboot if prompted to do so. Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt


Hi everyone, I've been fighting this rootkit for a while and have run out of ideas. I searched and ended up coming here - most people with zero access were recommended to contact a tech before doing anything, so here we go. I initially had Sophos, which detected a threat but let it through. I've since removed Sophos and installed a trial of Kaspersky which is doing a little better, but not a lot.
Originally the virus interfered with the Alcohol 120% virtual SCSI driver and BSOD'd Windows every time it started - I fixed that by going into safe mode and removing the driver.
I've run Kaspersky Rescue Disk, Virus Removal Tool and Antivirus 2011 with the latest database. Originally the behaviour was that the files were locked and couldn't be removed (even when booting off a boot CD like WinXP portable). One of the files was C:\Windows\assembly\gac_msil\desktop.ini, but a whole bunch of System Restore folder files were infected as well.
I ran rkill, and it was denied access to a whole bunch of processes. Then rkill.com and rkill.exe got infected.
I've also run MBAM, I don't remember it picking anything up actually. At least I haven't seen MBAM get infected.
Somehow I managed to get rid of the virus - at least it wasn't showing up under any scans.
Everything looked good until just this morning when a BSOD was caused by a kaspersky system file. Virus is back. I scanned again, but now whenever a file is found and tried to be disinfected, it disap... Read more

A:Zero Access G Rootkit

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/428870 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


A:Zero Access G Rootkit

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


Hi. I have a problem in that my anti-virus software has stopped working at some stage (Microsoft Security Essentials). I can not reactivate the program at all. It's not possible to download any program as I get a "xxxx...program contained a virus and was deleted". I was able to download Avast on another PC and bring it across via USB stick and install.
I ran a full system scan and a boot sector scan and came up with numerous threats. These were moved to the vault but the problems with being unable to download were still there. I have now uninstalled Avast and deactivated all security as to go through the process as explained in the sticky on this forum.
I am running a legal copy of windows and do have the CD if required.
I have posted as required below. Thank you, and I look forward to your help.



DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635
Run by Leon at 20:38:27 on 2013-08-15
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.6135.4572 [GMT 10:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr... Read more

A:Help with possible Zero Access Rootkit

Hello!

I am currently reviewing your logfiles and will assist you shortly with instructions. Please be patient.

Meanwhile: Please subscribe to this thread if you have not done already and please don't do any other scans on your own and don't install or remove software. Thank you!


Hello

First thank you for helping, I ran combofix and it detected the Rootkit Zero Access and now I can't connect to the internet. Sorry for being so vague but I see that this is a popular topic on the forums I just wanted to make it short and sweet. Please let me know what you need me to do.

Thanks

A:Rootkit Zero Access

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more


I wasn't sure whether to post this here or in the Am I Infected? forum.
When I try to turn on Windows Firewall or Windows Defender it says it can't with Error Code 0x80070424.
My computer was recently infected with the redirect virus. I tried to restore to an earlier point of time but it failed (and I can't remember the reason why, sorry) but now restore points are gone. Along with that Wordstarter no longer works, not sure if that means anything.

So I used TDSSKiller and it found nothing, and after a couple of days the redirecting has stopped; this all started on the 3rd and it's been over a week without redirecting. I'm not sure what to do next to start up the Firewall or Defender; any help would be appreciated.

My OS is Windows 7 64bit if that helps.

I performed a few more steps since then. Here is the thread- http://www.bleepingcomputer.com/forums/topic438130.html

Here is the DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Julian at 12:33:19 on 2012-01-15
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2940.1947 [GMT -8:00]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm... Read more

A:64 BIT zero access rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links. Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more


I was advised to post a link to my original topic which is here : http://www.bleepingcomputer.com/forums/topic460425.html

I am helping a friend of mine with his laptop, so I don't have a whole lot of history on it. He just stated it has been slow as of late. He was not running any AV software (out of date) so I ran Avast! on it, and it reported 16 threats. When I removed the threats the laptop would no longer boot, and I was forced to do a restore. So I am back to square one with an infected laptop.

Windows 7 64bit


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Zoyde at 15:52:05 on 2012-07-12
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.1743 [GMT -5:00]
.
AV: Norton 360 *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Wi... Read more

A:Zero Access Rootkit

twintone, welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put logs in code boxes (unless explicitly asked to).
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can also help.
Do not run anything while running a fix.
If you don't understand a step, please ask for clarification before continuing with any future steps.
Click on the Watch Topic button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

One or more of the identified infections is a backdoor trojan and password stealer.
This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institu... Read more


Two days ago my BullGuard anti virus stopped many trojans with several different names from running on my computer. I did a full system scan which found nothing.
Then I used Malwarebytes which also found nothing, but still my antivirus was stopping several viruses daily.
I downloaded rkill and got the message:
*ALERT: ZEROACCESS rootkit symptoms found!
C\Windows\assembly\GAC\Desktop.ini [ZA FILE]
I have tried several programs to get rid of it but most don't even detect it. Can anyone help? I have tried the following:
McAfee Rootkit Remover
AdwCleaner
TDSSKiller
I have also been getting random cmd windows popping up; it's pretty fast before it disappears, but it said something about taskeng.exe. My firewall is being disabled all the time too; I re-enable it, then it's disabled again.
I am running Windows 7.
I posted earlier here
and was given directions to follow to post here
 
 
I have now managed to run DDS and the logs are attached, thx

A:zero access rootkit

Hello traceygl,

Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

Do you have a USB Flash drive you can use?


I have a Windows XP SP3 Home Edition that is infected with the Rootkit Zero Access. After multiple attempts running Sophos and MalwareBytes all came clean, the Wireless/Wired Network stopped working. I was told to try a number of TCP/IP stack fixes. None of these worked. I tried the last resort, ComboFix. Although all logs seem to indicate the infection is gone, I still do not have any internet connectivity. I get 0.0.0.0 in ipconfig. I am going to attach the ComboFix logs. I really want to avoid a reformat, but can anyone please comment on this zero access infection?

Edit 1: I should mention that the DHCP Client Service will not start. I was able to figure out that NetTCP was missing, which is related to the DHCP Client Service. It was suggested that I get that .dll from another Windows XP machine and see if that solves the problem.

A:Rootkit Zero Access

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. Since you have run ComboFix, please include the ComboFix log in the reply.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, include the information that you were unable to produce the other logs, include the ComboFix log, and describe what happens when you try to create the other logs.
Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom
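The threads above keep returning to the same cluster of symptoms: rkill reporting a Desktop.ini under C:\Windows\assembly\GAC (or gac_msil), Windows Firewall and Windows Defender refusing to start with error 0x80070424, the DHCP Client service not starting with ipconfig showing 0.0.0.0, and an AV product flagging services.exe. The PowerShell triage script below is an added example; it is not from any of these posts and not part of rkill, FRST, MBAR or any other tool the helpers mention. It only reports on those indicators and changes nothing, so it can be run before the logs are posted without disturbing the helper's tools. Every path and service name in it is an assumption drawn from the symptoms described in the threads, not a list published by the forum. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added triage script (not from the original threads). Run from an elevated
# PowerShell prompt on the affected Windows host. It only reports; it does not
# delete, repair or re-register anything. The paths and service names are
# assumptions drawn from the symptoms described in the posts above.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. The desktop.ini files that rkill names as ZeroAccess indicators. A clean
#    system normally has no desktop.ini directly inside these GAC folders, so
#    presence alone is worth reporting (it is an indicator, not proof). If the
#    file exists but cannot be opened, that matches the "files were locked"
#    behaviour one poster described and is reported too.
$iocPaths = @(
    (Join-Path $env:SystemRoot 'assembly\GAC\Desktop.ini'),
    (Join-Path $env:SystemRoot 'assembly\GAC_MSIL\Desktop.ini')
)
foreach ($path in $iocPaths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $findings.Add("Indicator file present but NOT readable: $path")
        } else {
            $findings.Add(("Indicator file present: {0} ({1} bytes, attributes: {2})" -f $path, $item.Length, $item.Attributes))
        }
    }
}

# 2. Services the posters could not start. Error 0x80070424 is
#    ERROR_SERVICE_DOES_NOT_EXIST (Win32 error 1060): the service registration
#    is gone, which is different from a service that is merely stopped, so the
#    two cases are reported separately. Win32_Service is used rather than
#    Get-Service so the StartMode check also works on Windows 7's PowerShell 2.0.
$requiredServices = @{
    'MpsSvc'    = 'Windows Firewall'
    'BFE'       = 'Base Filtering Engine (Windows Firewall depends on it)'
    'WinDefend' = 'Windows Defender'
    'wscsvc'    = 'Security Center'
    'Dhcp'      = 'DHCP Client'
}
foreach ($name in $requiredServices.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        $findings.Add(("Service MISSING: {0} ({1})" -f $name, $requiredServices[$name]))
    } elseif ($svc.State -ne 'Running') {
        $findings.Add(("Service not running: {0} ({1}) state={2} startmode={3}" -f $name, $requiredServices[$name], $svc.State, $svc.StartMode))
    }
}

# 3. Integrity of services.exe, which AVG flags in a later thread.
#    sfc /verifyfile compares the file against the component store and prints
#    its verdict straight to the console (not captured here). On PowerShell 5
#    and later Get-AuthenticodeSignature also understands catalog-signed
#    system files; on Windows 7's PowerShell 2.0 it reports 'NotSigned' for
#    them, so that check is skipped there rather than raising a false alarm.
$servicesExe = Join-Path $env:SystemRoot 'System32\services.exe'
Write-Output "Running: sfc /verifyfile=$servicesExe"
& sfc.exe "/verifyfile=$servicesExe"
if ($PSVersionTable.PSVersion.Major -ge 5) {
    $sig = Get-AuthenticodeSignature -FilePath $servicesExe
    if ($sig.Status -ne 'Valid') {
        $findings.Add(("services.exe Authenticode status: {0}" -f $sig.Status))
    }
}

# 4. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No indicators found by these checks.'
} else {
    foreach ($f in $findings) { Write-Output "[!] $f" }
}
```

Two caveats the helpers' advice already implies. First, a kernel-mode rootkit can hide files and falsify what a script running inside the infected OS sees, which is why the replies steer posters toward offline tools (FRST, MBAR, rescue disks) rather than live scans; a clean result from this script is therefore not evidence of a clean machine, while a positive result is a useful data point to include when posting logs. Second, the services check is the one that turns the vague "0x80070424" symptom into something concrete: a MISSING line means the service registration has been removed and re-enabling the firewall from the Control Panel cannot succeed until it is re-registered, which is a job for the helper, not for this script. On Windows XP (one of the threads) sfc has no /verifyfile switch, so that step will just print usage text there.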


Hello,
My wife's computer seems to have acquired a zero access rootkit problem. I get the message saying "file contained a virus and was deleted" every time I try to download a file. She just noticed the problem a few days ago.
It is an HP desktop (sorry, don't have the model. Umbe than day rot now) running Vista Home Premium.
What would be the best way to get rid of this issue? What steps should I take?
Any help will be appreciated very much.

A:Zero Access Rootkit

ZEROACCESS rootkit is a serious malware infection. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.
Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6. If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.
Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.
After doing this, it would be helpful if you replied back in this thread with a link to the new topic so we can close this one. Good luck and be patient.


http://www.bleepingcomputer.com/forums/topic428348.html.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by DuSchi at 12:42:39 on 2011-11-18
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2132 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\rundll32.... Read more

A:Zero Access Rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links. Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more


Help - I have the Zero Access Rootkit virus. Unable to download anything at all:
menus, maps, software etc. I use ASC Pro and Malwarebytes.
Neither will find and delete the virus. I am not very technical and have
read all the forums, e.g. TDSSKiller etc.
 
How can I remedy this problem when I am unable to download?
Will a system restore fix the problem?

A:zero access rootkit

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
First please navigate to C:\Program Files, then right-click the Windows Defender folder and select Rename from the context menu.
Add a unique variation to the filename, such as .old (for example, Windows Defender.old).
 
 
 
Next please download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will... Read more


Hello,

I've been instructed to move my issues over to this thread from http://www.bleepingcomputer.com/forums/topic431884.html Original issue was that my Google/Yahoo searches were being hijacked. The search itself wasn't hijacked, but if I clicked on any of the links on the search page it redirected me to some other weird search site. Also, my laptop is running VERY slow (40-100% memory usage) and my Outlook 2007 will not connect. After doing the steps given in the other thread, my computer seems to be running faster but the search is still hijacked and Outlook won't let me connect. Thanks for your help! Here are my logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by matt.thomas at 16:50:39 on 2011-12-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.367 [GMT -5:00]
.
AV: Trend Micro Client-Server Security Agent AntiVirus *Enabled/Updated* {61CB6683-51E0-4335-991A-E86068BDD4B5}
FW: Trend Micro Client-Server Security Agent Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Documents and Settings\mat... Read more

A:***Possible Zero Access Rootkit?

Hi,

Please do the following:

Please download TDSSKiller.zip
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT

Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Win... Read more


I was told that my PC has been infected with a Zero Access Rootkit, and directed here from the Am I Infected? What do I do? Forum. My post from there is below.

I'm hoping you can help me. My computer had been acting up, so I ran a full AVG scan, and it told me that I had 5-6 trojans/viruses. I told it to Quarantine the items, which it did, and then ran a Malwarebytes scan, which turned up clean. After I rebooted my computer, I received quite a few AVG notifications that there were trojans still present, and when I went to go online, Firefox and IE will not connect. I tried disabling my wired connection, which didn't do anything, and when I tell Windows to repair the connection, I receive this message:

"Windows could not finish repairing the problem because the following action cannot be completed: Failed to query TCP/IP settings of the connection. Cannot proceed."

Furthermore, I get a notification that my firewall is turned off via Windows Security Center

Any help you can give is appreciated. While not entirely computer illiterate, this is the first time I've used a forum...I'm stumped.

I am using Windows XP with Service Pack 3.

DDS Log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_29
Run by EZ-PC Customer at 17:00:40 on 2012-03-15
.
============== Running Processes ===============
.
\??\C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
\??\C:\Program Files\AV...

A:Zero Access Rootkit

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

1. Do not run any other tool until instructed to do so! Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things to happen.

2. Please do not attach logs or put in code boxes. Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.

3. After each step give me a little feedback. It does not need to be long, but just something so I know how things are going. It can be something like: I am still getting redirected / The computer is running as it should. Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.

4. Read every post completely before doing anything. Pay special attention to the Notes** I have put in. These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Pl...

Read other 20 answers

I did some searching, and I think I have the Zero Access rootkit trojan.

AVG Free Edition keeps asking me to remove c:/windows/installer/various names.
AVG Free Edition keeps asking me to remove c:/windows/system32/services.exe.
It does this so often that it is hard to browse the internet.
Also my browser is redirecting me to other websites.
Should I consider a system restore? Or is that a bad idea?
Except for the system restore idea, I have no idea how to remove this trojan.

Help! Please.

A:Help! I think I have Zero Access rootkit

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At...

Read other 16 answers

Recently I've acquired this rootkit, and I have no idea how. I just installed a fresh copy of Windows 8 on this SSD that I have just purchased, and I haven't installed anything I don't usually install or have visited any websites that I don't normally visit. The first thing that tipped me off that something was off was that UAC was bugging me to update Flash Player. Usually I just put it off and update it a week later, but in this case, UAC wouldn't let me click no and go back to my desktop, it would just keep bugging me over and over again until I clicked yes. When I did click yes, it wouldn't do anything, no installer would come up. So I opened up my task manager and took a look at some of the running processes, and the FlashPlayerInstaller.exe or whatever was running along with 2 of the windows installer executable. Then I noticed something very weird, and that was a blank process running from svchost.exe. At times, it would use up to 600+MB of RAM. I also noticed that in the C:\Users\Tony\AppData\Local\Temp folder that there was some randomly named executable files in there, and one called csrss.exe. So at that point, I ran Malwarebytes to see what was there to find, and it found the ZeroAccess Rootkit on a quick scan or whatever, along with a registry entry. So I removed that, and immediately start getting some other programs together to start scanning. Next thing I scanned with was GMER, came back clean. HitmanPro came back with a few items, got rid of them. Ran a full ...

A:Zero Access Rootkit

Need to bump this... Need to know what else I should be doing to ensure it's gone. Don't really want to format, but if it comes down to it, I will.

Read other 4 answers

So after ignoring a mozilla/ie 8 hijack for a few weeks until one of my kids got dropped off to a site not worth repeating, I decided to try to fix the problem myself.

Malwarebytes Antimalware and Microsoft Security Essentials could not find the problem, so browsing some forums I saw combofix was the recommended solution. I ran combofix and it indicated that rootkit.zeroaccess was the issue. I allowed it to fix the issue and now I cannot connect to the internet. I've read a few other forums on this issue and tried a few recommendations but with no results.

It appears I have saved over the original combofix log (i ran it twice as that was suggested in another thread).

Any assistance would be appreciated.

A:rootkit zero access

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434292 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo...

Read other 2 answers

Hi people
I need a bit of help; got a nasty zeroaccess rootkit on my desktop, ran tdsskiller, didn't clean.
Tried combofix; it seems Combo fix cleaned the rootkit but broke my internet and didn't give me a log file. But it created a folder in C: named Combofix. When I tried to open it it took me back to My Computer under Combofix.
Rebooted, uninstalled Combo Fix, ran Combofix again (accidentally, while trying to install recovery console) and got a log this time. Can anyone see if anything is off?
Thank you in advance.

A:Zero access rootkit - afterwards

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. Since you have run ComboFix, please include the ComboFix log in the reply.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, include the information that you were unable to produce the other logs, include the ComboFix log, and describe what happens when you try to create the other logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

Read other 3 answers

Laptop started off running real slow. Various antispyware (emisoft, malwarebytes, pcdoctor) not finding anything.

Then couldn't access some programs like Process Explorer and browser (comodo dragon).

Several other things happened like BSOD, boot up only in safe mode.

Tried other software (rkill, tdsskiller, etc). Thought I got it with rkill but after 'deleting' it, system still not working. Can only work in safe mode. In normal mode cannot access browser and will not let me run anti spyware programs like emisoft & malwarebytes, and still cannot access Process Explorer.
 
Here are the logs:
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 9.0.8112.16457  BrowserJavaVersion: 1.6.0_29
Run by NGS at 22:15:28 on 2013-02-21
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3999.3087 [GMT -5:00]
.
AV: ZoneAlarm Antivirus *Enabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
AV: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *Enabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
SP: PC Tools Spyware Doctor with AntiVirus *Enabled/Outdated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
FW: ZoneAlarm Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Wind...

A:Possible Zero Access rootkit.

Hello NancyNo5, Welcome to The Forums!!

Around here they call me Gringo and I'll be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at y...

Read other 22 answers

About two days ago I needed to restart my computer and that is when I noticed that a malicious virus was blocked and was attempting to change my homepage for my browsers. I decided to download malwarebytes and perform a scan and it found about 10 infections. I then performed an AVG (free software) scan and it found 7 threats, all of them different (1 was hacker tool, another was cookie type infection, so on). After going into safe mode and running a malware scan it found 5 more infections. Now I am running in regular windows mode but I am still noticing that my browser is being messed with and now Internet explorer will not open to certain pages. Google chrome is working just fine but when I change my homepage to yahoo.com, something changes it back to search browsing.com. I also noticed that at various times (seems to be random) that music will start to play with no applications open and sometimes it's not music but advertisements. I am afraid that my browser has been hacked and that my passwords, files on my computer might be at risk. I would appreciate any help that I can get. Thank you in advance. A friend also suggested that my computer might be a bot and being used as a drone machine. After getting help in the one forum I will post my DDS log under this paragraph.

DDS Log TXT:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Owner at 13:16:05 on 2012-07-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5611.2762 [GMT -4:00]
.
AV...

A:zero access rootkit

Hi,

Please run the following. Refer to the ComboFix User's Guide.

Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here

Double click on ComboFix.exe & follow the prompts. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Read other 12 answers

Last week a virus redirected my Google searches. I ran Combofix which removed a fake NT$uninstall directory that was responsible. Everything seemed fine for about a week when I got one of those fake security popups saying I had a virus and needed to run a scan with a link provided in the popup. I decided to run Combofix again. It said I had rootkit zero access, and that it was in my tcpip settings (or something like that). After Combofix did its thing, the popup virus was gone, however I was unable to connect to the internet (network connection says limited or no connectivity). I see that Combofix saved some of my registry tcpip settings in a quarantine file but didn't remove them from the registry. Anyway, at this point I'm not exactly sure if I still have a virus that is preventing internet access, or if perhaps Combofix did something undesirable while it was removing the popup virus. I've followed the directions given here and run both dds.scr and gmer.exe and attached the log files. Any ideas would be appreciated.

A:Rootkit Zero Access

As a followup to the above, I discovered that something is preventing the AFD network support environment service from starting at bootup. I've tried to manually start AFD in device manager but it gives error message saying "The system encountered the following error while attempting to start the service: the filename, directory name or volume label syntax is incorrect". I've checked and see that the file is present in windows/system32/drivers and the dllcache, so the file is there. I've also checked the registry key HKLM\system\currentcontrolset\services\afd and verified the image path is correct, it is: \systemroot\system32\drivers\afd.sys. BTW, I also took a look at HKLM\system\currentcontrolset\enum\root\LEGACY_AFD\0000\Control, and have noticed there is no ActiveService entry, and whenever I add one, it seems to disappear anytime I try to start the AFD service, almost makes me think something is overriding my changes to that key (a virus??). Not sure what else I might try, perhaps it's time to give up and reinstall windows.

Read other 21 answers

Thread started here http://www.bleepingcomputer.com/forums/t/568466/need-help-with-bsods/page-2
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-03-2015
Ran by Mario (administrator) on MARIO-PC on 03-03-2015 19:46:04
Running from C:\Users\Mario\Downloads
Loaded Profiles: Mario (Available profiles: Mario)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(SoftThinks) C:\Program Files (x86)\Dell DataS...

A:Zero Access rootkit

Hi & welcome to Bleeping Computer Forums!

My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:

- My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
- Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
- Perform everything in the correct order. Sometimes one step requires the previous one.
- If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
- Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
- Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
- If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
- If I don't reply within 24 hours please PM me!
- Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please uninstall some programs:
Windows 7: Click on the button, open Control Panel and click Uninstall a program.
Search and select the following programs one by one and click on Uninstall: Pirates of the Bur...

Read other 21 answers

Hi

My name is anirmj. It's great to have finally found a forum where I can expect a resolution to my issue.

Well, to the topic at hand. I have the Zero access rootkit in my system. Have it for about 5 days now. Been looking for a while on the web for a solution. Found a few but they were no good.

My system is a Win7 64bit (Dell XPS Laptop)
Antivirus: McAfee Security Center 11
Antispyware: SuperAntiSpyware Pro 5.5

How I know it's Zero Access: for one, McAfee told me (but their removal solution didn't work). Firewalls in both McAfee and Windows don't work. Windows Update doesn't work (even the service for Win Update isn't there in the services menu). McAfee upon virus scan keeps finding two files "Desktop.ini" for 32/64, infected with Zero access but is unable to remove them.

Also, don't know if these are because of the rootkit, but my "Gamebooster" doesn't run a game from the software's menu, but upon ending the process and relaunching the software, the game is able to run (this wasn't the case before and have reinstalled the software to confirm the issue). My power plan has a new entry (have attached a pic). And, while setting the system restore option to "off", there was an error window (but still the restore option was disabled).

I haven't noticed any system slowdowns yet. As for the net connection, it connects properly, but sometimes it doesn't, as in I'm unable to browse websites (even though if a torrent file...

A:Zero Access Rootkit

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ...

Read other 27 answers

I was directed here from "BC Advisor". I am having intermittent browser redirects on all of my browsers (IE8, Chrome, Firefox), often to the site Happili.com. aswMBR identified the rootkit, so I'm attaching that log. The GMER scan didn't locate anything and produced an empty log file.

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by Mark at 5:36:22 on 2012-04-30
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6012.1316 [GMT -7:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost...

A:Zero Access Rootkit

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t...

Read other 14 answers

Hey guys, if anyone can help me: I have some nasty rootkit infection and I ran combo fix, it found winver.exe to be infected and successfully repaired it. After that I ran sfc /scan and it found some files to be corrupted and fixed it. Also I ran Adware Cleaner, Malwarebytes antirootkit, Eset Online scanner, TDSS tool and it only found one Disable Task Manager registry key. If anyone could help me find the rest of it I would really appreciate it.

Read other answers

I think I may have a zero access rootkit infection... I've tried several spyware removal tools in both normal mode and safe mode to no avail.
 
The dds log is attached....
 
Current state of PC:
 
-Windows firewall error
-Requesting that I remove "Win32/Small.CA virus"

A:zero access rootkit

Hello pottsy710

I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"...

Read other 19 answers

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Mike at 0:25:25 on 2011-09-30
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin....

A:DDS Log for Zero Access rootkit

Please run the following instead:

Please download aswMBR.exe and save it to your desktop.
Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
When asked if you want to download Avast's virus definitions please select Yes.
Click Scan

Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Read other 4 answers

Hi all,
 
My mom's computer is hosed up with what appears to be the Zero Access Rootkit.  I cannot download any of the scanning or removal tools like DDS to fix because every download attempt results in the ".....contained a virus and was deleted" error (which is why I think this PC is infected with it).
 
Any assistance would be great.
 
Thank you.
 
vandelay87

A:Zero Access Rootkit?

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues, this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
First please navigate to C:\Program Files, then right-click the Windows Defender folder and select Rename from the context menu.
Add a unique variation to the filename, such as .old (for example, Windows Defender.old).
 
 
 
Next please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will... Read more


I ran DDS. Here's the copy-paste:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16526
Run by Ryan at 2:42:49 on 2014-01-04
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4060.1938 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\GameTrack... Read more

A:zero access rootkit

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Woodbury at 13:07:42 on 2012-08-12
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3241.2139 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Woodbury\Downloads\HijackThi... Read more

A:Rootkit Zero Access

Please do the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more


For the last couple of weeks, my internet browser has been redirecting me to other sites. Also, a message periodically pops up on my screen saying "werconcpl.dll error". I did a little searching, and found that it might be a rootkit virus. I think it also might have somehow attached itself to the Windows System32 services. I would greatly appreciate if you could help me in my attempt to rid my computer of this annoying virus. Thank you.

A:Zero Access Rootkit?

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems.
I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the ... Read more


Tried using aswMBR. Here is the log. Helping a family member via email. Thanks.
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-04 23:41:34
-----------------------------
23:41:34.437 OS Version: Windows 5.1.2600 Service Pack 3
23:41:34.437 Number of processors: 2 586 0x4B02
23:41:34.437 ComputerName: EB3B638EFBD840C UserName: Frankie
23:41:35.140 Initialize success
00:03:50.656 AVAST engine defs: 12120401
15:00:36.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:00:36.859 Disk 0 Vendor: WDC_WD3200AAJS-00L7A0 01.03E01 Size: 305245MB BusType: 3
15:00:36.875 Disk 0 MBR read successfully
15:00:36.875 Disk 0 MBR scan
15:00:36.937 Disk 0 Windows XP default MBR code
15:00:36.937 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
15:00:36.937 Disk 0 scanning sectors +625121280
15:00:37.015 Disk 0 scanning C:\WINDOWS\system32\drivers
15:00:45.078 Service scanning
15:00:57.515 Modules scanning
15:00:59.953 Disk 0 trace - called modules:
15:00:59.984 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:00:59.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a4ffab8]
15:00:59.984 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000062[0x8a458f18]
15:00:59.984 5 ACPI.sys[b7f7f620] -> nt!IofCallD... Read more

A:Zero Access Rootkit

Hello moddman, and welcome to the Virus/Trojan/Spyware/Malware Removal forum.
I am oneof4, and I am here to help you!
I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received and do not proceed if you need clarification.
Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
At the top right-center of the topic you will see a button called Watch Topic. If you click on this, another page will open. Please choose Immediate Notification and then click Proceed; you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.
If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!
Again I would like to remind you to make no further changes to your computer unless I direct you to do so... Read more


.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by user at 12:39:48 on 2011-06-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.804 [GMT 3:00]
.
AV: BitDefender Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *Enabled*
.
============== Running Processes ===============
.
D:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
D:\Program Files\BitDefender\BitDefender 2011\vsserv.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\oracle\bin\omtsreco.exe
D:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe
D:\WINDOWS\system32\SearchIndexer.exe
D:\Program Files\BitDefender\BitDefender 2011\bdagent.exe
D:\Program Files\BitDefender\BitDefender 2011\pchooklaunch32.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Everything\Everything.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Program Files\Microsoft Office\Office12&#... Read more

A:rootkit.zero access

Hello edelawit,

Did ComboFix complete its run? Kindly post the C:\ComboFix.txt
