Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-10-2013
Ran by Stefan at 2013-10-24 17:26:32 Run:1
Running from C:\Users\Stefan\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM\...\Run: [Microsoft Windows Hosting Service] - C:\Users\Stefan\AppData\Local\Temp\csrss.exe [239616 2013-09-19] (NoVirusThanks Company Srl) <===== ATTENTION
HKLM\...\Policies\Explorer\Run: [44992] - c:\progra~2\dxrrblix.exe [357888 2009-07-14] ( ())
HKLM\...\Policies\Explorer: [3212083974] 0x504B0304C239B7F8068374BFB511000000400000E269F63D73594F6202C9694280CC96A28BBD63516FE3C2D5F7A2FF87AC
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [Microsoft Windows Hosting Service] - C:\Users\Stefan\AppData\Local\Temp\csrss.exe [239616 2013-09-19] (NoVirusThanks Company Srl) <===== ATTENTION
HKCU\...\CurrentVersion\Windows: [Load] c:\users\stefan\dxmwpq.exe <===== ATTENTION
S2 DefaultTabSearch; C:\Program Files\DefaultTab\DefaultTabSearch.exe [573952 2013-09-16] ()
R2 DefaultTabUpdate; C:\Users\Stefan\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-08-23] ()
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2e754a38-a09f-89b0-736a-408075ef620d}\ \...\???\{2e754a38-a09f-89b0-736a-408075ef620d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S3 iBurstu; system32\DRIVERS\iBurstu.sys [x]
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\Stefan\AppData\Local\Temp\csrss.exe
C:\Users\Stefan\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\ProgramData\dxrrblix.exe
C:\Users\Stefan\dxakokxu.exe
C:\Users\Stefan\dxavzr.exe
C:\Users\Stefan\dxbesgdoq.exe
C:\Users\Stefan\dxcadh.exe
C:\Users\Stefan\dxcbaathv.exe
C:\Users\Stefan\dxddoi.exe
C:\Users\Stefan\dxdjbu.exe
C:\Users\Stefan\dxehlohv.exe
C:\Users\Stefan\dxgcftur.exe
C:\Users\Stefan\dxhuamnw.exe
C:\Users\Stefan\dxhvrn.exe
C:\Users\Stefan\dxiewkke.exe
C:\Users\Stefan\dxifgxuu.exe
C:\Users\Stefan\dxiynj.exe
C:\Users\Stefan\dxizkvbep.exe
C:\Users\Stefan\dxkdufa.exe
C:\Users\Stefan\dxlabpuqo.exe
C:\Users\Stefan\dxlmhx.exe
C:\Users\Stefan\dxmwpq.exe
C:\Users\Stefan\dxojim.exe
C:\Users\Stefan\dxoyiv.exe
C:\Users\Stefan\dxqafz.exe
C:\Users\Stefan\dxriojni.exe
C:\Users\Stefan\dxrjiy.exe
C:\Users\Stefan\dxsezfjt.exe
C:\Users\Stefan\dxtjrk.exe
C:\Users\Stefan\dxtseu.exe
C:\Users\Stefan\dxudeh.exe
C:\Users\Stefan\dxvyvlii.exe
C:\Users\Stefan\dxxikia.exe
C:\Users\Stefan\dxxtwdeuo.exe
C:\Users\Stefan\dxyrsiu.exe
C:\Users\Stefan\dxzkhbwa.exe
C:\Users\Stefan\AppData\Local\Temp\1345545343.exe
C:\Users\Stefan\AppData\Local\Temp\1345550028.exe
C:\Users\Stefan\AppData\Local\Temp\1347056850.exe
C:\Users\Stefan\AppData\Local\Temp\1348369731.exe
C:\Users\Stefan\AppData\Local\Temp\1348385342.exe
C:\Users\Stefan\AppData\Local\Temp\1348385637.exe
C:\Users\Stefan\AppData\Local\Temp\1364500553.exe
C:\Users\Stefan\AppData\Local\Temp\1364503380.exe
C:\Users\Stefan\AppData\Local\Temp\1373093828.exe
C:\Users\Stefan\AppData\Local\Temp\1373099186.exe
C:\Users\Stefan\AppData\Local\Temp\1373307441.exe
C:\Users\Stefan\AppData\Local\Temp\1390877027.exe
C:\Users\Stefan\AppData\Local\Temp\1423717569.exe
C:\Users\Stefan\AppData\Local\Temp\77Zip973867.exe
C:\Users\Stefan\AppData\Local\Temp\AutoRun.exe
C:\Users\Stefan\AppData\Local\Temp\AutoRunGUI.dll
C:\Users\Stefan\AppData\Local\Temp\BackupSetup.exe
C:\Users\Stefan\AppData\Local\Temp\CmdLineExt03.dll
C:\Users\Stefan\AppData\Local\Temp\csrss.exe
C:\Users\Stefan\AppData\Local\Temp\drm_dyndata_7400009.dll
C:\Users\Stefan\AppData\Local\Temp\EBU1489.EXE
C:\Users\Stefan\AppData\Local\Temp\EBU14F6.DLL
C:\Users\Stefan\AppData\Local\Temp\EBU34D5.EXE
C:\Users\Stefan\AppData\Local\Temp\EBU35EE.DLL
C:\Users\Stefan\AppData\Local\Temp\EBU7B27.EXE
C:\Users\Stefan\AppData\Local\Temp\EBU7BA4.DLL
C:\Users\Stefan\AppData\Local\Temp\mgsqlite3.dll
C:\Users\Stefan\AppData\Local\Temp\msdt.exe
C:\Users\Stefan\AppData\Local\Temp\ootp13setup.exe
C:\Users\Stefan\AppData\Local\Temp\ose00000.exe
C:\Users\Stefan\AppData\Local\Temp\SIntf16.dll
C:\Users\Stefan\AppData\Local\Temp\SIntf32.dll
C:\Users\Stefan\AppData\Local\Temp\SIntfNT.dll
C:\Users\Stefan\AppData\Local\Temp\SweetIMSetup.exe
C:\Users\Stefan\AppData\Local\Temp\ubiC524.tmp.exe
C:\Users\Stefan\AppData\Local\Temp\uninstaller.exe
C:\Users\Stefan\AppData\Local\Temp\utt5FE5.tmp.exe
C:\Users\Stefan\AppData\Local\Temp\WAKUNX.exe
C:\Users\Stefan\AppData\Local\Temp\_isFD26.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 02 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
CMD: netsh winsock reset
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft Windows Hosting Service => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\44992 => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\3212083974 => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft Windows Hosting Service => Value not found.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Value was restored successfully.
DefaultTabSearch => Service deleted successfully.
DefaultTabUpdate => Service deleted successfully.
rpcapd => Service deleted successfully.
*etadpug => Service deleted successfully.
iBurstu => Service deleted successfully.
C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\csrss.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Google\Desktop\Install => Moved successfully.
"C:\Program Files\Google\Desktop\Install" directory move:
Could not move "C:\Program Files\Google\Desktop\Install" directory. => Scheduled to move on reboot.
C:\ProgramData\dxrrblix.exe => Moved successfully.
C:\Users\Stefan\dxakokxu.exe => Moved successfully.
C:\Users\Stefan\dxavzr.exe => Moved successfully.
C:\Users\Stefan\dxbesgdoq.exe => Moved successfully.
C:\Users\Stefan\dxcadh.exe => Moved successfully.
C:\Users\Stefan\dxcbaathv.exe => Moved successfully.
C:\Users\Stefan\dxddoi.exe => Moved successfully.
C:\Users\Stefan\dxdjbu.exe => Moved successfully.
C:\Users\Stefan\dxehlohv.exe => Moved successfully.
C:\Users\Stefan\dxgcftur.exe => Moved successfully.
C:\Users\Stefan\dxhuamnw.exe => Moved successfully.
C:\Users\Stefan\dxhvrn.exe => Moved successfully.
C:\Users\Stefan\dxiewkke.exe => Moved successfully.
C:\Users\Stefan\dxifgxuu.exe => Moved successfully.
C:\Users\Stefan\dxiynj.exe => Moved successfully.
C:\Users\Stefan\dxizkvbep.exe => Moved successfully.
C:\Users\Stefan\dxkdufa.exe => Moved successfully.
C:\Users\Stefan\dxlabpuqo.exe => Moved successfully.
C:\Users\Stefan\dxlmhx.exe => Moved successfully.
C:\Users\Stefan\dxmwpq.exe => Moved successfully.
C:\Users\Stefan\dxojim.exe => Moved successfully.
C:\Users\Stefan\dxoyiv.exe => Moved successfully.
C:\Users\Stefan\dxqafz.exe => Moved successfully.
C:\Users\Stefan\dxriojni.exe => Moved successfully.
C:\Users\Stefan\dxrjiy.exe => Moved successfully.
C:\Users\Stefan\dxsezfjt.exe => Moved successfully.
C:\Users\Stefan\dxtjrk.exe => Moved successfully.
C:\Users\Stefan\dxtseu.exe => Moved successfully.
C:\Users\Stefan\dxudeh.exe => Moved successfully.
C:\Users\Stefan\dxvyvlii.exe => Moved successfully.
C:\Users\Stefan\dxxikia.exe => Moved successfully.
C:\Users\Stefan\dxxtwdeuo.exe => Moved successfully.
C:\Users\Stefan\dxyrsiu.exe => Moved successfully.
C:\Users\Stefan\dxzkhbwa.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1345545343.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1345550028.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1347056850.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1348369731.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1348385342.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1348385637.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1364500553.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1364503380.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1373093828.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1373099186.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1373307441.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1390877027.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\1423717569.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\77Zip973867.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\AutoRun.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\AutoRunGUI.dll => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\BackupSetup.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\CmdLineExt03.dll => Moved successfully.
"C:\Users\Stefan\AppData\Local\Temp\csrss.exe" => File/Directory not found.
C:\Users\Stefan\AppData\Local\Temp\drm_dyndata_7400009.dll => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\EBU1489.EXE => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\EBU14F6.DLL => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\EBU34D5.EXE => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\EBU35EE.DLL => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\EBU7B27.EXE => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\EBU7BA4.DLL => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\mgsqlite3.dll => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\msdt.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\ootp13setup.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\SIntf16.dll => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\SIntf32.dll => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\SIntfNT.dll => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\SweetIMSetup.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\ubiC524.tmp.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\uninstaller.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\utt5FE5.tmp.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\WAKUNX.exe => Moved successfully.
C:\Users\Stefan\AppData\Local\Temp\_isFD26.exe => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000002\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll

========= netsh winsock reset =========

The following helper DLL cannot be loaded: WSHELPER.DLL.
The following command was not found: winsock reset.

========= End of CMD: =========

=========== Result of Scheduled Files to move ===========

C:\Program Files\Google\Desktop\Install => Moved successfully.

==== End of Fixlog ====