
COM Surrogate Virus [Solved]

COM Surrogate

This topic is locked.

#16 23red (Trusted Helper, Malware Removal, 1,797 posts)

Hi djrk16 :)

Sincere apologies for the delay. A bit more to fix with FRST ~ I'd like to do this fix a slightly different way, as part of it did not go through the board correctly when I made the previous fixlist.

You also need to remove the previous fixlist from your Desktop before you make this one. It's OK to delete it.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text inside the quotebox below into it:

CreateRestorepoint:
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CustomCLSID: HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
AlternateDataStreams: C:\ProgramData\TEMP:48147409
Emptytemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

Poweliks was found on your computer. It is a rootkit with backdoor function. I've removed what I can see. It looked as though it was just getting started, probably due to your diligence in stopping the processes.

I'd like you to do a rootkit scan for me in an effort to check further.

Now for a deeper check:

Step 2
Mbar

Download Malwarebytes Anti-Rootkit to your desktop from here.

  • Right-click on the file that was downloaded and choose Run as administrator. Answer Yes if prompted to Allow.
  • Click OK at the installer screen that comes up.
  • The software will be extracted and will open.
  • Click Next at the first screen.
  • The Update Database screen will appear. Click the Update button.
  • Once updated, click the Next button.
  • On the Scan System screen, click the Scan button.
  • Once the scan is finished, click on the Cleanup button to remove any threats and reboot if prompted to do so. If no threats are found, just close the program.
  • If threats were found, then after the reboot, re-run the program to verify no threats remain. If threats are still detected, click the Cleanup button once more.

Whether threats were found or not, there will be a folder named mbar on your desktop. Open this folder and in the list you will find a file named mbar-log-...txt and another named system log.txt. Please open the files one at a time and copy and paste the contents of each back here.

When you return, please post:

1.  FRST fix log
2.  Mbar-log txt
3.  system log.txt

Thank you :)



#17 djrk16 (Member, Topic Starter, 32 posts)

Hello 23red,

No need to worry about the delay. I have completed the scans as requested.

Here is the FRST fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-01-2015 03
Ran by David at 2015-01-05 20:32:26 Run:2
Running from C:\Users\David\Desktop
Loaded Profile: David (Available profiles: David)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************

CreateRestorepoint:
 SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
 SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
 SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
 CustomCLSID: HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
 CustomCLSID: HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
 CustomCLSID: HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
 CustomCLSID: HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
 AlternateDataStreams: C:\ProgramData\TEMP:48147409
 Emptytemp:
 CMD: bitsadmin /reset /allusers

*****************

Restore point was successfully created.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => Key deleted successfully.
"HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => Key deleted successfully.
"HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => Key deleted successfully.
"HKU\S-1-5-21-3595834773-1647143225-1819946379-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => Key deleted successfully.
C:\ProgramData\TEMP => ":48147409" ADS removed successfully.

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => Removed 490 MB temporary data.

The system needed a reboot.

==== End of Fixlog 20:35:58 ====



#18 djrk16 (Member, Topic Starter, 32 posts)

Here is the mbar log:

Malwarebytes Anti-Rootkit BETA 1.08.2.1001
www.malwarebytes.org

Database version: v2015.01.06.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17501
David :: DAVID-PC [administrator]

1/5/2015 9:06:01 PM
mbar-log-2015-01-05 (21-06-01).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 357786
Time elapsed: 28 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)



#19 djrk16 (Member, Topic Starter, 32 posts)

Here is the system log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17501

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.194000 GHz
Memory total: 4021186560, free: 2760048640

Downloaded database version: v2015.01.06.01
Downloaded database version: v2014.12.30.01
Downloaded database version: v2014.12.06.01
=======================================
Initializing...
------------ Kernel report ------------
     01/05/2015 21:05:46
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\drivers\WRkrn.sys
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\NDIS.SYS
\SystemRoot\System32\drivers\TDI.SYS
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\hamachi.sys
\SystemRoot\system32\DRIVERS\tap0901t.sys
\SystemRoot\system32\drivers\serscan.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\drivers\hidusb.sys
\SystemRoot\system32\drivers\HIDCLASS.SYS
\SystemRoot\system32\drivers\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\LEqdUsb.Sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\LHidEqd.Sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\LHidFilt.Sys
\SystemRoot\system32\DRIVERS\LMouFilt.Sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\umpass.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\oleaut32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\lpk.dll
\Windows\System32\ws2_32.dll
\Windows\System32\setupapi.dll
\Windows\System32\imm32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\shell32.dll
\Windows\System32\msctf.dll
\Windows\System32\user32.dll
\Windows\System32\iertutil.dll
\Windows\System32\Wldap32.dll
\Windows\System32\nsi.dll
\Windows\System32\normaliz.dll
\Windows\System32\usp10.dll
\Windows\System32\difxapi.dll
\Windows\System32\advapi32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\psapi.dll
\Windows\System32\sechost.dll
\Windows\System32\wininet.dll
\Windows\System32\gdi32.dll
\Windows\System32\ole32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\kernel32.dll
\Windows\System32\urlmon.dll
\Windows\System32\clbcatq.dll
\Windows\System32\wintrust.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa80033de790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000088\
Lower Device Object: 0xfffffa80051219c0
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80042f6060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa8003df4060
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80042f6060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80042f6ab0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80042f6060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8003df4060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C584C584

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 976564224

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa80033de790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800513c910, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80033de790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80051219c0, DeviceName: \Device\00000088\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
Partition information:

    This drive is a Single Partition removable Drive.
    Partition is not bootable

Disk Size: 1014497280 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished



#20 23red (Trusted Helper, Malware Removal, 1,797 posts)

Great! Looks good :thumbsup: How is the computer running?

#21 djrk16 (Member, Topic Starter, 32 posts)

I have had no issues running my computer. The COM Surrogate Process still shows up once or twice after booting the computer, and disappears after a few seconds. However, I have been experiencing no issues from this. I'll let you know if anything comes up. Thanks for all of your help.



#22 23red (Trusted Helper, Malware Removal, 1,797 posts)

Hi djrk16 :)

"I have had no issues running my computer."

Great! Glad to hear it!

"The COM Surrogate Process still shows up once or twice after booting the computer, and disappears after a few seconds. However, I have been experiencing no issues from this."

It is a legitimate process.

"Thanks for all of your help."

You're very welcome! :)

If all is well, let's do some final checks, then I'll clean up my mess on your Desktop:

I need you to check something, please:

Step 1
Reset Chrome Search Provider:

1.  Click the Chrome menu icon on the browser toolbar.
2.  Select Settings. The Settings page will open.
3.  In the "Search" section, click Manage search engines.

Mouse over them and click the X to remove the bad entries.
The one in the OTL log to remove is Privitize VPN.
Remove that and any other remaining entries that do not belong.
Make the search engine of your choice, Google, the (Default) search engine by mousing over it and clicking Make default.
Please advise how this goes. If it is no longer there, let me know that as well.

Step 2
ESET Online Scanner

Please run a free online scan with the ESET Online Scanner.

Note: You will need to disable your currently installed Anti-Virus for the duration of the online scan; how to do so can be read here.

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla Firefox.

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.

  • Click the green ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use, then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the online scan will begin automatically. The scan may take several hours.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close. Make sure you copy the logfile first!
  • Then click on: Finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Step 3
SecurityCheck by Screen317:

Please also download Security Check by screen317.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please also post the contents of that document.

When you return please post:

1.  ESET log
2.  checkup.txt
3.  Please let me know how the Chrome repair went ;)

Thank you :)



#23 djrk16 (Member, Topic Starter, 32 posts)

Hello 23red,

I have been having a few problems with the instructions. I don't believe I have Google Chrome installed, as I uninstalled it about a year ago, but if I do, I have no shortcut to access it anywhere.

I'm also having problems with the ESET Scanner. I think the button I need to click is blue, not green, but after I agree to the Terms, I get a message saying that an addon failed to run.

Sorry for the complications. :(



#24 23red (Trusted Helper, Malware Removal, 1,797 posts)

Hello djrk16 :)

Not a problem. Let's check on Chrome:

"I don't believe I have Google Chrome installed, as I uninstalled it about a year ago, but if I do, I have no shortcut to access it anywhere."

Please check here, as it is visible in both FRST and OTL logs:

Please go to Start > Control Panel > Programs and Features and remove the following if present:

Google Chrome

Please let me know how this goes.

For ESET, the Blue button is the one requested, as we're doing an online scan.
The green button is for a free trial ~ you have an Antivirus installed ~ so you do not need that.

Let me know how you get on :)

Thank you :)



#25 djrk16 (Member, Topic Starter, 32 posts)

Hello 23red,

Google Chrome is now properly uninstalled. I must have made an error when I thought I uninstalled it.

I still get the error "An addon for this website has failed to run." whenever I try to run the scan. I have used this scanner before, if that makes any difference.

"Click the green ESET Online Scanner box"

Also, I mentioned the color of the button because the instructions stated that I should click a green button; I was just making sure.

Thank you for your patience.



#26 23red (Trusted Helper, Malware Removal, 1,797 posts)

Hello again :)

Ok, Chrome's taken care of :)

As for ESET, not a problem ~ we'll switch to another online scanner. ;)

Panda Cloud Cleaner

Download Panda Cloud Cleaner and save it to your desktop.

Alternate download sites are here and here.

  • Double-click on PandaCloudCleaner.exe. When the Setup - Panda Cloud Cleaner window has loaded, choose Next and then Next.
  • Ensure Launch Panda Cloud Cleaner is selected. Click Finish. Once the window appears, click on Accept and Scan.
  • Please be patient, as the scan may take some time to complete depending on your system's specifications.
  • Once the scan has completed, if Scan finished with detections is denoted in the window, do not take any action and/or have Panda Cloud Cleaner clean anything!
  • Now within the window click on the (or any of them if multiple) tab, then on View Report; a Notepad file should now open called PCloudCleaner.txt.
  • Save this to your desktop and post the contents in your next reply.
  • Then click on Back, then Exit.

Note: When we're all done here, feel free to uninstall Panda Cloud Cleaner if you so wish.

When you return please post:

PCloudCleaner.txt Log

Thank you :)

#27 djrk16 (Member, Topic Starter, 32 posts)

Hello,

The scan worked just fine.

I feel that I should mention that when I rebooted my computer earlier, CHKDSK ran a scan before my computer could boot up. I wrote down what most of the scan did if you would need that information.

Here is the requested scan log:

Unknown. FILE: C:\PROGRAM FILES (X86)\QUICKTIME\QTTASK.EXE to be deleted.

Unknown. REGKEY: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[QuickTime Task]. Value: QuickTime Task To be deleted.

Unknown. REGKEY: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run[QuickTime Task]. Value: QuickTime Task To be deleted.

Unknown. REGKEY: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run[QuickTime Task]. Value: QuickTime Task To be deleted.

Unknown. FILE: C:\WINDOWS\SYSTEM32\HPZIPM12.DLL to be deleted.

Unknown. REGKEY: HKLM\SYSTEM\CurrentControlSet\Services\Pml Driver HPZ12. Key to be deleted.

Unknown. FILE: C:\WINDOWS\SYSTEM32\HPZINW12.DLL to be deleted.

Unknown. REGKEY: HKLM\SYSTEM\CurrentControlSet\Services\Net Driver HPZ12. Key to be deleted.

Malware. REGKEY: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLEREGISTRYTOOLS]. Value: DISABLEREGISTRYTOOLS To be deleted.

Malware. REGKEY: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLETASKMGR]. Value: DISABLETASKMGR To be deleted.

Malware. REGKEY: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLECMD]. Value: DISABLECMD To be deleted.

Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLEREGISTRYTOOLS]. Value: DISABLEREGISTRYTOOLS To be deleted.

Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLETASKMGR]. Value: DISABLETASKMGR To be deleted.

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[SHOWSUPERHIDDEN] to be changed to: 0

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[SHOWSUPERHIDDEN] to be changed to: 0

Suspicious Policy. POLICY: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[ENABLELUA] to be changed to: 1

Suspicious Policy. POLICY: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[ENABLELUA] to be changed to: 1

Suspicious Policy. POLICY: HKLM\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND to be changed to: regedit.exe "%1"

Suspicious Policy. POLICY: HKLM\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND to be changed to: regedit.exe "%1"



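The Panda Cloud Cleaner log in the post above shows the malware had set the policy values that lock out regedit, Task Manager and cmd.exe and had switched off UAC (EnableLUA), which Security Check later confirms with "UAC is disabled!". The PowerShell script below is an added example for re-checking exactly those values after cleanup; it is not from the thread, from Panda or from FRST, and it only reads the registry. The expected states follow what the log said each entry would be changed to; run it from an elevated prompt, and note that the HKCU entries are read for whichever account runs it.

```powershell
# Added example (not from the thread, Panda Cloud Cleaner or FRST): read-only audit
# of the policy values listed in the Panda log. "Expected" is the state the log
# said each entry would be changed to; $null means the value should not exist
# at all on a healthy system (the Disable* lockouts are only ever set by policy
# or by malware). Nothing is written to the registry.

$policySystem = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$checks = @(
    @{ Path = "HKLM:\$policySystem"; Name = 'DisableRegistryTools'; Expected = $null }
    @{ Path = "HKLM:\$policySystem"; Name = 'DisableTaskMgr';       Expected = $null }
    @{ Path = "HKLM:\$policySystem"; Name = 'DisableCMD';           Expected = $null }
    @{ Path = "HKLM:\$policySystem"; Name = 'EnableLUA';            Expected = 1 }      # UAC on
    @{ Path = "HKCU:\$policySystem"; Name = 'DisableRegistryTools'; Expected = $null }
    @{ Path = "HKCU:\$policySystem"; Name = 'DisableTaskMgr';       Expected = $null }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'ShowSuperHidden'; Expected = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'
       Name = '(default)'; Expected = 'regedit.exe "%1"' }   # .reg files open in regedit
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the named value is absent,
    # so the caller can tell "absent" apart from "present but zero".
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PolicyValue {
    param($Expected, $Actual)
    # A lockout value (Expected = $null) is a tamper indicator whenever it is
    # present and non-zero; every other value must match the expected state.
    if ($null -eq $Expected) {
        if ($null -eq $Actual -or $Actual -eq 0) { return 'OK' }
        return 'TAMPERED'
    }
    if ($null -eq $Actual) { return 'MISSING' }        # Windows default applies
    if ("$Actual" -eq "$Expected") { return 'OK' }
    return 'TAMPERED'
}

$results = foreach ($c in $checks) {
    $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Status   = Test-PolicyValue -Expected $c.Expected -Actual $actual
        Name     = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        Path     = $c.Path
    }
}

$results | Format-Table -Property Status, Name, Actual, Expected, Path -AutoSize

$tampered = @($results | Where-Object { $_.Status -eq 'TAMPERED' })
if ($tampered.Count -gt 0) {
    Write-Warning ("{0} policy value(s) are not in the expected state; compare them with the Panda Cloud Cleaner log before changing anything." -f $tampered.Count)
}
```

A TAMPERED row after cleanup means the lockout or UAC change came back, which points at a persistence mechanism the scans did not remove; a MISSING row only means Windows is using its built-in default for that setting.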
#28 23red (Trusted Helper, Malware Removal, 1,797 posts)

Hi djrk16 :)

Great! Thank you for the information :)

Ok, last two scans here; if all goes well with these, I'll start cleaning up the mess I've made of your Desktop. How is the computer running?

You have Malwarebytes installed; please right click to run as Administrator and let it check for updates.

  • If an update is found, it will download and install the latest updates automatically.
  • Now select the Settings tab, and check the box next to Scan for rootkits.
  • Go back to the Dashboard tab, and click the Scan Now button.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, it will show you the results.
  • Make sure that everything is checked, and click Quarantine All (or similar).
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note below.) If the log doesn't open, select View detailed log in the Scan tab.
  • The log is automatically saved by MBAM and can be viewed by going to the History tab and clicking on Application Logs.
  • Choose the latest Scan Log, and click on the View button.
  • In the bottom of the Scanning History Log window that opens, you can click on Export > Save to Text file (*.txt). Save the report to your Desktop.
  • Copy & Paste the entire contents of the report log in your next reply.

Let's check for Security issues:

Step 3
SecurityCheck by Screen317:

Please also download Security Check by screen317.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please also post the contents of that document.

NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! Try rebooting the system and then run SecurityCheck again.

Step 4
Post!

When you return, please post:

1.  Malwarebytes log
2.  Checkup.txt
3.  Please let me know how the computer is running.

Thank you :)



#29 djrk16 (Member, Topic Starter, 32 posts)

Hello 23red,

My system has been continuing to run without problem. Thanks again for all the help :D

Here is the requested Malwarebytes log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/10/2015
Scan Time: 12:02:12 PM
Logfile: mwblog.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.10.14
Rootkit Database: v2015.01.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: David

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 358865
Time Elapsed: 30 min, 15 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)



#30 djrk16 (Member, Topic Starter, 32 posts)

Here is the requested checkup.txt:

 Results of screen317's Security Check version 0.99.93 
 Windows 7 Service Pack 1 x64 (UAC is disabled!) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Webroot SecureAnywhere  
 Antivirus up to date!  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Panda Cloud Cleaner  
 Java 7 Update 60 
 Java version 32-bit out of Date!
  Adobe Flash Player 15.0.0.246 Flash Player out of Date! 
 Adobe Reader XI 
 Mozilla Firefox 15.0 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

