Rootkit result (hopefully posted correctly)



PeterArk07
2014-03-26, 18:15
To whom it may concern

I cannot install ERUNT because I'm using Windows 7. I've had a rootkit result that's marked as malware for over three months, with a few name variations which I have forgotten; Spybot is unable to remove it, even on startup.
I'll post the name of it below, including my dds.txt, and attach the attach.txt. I hope I've done everything correctly.


(Suspect malware)
HKLM\SYSTEM\Controlset002\Session Manager\


(DDS.txt)
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521 BrowserJavaVersion: 10.51.2
Run by admin at 4:01:39 on 2014-03-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.16343.11965 [GMT 11:00]
.
AV: Bitdefender Antivirus *Enabled/Updated* {9A0813D8-CED6-F86B-072E-28D2AF25A83D}
SP: Bitdefender Antispyware *Enabled/Updated* {2169F23C-E8EC-F7E5-3D9E-13A0D4A2E280}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: Bitdefender Firewall *Enabled* {A23392FD-84B9-F933-2C71-81E751F6EF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Bitdefender\Bitdefender\vsserv.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler64.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Bitdefender\Bitdefender\bdagent.exe
C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe
C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDRootAlyzer.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uProxyServer = localhost:8080
mWinlogon: Userinit = userinit.exe,
BHO: Bitdefender Wallet: {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender\Antispam32\pmbxie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Bitdefender Wallet Agent] "C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe"
uRun: [Bitdefender Wallet Application Agent] "C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe"
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
dRun: [Bitdefender Wallet Agent] "C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe"
dRun: [Bitdefender Wallet] "C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe" --hidden --nowizard
dRun: [Bitdefender Wallet Application Agent] "C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.2.10
TCP: Interfaces\{74B4C437-3D77-499C-B0D5-61027B060036} : DHCPNameServer = 192.168.2.10
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = about:blank
x64-BHO: Bitdefender Wallet : {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender\pmbxie.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-Run: [Bdagent] "C:\Program Files\Bitdefender\Bitdefender\bdagent.exe"
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\97a7peot.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.sbs.com.au/news/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\2.3.1\npbattlelog.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\2.3.2\npbattlelog.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_70.dll
.
============= SERVICES / DRIVERS ===============
.
R0 avc3;avc3;C:\Windows\System32\drivers\avc3.sys [2014-3-17 893440]
R0 gzflt;gzflt;C:\Windows\System32\drivers\gzflt.sys [2014-3-17 150256]
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-8-25 19264]
R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfndisf6.sys [2014-3-17 93600]
R1 bdfwfpf;bdfwfpf;C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [2014-3-17 103504]
R1 BDVEDISK;BDVEDISK;C:\Windows\System32\drivers\bdvedisk.sys [2014-3-17 76944]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-12-7 239616]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2013-8-25 166720]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-3-27 1809720]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-3-27 857912]
R2 SafeBox;SafeBox;C:\Program Files\Bitdefender\Bitdefender Safebox\safeboxservice.exe [2014-3-17 94624]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2014-3-26 3921880]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2014-3-26 1042272]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2014-3-26 171416]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-8-25 365376]
R2 UPDATESRV;Bitdefender Desktop Update Service;C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe [2014-3-17 67320]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-9-25 94208]
R3 avchv;avchv Function Driver;C:\Windows\System32\drivers\avchv.sys [2013-8-26 261056]
R3 avckf;avckf;C:\Windows\System32\drivers\avckf.sys [2014-3-17 635392]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-8-25 357184]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-8-25 789824]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-3-27 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-3-27 119512]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-3-27 63192]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-8-25 646248]
R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 bdfwfpf_pc;bdfwfpf_pc;C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf_pc.sys [2014-3-17 121928]
S3 BDSandBox;BDSandBox;C:\Windows\System32\drivers\bdsandbox.sys [2014-3-17 82824]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-13 111616]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-3-14 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-3-14 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-3-14 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-8-26 1255736]
S4 BdDesktopParental;Bitdefender Desktop Parental Control;C:\Program Files\Bitdefender\Bitdefender\bdparentalservice.exe [2014-3-17 77632]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
.
=============== Created Last 30 ================
.
2014-03-26 16:42:07 -------- d-----w- C:\Program Files\Registrar Registry Manager
2014-03-26 13:25:51 119512 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-03-26 13:25:35 88280 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-03-26 13:25:35 63192 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-03-26 13:25:35 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-03-26 13:25:35 -------- d-----w- C:\ProgramData\Malwarebytes
2014-03-26 13:25:35 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-03-25 19:44:44 21040 ----a-w- C:\Windows\System32\sdnclean64.exe
2014-03-22 11:51:54 214392 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2014-03-22 11:51:50 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2014-03-22 11:51:50 3894632 ----a-w- C:\Windows\SysWow64\pbsvc.exe
2014-03-17 08:36:39 597548 ----a-w- C:\ProgramData\1395045066.bdinstall.bin
2014-03-17 08:35:53 76944 ----a-w- C:\Windows\System32\drivers\bdvedisk.sys
2014-03-17 08:35:46 93600 ----a-w- C:\Windows\System32\drivers\BdfNdisf6.sys
2014-03-17 08:35:46 82824 ----a-w- C:\Windows\System32\drivers\bdsandbox.sys
2014-03-17 08:35:45 893440 ----a-w- C:\Windows\System32\drivers\avc3.sys
2014-03-17 08:35:45 635392 ----a-w- C:\Windows\System32\drivers\avckf.sys
2014-03-17 08:33:12 -------- d-----w- C:\Users\admin\AppData\Roaming\Bitdefender
2014-03-17 08:31:21 150256 ----a-w- C:\Windows\System32\drivers\gzflt.sys
2014-03-17 08:31:19 389240 ----a-w- C:\Windows\System32\drivers\trufos.sys
2014-03-17 08:31:19 -------- d-----w- C:\Program Files\Bitdefender
2014-03-17 08:26:01 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-03-17 08:25:58 10536864 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{028A8B2A-2042-4B0C-8E79-DEB5908E9980}\mpengine.dll
2014-03-17 08:25:02 62705 ----a-w- C:\ProgramData\1395044690.bdinstall.bin
2014-03-17 08:24:10 81792 ----a-w- C:\ProgramData\1395044418.2412.bin
2014-03-17 08:20:35 -------- d-----w- C:\ProgramData\Bitdefender
2014-03-17 08:20:33 991 ----a-w- C:\ProgramData\1395044418.3452.bin
2014-03-17 08:20:33 739 ----a-w- C:\ProgramData\1395044418.3436.bin
2014-03-17 08:20:33 3735 ----a-w- C:\ProgramData\1395044418.3424.bin
2014-03-17 08:20:33 3190 ----a-w- C:\ProgramData\1395044418.3432.bin
2014-03-17 08:20:33 17891 ----a-w- C:\ProgramData\1395044418.3428.bin
2014-03-17 08:20:33 1090 ----a-w- C:\ProgramData\1395044418.3440.bin
2014-03-17 08:20:33 10652 ----a-w- C:\ProgramData\1395044418.3448.bin
2014-03-17 08:20:24 7875 ----a-w- C:\ProgramData\1395044418.3356.bin
2014-03-17 08:20:24 30056 ----a-w- C:\ProgramData\1395044418.3360.bin
2014-03-17 08:20:18 115741 ----a-w- C:\ProgramData\1395044418.3308.bin
2014-03-17 08:18:00 -------- d-----w- C:\Program Files\Common Files\Bitdefender
2014-03-17 08:17:53 -------- d-----w- C:\Program Files (x86)\Common Files\Bitdefender
2014-03-15 11:56:34 -------- d-----w- C:\Program Files\iPod
2014-03-15 11:56:33 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-15 11:56:33 -------- d-----w- C:\Program Files\iTunes
2014-03-15 11:56:33 -------- d-----w- C:\Program Files (x86)\iTunes
2014-03-15 11:52:43 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2014-03-15 11:52:43 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2014-03-15 11:52:43 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2014-03-15 11:52:43 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2014-03-15 11:52:43 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2014-03-14 13:29:54 6574592 ----a-w- C:\Windows\System32\mstscax.dll
2014-03-14 13:29:54 5694464 ----a-w- C:\Windows\SysWow64\mstscax.dll
2014-03-14 07:21:26 1030144 ----a-w- C:\Windows\System32\TSWorkspace.dll
2014-03-14 07:21:25 792576 ----a-w- C:\Windows\SysWow64\TSWorkspace.dll
2014-03-14 07:21:06 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2014-03-14 07:21:06 366592 ----a-w- C:\Windows\System32\qdvd.dll
2014-03-13 09:23:02 -------- d-----w- C:\Program Files (x86)\Diablo III
2014-03-13 09:21:06 -------- d-----w- C:\Users\admin\AppData\Roaming\Battle.net
2014-03-13 09:21:06 -------- d-----w- C:\Users\admin\AppData\Local\Battle.net
2014-03-13 09:21:02 -------- d-----w- C:\Program Files (x86)\Battle.net
2014-03-12 17:41:57 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-03-12 17:41:56 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-03-12 17:41:31 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-03-12 17:41:31 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-03-12 13:04:41 571312 ----a-w- C:\Windows\SysWow64\Codejock.SkinFramework.Unicode.v13.0.0.ocx
2014-03-12 13:04:41 2262960 ----a-w- C:\Windows\SysWow64\Codejock.CommandBars.v13.0.0.ocx
2014-03-12 13:04:40 -------- d-----w- C:\Program Files (x86)\DolbyAxon
2014-03-10 07:49:34 -------- d-----w- C:\Users\admin\AppData\Local\Google
2014-03-06 11:40:56 -------- d-----w- C:\Users\admin\AppData\Local\ElevatedDiagnostics
2014-03-06 11:35:22 -------- d-----w- C:\Windows\SmartPack
2014-03-05 00:19:01 -------- d-----w- C:\Users\admin\AppData\Local\bdch
2014-03-01 16:22:57 -------- d-----w- C:\Users\admin\AppData\Local\DayZ
2014-02-27 01:48:07 -------- d-----w- C:\Windows\Migration
.
==================== Find3M ====================
.
2014-03-24 11:48:18 214392 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2014-03-01 05:17:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-03-01 03:00:08 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-27 14:35:06 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-27 14:35:06 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-03 04:27:18 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2014-02-03 02:20:54 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-17 05:24:12 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2014-01-17 05:24:12 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
.
============= FINISH: 4:01:57.12 ===============

Dakeyras
2014-03-26, 21:46
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.
Hi and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:


I will start working on your Malware issues; this may, or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Peer to Peer Advice:

I see µTorrent is installed. If you have used this recently, you can be fairly confident this is a principal reason your computer became infected.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, Vuze.
Criminals have "planted" thousands upon thousands of infections in the "free" shared files.
Virtually all of these recent infections will compromise your Security, and some can turn your machine into a useless "doorstop".

My friendly advice would be to uninstall the aforementioned. To be honest I have lost count of the number of machines I have dealt with over the years that became infected due to the use of P2P software...
However if you opt not to...please refrain from using it for the duration of the malware removal process, thank you.

PunkBuster Advice:

There are some issues with infections in relation to PunkBuster...

Your computer has gaming tools installed. Some of these, like PunkBuster, use spyware techniques to engage in the anti-piracy battle.
In the process, they take control of much of your PC, and they actually meet the definition of spyware/malware.
They are sometimes designed to prevent orderly removal or modification, and they have only limited respect for retaining the overall security and integrity of your machine.

My advice would be to download the removal tool from here (http://www.evenbalance.com/downloads/pbsvc/pbsvc.exe). Use this to uninstall PunkBuster Services. Then when I give the all clear use it again to reinstall PunkBuster Services if you so wish.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.


Please download the installer for Registry Backup from here (http://www.bleepingcomputer.com/download/registry-backup/) or here (http://www.tweaking.com/files/setups/tweaking.com_registry_backup_setup.exe) and save to your desktop.
Right-click on tweaking.com_registry_backup_setup.exe and select Run as Administrator >> Follow the prompts for a default installation
Ensure the option Open "Tweaking.com - Registry Backup" When Install Completes is selected >> Next > >> Finish
Once the GUI(graphical user interface) has appeared/loaded:-

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/TCRB-1.jpg


Click on Backup Now >> once the process is complete, something similar to the below will be displayed in the GUI:-

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/TBRB-2.jpg (http://s280.photobucket.com/user/Dakeyras_album2/media/TBRB-2.jpg.html)


Close Tweaking.com - Registry Backup

Note: There will now be a folder at the root of the Hard-Drive named C:\RegBackup, do not delete this as it is the actual backup just created.

A tutorial for Registry Backup explaining the various features can be viewed here (http://www.malwareremoval.com/forum/viewtopic.php?f=4&t=61325).

Scan with aswMBR:

Please download aswMBR.exe (http://files.avast.com/files/rootkit-scanner/aswmbr.exe) to your desktop.


Right-click on aswMBR.exe and select Run as Administrator to launch the application
When prompted with The application can use the Avast! Free Antivirus for scanning >> select Yes
The Avast! virus definitions database will automatically be downloaded. Be patient; this may take some time depending on the speed of your Internet connection.
Once it has downloaded >> ensure the option next to AV scan: >> QwickScan is selected only. It should be by default.
Now click on the Scan button to start the scan.
On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Click on Exit.

Note: There will also be a file on your desktop named MBR.dat (or similar); do not delete this for now, as it is an actual backup of the MBR (master boot record).

Next:

Let me know when you have completed the above. Also post the requested aswMBR log and we will then go from there, thank you.

PeterArk07
2014-03-27, 06:34
Hi Dakeyras

Thank you for taking the time to help me. I followed your instructions; I have PunkBuster uninstalled, as well as uTorrent. I would like to mention I'm very careful with my downloads and always scan completed downloads with Bitdefender, as well as using Spybot nightly with Malwarebytes. I just wanted to mention that in recent days I've been getting DDoS attacks, which I saved the logs of, as my internet company needed to have a reason to give me a new IP address, which I got yesterday. I thought I might mention this as it might help. Even after my new IP address I had strange firewall logs; I'll post two examples, a before and after look at my logs. I should note my internet was dropping out every 5 mins 4 days ago, but after technicians checked my line and all kinds of hassle things seem OK again. I post my Avast save log below as well.


(Before IP change)
03/26/2014 14:31:48 **UDP Loop** 91.188.117.154, 42780->> 139.218.250.98, 19 (from PPPoE1 Inbound)
03/26/2014 09:06:28 **UDP Loop** 91.188.117.154, 54180->> 139.218.250.98, 19 (from PPPoE1 Inbound)
03/26/2014 03:02:24 **TCP FIN Scan** 74.125.237.170, 443->> 192.168.2.12, 64354 (from PPPoE1 Inbound)
03/25/2014 20:11:43 **Ping of Death/Tear Drop** 74.125.109.72, 443->> 192.168.2.12, 58250 (from PPPoE1 Inbound)
03/25/2014 20:07:14 **Ping of Death/Tear Drop** 74.125.109.120, 443->> 192.168.2.12, 57977 (from PPPoE1 Inbound)
03/25/2014 19:32:14 **Ping of Death/Tear Drop** 74.125.109.120, 443->> 192.168.2.12, 56053 (from PPPoE1 Inbound)
03/25/2014 19:23:38 **Ping of Death/Tear Drop** 74.125.109.71, 443->> 192.168.2.12, 55655 (from PPPoE1 Inbound)
03/25/2014 17:19:44 **UDP Loop** 184.105.139.78, 41594->> 139.218.250.98, 19 (from PPPoE1 Inbound)


(After IP change)
03/27/2014 02:46:17 **TCP FIN Scan** 74.125.237.171, 443->> 192.168.2.12, 51930 (from PPPoE1 Inbound)
03/27/2014 00:03:05 **TCP FIN Scan** 122.148.3.201, 80->> 192.168.2.12, 57267 (from PPPoE1 Inbound)
03/26/2014 21:13:21 **Probable ASCEND Probe** 94.0.187.117, 45907->> 192.168.2.12, 17212 (from PPPoE1 Inbound)
03/26/2014 21:13:13 **Probable ASCEND Probe** 94.0.187.117, 45907->> 192.168.2.12, 17212 (from PPPoE1 Inbound)
03/26/2014 21:13:09 **Probable ASCEND Probe** 94.0.187.117, 45907->> 192.168.2.12, 17212 (from PPPoE1 Inbound)
03/26/2014 21:13:06 **Probable ASCEND Probe** 94.0.187.117, 45907->> 192.168.2.12, 17212 (from PPPoE1 Inbound)
03/26/2014 21:13:05 **Probable ASCEND Probe** 94.0.187.117, 45907->> 192.168.2.12, 17212 (from PPPoE1 Inbound)
03/26/2014 21:13:03 **Probable ASCEND Probe** 94.0.187.117, 45907->> 192.168.2.12, 17212 (from PPPoE1 Inbound)
03/26/2014 21:00:29 **Probable ASCEND Probe** 117.217.128.105, 52836->> 192.168.2.12, 17212 (from PPPoE1 Inbound)

(Avast save log)
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-03-27 16:09:32
-----------------------------
16:09:32.314 OS Version: Windows x64 6.1.7601 Service Pack 1
16:09:32.314 Number of processors: 8 586 0x3A09
16:09:32.315 ComputerName: ADMIN-PC UserName: admin
16:09:32.348 Initialze error 1
16:15:59.806 AVAST engine defs: 14032602
16:19:24.658 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:19:24.659 Disk 0 Vendor: ST2000DM001-1CH164 CC26 Size: 1907729MB BusType: 3
16:19:24.667 Disk 0 MBR read successfully
16:19:24.668 Disk 0 MBR scan
16:19:24.696 Disk 0 unknown MBR code
16:19:24.698 Disk 0 Partition 1 00 EE GPT 2097151 MB offset 1
16:19:24.701 Disk 0 scanning C:\Windows\system32\drivers
16:19:24.702 Service scanning
16:19:25.309 Modules scanning
16:19:25.311 Disk 0 trace - called modules:
16:19:25.314 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800d0de2c0]<<sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
16:19:25.316 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800d85e790]
16:19:25.318 3 CLASSPNP.SYS[fffff880015d043f] -> nt!IofCallDriver -> [0xfffffa800d5ef580]
16:19:25.320 5 ACPI.sys[fffff880013867a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800d5f1060]
16:19:25.326 \Driver\atapi[0xfffffa800d5de400] -> IRP_MJ_CREATE -> 0xfffffa800d0de2c0
16:19:25.329 AVAST engine scan C:\Windows
16:19:25.332 AVAST engine scan C:\Windows\system32
16:19:25.334 AVAST engine scan C:\Windows\system32\drivers
16:19:25.337 AVAST engine scan C:\Users\admin
16:19:25.340 AVAST engine scan C:\ProgramData
16:19:25.342 Scan finished successfully
16:19:52.278 Disk 0 MBR has been saved successfully to "C:\Users\admin\Desktop\MBR.dat"
16:19:52.308 The log file has been saved successfully to "C:\Users\admin\Desktop\aswMBR.txt"
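A small triage script for router entries in the layout quoted above, added here as an example; it is not part of the original thread and not a feature of any tool the thread mentions. It assumes the fixed `date time **Event** src, sport->> dst, dport (from iface direction)` format seen in the post; the sample lines below are constructed copies of that format, with one malformed line included to show it being skipped. Besides counting events per source address and measuring how tightly they cluster in time, it applies one analyst heuristic: an entry whose source port is 80 or 443 and whose destination port is in the Windows dynamic client range (49152 and up) is consistent with the return half of a web connection the PC itself opened, which is a frequent reason consumer router IDS features log a "FIN scan" or "Ping of Death" from an ordinary web server. Labelling those separately lets the unsolicited entries, such as repeated probes from one source, stand out.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the router's log format (not the poster's full log).
SAMPLE_LOG = """\
03/26/2014 14:31:48 **UDP Loop** 91.188.117.154, 42780->> 139.218.250.98, 19 (from PPPoE1 Inbound)
03/26/2014 03:02:24 **TCP FIN Scan** 74.125.237.170, 443->> 192.168.2.12, 64354 (from PPPoE1 Inbound)
03/25/2014 20:11:43 **Ping of Death/Tear Drop** 74.125.109.72, 443->> 192.168.2.12, 58250 (from PPPoE1 Inbound)
03/26/2014 21:13:21 **Probable ASCEND Probe** 94.0.187.117, 45907->> 192.168.2.12, 17212 (from PPPoE1 Inbound)
03/26/2014 21:13:13 **Probable ASCEND Probe** 94.0.187.117, 45907->> 192.168.2.12, 17212 (from PPPoE1 Inbound)
03/26/2014 21:13:09 **Probable ASCEND Probe** 94.0.187.117, 45907->> 192.168.2.12, 17212 (from PPPoE1 Inbound)
this line is malformed and must be skipped, not crash the parser
"""

# One regex for the whole line; named groups keep the record construction readable.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"\*\*(?P<event>[^*]+)\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+) "
    r"\(from (?P<iface>\S+) (?P<direction>\S+)\)$"
)

WEB_PORTS = {80, 443}
EPHEMERAL_MIN = 49152  # start of the Windows Vista+ dynamic client port range


def parse_line(line):
    """Return a dict for one log entry, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S"),
        "event": d["event"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "iface": d["iface"], "direction": d["direction"],
    }


def classify(rec):
    """Heuristic: remote web port -> local ephemeral port looks like return traffic
    of a connection this host opened; anything else is treated as unsolicited."""
    if rec["sport"] in WEB_PORTS and rec["dport"] >= EPHEMERAL_MIN:
        return "likely-return-traffic"
    return "unsolicited"


def triage(text):
    """Parse a log dump and summarise it by class and by source address."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed lines are counted, never fatal
            continue
        rec["class"] = classify(rec)
        events.append(rec)

    grouped = defaultdict(list)
    for rec in events:
        grouped[rec["src"]].append(rec)

    by_source = {}
    for src, recs in grouped.items():
        times = sorted(r["ts"] for r in recs)
        by_source[src] = {
            "count": len(recs),
            "events": Counter(r["event"] for r in recs),
            "classes": Counter(r["class"] for r in recs),
            # seconds between first and last entry: small span + many entries = a burst
            "span_s": (times[-1] - times[0]).total_seconds(),
        }
    return {
        "parsed": len(events),
        "skipped": skipped,
        "by_class": Counter(r["class"] for r in events),
        "by_source": by_source,
    }


def report(summary):
    """Render the summary as plain text, busiest source first."""
    lines = [f"parsed {summary['parsed']} entries, skipped {summary['skipped']} malformed"]
    for cls, n in sorted(summary["by_class"].items()):
        lines.append(f"  {cls}: {n}")
    ordered = sorted(summary["by_source"].items(), key=lambda kv: -kv[1]["count"])
    for src, info in ordered:
        ev = ", ".join(f"{e} x{n}" for e, n in info["events"].items())
        cls = "/".join(sorted(info["classes"]))
        lines.append(f"{src}: {info['count']} entries over {info['span_s']:.0f}s ({ev}) [{cls}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the real export, the per-source `span_s` is the value to look at first: a handful of identical "probe" entries from one address within seconds is a single automated sweep, not a campaign, while a source that keeps reappearing across days is the one worth blocking at the router or reporting.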

Dakeyras
2014-03-27, 09:16
Hi. :)


Thank you for taking the time to help me
You're welcome!


I just wanted to mention that in recent days I've been getting DDoS attacks
Is the below from the Bitdefender Firewall log or your Router's?

The DDoS does not appear to have been a sustained one and in fact uses quite old protocols to do so. It may be due to a wannabe hacker and/or script kiddie with limited knowledge, though, saying that, it is still something that would understandably cause concern. One other possible root cause is that after you used P2P to download something in the past your machine came to the notice of the download source. So uninstalling uTorrent was a prudent move on your behalf.

Another feasible scenario is since you appear to be a gamer, some individuals do take such quite seriously and will attempt to disrupt your ability to play online.

Anyway, if not done so already it would probably be a good idea to check your router's security logs (if the information you posted is actually from the Bitdefender Firewall), then to err on the side of caution reset your router and apply a new admin password. Then ensure the NAT (network address translation) feature (basically a hardware firewall) is enabled and check for any firmware updates. If unsure how to perform the aforementioned, merely let myself know the exact make and model of router in use and I in turn will provide the appropriate instructions etc.


a new ip address which i got yesterday
Do you know if this was a static or dynamic one? The latter is better from a security point of view, but not all ISPs actually provide such, unfortunately.

Next:

Your machine appears to have an unknown MBR rather than the standard Windows 7 version. So, since it appears no recovery type drives/partitions are present, I would like to check this out too, to err on the side of caution.

So please send the MBR.dat to a zip file and then in turn attach that in your next reply so I can download it and analyse it etc.

Going back to this you mentioned prior:-


I had a root kit result that's marked as serious for over three months with a few name variations which i have forgotten spybot is unable to remove it even on start up.
Check for updates, then run a scan with Spybot' and post the log in your next reply so I can review exactly what is being flagged as malicious.

Scan with OTL:

Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) and save it to your Desktop.

Alternate downloads are here (http://oldtimer.geekstogo.com/OTL.com) and here (http://oldtimer.geekstogo.com/OTL.scr).


Right-click on OTL.exe and select Run as Administrator to start OTL.
Ensure Include 64bit Scans is selected.
Under Output, ensure that Standard Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Under the Custom Scan/Fixes box cut & paste this in:-

netsvcs
baseservices
%systemdrive%\*.exe
C:\program files (x86)\Google\Desktop
C:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
CreateRestorePoint


Now click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
Please post the contents of these two Notepad files in your next reply.

PeterArk07
2014-03-27, 13:48
The first OTL scan crashed. I saw cmd open and assumed I needed to press enter; however, after 40 secs or so the program worked again. How do I create a mbr.dat file? I tried Google and saw things I'm wary to try.
I've heard of script kiddies before; hopefully it stops. If I'm getting DDOS attacks it would be from gaming, as I play quite a few.
I'll post the Spybot logs then the OTL logs. It seems that malware file has doubled or has new information concerning this issue; this is done via a rootkit scan.
As for those logs, they come from my router. I've placed Bitdefender on paranoid mode so everything that runs needs permission, and added those IP addresses to Bitdefender's blocklist.
I was wondering, if I get Spybot's paid home edition to get an extra firewall, will it conflict with my Bitdefender firewall and Malwarebytes program?

11369 spybot normal scan
11370


OTL - This was too big to upload in one file so I made it four files, the last requiring to be saved as Unicode and needing to be posted in a second section; it says I can only upload 5 files per post.

11371
11372
11373


Extra.txt will be in post beneath

PeterArk07
2014-03-27, 13:50
The first OTL scan crashed. I saw cmd open and assumed I needed to press enter; however, after 40 secs or so the program worked again. How do I create a mbr.dat file? I tried Google and saw things I'm wary to try.
I've heard of script kiddies before; hopefully it stops. If I'm getting DDOS attacks it would be from gaming, as I play quite a few.
I'll post the Spybot logs then the OTL logs. It seems that malware file has doubled or has new information concerning this issue; this is done via a rootkit scan.
As for those logs, they come from my router. I've placed Bitdefender on paranoid mode so everything that runs needs permission, and added those IP addresses to Bitdefender's blocklist.
I was wondering, if I get Spybot's paid home edition to get an extra firewall, will it conflict with my Bitdefender firewall and Malwarebytes program?

11369 spybot normal scan
11370 Rootkit


OTL - This was too big to upload in one file so I made it four files, the last requiring to be saved as Unicode and needing to be posted in a second section; it says I can only upload 5 files per post.

11371 1of4
11372 2of4
11373 3of4


Extra.txt will be in post beneath

PeterArk07
2014-03-27, 14:03
As you can see I accidentally posted part 1 twice, my apologies. The second repeat of part 1 is the one I wanted to post.
I tried posting these as they are but there is a restriction on the size of the document plus the 48kb upload restriction.



OTL
11374 4of4

Extra.txt was also too big to upload; I've had to make it three files.

11375
11376
11377

Dakeyras
2014-03-27, 19:07
Hi. :)

Regarding the RootAlyzer and Spybot results, nothing particularly major there. Mostly just some tracking cookies and benign alternate data streams to name a few examples.

We can address some of the aforementioned in due course.


How do i create a mbr.dat file? I tried Google and saw things im weary to try.
A copy was actually saved to the desktop of your machine after you scanned with aswMBR. It can be located here:-

C:\Users\admin\Desktop\MBR.dat <-- Right-click on the file and select Send To > >> Compressed (zipped) folder

Post the zip file created as an attachment in your next reply please.


I was wondering if i get spybot's paid home edition to get a extra firewall will it conflict with my bitdefender firewall and malwarebytes prgoram?
No, that will merely end up causing a system conflict and actually lessen overall online security. So best to leave Spybot' as an on-demand scanner only rather than upgrading it.

With regard to the requested OTL logs, not a problem and I managed to review all successfully...

For future reference if any logs I request are too large for posting merely send them to a zip file and or inform myself and we can then work something out OK. :bigthumb:

Uninstall Software:

Click on Start(Windows 7 Orb) >> Control Panel >> Uninstall a program or Programs and Features and remove the following (if present):

Registrar Registry Manager <-- Such software actually makes no improvement and has the capacity to render a machine little more than an expensive doorstop!

To do so click once on the above to highlight, then click on Uninstall/Change and follow the prompts.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Windows Sidebar Advice:

It is no longer prudent to have this feature enabled as outlined in the below Microsoft article:-

Vulnerabilities in Gadgets could allow remote code execution (http://support.microsoft.com/kb/2719662)

I advise you download and run the Disable Windows Sidebar and Gadgets Fixit (http://download.microsoft.com/download/E/2/3/E23783A8-6602-48C9-81A7-3B512F6E938B/MicrosoftFixit50906.msi) utility to rectify this.

Note: Ensure you reboot your machine when prompted.

Proxy Query:

Do you recognise the below/highlighted ProxyServer setting and/or did you set this yourself?

IE - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:8080 <-- This specifically.

Next:

Let myself know when completed the above...

Post/attach the requested MBR.dat as a zip file and the answer to my proxy query. We will then go from there, thank you.

PeterArk07
2014-03-28, 11:42
11380

Hi again

So this is not malware?
RegyValue:"Zero char in value name","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\","sk(0)rdisk(0)partition(3)<0x00><0x00><0x00><0x00><0x00><0x00>¢￿歶耀<0x00><0x00>2祔数6<0x00><0x00>˙<0x00><0x00><0x00>慄慴"
RegyValue:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\","sk(0)rdisk(0)partition(3)<0x00><0x00><0x00><0x00><0x00><0x00>¢￿歶耀<0x00><0x00>2祔数6<0x00><0x00>˙<0x00><0x00><0x00>慄慴"

The only partition im aware of is one made by bitdefender also will this thread be deleted once we are finished? I feel vulnerable with all this information about my pc online. As for the proxy i never made one how do i get rid of it?

PeterArk07
2014-03-28, 11:59
Im having trouble finding the exe file for microsoft fix it i did restart my pc

Dakeyras
2014-03-28, 13:11
Hi. :)


So this is not malware?
That will be addressed/researched further in due course.


will this thread be deleted once we are finished? I feel vulnerable with all this information about my pc online.
It will eventually be moved to the Archives area of the forum and there is no personal information denoted in any logs so far and or the future that are a cause for concern.


As for the proxy i never made one how do i get rid of it?
Acknowledged, the below custom OTL script will take care of that.


Im having trouble finding the exe file for microsoft fix it i did restart my pc
I take it you did download it and then run it etc ?

You attached a copy of the log created by aswMBR, not the actual requested MBR.dat. So please check your desktop for a file named:- MBR.dat

If you cannot locate it not to worry and merely inform myself in your next reply please.

Custom OTL Script:


Right-click OTL.exe and select Run as Administrator to start the program.
Copy the lines from the quote-box(do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


:Commands
[CreateRestorePoint]

:OTL
IE - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:8080
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
O3 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O33 - MountPoints2\{a034fbb6-1b71-11e3-84fb-902b34d84bf0}\Shell\AutoRun\command - "" = I:\setup.exe
[2014/03/27 03:42:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registrar Registry Manager
[2014/03/27 03:42:07 | 000,000,000 | ---D | C] -- C:\Program Files\Registrar Registry Manager
[2014/03/06 22:35:27 | 000,000,000 | ---D | C] -- C:\Users\admin\Documents\SmartPack
[2014/03/06 22:35:22 | 000,000,000 | ---D | C] -- C:\Windows\SmartPack
[2014/03/27 03:42:07 | 000,000,902 | ---- | M] () -- C:\Users\admin\Desktop\Registrar Registry Manager.lnk
[2014/03/24 22:48:18 | 000,214,392 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
[2014/03/22 22:51:50 | 003,894,632 | ---- | C] () -- C:\Windows\SysWow64\pbsvc.exe

:Files
ipconfig /flushdns /c
netsh advfirewall reset /c
netsh advfirewall set allprofiles state off /c

:Reg
[HKEY_USERS\S-1-5-21-3363456023-2054032563-2103478203-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"=-
[HKEY_USERS\S-1-5-21-3363456023-2054032563-2103478203-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=-

:Commands
[EmptyTemp]

Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
Then click the red Run Fix button.
Let the program run unhindered.
If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The log file can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Scan with RogueKiller:

Please download RogueKiller (http://www.bleepingcomputer.com/download/roguekiller/) to your desktop

Alternate downloads are here (http://www.geekstogo.com/forum/files/file/413-roguekiller/) or here (http://www.sur-la-toile.com/RogueKiller).


Quit all running programs.
Right-click on RogueKiller.exe and select Run as Administrator to start the application.
Let the pre-scan complete, then click on Accept option when the disclaimer window appears.
Note: If a browser window is launched/opened, merely close it.

Now click on the Scan tab back in the RogueKiller main window.
The RKreport.txt shall be generated next to the executable along with a zip file named RK_Quarantine.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.com
Please post the contents of the RKreport.txt in your next reply.

Next:

When you have completed the above, please post back the following in the order asked for:


How is your computer performing now, any further symptoms and/or problems encountered?
Were you able to locate the MBR.dat file on the desktop? Plus the answer to my MS Fixit query.
OTL Log from the Custom Script.
RogueKiller Log.

PeterArk07
2014-04-01, 12:38
Hi again

I apologize for the late reply; the computer seems to be running fine. I re-downloaded Microsoft Fix it and ran the program. I closed the program down when it asked for a restart because at this time I'm writing this response, but I remember reading something along the lines of "it's been processed". I assumed I had to install it then run it again, but it seems it's done whatever it does. I could not find the mbr.dat file; if I may have deleted it accidentally I apologize.

11387 OTL custom scan

11388 rogue killer scan

Dakeyras
2014-04-02, 11:40
Hi. :)


I apologize for the late reply
Not a problem.


the computer seems to be running fine
Good.


I could not find the mbr.dat file if i may have deleted it accidentally i apologize.
Fair play.

Re-scan with aswMBR:

Delete both aswMBR.exe and aswMBR.txt if still present, then empty the Recycle Bin.

Please re-download aswMBR.exe (http://files.avast.com/files/rootkit-scanner/aswmbr.exe) to your desktop.


Right-click on aswMBR.exe and select Run as Administrator to launch the application.
When prompted with The application can use the Avast! Free Antivirus for scanning >> select Yes
The Avast! virus definitions database will automatically be downloaded. Be patient, this may take some time depending on the speed of your Internet connection.
Once it has downloaded >> ensure the option next to AV scan: >> QwickScan is selected only. It should be by default.
Now click on the Scan button to start the scan.
On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply.
Click on Exit

Note: There will also be a file on your desktop named MBR.dat (or similar); do not delete this for now, it is an actual backup of the MBR (master boot record).

Next:

Look for \MBR.dat on your desktop:-

C:\Users\admin\Desktop\MBR.dat <-- Right-click on the file and select Send To > >> Compressed (zipped) folder

Post the zip file created as an attachment in your next reply please, along with the new aswMBR log.
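As an added illustration of what a helper looks at once the MBR.dat backup has been received (both where it is first requested above and in the re-scan instructions just given), the following Python script is not part of this thread or of aswMBR. It parses a 512-byte MBR image: it checks the 0x55AA boot signature, decodes the four partition table entries, hashes the boot code (bytes 0 to 439) so it can be compared against the hash of a copy taken from a known-good Windows 7 disk, and flags partition table anomalies such as an overlapping entry or a missing active partition. The two images it inspects are constructed inside the script; their partition layout, disk signature and the helper names are assumptions for demonstration, not values from this machine.

```python
# Added example: inspect an MBR image such as the MBR.dat backup aswMBR writes.
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0..439: boot loader code (what a bootkit patches)
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Partition type bytes, a subset used for labelling only
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
                   0x27: "hidden NTFS (Windows recovery)", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:  # exclusive end sector
        return self.lba_start + self.sector_count

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, "unknown 0x%02x" % self.type_id)


def parse_mbr(data: bytes) -> Dict:
    """Parse the first 512 bytes of a disk, e.g. open('MBR.dat', 'rb').read()."""
    if len(data) < MBR_SIZE:
        raise ValueError("MBR image too short: %d bytes" % len(data))
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions: List[Partition] = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", data, PART_TABLE_OFFSET + i * 16)
        if ptype == 0 and count == 0:
            continue  # unused slot
        partitions.append(Partition(i, status == 0x80, ptype, lba, count))
    return {
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFFSET)[0],
        # Compare with the hash of a known-good boot sector to spot patched boot code
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def review(mbr: Dict) -> List[str]:
    """Return findings about the partition table; an empty list means nothing odd."""
    findings: List[str] = []
    parts: List[Partition] = mbr["partitions"]
    active = [p for p in parts if p.bootable]
    if not parts:
        findings.append("partition table is empty")
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in parts:
        if p.sector_count == 0:
            findings.append("partition %d has type %s but zero length" % (p.index, p.type_name))
        if p.lba_start == 0:
            findings.append("partition %d starts at LBA 0, inside the MBR itself" % p.index)
    by_start = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(by_start, by_start[1:]):
        if a.lba_end > b.lba_start:
            findings.append("partitions %d and %d overlap" % (a.index, b.index))
    return findings


def build_sample_mbr(entries, boot_code: bytes = b"\xfa\x33\xc0") -> bytes:
    """Construct a synthetic MBR for demonstration (assumed layout, not a real disk)."""
    img = bytearray(MBR_SIZE)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, DISK_SIG_OFFSET, 0x1234ABCD)  # constructed signature
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", img, PART_TABLE_OFFSET + i * 16,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    img[510:512] = BOOT_SIGNATURE
    return bytes(img)


# Constructed layout resembling a Windows 7 disk: 100 MB System Reserved + OS partition
SAMPLE_GOOD = build_sample_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 488000000)])
# Constructed tampered table: no active partition, second entry starts inside the first
SAMPLE_BAD = build_sample_mbr([(False, 0x07, 2048, 204800), (False, 0x07, 100000, 488000000)])

if __name__ == "__main__":
    for label, img in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        info = parse_mbr(img)
        print("%s: disk signature 0x%08x, boot code sha256 %s..." % (
            label, info["disk_signature"], info["boot_code_sha256"][:16]))
        for p in info["partitions"]:
            print("  #%d active=%s type=%s start=%d sectors=%d" % (
                p.index, p.bootable, p.type_name, p.lba_start, p.sector_count))
        for f in review(info) or ["no findings"]:
            print("  -", f)
```

The boot code hash on its own says nothing; it only becomes useful next to the hash of the same 440 bytes from a clean disk of the same Windows version, which is why a helper asks for the file rather than a description of it. The partition table checks catch the crude cases (a table with no active entry or entries that overlap); a bootkit that keeps the table intact and only patches the loader code shows up solely through the hash comparison.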

Dakeyras
2014-04-05, 17:59
Due to the lack of feedback this Topic is closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of DDS logs and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.