One or more of the identified infections is a rootkit.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the rootkit has been identified and can be killed, because of how it exploits your system, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this rootkit, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can attempt to clean this machine but I can’t guarantee that it will be 100% secure afterwards.
Step #1: Fix with FRST
Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
- Open Notepad.exe. Do not use any other text editor software.
- Copy and paste the contents inside the code-box to your Notepad:
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKU\S-1-5-21-1931180291-2634211220-2304859528-500\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Administrator\AppData\Roaming\sxxepxn\scfcifb\wow.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-1931180291-2634211220-2304859528-500\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
AppInit_DLLs: c:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL => c:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL File Not Found
AppInit_DLLs-x32: c:\progra~2\optimi~1\optpro~1.dll => "c:\progra~2\optimi~1\optpro~1.dll" File Not Found
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1931180291-2634211220-2304859528-500\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://search.conduit.com/?ctid=CT3324316&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SPFF3DD6CA-13F8-4B8E-B933-38F2A06E05FC&SSPV=
FF DefaultSearchEngine: Trovi search
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: Trovi search
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
2015-02-03 14:59 - 2015-02-03 14:59 - 00000000 ____D () C:\Program Files (x86)\PriicEoDownlooadder
2015-01-27 11:33 - 2015-02-02 15:59 - 00008632 _____ () C:\Users\Administrator\Desktop\HELP_DECRYPT.HTML
2015-01-27 11:33 - 2015-02-02 15:59 - 00004256 _____ () C:\Users\Administrator\Desktop\HELP_DECRYPT.TXT
2015-01-27 11:33 - 2015-02-02 15:59 - 00000300 _____ () C:\Users\Administrator\Desktop\HELP_DECRYPT.URL
2015-01-27 11:33 - 2015-01-27 11:33 - 00008528 _____ () C:\Users\Administrator\HELP_DECRYPT.HTML
2015-01-27 11:33 - 2015-01-27 11:33 - 00004204 _____ () C:\Users\Administrator\HELP_DECRYPT.TXT
2015-01-27 11:33 - 2015-01-27 11:33 - 00000272 _____ () C:\Users\Administrator\HELP_DECRYPT.URL
2015-01-27 11:32 - 2015-01-27 11:32 - 00008528 _____ () C:\Users\Administrator\Downloads\HELP_DECRYPT.HTML
2015-01-27 11:32 - 2015-01-27 11:32 - 00008528 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.HTML
2015-01-27 11:32 - 2015-01-27 11:32 - 00008528 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-27 11:32 - 2015-01-27 11:32 - 00008528 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.HTML
2015-01-27 11:32 - 2015-01-27 11:32 - 00004204 _____ () C:\Users\Administrator\Downloads\HELP_DECRYPT.TXT
2015-01-27 11:32 - 2015-01-27 11:32 - 00004204 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.TXT
2015-01-27 11:32 - 2015-01-27 11:32 - 00004204 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-27 11:32 - 2015-01-27 11:32 - 00004204 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.TXT
2015-01-27 11:32 - 2015-01-27 11:32 - 00000272 _____ () C:\Users\Administrator\Downloads\HELP_DECRYPT.URL
2015-01-27 11:32 - 2015-01-27 11:32 - 00000272 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.URL
2015-01-27 11:32 - 2015-01-27 11:32 - 00000272 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.URL
2015-01-27 11:32 - 2015-01-27 11:32 - 00000272 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.URL
2015-01-27 11:31 - 2015-01-27 11:31 - 00008528 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.HTML
2015-01-27 11:31 - 2015-01-27 11:31 - 00004204 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.TXT
2015-01-27 11:31 - 2015-01-27 11:31 - 00000272 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.URL
2015-01-27 11:30 - 2015-01-27 11:30 - 00008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-27 11:30 - 2015-01-27 11:30 - 00004204 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-27 11:30 - 2015-01-27 11:30 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
CMD: bitsadmin /reset /allusers
End
- Click on File > Save as...
  - Inside the File Name box type fixlist.txt
  - From the Save as type drop-down list, choose All Files
  - Save the file to your Desktop.
- Re-run FRST.exe and click Fix.
- Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced.
- Attach the log in your next reply.
Required Log(s):
- FRST Fix Log
Regards,
Valinorum
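Added example, not part of Valinorum's post and not code from FRST: a small Python triage script that applies, mechanically, the checks a helper makes by eye when reading an FRST log. It recognises the shape of each entry the fixlist above removes (the Poweliks CLSID LocalServer32 value launching rundll32 with a javascript: URL, the ZeroAccess shell32 InprocServer32 hijack pointing into AppData, AppInit_DLLs injection, Group Policy/Chrome policy locks, the Conduit/Trovi search hijack, and the per-folder HELP_DECRYPT.* ransom notes), and it uses the creation timestamps FRST prints on the ransom notes to bracket when the encryption run happened. The sample log lines are copied from the fixlist; the regexes, the rule labels, the reinstall rule of thumb (taken from the post's advice on ZeroAccess/Poweliks) and my identification of HELP_DECRYPT.* as the CryptoWall 3.0 note names are my own assumptions, not the post's.

```python
"""Triage FRST log lines for the persistence entries the fix above targets.

Added example, not part of the original post or of FRST itself. The rules
encode the *shape* of each entry (hijacked CLSID server, injected DLL,
ransom note, policy lock, search provider) rather than this machine's exact
SIDs, CLSIDs and DLL names, so they also fire on other logs of the same
families. Family labels: ZeroAccess and Poweliks are the helper's; calling
the HELP_DECRYPT.* files CryptoWall 3.0 notes is my own identification.
"""
import re
from datetime import datetime

# Constructed sample: lines copied from the fixlist above, in FRST's own line
# formats (the Poweliks value is truncated exactly as FRST printed it).
SAMPLE_LOG = r"""
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKU\S-1-5-21-1931180291-2634211220-2304859528-500\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Administrator\AppData\Roaming\sxxepxn\scfcifb\wow.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-1931180291-2634211220-2304859528-500\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> <==== Poweliks!
AppInit_DLLs: c:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL => c:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL File Not Found
AppInit_DLLs-x32: c:\progra~2\optimi~1\optpro~1.dll => "c:\progra~2\optimi~1\optpro~1.dll" File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
FF DefaultSearchEngine: Trovi search
FF SelectedSearchEngine: Trovi search
2015-01-27 11:33 - 2015-02-02 15:59 - 00008632 _____ () C:\Users\Administrator\Desktop\HELP_DECRYPT.HTML
2015-01-27 11:32 - 2015-01-27 11:32 - 00008528 _____ () C:\Users\Administrator\Documents\HELP_DECRYPT.HTML
2015-01-27 11:31 - 2015-01-27 11:31 - 00004204 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.TXT
2015-01-27 11:30 - 2015-01-27 11:30 - 00008528 _____ () C:\ProgramData\HELP_DECRYPT.HTML
"""

# (label, pattern). The text before ':' in each label is the family/class name.
RULES = [
    ("Poweliks: CLSID LocalServer32 value runs rundll32 with a javascript: URL",
     re.compile(r"\\localserver32:\s*rundll32(\.exe)?\s+javascript:", re.I)),
    ("ZeroAccess: shell32 CLSID InprocServer32 redirected to a DLL under AppData",
     re.compile(r"\\InprocServer32:\s*\[Default-shell32\]\s+.*\\AppData\\", re.I)),
    ("AppInit_DLLs: DLL loaded into every process that loads user32.dll",
     re.compile(r"^AppInit_DLLs(-x32)?:\s*\S", re.I)),
    ("Ransom notes: HELP_DECRYPT.* dropped per folder (CryptoWall 3.0 note names)",
     re.compile(r"\\HELP_DECRYPT\.(HTML|TXT|URL)$", re.I)),
    ("Policy lock: software restriction or Chrome policy set through Group Policy",
     re.compile(r"Group Policy (restriction|on Chrome)|\\Policies\\Google:", re.I)),
    ("Search hijack: Conduit/Trovi search provider or start page",
     re.compile(r"conduit\.com|\bTrovi\b", re.I)),
]


def triage(log_text):
    """Map each rule label to the (stripped) log lines it matched."""
    hits = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for label, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(label, []).append(line)
    return hits


# FRST file entry: "created - modified - size attrs (vendor) path".
FRST_FILE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - \d{8} \S+ \([^)]*\) (.+)$")


def ransom_note_window(log_text):
    """Earliest and latest creation time of the HELP_DECRYPT notes, or None.

    The notes are written as the encryptor walks each folder, so their
    creation times bracket the encryption run (useful when deciding which
    backups predate it).
    """
    created = []
    for line in log_text.splitlines():
        m = FRST_FILE.match(line.strip())
        if m and re.search(r"\\HELP_DECRYPT\.", m.group(3), re.I):
            created.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"))
    return (min(created), max(created)) if created else None


def reinstall_recommended(hits):
    """The post's rule of thumb: a rootkit or registry-resident family
    (ZeroAccess, Poweliks) means the host cannot be trusted after cleaning."""
    return any(label.split(":")[0] in ("ZeroAccess", "Poweliks") for label in hits)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for label, lines in found.items():
        print(f"[{len(lines):2d}] {label}")
    print("HELP_DECRYPT notes created between:", ransom_note_window(SAMPLE_LOG))
    print("reinstall recommended:", reinstall_recommended(found))
```

Feed it the whole FRST.txt/Addition.txt rather than just the fixlist: the point of matching on entry shape is to catch a second hijacked CLSID or a note in a folder the helper did not list. It is a reading aid for the log, not a replacement for the fix or for the reformat decision above.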