Hi samwisemueller,
Logs show the system is infected with the ZeroAccess rootkit.
As step #1, from Control Panel > Programs and Features, uninstall the following (if you find them there):
Mozilla Firefox (3.6.13) (x32 Version: 3.6.13 (en-US))
Mozilla Firefox 4.0b7 (x86 en-US) (x32 Version: 4.0b7)
SweetPacks Updater Service (x32 Version: 3.0.5.5)
Updater By SweetPacks 2.0.0.586 (Version: 2.0.0.586)
IncrediMail, Ltd.
THEN
- Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$7185adb03536b16566407e766640976e\n. ATTENTION! ====> ZeroAccess
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-3960442023-2759247791-3210914792-1000\$7185adb03536b16566407e766640976e\n. ATTENTION! ====> ZeroAccess
MountPoints2: D - D:\LaunchU3.exe -a
MountPoints2: {3d675831-4c91-11df-b3c9-00269e4f2605} - D:\LaunchU3.exe -a
MountPoints2: {42b6bb56-2167-11df-80c5-00269e4f2605} - D:\LaunchU3.exe -a
MountPoints2: {43740f2f-909a-11e1-ab7b-00269e4f2605} - G:\TL-Bootstrap.exe
MountPoints2: {7fd91b0e-ba9d-11de-b12d-806e6f6e6963} - E:\Driver\Windows\PL2303_Prolific_WDMDriverInstaller_v1.6.1.exe
MountPoints2: {df9c2736-7a23-11df-971e-00269e4f2605} - F:\Launcher.exe
MountPoints2: {f8338d57-95e1-11df-b176-00269e4f2605} - D:\Autorun.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
URLSearchHook: (No Name) - {4acda0f5-16f9-451e-a9d1-26cd832a9dac} - No File
HKLM-x32 SearchScopes: DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2455324
SearchScopes: HKLM-x32 - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2455324
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
BHO: Updater By SweetPacks - {7D4F1959-3F72-49d5-8E59-F02F8AA6815D} - C:\Program Files\Updater By SweetPacks\Extension64.dll ()
BHO-x32: Zeit Tunes Media Toolbar - {4acda0f5-16f9-451e-a9d1-26cd832a9dac} - C:\Program Files (x86)\Zeit_Tunes_Media\tbZeit.dll (Conduit Ltd.)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-x32: Updater By SweetPacks - {7D4F1959-3F72-49d5-8E59-F02F8AA6815D} - C:\Program Files\Updater By SweetPacks\Extension32.dll ()
BHO-x32: SweetPacks Browser Helper - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKLM-x32 - Zeit Tunes Media Toolbar - {4acda0f5-16f9-451e-a9d1-26cd832a9dac} - C:\Program Files (x86)\Zeit_Tunes_Media\tbZeit.dll (Conduit Ltd.)
Toolbar: HKLM-x32 - SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKCU - No Name - {4ACDA0F5-16F9-451E-A9D1-26CD832A9DAC} - No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 02 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 02 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
FF user.js: detected! => C:\Users\Jeff O\AppData\Roaming\Mozilla\Firefox\Profiles\ktwk1gpn.default\user.js
FF NewTab: hxxp://start.sweetpacks.com/?barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&src=97&crg=3.5000006.10043&st=23
FF Homepage: hxxp://start.sweetpacks.com/?barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&src=10&crg=3.5000006.10043&st=23
FF Keyword.URL: hxxp://start.sweetpacks.com?src=6&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&crg=3.5000006.10043&st=23&q=
FF Extension: No Name - C:\Users\Jeff O\AppData\Roaming\Mozilla\Firefox\Profiles\ktwk1gpn.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
CHR HomePage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
CHR RestoreOnStartup: "hxxp://start.sweetpacks.com/?barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&src=10&crg=3.5000006.10043&st=23", "hxxp://www.google.com/"
CHR DefaultSearchURL: (Bing) - http://start.sweetpacks.com?src=6&q={searchTerms}&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&crg=3.5000006.10043&st=23
CHR Extension: (SweetPacks Chrome Extension) - C:\Users\Jeff O\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj\1.4.0.0_0
R2 Updater By SweetPacks; C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [188760 2013-05-16] ()
C:\Windows\system32\dmwu.exe
C:\Program Files\Updater By SweetPacks
C:\Program Files (x86)\SweetIM
C:\Program Files (x86)\Zeit_Tunes_Media
C:\Users\Jeff O\AppData\Roaming\Mozilla\Firefox\Profiles\ktwk1gpn.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
C:\Program Files\Updater By SweetPacks
C:\Program Files (x86)\XingHaoLyrics
Folder: C:\29bc31e917c7b3afe1a6
Folder: C:\dfb067bdd29760f428e5c7399daa949b
C:\Windows\SysWOW64\jmdp\stij.exe
C:\$Recycle.Bin\S-1-5-21-3960442023-2759247791-3210914792-1000\$7185adb03536b16566407e766640976e
C:\$Recycle.Bin\S-1-5-18\$7185adb03536b16566407e766640976e
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
End
- Save the Notepad file as fixlist.txt
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
- Run FRST/FRST64, press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
THEN
Re-run FRST, press the Scan button and attach the fresh FRST.txt log here.
THEN
Please download Farbar Service Scanner and run it on the computer with the issue.
- Make sure the following options are checked:
  - Internet Services
  - Windows Firewall
  - System Restore
  - Security Center/Action Center
  - Windows Update
  - Windows Defender
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run from.
- Please copy and paste the log into your reply.
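Added example, not part of the post above and not code from FRST or Farbar: a small Python triage script that reads FRST-style log lines and flags the indicator classes this fix targets (the ZeroAccess COM `InprocServer32` redirections into `$Recycle.Bin`, the damaged Winsock catalog entries, the SweetPacks/Conduit browser hijacks, and the `MountPoints2` autorun handlers). The sample lines are copied from the log quoted in the post plus one constructed clean `InprocServer32` entry for contrast; the regexes, rule names and severities are this example's own assumptions about how those lines look, not a specification of FRST's output format.

```python
"""Triage helper for FRST scan logs (added example, not FRST's own code).

Flags the indicator classes called out in the fix above so a helper can
see at a glance whether a fresh FRST.txt still shows ZeroAccess residue.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str
    line: str


# ZeroAccess keeps its payload in $Recycle.Bin\<SID>\$<32 hex chars>\ and
# points a COM InprocServer32 default value at a file named "n" with a
# trailing dot (exactly the shape of the two lines in the post).
ZEROACCESS_PATH = re.compile(
    r"\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}\\n\.", re.IGNORECASE)

# FRST appends the path it expected when a Winsock catalog entry is broken.
WINSOCK_EXPECTED = re.compile(r'LibraryPath should be "([^"]+)"')

# Hosts seen in the hijacked start page / search scope entries in the post.
PUP_HOSTS = ("start.sweetpacks.com", "search.conduit.com")

# Constructed sample: lines copied from the quoted log, plus one
# hypothetical clean InprocServer32 entry that must NOT be flagged.
SAMPLE_FRST_LINES = [
    r"HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$7185adb03536b16566407e766640976e\n. ATTENTION! ====> ZeroAccess",
    r"HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-3960442023-2759247791-3210914792-1000\$7185adb03536b16566407e766640976e\n. ATTENTION! ====> ZeroAccess",
    r"HKLM\...\InprocServer32: [Default] C:\Windows\System32\shell32.dll",  # hypothetical clean entry
    r'Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"',
    r'Winsock: Catalog5 02 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"',
    r"MountPoints2: {43740f2f-909a-11e1-ab7b-00269e4f2605} - G:\TL-Bootstrap.exe",
    r"HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043",
    r"SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2455324",
]


def scan_frst(lines: Iterable[str]) -> List[Finding]:
    """Apply the four detection rules to each line; first matching rule wins."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # Rule 1: COM server hijack into the ZeroAccess payload directory.
        if "InprocServer32" in line and ZEROACCESS_PATH.search(line):
            findings.append(Finding("zeroaccess_com_hijack", "critical",
                "COM InprocServer32 redirected into $Recycle.Bin payload", line))
            continue
        # Rule 2: Winsock LSP catalog entry whose DLL is missing (a classic
        # side-effect of the rootkit's removal of its own LSP).
        if line.startswith("Winsock:") and "File Not found" in line:
            m = WINSOCK_EXPECTED.search(line)
            expected = m.group(1) if m else "unknown"
            findings.append(Finding("winsock_catalog_damaged", "high",
                f"LSP entry points at a missing file; expected {expected}", line))
            continue
        # Rule 3: removable-media autorun handlers (informational only).
        if line.startswith("MountPoints2:"):
            target = line.split(" - ", 1)[1] if " - " in line else ""
            findings.append(Finding("mountpoints2_autorun", "info",
                f"removable-media autorun handler: {target}", line))
            continue
        # Rule 4: start page / search scope pointing at a known PUP host.
        lowered = line.lower()
        host = next((h for h in PUP_HOSTS if h in lowered), None)
        if host:
            findings.append(Finding("browser_hijack", "medium",
                f"start page / search scope points at {host}", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, e.g. to compare before/after the fix."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def is_zeroaccess_suspected(findings: List[Finding]) -> bool:
    """True when the rootkit's COM hijack signature is present."""
    return any(f.rule == "zeroaccess_com_hijack" for f in findings)


if __name__ == "__main__":
    results = scan_frst(SAMPLE_FRST_LINES)
    for f in results:
        print(f"[{f.severity:8}] {f.rule}: {f.detail}")
    print("summary:", summarize(results))
    print("ZeroAccess suspected:", is_zeroaccess_suspected(results))
```

Run it against the fresh FRST.txt after the fix; if `zeroaccess_com_hijack` or `winsock_catalog_damaged` still appear, the fixlist did not take (typically because FRST and fixlist.txt were not in the same folder or the machine was not allowed to complete its restart), and the Fixlog.txt should be checked before anything else is run.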