Hi, here is the thing:
FRST logs show traces of active worms. Additionally, GMER shows some possibly suspicious activity. This in principle means that, besides the FRST fix, we need to deploy an equally powerful anti-rootkit tool as an alternative to GMER.
Important notice: Your USB devices are infected as well. Do NOT use/attach USB memory devices until I tell you so. We shall clean the USBs when the host system is clean.
FRST’s FixList
1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Start
(Microsoft Corporation) C:\Windows\System32\wscript.exe
C:\Users\Christine\AppData\Local\Temp\*.vbs
C:\Users\Christine\AppData\Local\Temp\*.sys
C:\Users\Christine\AppData\Local\Temp\*.exe
C:\Users\Christine\AppData\Local\Temp\*.dll
C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11111.vbs
HKLM-x32\...\Run: [] - [X]
HKU\S-1-5-21-4049588947-1142049457-3320450371-1001\...\Run: [11111] - wscript.exe //B "C:\Users\CHRIST~1\AppData\Local\Temp\11111.vbs" <===== ATTENTION
HKU\S-1-5-21-4049588947-1142049457-3320450371-1001\...\MountPoints2: {d2038de5-8483-11e1-a1f6-806e6f6e6963} - D:\Start.exe
Startup: C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11111.vbs ()
SearchScopes: HKCU - {C61E1C84-8698-43CB-847A-DB4DEF267E34} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}&locale=&apn_ptnrs=^AGS&apn_dtid=^YYYYYY^YY^DE&apn_uid=181339a5-dbc4-4c0b-87b3-e912eaeeeb5b&apn_sauid=16EE819A-288F-4745-8FC5-B71ABCC6A83D
U3 kglcyuod; \??\C:\Users\CHRIST~1\AppData\Local\Temp\kglcyuod.sys [X]
CMD: RD /S /Q %TEMP%
Reboot:
End
2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
MB’s AntiRootKit
Please download Malwarebytes Anti-Rootkit (MBAR) from here and save it to your desktop.
https://www.malwarebytes.org/antirootkit/
Double-click on the MBAR file and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. Please be patient and wait for the program to open…
• Click 'Next' …
• On the Update Database screen, click on the 'Update' button.
• Once you see 'Success: Database was successfully updated', click on 'Next', then click the Scan button.
Small notice: with some infections, you may see two message boxes:
- 'Could not load protection driver'. Click 'OK'.
- 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
• If malware is found, press the Cleanup button when the scan completes. MBAR shall restart your machine and finish the cleaning process after the restart.
You'll find the log in that mbar folder as MBAR-log-***.txt.
Please post MBAR’s log in your next reply.
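As an added example, not part of the helper's post above: a small Python triage script that applies the reasoning behind this fixlist to the FRST entries quoted in the post, plus one constructed benign Run entry, and tags each indicator an analyst would look for (a Run key launching wscript.exe silently with //B on a .vbs kept in Temp, a script in the Startup folder, a MountPoints2 entry launching an executable from a drive root, a dangling autostart entry marked [X], a driver loaded from Temp, and a SearchScopes URL not on a short allow-list). The tag names and the search-provider allow-list are my own assumptions, not FRST's.

```python
import re
from typing import Dict, List

# Indicators an analyst checks when reading an FRST log. Each entry is
# (tag, compiled regex); tag names are my own, not FRST terminology.
INDICATORS = [
    # Autostart value with no target file left on disk (FRST marks that "[X]").
    ("dangling_autostart",
     re.compile(r'\\Run: \[.*?\] - .*\[X\]\s*$', re.I)),
    # Autostart value running Windows Script Host silently (//B) on a .vbs in %TEMP%.
    ("wsh_silent_temp_script",
     re.compile(r'\\Run: .*wscript\.exe\s+//B\s+"[^"]*\\Temp\\[^"\\]+\.vbs"', re.I)),
    # MountPoints2 entry that launches an executable from the root of a (removable) drive.
    ("mountpoints_root_exe",
     re.compile(r'\\MountPoints2: \{[0-9a-f-]+\} - [a-z]:\\[^\\]+\.exe\s*$', re.I)),
    # Script file dropped into the per-user Startup folder.
    ("startup_folder_script",
     re.compile(r'^Startup: .*\\Startup\\[^\\]+\.(?:vbs|vbe|js|jse|wsf|bat|cmd)\b', re.I)),
    # Search scope whose URL is not one of the well-known providers (allow-list is an assumption).
    ("search_scope_nondefault",
     re.compile(r'^SearchScopes: .* URL = (?!https?://(?:www\.)?(?:google|bing)\.com/)', re.I)),
    # Service/driver line (S1/R3/U3 ...) whose .sys image lives under a Temp directory.
    ("temp_dir_driver",
     re.compile(r'^[SRU]\d \S+; .*\\Temp\\[^\\]+\.sys\b', re.I)),
]

# Sample input: the FRST entries quoted in the post above, followed by one
# constructed benign Run entry so the negative case is exercised too.
SAMPLE_LINES = [
    r'HKLM-x32\...\Run: [] - [X]',
    r'HKU\S-1-5-21-4049588947-1142049457-3320450371-1001\...\Run: [11111] - wscript.exe //B "C:\Users\CHRIST~1\AppData\Local\Temp\11111.vbs" <===== ATTENTION',
    r'HKU\S-1-5-21-4049588947-1142049457-3320450371-1001\...\MountPoints2: {d2038de5-8483-11e1-a1f6-806e6f6e6963} - D:\Start.exe',
    r'Startup: C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11111.vbs ()',
    r'SearchScopes: HKCU - {C61E1C84-8698-43CB-847A-DB4DEF267E34} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}',
    r'U3 kglcyuod; \??\C:\Users\CHRIST~1\AppData\Local\Temp\kglcyuod.sys [X]',
    # Constructed benign entry (not from the post): a signed system-tray helper.
    r'HKLM\...\Run: [SecurityHealth] - C:\Windows\system32\SecurityHealthSystray.exe (Microsoft Corporation)',
]


def classify(line: str) -> List[str]:
    """Return every indicator tag that matches one FRST log line."""
    return [tag for tag, rx in INDICATORS if rx.search(line)]


def triage(lines) -> Dict[str, List[str]]:
    """Return only the lines that hit at least one indicator, mapped to their tags.

    Lines with no hits are dropped, so the result is the short list an analyst
    would review and, after judgement, turn into fixlist entries.
    """
    hits: Dict[str, List[str]] = {}
    for line in lines:
        tags = classify(line.strip())
        if tags:
            hits[line] = tags
    return hits


if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LINES).items():
        print(f"{', '.join(tags):26s} {line}")
```

Each regex is anchored on the FRST line prefix (`\Run:`, `Startup:`, `\MountPoints2:`, the `U3`-style driver prefix) so that a Temp path or a .vbs appearing elsewhere in a log does not trigger a false hit; a line that matches nothing, like the constructed SecurityHealth entry, is simply left out of the review list.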