Hi,

When you run GMER and a pop-up message (rootkit activity) appears, press NO to get a full GMER scan. :slight_smile:

Wait for the initial scan to finish; if there is any query, click [b]No[/b].

Doesn’t matter; we shall use a script for FRST64 for fixing…

=> do NOT use any USB device until I tell you so.

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


[code]
Start
HKCU\...\Run: [MICROS~1] - C:\Users\maggot\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-25] () <===== ATTENTION
Startup: C:\Users\maggot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
C:\Users\maggot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS
C:\Users\maggot\AppData\Local\Temp
C:\Windows\Tasks\At*.job
HKCU\...\Policies\Explorer: []
MountPoints2: {3285bd86-ead6-11e1-b62d-b74268557408} - H:\USBAutoRun.exe
MountPoints2: {46e5506c-90a1-11e2-bf15-806e6f6e6963} - G:\AutoRun.exe
MountPoints2: {90bb8748-e1e9-11e1-85bc-e97e19566818} - G:\AutoRun.exe
MountPoints2: {92c9d531-1090-11e2-8e6f-8ca98207194a} - G:\Windows/AutoRun.exe
MountPoints2: {a8020c18-256b-11e1-a291-782bcbc51943} - G:\Setup.exe /Auto
MountPoints2: {bbe27ed6-5ce5-11e0-bef1-806e6f6e6963} - E:\autoRcd.exe
MountPoints2: {c3e616ea-e553-11e1-875b-d40aa586471b} - G:\AutoRun.exe
MountPoints2: {c703d888-9dcd-11e1-a793-782bcbc51943} - "G:\WD SmartWare.exe" autoplay=true
MountPoints2: {c8d06cb7-3e23-11e2-be75-85a8df0c66af} - G:\.\ShowModem.exe
MountPoints2: {ec2e9cb2-e3cd-11e1-8265-9188ef06fe07} - G:\MyZone.exe
MountPoints2: {f52504c5-e204-11e1-8ed7-e88da3e4b00b} - G:\AutoRun.exe
MountPoints2: {fb000b20-909f-11e2-81c7-8ca98207194a} - G:\AutoRun.exe
HKLM-x32\...\Run: [FAStartup] - [x]
BootExecute:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
SearchScopes: HKLM-x32 - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchesplace.info/?l=1&q={searchTerms}&pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
SearchScopes: HKCU - {5CB78B2F-C1C7-460B-8555-AC277F1258FE} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
SearchScopes: HKCU - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchesplace.info/?l=1&q={searchTerms}&pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
BHO: No Name - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -  No File
BHO-x32: No Name - {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} -  No File
Toolbar: HKCU - No Name - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} -  No File
Toolbar: HKCU - No Name - {30F9B915-B755-4826-820B-08FBA6BD249D} -  No File
FF SearchEngineOrder.1: WebSearch
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "WebSearch");: user_pref("browser.search.order.1,S", "WebSearch");
FF SelectedSearchEngine: Google
FF Homepage: hxxp://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
FF Keyword.URL: hxxp://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30&l=1&q=
CHR Extension: (saVeNshhaore ) - C:\Users\maggot\AppData\Local\Google\Chrome\User Data\Default\Extensions\bekklncadjfpplddpahalgnhpfepfcjf\5.10
C:\Users\maggot\AppData\Local\Google\Chrome\User Data\Default\Extensions\bekklncadjfpplddpahalgnhpfepfcjf
CHR HKLM-x32\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\maggot\AppData\Local\Temp\crx61E3.tmp
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {2DC9A438-C1C2-4573-8C10-50670EAF8580} - System32\Tasks\{7E3892E4-B20F-4BCD-A794-0B5858361270} => F:\ASDFASD\SETUP.EXE
Task: {40B8DA8A-BD9F-4B9C-9D68-71E73FB1E9F4} - System32\Tasks\{68BAC247-8220-42C8-B821-F10B117C548A} => F:\ASDFASD\SETUP.EXE
Task: {5D6F42BB-4585-4B11-A5FC-FC545A4B5573} - System32\Tasks\{A2EEED55-BADC-4B6B-BFBC-03336DCD4740} => F:\ASDFASD\SETUP.EXE
Task: {7560DDC4-44A0-4CF5-92C9-6B16CD6B4363} - System32\Tasks\{AD7787FC-80FE-4CEA-9405-D64873DFD1D7} => F:\ASDFASD\SETUP.EXE
Task: {A8B0345C-2A54-491E-96B8-9844921D7020} - System32\Tasks\At1 => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: {ACDDFE25-7B4D-4D39-BAB8-4C96E682D8CE} - System32\Tasks\{704CB586-CE6F-49DC-8D4C-FBFEFDBFDA0F} => F:\ASDFASD\SETUP.EXE
Task: {B9E733E6-3DE4-40F2-B091-1018A775C114} - System32\Tasks\{B0D266EF-9056-487F-ACC5-AA355E1626F8} => F:\ASDFASD\SETUP.EXE
Task: {C44D4584-1387-4BFB-8BA3-8BF75627FDB2} - System32\Tasks\At3 => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: {D9D2E7FF-123A-4A0B-8FD0-09CBDC6B6228} - System32\Tasks\At2 => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: {E6FBD718-AFF8-426F-833E-4938D5DCFD75} - System32\Tasks\shut down => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: {FDCF43D1-4CE1-435F-8FD2-65E6600D7B3A} - System32\Tasks\{654D4C6A-4348-44C7-887B-5357F156FCB6} => F:\ASDFASD\SETUP.EXE
Task: C:\Windows\Tasks\At1.job => C:\Windows\system32\Shutdown.exe
Task: C:\Windows\Tasks\At2.job => C:\Windows\system32\Shutdown.exe
Task: C:\Windows\Tasks\At3.job => C:\Windows\system32\Shutdown.exe
AlternateDataStreams: C:\ProgramData\TEMP:94A19129
AlternateDataStreams: C:\ProgramData\TEMP:9AEE100C
File: C:\Program Files (x86)\After Death\FS.exe
File: C:\Windows\System32\shutdown.exe
Hosts:
CMD: ipconfig /flushdns
End
[/code]

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

3. Run FRST/FRST64, press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


THEN

Re-run FRST64, just hit the Scan button and post the freshly created FRST.txt log report.
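The fixlist above is built by hand: the helper read the FRST log, recognised a handful of persistence and hijack patterns (a .VBS in the Run key and Startup folder launched from the user's Temp directory, stale MountPoints2 autorun handlers for removable drives, scheduled tasks pointing at a removable drive or at shutdown.exe, search/start-page hijacks, alternate data streams) and pasted the offending log lines between Start and End. The script below is an added example, not part of the original post and not FRST's own code: it applies the same judgement to FRST log lines programmatically and drafts a fixlist from whatever it flags, so the next FRST.txt can be triaged the same way. The sample log is taken from the fixlist above, except for the two marked benign control lines, which are constructed; the function names, the KNOWN_SEARCH_HOSTS allowlist and the rule thresholds are assumptions of this example.

```python
"""Triage FRST log lines for the persistence and hijack patterns targeted above.

Added example, not from the original post and not FRST's own code. Parses a few
FRST entry types (Run, Startup, MountPoints2, Task, browser start-page/search
lines, AlternateDataStreams), flags what the fixlist above removed, and drafts
a Start/End fixlist from the flagged lines.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist: search providers accepted as defaults; any other host in a
# Start Page, SearchScopes, Homepage or Keyword.URL line is a hijack candidate.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}
# Script/loader extensions that do not belong in a Run key or the Startup folder.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".scr")

# Sample log: all lines are copied from the fixlist in the post above except the
# ExampleBenign Run line and the all-zero-GUID Bing SearchScope, which are
# constructed benign controls for this example.
SAMPLE_LOG = r"""
HKCU\...\Run: [MICROS~1] - C:\Users\maggot\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-25] () <===== ATTENTION
HKLM\...\Run: [ExampleBenign] - C:\Program Files\Example\example.exe [12345 2013-01-01] (Example Corp)
Startup: C:\Users\maggot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
MountPoints2: {3285bd86-ead6-11e1-b62d-b74268557408} - H:\USBAutoRun.exe
MountPoints2: {c703d888-9dcd-11e1-a793-782bcbc51943} - "G:\WD SmartWare.exe" autoplay=true
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
SearchScopes: HKCU - {5CB78B2F-C1C7-460B-8555-AC277F1258FE} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
SearchScopes: HKCU - {00000000-0000-0000-0000-000000000000} URL = http://www.bing.com/search?q={searchTerms}
FF Homepage: hxxp://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
Task: {2DC9A438-C1C2-4573-8C10-50670EAF8580} - System32\Tasks\{7E3892E4-B20F-4BCD-A794-0B5858361270} => F:\ASDFASD\SETUP.EXE
Task: {A8B0345C-2A54-491E-96B8-9844921D7020} - System32\Tasks\At1 => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: C:\Windows\Tasks\At1.job => C:\Windows\system32\Shutdown.exe
AlternateDataStreams: C:\ProgramData\TEMP:94A19129
"""


@dataclass
class Finding:
    category: str  # autostart | removable-autorun | task | browser-hijack | ads
    detail: str    # the path or host that triggered the rule
    line: str      # the FRST line verbatim, reusable in a fixlist


# A Windows path up to the trailing "[size date]" or "(vendor)" metadata FRST appends.
_PATH_RE = re.compile(r'[A-Za-z]:\\.*?(?=\s+\[\d|\s+\([^)]*\)\s*(?:<|$)|$)')
_RUN_RE = re.compile(r'HK\w+(?:-x32)?\\\.\.\.\\Run\w*: \[[^\]]*\] - (.*)')
_TASK_RE = re.compile(r'Task: (?:\{[^}]*\} - System32\\Tasks\\|C:\\Windows\\Tasks\\)(.+?) => (.*)')
_URL_RE = re.compile(r'(?:Start Page|URL|Homepage|Keyword\.URL)\s*[=:]\s*(h[tx]{2}ps?://\S+)')


def _first_path(field: str) -> str:
    """Leading path of an FRST field; quoted paths may contain spaces."""
    field = field.strip()
    if field.startswith('"') and '"' in field[1:]:
        return field[1:field.index('"', 1)]
    m = _PATH_RE.match(field)
    return m.group(0) if m else field


def _is_script_or_temp(path: str) -> bool:
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or p.endswith(SCRIPT_EXTS)


def classify(line: str):
    """Return a Finding for a suspicious FRST line, or None for anything else."""
    line = line.strip()
    m = _RUN_RE.match(line)
    if m or line.startswith("Startup: "):
        path = _first_path(m.group(1) if m else line[len("Startup: "):])
        return Finding("autostart", path, line) if _is_script_or_temp(path) else None
    if line.startswith("MountPoints2:"):
        # Autorun handlers left behind by removable media: a classic USB-worm footprint.
        return Finding("removable-autorun", _first_path(line.split(" - ", 1)[-1]), line)
    m = _TASK_RE.match(line)
    if m:
        name, target = m.group(1), _first_path(m.group(2))
        off_system = not target.upper().startswith(("C:\\WINDOWS", "C:\\PROGRAM FILES"))
        forced_shutdown = target.lower().endswith("\\shutdown.exe")
        return Finding("task", f"{name} -> {target}", line) if off_system or forced_shutdown else None
    m = _URL_RE.search(line)
    if m:
        # The Firefox lines in the log above are defanged as hxxp; restore the scheme for urlparse.
        host = urlparse(m.group(1).replace("hxxp", "http", 1)).hostname or ""
        return None if host in KNOWN_SEARCH_HOSTS else Finding("browser-hijack", host, line)
    if line.startswith("AlternateDataStreams: "):
        return Finding("ads", line[len("AlternateDataStreams: "):], line)
    return None


def triage(log_text: str):
    return [f for f in map(classify, log_text.splitlines()) if f]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def build_fixlist(findings):
    """Draft a fixlist in the Start/End form used in the post, one flagged log line per
    entry. It is a draft for a human to review: as the NOTICE above says, a fixlist is
    specific to one machine and must not be run elsewhere."""
    return "Start\n" + "\n".join(f.line for f in findings) + "\nEnd"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.category:17}] {f.detail}")
    print(summarize(found))
    print(build_fixlist(found))
```

The rules deliberately mirror what the hand-written fixlist removed rather than attempting general malware detection: a Run or Startup entry is flagged only when it launches a script or something from the user's Temp directory, a task only when its action lives off the system drive or is shutdown.exe, and a browser line only when its host is outside the allowlist. Run it over a fresh FRST.txt and read the draft fixlist critically before pasting any of it into fixlist.txt.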