Trojans Necurs.A.44 and Crypt.ULPM.Gen detected by Avira


  1. Posts : 20
    Windows 7 Home Premium x64 SP1
       #1

    Trojans Necurs.A.44 and Crypt.ULPM.Gen detected by Avira


    Hi! Today Avira started detecting the trojans Necurs.A.44 and Crypt.ULPM.Gen. Those are the only two detected so far. I took the liberty of generating a HijackThis log (in admin mode):


    Logfile of HijackThis v1.99.1
    Scan saved at 18:14:05, on 11/02/2013
    Platform: Unknown Windows (WinNT 6.01.3505 SP1)
    MSIE: Internet Explorer v9.00 (9.00.8112.16457)

    Running processes:
    C:\Program Files (x86)\SpeedFan\speedfan.exe
    C:\Users\Camila\Local Settings\Apps\F.lux\flux.exe
    C:\Program Files (x86)\uTorrent\uTorrent.exe
    C:\Program Files (x86)\CyberScript32\CyberScript.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\iTunesHelper.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Program Files (x86)\Opera\opera.exe
    C:\Program Files (x86)\Java\jre6\bin\javaw.exe
    C:\Users\Camila\AppData\Local\Opera\Opera\temporary_downloads\HijackThis.exe
    C:\Program Files\Applian Technologies\Jaksta Streaming Media Recorder\jsmrp.exe
    C:\Users\Camila\Desktop\ht\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddr&s={searchTerms}&f=4
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*.*;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: uTorrentBar_PT Toolbar - {e0301295-ab3e-4af3-979f-3d453c5f9f48} - C:\Program Files (x86)\uTorrentBar_PT\prxtbuTo0.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\bh\facemoods.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - (no file)
    O2 - BHO: Auxiliar de Conexão do Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: uTorrentBar_PT - {e0301295-ab3e-4af3-979f-3d453c5f9f48} - C:\Program Files (x86)\uTorrentBar_PT\prxtbuTo0.dll
    O3 - Toolbar: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - (no file)
    O3 - Toolbar: uTorrentBar_PT Toolbar - {e0301295-ab3e-4af3-979f-3d453c5f9f48} - C:\Program Files (x86)\uTorrentBar_PT\prxtbuTo0.dll
    O3 - Toolbar: facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\facemoodsTlbr.dll
    O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    O4 - HKLM\..\Run: [facemoods] "C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\facemoodssrv.exe" /md I
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunesHelper.exe"
    O4 - HKCU\..\Run: [F.lux] "C:\Users\Camila\Local Settings\Apps\F.lux\flux.exe" /noshow
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
    O4 - HKCU\..\Run: [DW7] "C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe"
    O4 - HKCU\..\Run: [ONAIR] C:\Program Files\ONAIR\ONAIR.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Camila\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    O4 - Startup: CyberScript.lnk = C:\Program Files (x86)\CyberScript32\CyberScript.exe
    O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O8 - Extra context menu item: &Download All using 4shared Desktop - res://C:\Program Files (x86)\4shared Desktop\Desktop.32/D_ALL_LINK
    O8 - Extra context menu item: &Download using 4shared Desktop - res://C:\Program Files (x86)\4shared Desktop\Desktop.32/D_ONE_LINK
    O8 - Extra context menu item: &Enviar para o OneNote - res://C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files (x86)\Flash Capture\fciext.dll (file missing)
    O9 - Extra button: &Anotações Vinculadas do OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: &Anotações Vinculadas do OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Enviar para Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: Enviar para Dispositivo &Bluetooth... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\bonjour\mdnsnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O11 - Options group: [INTERNATIONAL] International
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell.com/systemprofiler/SysProExe.CAB
    O16 - DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} (DellSystem.Scanner) - http://xserv.dell.com/DellDriverScanner/DellSystem.CAB
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_35a1fb3404aa1180\AESTSr64.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Avira Programador (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Serviço do Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Cron Service for Prey (CronService) - Fork Ltd. - C:\Prey\platform\windows\cronsvc.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc (file missing)
    O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Unknown owner - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc (file missing)
    O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_35a1fb3404aa1180\STacSV64.exe
    O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
    O23 - Service: TurboBoost - Intel(R) Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: DW WLAN Tray Service (wltrysvc) - Unknown owner - C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE" "C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe (file missing)


    Thank you.
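    A small triage helper for logs in the HijackThis line format posted above. This is an added example, not part of the thread and not code from HijackThis or any tool the helper recommends; the sample lines are copied from the log above, and the adware marker list is an assumption built from the names that appear later in the thread (facemoods, Conduit, uTorrentBar, PriceGong, Softonic, OpenCandy).

```python
"""Flag the entries in a HijackThis-style log that a responder should look at first.

Added example for this thread; it is not HijackThis code.  It handles the
R0/R1/R3/O2/O3/O4/O20 layouts seen in the log above and reports:
  * registrations whose target is "(no file)" / "(file missing)" (orphaned BHO,
    toolbar or service entries that still load or are still referenced);
  * entries matching an assumed list of adware/toolbar vendor names;
  * browser search or start-page values pointing at an external URL;
  * AppInit_DLLs entries, which load into every user32-linked process.
It also indexes CLSIDs so the same component registered as URLSearchHook,
BHO and toolbar at once is easy to spot.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddr&s={searchTerms}&f=4
R3 - URLSearchHook: uTorrentBar_PT Toolbar - {e0301295-ab3e-4af3-979f-3d453c5f9f48} - C:\Program Files (x86)\uTorrentBar_PT\prxtbuTo0.dll
O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\bh\facemoods.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - (no file)
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O3 - Toolbar: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - (no file)
O3 - Toolbar: uTorrentBar_PT Toolbar - {e0301295-ab3e-4af3-979f-3d453c5f9f48} - C:\Program Files (x86)\uTorrentBar_PT\prxtbuTo0.dll
O4 - HKLM\..\Run: [facemoods] "C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.5\facemoodssrv.exe" /md I
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
MISSING = ("(no file)", "(file missing)")
# Assumed marker list for this example, taken from the adware/toolbar names that
# JRT and ESET report elsewhere in the thread.  Tune it for a real engagement.
ADWARE_MARKERS = ("facemoods", "conduit", "utorrentbar", "pricegong", "softonic", "opencandy")


def extract_target(code, rest):
    """Return the file path or URL an entry points at, following the section's layout."""
    if code.startswith("R"):
        # R0/R1: "key,value = target"; R3 (URLSearchHook) uses the "name - {clsid} - path" layout.
        if " = " in rest and not rest.startswith("URLSearchHook"):
            return rest.split(" = ", 1)[1].strip()
        return rest.rsplit(" - ", 1)[-1].strip()
    if code == "O4":
        # O4 - HKLM\..\Run: [name] "path" args   (path may be unquoted)
        after = rest.split("] ", 1)[1] if "] " in rest else rest.split(": ", 1)[-1]
        if after.startswith('"'):
            return after[1:].split('"', 1)[0]
        return after.split(" /", 1)[0].strip()
    if code == "O20":
        return rest.split(": ", 1)[-1].strip()          # O20 - AppInit_DLLs: path
    return rest.rsplit(" - ", 1)[-1].strip()            # O2/O3/O9/O16/O18/O23: last field


def parse_log(text):
    """Parse every recognised line into a dict with code, raw text, CLSID and target."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        clsid = CLSID_RE.search(rest)
        entries.append({
            "code": code,
            "raw": line.strip(),
            "clsid": clsid.group(0).lower() if clsid else None,
            "target": extract_target(code, rest),
        })
    return entries


def reasons_for(entry):
    """List the review reasons for one entry; an empty list means nothing stood out."""
    reasons = []
    target = entry["target"]
    if any(target.endswith(tok) for tok in MISSING):
        reasons.append("orphaned registration (target missing)")
    hits = [m for m in ADWARE_MARKERS if m in entry["raw"].lower()]
    if hits:
        reasons.append("matches adware marker: " + ", ".join(hits))
    if entry["code"] == "O20":
        reasons.append("AppInit_DLLs loads into every user32-linked process; confirm the vendor")
    if entry["code"] in ("R0", "R1") and target.lower().startswith("http"):
        reasons.append("browser search/start page points to an external URL")
    return reasons


def triage(text):
    """Return (findings, clsid_index): flagged entries with reasons, and CLSID -> section codes."""
    entries = parse_log(text)
    findings = []
    for e in entries:
        reasons = reasons_for(e)
        if reasons:
            findings.append(dict(e, reasons=reasons))
    index = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            index[e["clsid"]].append(e["code"])
    return findings, dict(index)


if __name__ == "__main__":
    found, clsids = triage(SAMPLE_LOG)
    for f in found:
        print(f["code"], "|", f["target"], "|", "; ".join(f["reasons"]))
    for clsid, codes in clsids.items():
        if len(codes) > 1:
            print("CLSID", clsid, "registered in sections", ", ".join(codes))
```

    On the sample, the Avira autostart entry is left alone, while the facemoods BHO and Run entry, the uTorrentBar hook/toolbar pair, the two "(no file)" registrations, the facemoods search URL and the AppInit_DLLs entry are all listed for review.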


  2. Posts : 2,470
    Windows 7 Home Premium
       #2

    Time Pink,

    Let's take a look at what is going on with your system...


    Please download RogueKiller:
    Télécharger RogueKiller (Site Officiel)


    When you get to the website, go to where it says:
    (Download link) Lien de téléchargement:

    Select the version that applies to your system: x64


    Click the dark-blue button that applies to download.

    Save to the Desktop


    Close all windows and browsers
    Right-click RogueKiller and select 'Run as Administrator'

    Press: SCAN


    A report opens on the Desktop: RKreport.txt


    Please provide the RKreport.txt (Mode: Scan) in your reply.

    (Please do not delete anything!)





    Also, download Farbar Service Scanner




    Save to the Desktop
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press: Scan
    • FSS creates a log, FSS.txt, on the Desktop.
    Please provide the FSS.txt in your reply.


  3. Posts : 20
    Windows 7 Home Premium x64 SP1
    Thread Starter
       #3

    Hi, cottonball!

    RogueKiller:

    RogueKiller V8.5.0 _x64_ [Feb 9 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : RogueKiller - Geeks to Go Forums
    Website : Download RogueKiller (Official website)
    Blog : tigzy-RK

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Camila [Admin rights]
    Mode : Scan -- Date : 02/11/2013 21:27:13
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 13 ¤¤¤
    [TASK][SUSP PATH] {1FBC808B-919F-4A8B-A189-10A5E5D34761} : C:\Users\Camila\Desktop\OperaPassView.exe -> FOUND
    [TASK][SUSP PATH] {4A2F98D4-0BF4-40DD-A5A1-08D707337E27} : C:\Users\Camila\Desktop\OperaPassView.exe -> FOUND
    [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST9500325AS +++++
    --- User ---
    [MBR] 2a7a8b2fe2a563211b7a9fbbca260a2e
    [BSP] 5eb0f8e71dd0859abfc5538c79d8ca2c : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 125 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 23846912 | Size: 85292 Mo
    2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 198526913 | Size: 359522 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_02112013_02d2127.txt >>
    RKreport[1]_S_02112013_02d2127.txt



    FSS:

    Farbar Service Scanner Version: 10-02-2013
    Ran by Camila (administrator) on 11-02-2013 at 21:21:20
    Running from "C:\Users\Camila\Desktop"
    Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Standard Profile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============

    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    Please run RogueKiller again, and after it finishes its Prescan, press the Delete button.

    When done, post the new RKreport.txt (Mode: Remove) in your reply.


    Is Avira still detecting the trojans Necurs.A.44 and Crypt.ULPM.Gen?


    Also download the Junkware Removal Tool:
    Junkware Removal Tool Download
    Save to the Desktop.

    Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications.
    These programs may interfere with the running of JRT.

    For information on how to disable protective programs, refer to this info:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com.

    Right-click JRT.exe and select: Run as Administrator

    The tool opens and starts scanning the system. Please be patient as this can take a while...

    When done, a report (JRT.txt) is saved on the Desktop.

    Please post the contents of JRT.txt in your reply.





    Next, please download Temp File Cleaner (TFC):
    TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums

    Double-click on TFC.exe to run the program.

    Be sure to save any work in progress before running TFC!!

    Click on Start to begin the cleaning process.

    TFC closes all running programs, and may ask you to restart the computer.


    Re-enable your protection software (Avira), and post back on whether it finds any malware.


  5. Posts : 20
    Windows 7 Home Premium x64 SP1
    Thread Starter
       #5

    Hi.

    RogueKiller:
    After Prescan, the delete button was grey. There was nothing listed in that list where it shows what it found.


    JRT (for some reason, it couldn't do a registry backup, but I had created a restore point beforehand):

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.6.2 (02.02.2013:2)
    OS: Windows 7 Home Premium x64
    Ran by Camila on 12/02/2013 at 19:47:07,34
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values

    Failed to delete: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\facemoods
    Failed to delete: [Registry Value] hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\run\\facemoods
    Failed to delete: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{db4e9724-f518-4dfd-9c7c-78b52103cab9}
    Failed to delete: [Registry Value] hkey_local_machine\software\wow6432node\microsoft\internet explorer\toolbar\\{db4e9724-f518-4dfd-9c7c-78b52103cab9}
    Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\S-1-5-21-707863446-4181733128-2208853327-1000\software\microsoft\internet explorer\searchscopes\\DefaultScope



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] hkey_classes_root\escort.escortiepane
    Successfully deleted: [Registry Key] hkey_classes_root\escort.escortiepane.1
    Successfully deleted: [Registry Key] hkey_local_machine\software\conduit
    Successfully deleted: [Registry Key] hkey_current_user\software\igearsettings
    Successfully deleted: [Registry Key] hkey_current_user\software\softonic
    Successfully deleted: [Registry Key] hkey_local_machine\software\systweak
    Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduit
    Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\pricegong
    Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\toolbar
    Failed to delete: [Registry Key] hkey_local_machine\software\classes\appid\escort.dll
    Failed to delete: [Registry Key] hkey_local_machine\software\classes\appid\esrv.exe
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\escort.escrtbtn.1
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\esrv.escrtsrvc
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\esrv.escrtsrvc.1
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\facemoods.dskbnd
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\facemoods.dskbnd.1
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\facemoods.facemoodshlpr
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\facemoods.facemoodshlpr.1
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\facemoods.xtrnl
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\facemoods.xtrnl.1
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\facemoodsapp.appcore
    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\facemoodsapp.appcore.1
    Failed to delete: [Registry Key] hkey_local_machine\software\classes\wow6432node\appid\esrv.exe
    Failed to delete: [Registry Key] hkey_local_machine\software\wow6432node\classes\appid\escort.dll
    Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2851643
    Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0d7562ae-8ef6-416d-a838-ab665251703a}
    Failed to delete: [Registry Key] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}
    Failed to delete: [Registry Key] hkey_classes_root\wow6432node\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}
    Failed to delete: [Registry Key] hkey_classes_root\clsid\{64182481-4f71-486b-a045-b233bd0da8fc}
    Failed to delete: [Registry Key] hkey_classes_root\wow6432node\clsid\{64182481-4f71-486b-a045-b233bd0da8fc}
    Failed to delete: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{64182481-4f71-486b-a045-b233bd0da8fc}
    Failed to delete: [Registry Key] hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\explorer\browser helper objects\{64182481-4f71-486b-a045-b233bd0da8fc}
    Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{95b7759c-8c7f-4bf1-b163-73684a933233}
    Failed to delete: [Registry Key] hkey_classes_root\clsid\{db4e9724-f518-4dfd-9c7c-78b52103cab9}
    Failed to delete: [Registry Key] hkey_classes_root\wow6432node\clsid\{db4e9724-f518-4dfd-9c7c-78b52103cab9}



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
    Failed to delete: [Folder] "C:\Users\Camila\appdata\local\conduit"
    Successfully deleted: [Folder] "C:\Users\Camila\appdata\local\opencandy"
    Successfully deleted: [Folder] "C:\Users\Camila\appdata\locallow\conduit"
    Failed to delete: [Folder] "C:\Users\Camila\appdata\locallow\facemoods.com"
    Successfully deleted: [Folder] "C:\Users\Camila\appdata\locallow\pricegong"
    Failed to delete: [Folder] "C:\Program Files (x86)\conduit"
    Failed to delete: [Folder] "C:\Program Files (x86)\facemoods.com"



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 12/02/2013 at 19:54:07,02
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    No malware has been found by Avira in a day.


  6. Posts : 2,470
    Windows 7 Home Premium
       #6

    Is there a RogueKiller RKreport.txt (Mode: Remove) on the Desktop?
    If so, please post it.

    Let's press on and run the ESET Online Scanner.

    First, temporarily disable your Anti-Virus.
    Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com

    If possible, use Internet Explorer for this scan.

    Right-click on the IE icon in the Start Menu and select: Run as Administrator

    Go here to run the Scan:
    ESET Online Scanner

    Accept the Terms of Use, then click on: Start
    When prompted, allow the Add-On/Active X to install.

    Under Scan Settings, make sure that the option Remove found threats is NOT checked, and the option Scan Archives is checked.

    Click on Advanced Settings and select the following:
    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

    Now, click on: Start
    The virus signature database begins to download. (This may take some time.)

    Next, the Online Scan begins automatically.
    Please do not touch the mouse or keyboard during the scan, otherwise it may stall.

    When the scan completes, click: List Threats
    Please copy and provide the information presented in your reply. (If no malware is found, a list is not presented.)
    Click the Back button, and then click the Finish button.

    Note: Make sure you re-enable your Anti-Virus!


  7. Posts : 20
    Windows 7 Home Premium x64 SP1
    Thread Starter
       #7

    Hi.

    No, there is no RKreport.txt (Mode: Remove) on the desktop.

    ESET scanner:

    C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask application
    C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
    C:\Program Files (x86)\CyberScript32\fserv\script1.ini probably unknown SCRIPT virus
    C:\Users\Camila\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQX4H20O\ApnIC[1].0 a variant of Win32/Bundled.Toolbar.Ask application
    C:\Users\Camila\AppData\Local\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application
    D:\Documentos\Instaladores\avira_2012_antivirus_gratis_1200147.exe a variant of Win32/Bundled.Toolbar.Ask application
    D:\Documentos\Instaladores\cpu-z_1.58-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask application
    D:\Documentos\Instaladores\CyberScript32.exe multiple threats
    D:\Documentos\Instaladores\disk-defrag-setup.exe a variant of Win32/Bundled.Toolbar.Ask application
    D:\Documentos\Instaladores\dvdcdbxp_setup_4.3.7.2423.exe Win32/OpenCandy application
    D:\Documentos\Instaladores\GOMPLAYERENSETUP.EXE a variant of Win32/Bundled.Toolbar.Ask application
    D:\Documentos\Instaladores\imgburn_2550.exe a variant of Win32/Bundled.Toolbar.Ask application
    D:\Documentos\Instaladores\Licking Cat screensaver.exe a variant of Win32/SoftonicDownloader.A application
    D:\Documentos\Instaladores\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application
    D:\Documentos\Instaladores\unlocker_190_32bit.exe Win32/Adware.ADON application
    D:\Documentos\Instaladores\CyberScript32\fserv\script1.ini probably unknown SCRIPT virus

    CyberScript is the mirc client that I use.

    Also, after one of the scans that we made, the following error window has been annoying me at every boot:
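    The ESET list above is easier to triage once it is parsed into records. The following Python script is an added example, not code from the thread or from ESET: it takes the "List Threats" lines pasted in post #7 (paths contain spaces, so it splits each line at the file extension rather than at whitespace), separates the "... application" verdicts ESET uses for potentially unwanted programs from everything else, counts detections per family, and builds a removal list that skips paths matching a keep-list (here "CyberScript", the mIRC client the poster wants to keep). The extension-based split rule and the "ends with application" classification are assumptions about ESET's output format, not documented behaviour.

```python
import re
from collections import Counter

# ESET Online Scanner "List Threats" output, copied from the report pasted
# above: each line is "<path> <detection name>" separated by a single space.
ESET_THREAT_LIST = r"""
C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\CyberScript32\fserv\script1.ini probably unknown SCRIPT virus
C:\Users\Camila\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQX4H20O\ApnIC[1].0 a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Camila\AppData\Local\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application
D:\Documentos\Instaladores\avira_2012_antivirus_gratis_1200147.exe a variant of Win32/Bundled.Toolbar.Ask application
D:\Documentos\Instaladores\cpu-z_1.58-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask application
D:\Documentos\Instaladores\CyberScript32.exe multiple threats
D:\Documentos\Instaladores\disk-defrag-setup.exe a variant of Win32/Bundled.Toolbar.Ask application
D:\Documentos\Instaladores\dvdcdbxp_setup_4.3.7.2423.exe Win32/OpenCandy application
D:\Documentos\Instaladores\GOMPLAYERENSETUP.EXE a variant of Win32/Bundled.Toolbar.Ask application
D:\Documentos\Instaladores\imgburn_2550.exe a variant of Win32/Bundled.Toolbar.Ask application
D:\Documentos\Instaladores\Licking Cat screensaver.exe a variant of Win32/SoftonicDownloader.A application
D:\Documentos\Instaladores\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application
D:\Documentos\Instaladores\unlocker_190_32bit.exe Win32/Adware.ADON application
D:\Documentos\Instaladores\CyberScript32\fserv\script1.ini probably unknown SCRIPT virus
"""

# Assumption: the path ends at the shortest prefix that finishes with
# ".<1-4 alphanumerics>" followed by a space; the rest is the verdict.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4}) (?P<verdict>.+)$")


def classify(verdict):
    """Assumption: ESET tags potentially unwanted/unsafe programs as
    '... application'; anything else (viruses, 'multiple threats') is malware."""
    return "pua" if verdict.lower().endswith("application") else "malware"


def family(verdict):
    """Reduce a verdict string to the bare detection family name."""
    name = re.sub(r"^(a variant of|probably unknown)\s+", "", verdict)
    return re.sub(r"\s+application$", "", name)


def parse_eset_report(text):
    """Turn the pasted threat list into a list of dict records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        records.append({
            "path": m["path"],
            "verdict": m["verdict"],
            "category": classify(m["verdict"]),
            "family": family(m["verdict"]),
        })
    return records


def summarize(records, keep=()):
    """Count findings by category and family and list the paths that remain
    to be removed after excluding any path containing a 'keep' substring
    (case-insensitive), as the helper asked for CyberScript."""
    keep_lc = tuple(k.lower() for k in keep)
    to_remove = [r["path"] for r in records
                 if not any(k in r["path"].lower() for k in keep_lc)]
    return {
        "by_category": dict(Counter(r["category"] for r in records)),
        "by_family": dict(Counter(r["family"] for r in records)),
        "to_remove": to_remove,
    }


if __name__ == "__main__":
    recs = parse_eset_report(ESET_THREAT_LIST)
    s = summarize(recs, keep=("CyberScript",))
    print(s["by_category"])
    for fam, n in sorted(s["by_family"].items(), key=lambda kv: -kv[1]):
        print(f"{n:2d}  {fam}")
    print("paths to remove:", len(s["to_remove"]), "of", len(recs))
```

    On this report the split gives 13 PUA findings (bundled Ask toolbar, OpenCandy, Softonic downloader, adware) against 3 non-PUA ones, all of which sit under CyberScript; the keep-list therefore drops exactly those three, which is what the poster and helper agreed on in the following posts.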


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    Please run Eset once again, and this time Remove found threats, except the CyberScript you use.

    Also, download AdwCleaner:
    http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner

    Save to the desktop.
    • Close all open programs.
    • To run the program, right-click AdwCleaner.exe and select "Run as Administrator"
    • Click on Search and confirm the prompt.
    • After it finishes, the computer is restarted.
    A text file report opens after the restart.


    Please post the content of the AdwCleaner report to your reply.
    (A copy of the log is also saved at C:\AdwCleaner[S1].txt)


  9. Posts : 20
    Windows 7 Home Premium x64 SP1
    Thread Starter
       #9

    Hi.
    Most of the things that Eset found were installers that I like to keep. I've deleted the threats as you said.

    AdwCleaner didn't require a restart to show me a log. And I couldn't find a way to change the language to English. Sorry.

    # AdwCleaner v2.112 - Relatório criado em 16/02/2013 às 01:00:05
    # Atualizado em 10/02/2013 por Xplode
    # Sistema Operacional : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Usuário : Camila - TARDIS
    # Modo de Boot : Normal
    # Executado de : C:\Users\Camila\Desktop\adwcleaner0.exe
    # Opção [Verificar]


    ***** [Serviços] *****


    ***** [Arquivos/Pastas] *****

    Pasta Encontrado : C:\Program Files (x86)\Conduit
    Pasta Encontrado : C:\Program Files (x86)\facemoods.com
    Pasta Encontrado : C:\Users\Camila\AppData\Local\Conduit
    Pasta Encontrado : C:\Users\Camila\AppData\LocalLow\facemoods.com
    Pasta Encontrado : C:\Users\Convidado\AppData\LocalLow\facemoods.com

    ***** [Registro] *****

    Chave Encontrada : HKCU\Software\Ask.com.tmp
    Chave Encontrada : HKCU\Software\facemoods.com
    Chave Encontrada : HKCU\Software\InstallCore
    Chave Encontrada : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Chave Encontrada : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
    Chave Encontrada : HKLM\SOFTWARE\Classes\AppID\{AD25754E-D76C-42B3-A335-2F81478B722F}
    Chave Encontrada : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Chave Encontrada : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Chave Encontrada : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Chave Encontrada : HKLM\Software\facemoods.com
    Chave Encontrada : HKLM\SOFTWARE\Microsoft\Tracing\facemoodssrv_RASAPI32
    Chave Encontrada : HKLM\SOFTWARE\Microsoft\Tracing\facemoodssrv_RASMANCS
    Chave Encontrada : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Chave Encontrada : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Chave Encontrada : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Chave Encontrada : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Chave Encontrada : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
    Chave Encontrada : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ihflimipbcaljfnojhhknppphnnciiif
    Chave Encontrada : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FFDF9EF3-3C3A-4F05-9A6E-5D3B778EC567}
    Chave Encontrada : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64182481-4F71-486B-A045-B233BD0DA8FC}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}
    Chave Encontrada : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
    Valor Encontrada : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

    ***** [Navegadores] *****

    -\\ Internet Explorer v9.0.8112.16464

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://start.facemoods.com/?a=ddr&s={searchTerms}&f=4

    -\\ Google Chrome v24.0.1312.57

    Arquivo : C:\Users\Camila\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Encontrada [l.8] : homepage = "hxxps://isearch.avg.com/?cid={CE624CD7-3D27-4EEA-88EC-DCC4CE8A6C35}&mid=85288506c41d47d0af9b69e529030a0b-17db3d868a5a1db38f6e2da50120758d1468bd24&lang=en&ds=gl011&pr=sa&d=2012-07-19 22:01:48&v=12.1.0.20&sap=hp",
    Encontrada [l.12] : urls_to_restore_on_startup = [ "hxxps://isearch.avg.com/?cid={CE624CD7-3D27-4EEA-88EC-DCC4CE8A6C35}&mid=85288506c41d47d0af9b69e529030a0b-17db3d868a5a1db38f6e2da50120758d1468bd24&lang=en&ds=gl011&pr=sa&d=2012-07-19 22:01:48&v=12.1.0.20&sap=hp" ]
    Encontrada [l.1621] : homepage = "hxxps://isearch.avg.com/?cid={CE624CD7-3D27-4EEA-88EC-DCC4CE8A6C35}&mid=85288506c41d47d0af9b69e529030a0b-17db3d868a5a1db38f6e2da50120758d1468bd24&lang=en&ds=gl011&pr=sa&d=2012-07-19 22:01:48&v=12.1.0.20&sap=hp",
    Encontrada [l.2149] : urls_to_restore_on_startup = [ "hxxps://isearch.avg.com/?cid={CE624CD7-3D27-4EEA-88EC-DCC4CE8A6C35}&mid=85288506c41d47d0af9b69e529030a0b-17db3d868a5a1db38f6e2da50120758d1468bd24&lang=en&ds=gl011&pr=sa&d=2012-07-19 22:01:48&v=12.1.0.20&sap=hp" ]

    -\\ Opera v12.14.1738.0

    Arquivo : C:\Users\Camila\AppData\Roaming\Opera\Opera\operaprefs.ini

    [OK] Arquivo está limpo.

    *************************

    AdwCleaner[R1].txt - [6015 octets] - [16/02/2013 00:56:47]
    AdwCleaner[R2].txt - [5986 octets] - [16/02/2013 01:00:05]

    ########## EOF - C:\AdwCleaner[R2].txt - [6046 octets] ##########


  10. Posts : 2,470
    Windows 7 Home Premium
       #10

    Please download the ESETNecursRemover:
    http://download.eset.com/special/ESETNecursRemover.exe
    Save to the Desktop

    Right-click on ESETNecursRemover.exe and select: Run as administrator

    Notice 1:
    If you receive the message "Rootkit was not found", your computer is not infected with the Necurs malware.

    Notice 2:
    If you receive the message "Win32/Necurs has been found on your system," press Y to confirm that you want to remove the Rootkit.

    Once the cleaning is completed, you are prompted to restart your computer.

    Press Y, and then press Enter to confirm that you want to restart.

    Post back on what the ESETNecursRemover found. The report is contained in the folder created on the Desktop. Please post its contents.

