
Computer Infected


Ladrian


Hi,

I downloaded Malwarebytes Anti-Malware and ran a full scan with it because I was experiencing numerous crashes and Blue Screens of Death. It told me I have the svchost.exe trojan, and now it asks to quarantine it every time I start the computer. Malwarebytes said it couldn't get rid of it on its own, and I haven't been able to find any other methods to get my computer clean. I'm at a loss at this point and would greatly appreciate any help you guys could give me.


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download RogueKiller to your desktop and run it.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options; they're not all bad!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


Alright, here is the DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.7.2

Run by Andrew at 18:42:06 on 2012-11-25

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8086.5231 [GMT -5:00]

.

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe

C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe

C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE

C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe

C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe

C:\Program Files (x86)\Ask.com\Updater\Updater.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files (x86)\Roxio\OEM\Roxio Burn\Roxio Burn.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Nero\Update\NASvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.dell.com

uDefault_Page_URL = hxxp://www.dell.com

uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll

BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\coieplg.dll

BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\IPS\ipsbho.dll

BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll

BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll

TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\coieplg.dll

uRun: [steam] "C:\Program Files (x86)\Steam\steam.exe" -silent

uRun: [Facebook Update] "C:\Users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe 900

mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"

mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup

mRun: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey

mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDDMST~1.LNK - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDSMAR~1.LNK - C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab

TCP: NameServer = 137.45.26.80 137.45.24.111

TCP: Interfaces\{AA5E4A45-5D72-404F-AA46-E6DA53B2B4A7} : DHCPNameServer = 137.45.26.80 137.45.24.111

TCP: Interfaces\{AA5E4A45-5D72-404F-AA46-E6DA53B2B4A7}\452554E444E65647635323 : DHCPNameServer = 192.168.10.1

TCP: Interfaces\{AA5E4A45-5D72-404F-AA46-E6DA53B2B4A7}\7556C636F6D65645F62555 : DHCPNameServer = 137.45.26.80 137.45.24.111

TCP: Interfaces\{AA5E4A45-5D72-404F-AA46-E6DA53B2B4A7}\84F4D454E4544553635363 : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

TCP: Interfaces\{AA5E4A45-5D72-404F-AA46-E6DA53B2B4A7}\84F6C6964616970294E6E602242757E637779636B602331373 : DHCPNameServer = 10.1.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

AppInit_DLLs= C:\Windows\SysWOW64\nvinit.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL

x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s

x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX3

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe

x64-Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray

x64-Run: [QuickSet] c:\Program Files\Dell\QuickSet\QuickSet.exe

x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

x64-DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - <orphaned>

x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\

FF - prefs.js: browser.search.selectedEngine - Ask.com

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_uid=049BA6E7-1EB7-4B46-8BBB-067676C7B4EC&apn_ptnrs=&apn_sauid=CA49E17A-0877-4B2A-BF91-CE8227C1F601&apn_dtid=OSJ000&&q=

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Andrew\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll

FF - plugin: C:\Users\Andrew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

FF - ExtSQL: 2012-11-04 13:54; jid1-xUfzOsOFlzSOXg@jetpack; C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi

FF - ExtSQL: 2012-11-24 00:34; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\coFFPlgn

FF - ExtSQL: 2012-11-24 00:34; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\IPSFFPlgn

.

============= SERVICES / DRIVERS ===============

.

P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-3-8 8704]

R0 nvpciflt;nvpciflt;C:\Windows\System32\drivers\nvpciflt.sys [2012-5-29 28992]

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-8-16 55856]

R0 SMR311;Symantec SMR Utility Service 3.1.1;C:\Windows\System32\drivers\SMR311.SYS [2012-11-24 95392]

R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\System32\drivers\stdcfltn.sys [2011-8-16 21616]

R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1402000.013\SymDS64.sys [2012-11-24 493216]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1402000.013\SymEFA64.sys [2012-11-24 1133216]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\BASHDefs\20121106.001\BHDrvx64.sys [2012-10-23 1384608]

R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\System32\drivers\NISx64\1402000.013\ccSetx64.sys [2012-11-24 168096]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\IPSDefs\20121123.001\IDSviA64.sys [2012-11-23 513184]

R1 nvkflt;nvkflt;C:\Windows\System32\drivers\nvkflt.sys [2012-5-29 249152]

R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1402000.013\Ironx64.sys [2012-11-24 224416]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1402000.013\symnets.sys [2012-11-24 432800]

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-8-16 98208]

R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-20 399432]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-20 676936]

R2 NACAgent;Cisco NAC Agent;C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [2012-4-16 1257400]

R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]

R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe [2012-11-24 143928]

R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]

R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]

R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-8-16 1692480]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-8-16 2656280]

R2 WDDMService;WD SmartWare Drive Manager Service;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-1-21 130048]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

R3 Acceler;Accelerometer Service;C:\Windows\System32\drivers\Accelern.sys [2011-8-16 27760]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2011-12-14 176000]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-11-24 138912]

R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-8-16 317440]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-20 25928]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-8-16 82432]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-8-16 181760]

R3 qicflt;upper Device Filter Driver;C:\Windows\System32\drivers\qicflt.sys [2011-8-16 29288]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-8-16 428136]

R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]

R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]

R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]

R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]

R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]

R3 wdkmd;Intel WiDi KMD;C:\Windows\System32\drivers\WDKMD.sys [2010-12-1 42392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 EraserSvc11210;Symantec Eraser Service;"C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe" /h ccCommon --> C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe [?]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]

S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-8-16 158976]

S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-12-17 340240]

S3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;C:\Windows\System32\drivers\nvstusb.sys [2011-8-16 121960]

S3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0;PCDSRVC{1E208CE0-FB7451FF-06020200}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-8-17 25584]

S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-8-21 1255736]

S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-11-25 21:32:25 20480 ----a-w- C:\Windows\svchost.exe

2012-11-24 05:53:17 95392 ----a-w- C:\Windows\System32\drivers\SMR311.SYS

2012-11-24 05:49:57 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared

2012-11-24 05:33:52 177312 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS

2012-11-24 05:33:51 -------- d-----w- C:\Program Files\Common Files\Symantec Shared

2012-11-24 05:24:58 432800 ----a-r- C:\Windows\System32\drivers\NISx64\1402000.013\symnets.sys

2012-11-24 05:24:58 23448 ----a-r- C:\Windows\System32\drivers\NISx64\1402000.013\SymELAM.sys

2012-11-24 05:24:57 776864 ----a-r- C:\Windows\System32\drivers\NISx64\1402000.013\srtsp64.sys

2012-11-24 05:24:57 493216 ----a-r- C:\Windows\System32\drivers\NISx64\1402000.013\SymDS64.sys

2012-11-24 05:24:57 37496 ----a-r- C:\Windows\System32\drivers\NISx64\1402000.013\srtspx64.sys

2012-11-24 05:24:57 224416 ----a-r- C:\Windows\System32\drivers\NISx64\1402000.013\Ironx64.sys

2012-11-24 05:24:57 168096 ----a-r- C:\Windows\System32\drivers\NISx64\1402000.013\ccSetx64.sys

2012-11-24 05:24:57 1133216 ----a-r- C:\Windows\System32\drivers\NISx64\1402000.013\SymEFA64.sys

2012-11-24 05:24:41 -------- d-----w- C:\Program Files (x86)\Norton Internet Security

2012-11-24 05:23:42 -------- d-----w- C:\Program Files (x86)\NortonInstaller

2012-11-24 05:18:45 -------- d-----w- C:\ProgramData\PCSettings

2012-11-24 05:12:00 -------- d-----w- C:\Program Files\Symantec

2012-11-24 05:11:40 -------- d-----w- C:\Windows\System32\drivers\NISx64\1402000.013

2012-11-24 05:11:40 -------- d-----w- C:\Windows\System32\drivers\NISx64

2012-11-22 05:08:33 -------- d-----w- C:\Windows\Microsoft Antimalware

2012-11-20 05:44:23 -------- d-----w- C:\Users\Andrew\AppData\Roaming\Malwarebytes

2012-11-20 05:44:07 -------- d-----w- C:\ProgramData\Malwarebytes

2012-11-20 05:44:06 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-11-20 05:44:06 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-20 04:51:21 -------- d-----w- C:\Users\Andrew\AppData\Local\Western_Digital

2012-11-20 04:10:02 -------- d-----w- C:\ProgramData\WD_SmartWareCommon

2012-11-20 04:08:07 -------- d-----w- C:\Users\Andrew\AppData\Roaming\Western Digital

2012-11-20 04:07:57 -------- d-----w- C:\ProgramData\Western Digital

2012-11-20 04:07:49 -------- d-----w- C:\Program Files\Western Digital

2012-11-20 04:07:49 -------- d-----w- C:\Program Files (x86)\Western Digital

2012-11-20 04:07:15 -------- d-----w- C:\Users\Andrew\AppData\Local\Western Digital

2012-11-15 00:01:43 503808 ----a-w- C:\Windows\SysWow64\MSVCP71.DLL

2012-11-15 00:01:43 348160 ----a-w- C:\Windows\SysWow64\MSVCR71.DLL

2012-11-15 00:01:43 1060864 ----a-w- C:\Windows\SysWow64\MFC71.DLL

2012-11-14 03:24:52 -------- d-----w- C:\Program Files (x86)\Common Files\Cisco

2012-11-14 02:26:53 -------- d-----w- C:\Program Files (x86)\Symantec

2012-11-14 01:03:09 9728 ----a-w- C:\Windows\System32\Wdfres.dll

2012-11-14 01:03:09 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys

2012-11-14 01:03:09 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys

2012-11-14 01:03:09 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui

2012-11-14 00:56:44 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys

2012-11-14 00:56:44 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll

2012-11-14 00:56:44 744448 ----a-w- C:\Windows\System32\WUDFx.dll

2012-11-14 00:56:44 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll

2012-11-14 00:56:44 229888 ----a-w- C:\Windows\System32\WUDFHost.exe

2012-11-14 00:56:44 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys

2012-11-14 00:56:44 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll

2012-11-13 23:45:44 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64

2012-11-13 23:45:44 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105

2012-11-13 23:45:44 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D

2012-11-13 23:45:44 -------- d-----w- C:\Windows\System32\drivers\SEP

2012-11-09 23:47:07 8525240 ----a-w- C:\Program Files (x86)\Mozilla Firefox\updated\BLR Installerv3\Blacklight Retribution.exe

2012-11-09 23:47:01 18912 ----a-w- C:\Program Files (x86)\Mozilla Firefox\updated\AccessibleMarshal.dll

2012-11-09 03:50:18 -------- d-----w- C:\Windows\System32\drivers\N360x64\1402000.013

2012-11-09 03:50:18 -------- d-----w- C:\Windows\System32\drivers\N360x64

2012-11-06 02:05:31 -------- d-----w- C:\ProgramData\Battle.net

2012-11-03 20:09:47 -------- d-----w- C:\Users\Andrew\AppData\Local\ElevatedDiagnostics

.

==================== Find3M ====================

.

2012-11-20 21:43:11 58288 ----a-w- C:\Windows\System32\snacnp.dll

2012-11-20 07:35:08 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-11-20 07:35:08 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll

2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll

2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll

2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll

2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll

2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll

2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll

2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll

2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll

2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys

2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll

2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll

2012-09-22 18:24:45 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr

2012-09-22 18:24:45 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe

2012-09-22 18:08:28 298016 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0

2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-09-03 02:12:23 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2012-09-03 02:12:23 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-09-03 02:12:23 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys

.

============= FINISH: 18:44:11.18 ===============

And I attached the Attach log. I'm about to download RogueKiller and run the scan; I just wanted to reply back as soon as possible.


Sorry for the late reply, here is the RogueKiller report:

RogueKiller V8.3.1 [Nov 26 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Andrew [Admin rights]

Mode : Scan -- Date : 11/28/2012 16:52:28

¤¤¤ Bad processes : 1 ¤¤¤

[SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$792f41990b73e2f47b46706eb422a6b8\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$792f41990b73e2f47b46706eb422a6b8\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD7500BPKT-75PK4T0 +++++

--- User ---

[MBR] c4d441a27258bc95be2bbf548713c1b2

[BSP] dea9defa67a18cc486b8c709b2ee22f0 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 212992 | Size: 20000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41172992 | Size: 695299 Mo

User != LL1 ... KO!

--- LL1 ---

[MBR] ac5f3fcbb7c7fc1df33156d22783a216

[BSP] dea9defa67a18cc486b8c709b2ee22f0 : Windows Vista MBR Code

Partition table:

1 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 212992 | Size: 20000 Mo

3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41172992 | Size: 695299 Mo

User != LL2 ... KO!

--- LL2 ---

[MBR] ac5f3fcbb7c7fc1df33156d22783a216

[BSP] dea9defa67a18cc486b8c709b2ee22f0 : Windows Vista MBR Code

Partition table:

1 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 212992 | Size: 20000 Mo

3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41172992 | Size: 695299 Mo

Finished : << RKreport[1]_S_11282012_02d1652.txt >>


Here you go......

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please create a new system restore point before running Malwarebytes Anti-Rootkit.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


MrC


Alright, I'll download and run that.

And about the reformatting and reinstalling, do you believe that'll take care of the problem further? I won't do it just yet, but I may in the very near future, and I just wanted to know if doing so would help keep my computer somewhat secure.


Okay, thank you.

And here are the two logs from the anti-rootkit:

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.28.10

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Andrew :: ANDREW-PC [administrator]

11/28/2012 7:06:49 PM

mbar-log-2012-11-28 (19-06-49).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 27825

Time elapsed: 19 minute(s), 5 second(s)

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 9040 -> Delete on reboot. [4e5d8c30df7e142268f2483eda2838c8]

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 3

C:\$RECYCLE.BIN\S-1-5-18\$792f41990b73e2f47b46706eb422a6b8\U (Trojan.Siredef.C) -> Delete on reboot. [42693983fa63d462377232ce738d5aa6]

C:\$RECYCLE.BIN\S-1-5-18\$792f41990b73e2f47b46706eb422a6b8\L (Trojan.Siredef.C) -> Delete on reboot. [cae164582d3042f40e9d728e12ee13ed]

C:\$RECYCLE.BIN\S-1-5-18\$792f41990b73e2f47b46706eb422a6b8 (Trojan.Siredef.C) -> Delete on reboot. [3d6eb5074b128aacadff40c042beec14]

Files Detected: 4

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_6_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot. [53343e92f0bca61cfa4e7b2c1f3cac06]

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot. [c4d441a27258bc95be2bbf548713c1b2]

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_1465148493_user.mbam (Forged physical sector) -> Delete on reboot. [8240dd042845ebed5e91aabb51877474]

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot. [4e5d8c30df7e142268f2483eda2838c8]

(end)

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_29

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 2.294000 GHz

Memory total: 8478961664, free: 5225664512

------------ Kernel report ------------

11/28/2012 18:46:28

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\System32\drivers\SMR311.SYS

\SystemRoot\System32\drivers\FLTMGR.SYS

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\DRIVERS\compbatt.sys

\SystemRoot\system32\DRIVERS\BATTC.SYS

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\iaStor.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\NISx64\1402000.013\SYMDS64.SYS

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\NISx64\1402000.013\SYMEFA64.SYS

\SystemRoot\System32\Drivers\PxHlpa64.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\system32\DRIVERS\stdcfltn.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\system32\DRIVERS\nvpciflt.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\drivers\NISx64\1402000.013\ccSetx64.sys

\SystemRoot\system32\drivers\NISx64\1402000.013\Ironx64.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\drivers\NISx64\1402000.013\SYMNETS.SYS

\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS

\SystemRoot\system32\drivers\NISx64\1402000.013\SRTSPX64.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\nvkflt.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\BASHDefs\20121106.001\BHDrvx64.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\wmiacpi.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\Drivers\nvBridge.kmd

\SystemRoot\system32\DRIVERS\igdkmd64.sys

\SystemRoot\system32\DRIVERS\HECIx64.sys

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\NETwNs64.sys

\SystemRoot\system32\DRIVERS\vwifibus.sys

\SystemRoot\system32\DRIVERS\nusb3xhc.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\Rt64win7.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\SynTP.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\Accelern.sys

\SystemRoot\system32\DRIVERS\CmBatt.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\WDKMD.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\nusb3hub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\RTKVHD64.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\IntcDAud.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_iaStor.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\Drivers\usbvideo.sys

\SystemRoot\system32\DRIVERS\qicflt.sys

\SystemRoot\system32\DRIVERS\CtClsFlt.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\Sftvollh.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\vwifimp.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\system32\DRIVERS\Sftfslh.sys

\SystemRoot\system32\DRIVERS\Sftplaylh.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\system32\DRIVERS\Sftredirlh.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\NISx64\1402000.013\SRTSP64.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\IPSDefs\20121127.001\IDSvia64.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\VirusDefs\20121128.003\EX64.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\VirusDefs\20121128.003\ENG64.SYS

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\ole32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\psapi.dll

\Windows\System32\gdi32.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\normaliz.dll

\Windows\System32\clbcatq.dll

\Windows\System32\msvcrt.dll

\Windows\System32\usp10.dll

\Windows\System32\msctf.dll

\Windows\System32\shell32.dll

\Windows\System32\imm32.dll

\Windows\System32\setupapi.dll

\Windows\System32\ws2_32.dll

\Windows\System32\shlwapi.dll

\Windows\System32\kernel32.dll

\Windows\System32\difxapi.dll

\Windows\System32\advapi32.dll

\Windows\System32\sechost.dll

\Windows\System32\user32.dll

\Windows\System32\nsi.dll

\Windows\System32\Wldap32.dll

\Windows\System32\comdlg32.dll

\Windows\System32\iertutil.dll

\Windows\System32\urlmon.dll

\Windows\System32\wininet.dll

\Windows\System32\lpk.dll

\Windows\System32\imagehlp.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\devobj.dll

\Windows\System32\comctl32.dll

\Windows\System32\wintrust.dll

\Windows\System32\crypt32.dll

\Windows\System32\KernelBase.dll

\Windows\System32\msasn1.dll

\Windows\SysWOW64\normaliz.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa80096e0060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-1\

Lower Device Object: 0xfffffa8007aeb050

Lower Device Driver Name: \00000712\

Driver name found: iaStor

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.11.28.10

Downloaded database version: v2012.11.28.01

Initializing...

Done!

Scanning directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 3

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa80096e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8007cab870, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80096e0060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8007caa850, DeviceName: Unknown, DriverName: \Driver\stdcfltn\

DevicePointer: 0xfffffa8007ae7a40, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8007aeb050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \00000712\

------------ End ----------

Upper DeviceData: 0xfffff8a018cafdf0, 0xfffffa80096e0060, 0xfffffa80099d2090

Lower DeviceData: 0xfffff8a01cb3c420, 0xfffffa8007aeb050, 0xfffffa80099d5090

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

MBR is forged!

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 7F2837E

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 6 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 1 on drive 0 ...

Partition 0 type is Other (0xde)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 208782

Partition 1 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 212992 Numsec = 40960000

Partition file system is NTFS

Partition is bootable

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 41172992 Numsec = 1423974128

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 750156374016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-5-1465129168-1465149168)...


Sector 1465148712 --> [Forged physical sector]

Sector 1465148713 --> [Forged physical sector]

Sector 1465148714 --> [Forged physical sector]

Sector 1465148715 --> [Forged physical sector]

Sector 1465148716 --> [Forged physical sector]

Sector 1465148717 --> [Forged physical sector]

Sector 1465148718 --> [Forged physical sector]

Sector 1465148719 --> [Forged physical sector]

Sector 1465148720 --> [Forged physical sector]

Sector 1465148721 --> [Forged physical sector]

Sector 1465148722 --> [Forged physical sector]

Sector 1465148723 --> [Forged physical sector]

Sector 1465148724 --> [Forged physical sector]

Sector 1465148725 --> [Forged physical sector]

Sector 1465148726 --> [Forged physical sector]

Sector 1465148727 --> [Forged physical sector]

Sector 1465148728 --> [Forged physical sector]

Sector 1465148729 --> [Forged physical sector]

Sector 1465148730 --> [Forged physical sector]

Sector 1465148731 --> [Forged physical sector]

Sector 1465148732 --> [Forged physical sector]

Sector 1465148733 --> [Forged physical sector]

Sector 1465148734 --> [Forged physical sector]

Sector 1465148735 --> [Forged physical sector]

Sector 1465148736 --> [Forged physical sector]

Sector 1465148737 --> [Forged physical sector]

Sector 1465148738 --> [Forged physical sector]

Sector 1465148739 --> [Forged physical sector]

Sector 1465148740 --> [Forged physical sector]

Sector 1465148741 --> [Forged physical sector]

Sector 1465148742 --> [Forged physical sector]

Sector 1465148743 --> [Forged physical sector]

Sector 1465148744 --> [Forged physical sector]

Sector 1465148745 --> [Forged physical sector]

Sector 1465148746 --> [Forged physical sector]

Sector 1465148747 --> [Forged physical sector]

Sector 1465148748 --> [Forged physical sector]

Sector 1465148749 --> [Forged physical sector]

Sector 1465148750 --> [Forged physical sector]

Sector 1465148751 --> [Forged physical sector]

Sector 1465148752 --> [Forged physical sector]

Sector 1465148753 --> [Forged physical sector]

Sector 1465148754 --> [Forged physical sector]

Sector 1465148755 --> [Forged physical sector]

Sector 1465148756 --> [Forged physical sector]

Sector 1465148757 --> [Forged physical sector]

Sector 1465148758 --> [Forged physical sector]

Sector 1465148759 --> [Forged physical sector]

Sector 1465148760 --> [Forged physical sector]

Sector 1465148761 --> [Forged physical sector]

Sector 1465148762 --> [Forged physical sector]

Sector 1465148763 --> [Forged physical sector]

Sector 1465148764 --> [Forged physical sector]

Sector 1465148765 --> [Forged physical sector]

Sector 1465148766 --> [Forged physical sector]

Sector 1465148767 --> [Forged physical sector]

Sector 1465148768 --> [Forged physical sector]

Sector 1465148769 --> [Forged physical sector]

Sector 1465148770 --> [Forged physical sector]

Sector 1465148771 --> [Forged physical sector]

Sector 1465148772 --> [Forged physical sector]

Sector 1465148773 --> [Forged physical sector]

Sector 1465148774 --> [Forged physical sector]

Sector 1465148775 --> [Forged physical sector]

Sector 1465148776 --> [Forged physical sector]

Sector 1465148777 --> [Forged physical sector]

Sector 1465148778 --> [Forged physical sector]

Sector 1465148779 --> [Forged physical sector]

Sector 1465148780 --> [Forged physical sector]

Sector 1465148781 --> [Forged physical sector]

Sector 1465148782 --> [Forged physical sector]

Sector 1465148783 --> [Forged physical sector]

Sector 1465148784 --> [Forged physical sector]

Sector 1465148785 --> [Forged physical sector]

Sector 1465148786 --> [Forged physical sector]

Sector 1465148787 --> [Forged physical sector]

Sector 1465148788 --> [Forged physical sector]

Sector 1465148789 --> [Forged physical sector]

Sector 1465148790 --> [Forged physical sector]

Sector 1465148791 --> [Forged physical sector]

Sector 1465148792 --> [Forged physical sector]

Sector 1465148793 --> [Forged physical sector]

Sector 1465148794 --> [Forged physical sector]

Sector 1465148795 --> [Forged physical sector]

Sector 1465148796 --> [Forged physical sector]

Sector 1465148797 --> [Forged physical sector]

Sector 1465148798 --> [Forged physical sector]

Sector 1465148799 --> [Forged physical sector]

Sector 1465148800 --> [Forged physical sector]

Sector 1465148801 --> [Forged physical sector]

Sector 1465148802 --> [Forged physical sector]

Sector 1465148803 --> [Forged physical sector]

Sector 1465148804 --> [Forged physical sector]

Sector 1465148805 --> [Forged physical sector]

Sector 1465148806 --> [Forged physical sector]

Sector 1465148807 --> [Forged physical sector]

Sector 1465148808 --> [Forged physical sector]

Sector 1465148809 --> [Forged physical sector]

Sector 1465148810 --> [Forged physical sector]

Sector 1465148811 --> [Forged physical sector]

Sector 1465148812 --> [Forged physical sector]

Sector 1465148813 --> [Forged physical sector]

Sector 1465148814 --> [Forged physical sector]

Sector 1465148815 --> [Forged physical sector]

Sector 1465148816 --> [Forged physical sector]

Sector 1465148817 --> [Forged physical sector]

Sector 1465148818 --> [Forged physical sector]

Sector 1465148819 --> [Forged physical sector]

Sector 1465148820 --> [Forged physical sector]

Sector 1465148821 --> [Forged physical sector]

Sector 1465148822 --> [Forged physical sector]

Sector 1465148823 --> [Forged physical sector]

Sector 1465148824 --> [Forged physical sector]

Sector 1465148825 --> [Forged physical sector]

Sector 1465148826 --> [Forged physical sector]

Sector 1465148827 --> [Forged physical sector]

Sector 1465148828 --> [Forged physical sector]

Sector 1465148829 --> [Forged physical sector]

Sector 1465148830 --> [Forged physical sector]

Sector 1465148831 --> [Forged physical sector]

Sector 1465148832 --> [Forged physical sector]

Sector 1465148833 --> [Forged physical sector]

Sector 1465148834 --> [Forged physical sector]

Sector 1465148835 --> [Forged physical sector]

Sector 1465148836 --> [Forged physical sector]

Sector 1465148837 --> [Forged physical sector]

Sector 1465148838 --> [Forged physical sector]

Sector 1465148839 --> [Forged physical sector]

Sector 1465148840 --> [Forged physical sector]

Sector 1465148841 --> [Forged physical sector]

Sector 1465148842 --> [Forged physical sector]

Sector 1465148843 --> [Forged physical sector]

Sector 1465148844 --> [Forged physical sector]

Sector 1465148845 --> [Forged physical sector]

Sector 1465148846 --> [Forged physical sector]

Sector 1465148847 --> [Forged physical sector]

Sector 1465148848 --> [Forged physical sector]

Sector 1465148849 --> [Forged physical sector]

Sector 1465148850 --> [Forged physical sector]

Sector 1465148851 --> [Forged physical sector]

Sector 1465148852 --> [Forged physical sector]

Sector 1465148853 --> [Forged physical sector]

Sector 1465148854 --> [Forged physical sector]

Sector 1465148855 --> [Forged physical sector]

Sector 1465148856 --> [Forged physical sector]

Sector 1465148857 --> [Forged physical sector]

Sector 1465148858 --> [Forged physical sector]

Sector 1465148859 --> [Forged physical sector]

Sector 1465148860 --> [Forged physical sector]

Sector 1465148861 --> [Forged physical sector]

Sector 1465148862 --> [Forged physical sector]

Sector 1465148863 --> [Forged physical sector]

Sector 1465148864 --> [Forged physical sector]

Sector 1465148865 --> [Forged physical sector]

Sector 1465148866 --> [Forged physical sector]

Sector 1465148867 --> [Forged physical sector]

Sector 1465148868 --> [Forged physical sector]

Sector 1465148869 --> [Forged physical sector]

Sector 1465148870 --> [Forged physical sector]

Sector 1465148871 --> [Forged physical sector]

Sector 1465148872 --> [Forged physical sector]

Sector 1465148873 --> [Forged physical sector]

Sector 1465148874 --> [Forged physical sector]

Sector 1465148875 --> [Forged physical sector]

Sector 1465148876 --> [Forged physical sector]

Sector 1465148877 --> [Forged physical sector]

Sector 1465148878 --> [Forged physical sector]

Sector 1465148879 --> [Forged physical sector]

Sector 1465148880 --> [Forged physical sector]

Sector 1465148881 --> [Forged physical sector]

Sector 1465148882 --> [Forged physical sector]

Sector 1465148883 --> [Forged physical sector]

Sector 1465148884 --> [Forged physical sector]

Sector 1465148885 --> [Forged physical sector]

Sector 1465148886 --> [Forged physical sector]

Sector 1465148887 --> [Forged physical sector]

Sector 1465148888 --> [Forged physical sector]

Sector 1465148889 --> [Forged physical sector]

Sector 1465148890 --> [Forged physical sector]

Sector 1465148891 --> [Forged physical sector]

Sector 1465148892 --> [Forged physical sector]

Sector 1465148893 --> [Forged physical sector]

Sector 1465148894 --> [Forged physical sector]

Sector 1465148895 --> [Forged physical sector]

Sector 1465148896 --> [Forged physical sector]

Sector 1465148897 --> [Forged physical sector]

Sector 1465148898 --> [Forged physical sector]

Sector 1465148899 --> [Forged physical sector]

Sector 1465148900 --> [Forged physical sector]

Sector 1465148901 --> [Forged physical sector]

Sector 1465148902 --> [Forged physical sector]

Sector 1465148903 --> [Forged physical sector]

Sector 1465148904 --> [Forged physical sector]

Sector 1465148905 --> [Forged physical sector]

Sector 1465148906 --> [Forged physical sector]

Sector 1465148907 --> [Forged physical sector]

Sector 1465148908 --> [Forged physical sector]

Sector 1465148909 --> [Forged physical sector]

Sector 1465148910 --> [Forged physical sector]

Sector 1465148911 --> [Forged physical sector]

Sector 1465148912 --> [Forged physical sector]

Sector 1465148913 --> [Forged physical sector]

Sector 1465148914 --> [Forged physical sector]

Sector 1465148915 --> [Forged physical sector]

Sector 1465148916 --> [Forged physical sector]

Sector 1465148917 --> [Forged physical sector]

Sector 1465148918 --> [Forged physical sector]

Sector 1465148919 --> [Forged physical sector]

Sector 1465148920 --> [Forged physical sector]

Sector 1465148921 --> [Forged physical sector]

Sector 1465148922 --> [Forged physical sector]

Sector 1465148923 --> [Forged physical sector]

Sector 1465148924 --> [Forged physical sector]

Sector 1465148925 --> [Forged physical sector]

Sector 1465148926 --> [Forged physical sector]

Sector 1465148927 --> [Forged physical sector]

Sector 1465148928 --> [Forged physical sector]

Sector 1465148929 --> [Forged physical sector]

Sector 1465148930 --> [Forged physical sector]

Sector 1465148931 --> [Forged physical sector]

Sector 1465148932 --> [Forged physical sector]

Sector 1465148933 --> [Forged physical sector]

Sector 1465148934 --> [Forged physical sector]

Sector 1465148935 --> [Forged physical sector]

Sector 1465148936 --> [Forged physical sector]

Sector 1465148937 --> [Forged physical sector]

Sector 1465148938 --> [Forged physical sector]

Sector 1465148939 --> [Forged physical sector]

Sector 1465148940 --> [Forged physical sector]

Sector 1465148941 --> [Forged physical sector]

Sector 1465148942 --> [Forged physical sector]

Sector 1465148943 --> [Forged physical sector]

Sector 1465148944 --> [Forged physical sector]

Sector 1465148945 --> [Forged physical sector]

Sector 1465148946 --> [Forged physical sector]

Sector 1465148947 --> [Forged physical sector]

Sector 1465148948 --> [Forged physical sector]

Sector 1465148949 --> [Forged physical sector]

Sector 1465148950 --> [Forged physical sector]

Sector 1465148951 --> [Forged physical sector]

Sector 1465148952 --> [Forged physical sector]

Sector 1465148953 --> [Forged physical sector]

Sector 1465148954 --> [Forged physical sector]

Sector 1465148955 --> [Forged physical sector]

Sector 1465148956 --> [Forged physical sector]

Sector 1465148957 --> [Forged physical sector]

Sector 1465148958 --> [Forged physical sector]

Sector 1465148959 --> [Forged physical sector]

Sector 1465148960 --> [Forged physical sector]

Sector 1465148961 --> [Forged physical sector]

Sector 1465148962 --> [Forged physical sector]

Sector 1465148963 --> [Forged physical sector]

Sector 1465148964 --> [Forged physical sector]

Sector 1465148965 --> [Forged physical sector]

Sector 1465148966 --> [Forged physical sector]

Sector 1465148967 --> [Forged physical sector]

Sector 1465148968 --> [Forged physical sector]

Sector 1465148969 --> [Forged physical sector]

Sector 1465148970 --> [Forged physical sector]

Sector 1465148971 --> [Forged physical sector]

Sector 1465148972 --> [Forged physical sector]

Sector 1465148973 --> [Forged physical sector]

Sector 1465148974 --> [Forged physical sector]

Sector 1465148975 --> [Forged physical sector]

Sector 1465148976 --> [Forged physical sector]

Sector 1465148977 --> [Forged physical sector]

Sector 1465148978 --> [Forged physical sector]

Sector 1465148979 --> [Forged physical sector]

Sector 1465148980 --> [Forged physical sector]

Sector 1465148981 --> [Forged physical sector]

Sector 1465148982 --> [Forged physical sector]

Sector 1465148983 --> [Forged physical sector]

Sector 1465148984 --> [Forged physical sector]

Sector 1465148985 --> [Forged physical sector]

Sector 1465148986 --> [Forged physical sector]

Sector 1465148987 --> [Forged physical sector]

Sector 1465148988 --> [Forged physical sector]

Sector 1465148989 --> [Forged physical sector]

Sector 1465148990 --> [Forged physical sector]

Sector 1465148991 --> [Forged physical sector]

Sector 1465148992 --> [Forged physical sector]

Sector 1465148993 --> [Forged physical sector]

Sector 1465148994 --> [Forged physical sector]

Sector 1465148995 --> [Forged physical sector]

Sector 1465148996 --> [Forged physical sector]

Sector 1465148997 --> [Forged physical sector]

Sector 1465148998 --> [Forged physical sector]

Sector 1465148999 --> [Forged physical sector]

Sector 1465149000 --> [Forged physical sector]

Sector 1465149001 --> [Forged physical sector]

Sector 1465149002 --> [Forged physical sector]

Sector 1465149003 --> [Forged physical sector]

Sector 1465149004 --> [Forged physical sector]

Sector 1465149005 --> [Forged physical sector]

Sector 1465149006 --> [Forged physical sector]

Sector 1465149007 --> [Forged physical sector]

Sector 1465149008 --> [Forged physical sector]

Sector 1465149009 --> [Forged physical sector]

Sector 1465149010 --> [Forged physical sector]

Sector 1465149011 --> [Forged physical sector]

Sector 1465149012 --> [Forged physical sector]

Sector 1465149013 --> [Forged physical sector]

Sector 1465149014 --> [Forged physical sector]

Sector 1465149015 --> [Forged physical sector]

Sector 1465149016 --> [Forged physical sector]

Sector 1465149017 --> [Forged physical sector]

Sector 1465149018 --> [Forged physical sector]

Sector 1465149019 --> [Forged physical sector]

Sector 1465149020 --> [Forged physical sector]

Sector 1465149021 --> [Forged physical sector]

Sector 1465149022 --> [Forged physical sector]

Sector 1465149023 --> [Forged physical sector]

Sector 1465149024 --> [Forged physical sector]

Sector 1465149025 --> [Forged physical sector]

Sector 1465149026 --> [Forged physical sector]

Sector 1465149027 --> [Forged physical sector]

Sector 1465149028 --> [Forged physical sector]

Sector 1465149029 --> [Forged physical sector]

Sector 1465149030 --> [Forged physical sector]

Sector 1465149031 --> [Forged physical sector]

Sector 1465149032 --> [Forged physical sector]

Sector 1465149033 --> [Forged physical sector]

Sector 1465149034 --> [Forged physical sector]

Sector 1465149035 --> [Forged physical sector]

Sector 1465149036 --> [Forged physical sector]

Sector 1465149037 --> [Forged physical sector]

Sector 1465149038 --> [Forged physical sector]

Sector 1465149039 --> [Forged physical sector]

Sector 1465149040 --> [Forged physical sector]

Sector 1465149041 --> [Forged physical sector]

Sector 1465149042 --> [Forged physical sector]

Sector 1465149043 --> [Forged physical sector]

Sector 1465149044 --> [Forged physical sector]

Sector 1465149045 --> [Forged physical sector]

Sector 1465149046 --> [Forged physical sector]

Sector 1465149047 --> [Forged physical sector]

Sector 1465149048 --> [Forged physical sector]

Sector 1465149049 --> [Forged physical sector]

Sector 1465149050 --> [Forged physical sector]

Sector 1465149051 --> [Forged physical sector]

Sector 1465149052 --> [Forged physical sector]

Sector 1465149053 --> [Forged physical sector]

Sector 1465149054 --> [Forged physical sector]

Sector 1465149055 --> [Forged physical sector]

Sector 1465149056 --> [Forged physical sector]

Sector 1465149057 --> [Forged physical sector]

Sector 1465149058 --> [Forged physical sector]

Sector 1465149059 --> [Forged physical sector]

Sector 1465149060 --> [Forged physical sector]

Sector 1465149061 --> [Forged physical sector]

Sector 1465149062 --> [Forged physical sector]

Sector 1465149063 --> [Forged physical sector]

Sector 1465149064 --> [Forged physical sector]

Sector 1465149065 --> [Forged physical sector]

Sector 1465149066 --> [Forged physical sector]

Sector 1465149067 --> [Forged physical sector]

Sector 1465149068 --> [Forged physical sector]

Sector 1465149069 --> [Forged physical sector]

Sector 1465149070 --> [Forged physical sector]

Sector 1465149071 --> [Forged physical sector]

Sector 1465149072 --> [Forged physical sector]

Sector 1465149073 --> [Forged physical sector]

Sector 1465149074 --> [Forged physical sector]

Sector 1465149075 --> [Forged physical sector]

Sector 1465149076 --> [Forged physical sector]

Sector 1465149077 --> [Forged physical sector]

Sector 1465149078 --> [Forged physical sector]

Sector 1465149079 --> [Forged physical sector]

Sector 1465149080 --> [Forged physical sector]

Sector 1465149081 --> [Forged physical sector]

Sector 1465149082 --> [Forged physical sector]

Sector 1465149083 --> [Forged physical sector]

Sector 1465149084 --> [Forged physical sector]

Sector 1465149085 --> [Forged physical sector]

Sector 1465149086 --> [Forged physical sector]

Sector 1465149087 --> [Forged physical sector]

Sector 1465149088 --> [Forged physical sector]

Sector 1465149089 --> [Forged physical sector]

Sector 1465149090 --> [Forged physical sector]

Sector 1465149091 --> [Forged physical sector]

Sector 1465149092 --> [Forged physical sector]

Sector 1465149093 --> [Forged physical sector]

Sector 1465149094 --> [Forged physical sector]

Sector 1465149095 --> [Forged physical sector]

Sector 1465149096 --> [Forged physical sector]

Sector 1465149097 --> [Forged physical sector]

Sector 1465149098 --> [Forged physical sector]

Sector 1465149099 --> [Forged physical sector]

Sector 1465149100 --> [Forged physical sector]

Sector 1465149101 --> [Forged physical sector]

Sector 1465149102 --> [Forged physical sector]

Sector 1465149103 --> [Forged physical sector]

Sector 1465149104 --> [Forged physical sector]

Sector 1465149105 --> [Forged physical sector]

Sector 1465149106 --> [Forged physical sector]

Sector 1465149107 --> [Forged physical sector]

Sector 1465149108 --> [Forged physical sector]

Sector 1465149109 --> [Forged physical sector]

Sector 1465149110 --> [Forged physical sector]

Sector 1465149111 --> [Forged physical sector]

Sector 1465149112 --> [Forged physical sector]

Sector 1465149113 --> [Forged physical sector]

Sector 1465149114 --> [Forged physical sector]

Sector 1465149115 --> [Forged physical sector]

Sector 1465149116 --> [Forged physical sector]

Sector 1465149117 --> [Forged physical sector]

Sector 1465149118 --> [Forged physical sector]

Sector 1465149119 --> [Forged physical sector]

Sector 1465149120 --> [Forged physical sector]

Sector 1465149121 --> [Forged physical sector]

Sector 1465149122 --> [Forged physical sector]

Sector 1465149123 --> [Forged physical sector]

Sector 1465149124 --> [Forged physical sector]

Sector 1465149125 --> [Forged physical sector]

Sector 1465149126 --> [Forged physical sector]

Sector 1465149127 --> [Forged physical sector]

Sector 1465149128 --> [Forged physical sector]

Sector 1465149129 --> [Forged physical sector]

Sector 1465149130 --> [Forged physical sector]

Sector 1465149131 --> [Forged physical sector]

Sector 1465149132 --> [Forged physical sector]

Sector 1465149133 --> [Forged physical sector]

Sector 1465149134 --> [Forged physical sector]

Sector 1465149135 --> [Forged physical sector]

Sector 1465149136 --> [Forged physical sector]

Sector 1465149137 --> [Forged physical sector]

Sector 1465149138 --> [Forged physical sector]

Sector 1465149139 --> [Forged physical sector]

Sector 1465149140 --> [Forged physical sector]

Sector 1465149141 --> [Forged physical sector]

Sector 1465149142 --> [Forged physical sector]

Sector 1465149143 --> [Forged physical sector]

Sector 1465149144 --> [Forged physical sector]

Sector 1465149145 --> [Forged physical sector]

Sector 1465149146 --> [Forged physical sector]

Sector 1465149147 --> [Forged physical sector]

Sector 1465149148 --> [Forged physical sector]

Sector 1465149149 --> [Forged physical sector]

Sector 1465149150 --> [Forged physical sector]

Sector 1465149151 --> [Forged physical sector]

Sector 1465149152 --> [Forged physical sector]

Sector 1465149153 --> [Forged physical sector]

Sector 1465149154 --> [Forged physical sector]

Sector 1465149155 --> [Forged physical sector]

Sector 1465149156 --> [Forged physical sector]

Sector 1465149157 --> [Forged physical sector]

Sector 1465149158 --> [Forged physical sector]

Sector 1465149159 --> [Forged physical sector]

Sector 1465149160 --> [Forged physical sector]

Sector 1465149161 --> [Forged physical sector]

Sector 1465149162 --> [Forged physical sector]

Sector 1465149163 --> [Forged physical sector]

Sector 1465149164 --> [Forged physical sector]

Sector 1465149165 --> [Forged physical sector]

Sector 1465149166 --> [Forged physical sector]

Sector 1465149167 --> [Forged physical sector]

Done!

Performing system, memory and registry scan...

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Infected: C:\$RECYCLE.BIN\S-1-5-18\$792f41990b73e2f47b46706eb422a6b8\U --> [Trojan.Siredef.C]

Infected: C:\$RECYCLE.BIN\S-1-5-18\$792f41990b73e2f47b46706eb422a6b8\L --> [Trojan.Siredef.C]

Infected: C:\$RECYCLE.BIN\S-1-5-18\$792f41990b73e2f47b46706eb422a6b8 --> [Trojan.Siredef.C]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 3

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

BCD Entry for BOOTEMS is missing

Malicious Entry 26000022 for BOOTEMS present!

Removal scheduling successful. System shutdown needed.

System shutdown occured

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_29

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 2.294000 GHz

Memory total: 8478961664, free: 7007596544

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_29

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED

CPU speed: 2.294000 GHz

Memory total: 8478961664, free: 5744680960

------------ Kernel report ------------

11/28/2012 19:18:15

------------ Loaded modules -----------


\Windows\System32\advapi32.dll

\Windows\System32\nsi.dll

\Windows\System32\urlmon.dll

\Windows\System32\imm32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\comdlg32.dll

\Windows\System32\psapi.dll

\Windows\System32\msctf.dll

\Windows\System32\sechost.dll

\Windows\System32\gdi32.dll

\Windows\System32\wininet.dll

\Windows\System32\normaliz.dll

\Windows\System32\shell32.dll

\Windows\System32\ole32.dll

\Windows\System32\user32.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\crypt32.dll

\Windows\System32\comctl32.dll

\Windows\System32\wintrust.dll

\Windows\System32\devobj.dll

\Windows\System32\KernelBase.dll

\Windows\System32\msasn1.dll

\Windows\SysWOW64\normaliz.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa80096ff060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-1\

Lower Device Object: 0xfffffa8007993050

Lower Device Driver Name: \Driver\iaStor\

Driver name found: iaStor

DriverEntry returned 0x0

Function returned 0x0

Initializing...

Done!

Scanning directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 3

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa80096ff060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80096ffb90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80096ff060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8009576cb0, DeviceName: Unknown, DriverName: \Driver\stdcfltn\

DevicePointer: 0xfffffa800798f820, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8007993050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\

------------ End ----------

Upper DeviceData: 0xfffff8a017025230, 0xfffffa80096ff060, 0xfffffa800e701520

Lower DeviceData: 0xfffff8a0170f8f60, 0xfffffa8007993050, 0xfffffa800daff7f0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 7F2837E

Partition information:

Partition 0 type is Other (0xde)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 208782

Partition 1 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 212992 Numsec = 40960000

Partition file system is NTFS

Partition is bootable

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 41172992 Numsec = 1423974128

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 750156374016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-1465129168-1465149168)...

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

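The partition table the scan above prints ("MBR Signature: 55AA", then type, active flag, start LBA and sector count per entry, then a sweep of the unpartitioned sectors) is the 64-byte table at offset 446 of sector 0. The Python below is added here as an editor's example; it is not the scan tool's code or output and not part of the original post. It parses a 512-byte MBR the same way and adds the structural checks a triage would run before trusting the table: boot signature, status byte, overlapping or off-disk extents, and the unpartitioned gaps where an MBR bootkit keeps its loader. `SAMPLE_MBR` is constructed to reproduce the table in the log (it is not the poster's real boot sector), and the type-name map is the example's own.

```python
r"""Parse and sanity-check a legacy MBR partition table, the structure the scan log
above prints under 'Inspecting partition table'.

Added example for this thread; not the scan tool's code or output, and not from the
original poster. SAMPLE_MBR is CONSTRUCTED to reproduce the table in that log (disk
signature 7F2837E; partitions at LBA 63, 212992 and 41172992); it is not the poster's
real boot sector. On a live machine, read the first 512 bytes of \\.\PhysicalDrive0
(Windows, elevated) or /dev/sda (Linux, root) and pass them to parse_mbr().
"""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446        # four 16-byte entries end at 510, then 0x55 0xAA
DISK_SIG_OFFSET = 0x1B8        # 32-bit NT disk signature
BOOT_SIG = b"\x55\xaa"
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA, count

# Type bytes relevant to this log; anything else is reported as raw hex.
PART_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS/HPFS/exFAT (IFS)",
              0x0F: "Extended (LBA)", 0xDE: "Dell utility", 0xEE: "GPT protective"}

def parse_mbr(mbr: bytes) -> dict:
    """Decode boot signature, disk signature and the four primary entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError(f"bad boot signature {mbr[510:512].hex().upper()} (expected 55AA)")
    partitions = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        partitions.append({"index": i, "status": status, "active": status == 0x80,
                           "type": ptype, "type_name": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
                           "start_lba": start, "num_sectors": count})
    return {"disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
            "partitions": partitions}

def unpartitioned_ranges(parsed: dict, disk_sectors: int) -> list:
    """Inclusive (first, last) sector ranges that no partition covers.

    Sector 0 is the MBR itself. The gap before the first partition and the slack
    after the last one are where MBR bootkits keep their loader, which is why the
    tool above sweeps 'physical sectors of unpartitioned space'."""
    used = sorted((p["start_lba"], p["num_sectors"]) for p in parsed["partitions"] if p["type"])
    gaps, cursor = [], 1
    for start, count in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + count)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def check_mbr(parsed: dict, disk_sectors: int) -> list:
    """Structural checks to run before trusting the table; returns warning strings."""
    warnings, parts = [], parsed["partitions"]
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            warnings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02X}")
        if p["type"] == 0 and (p["start_lba"] or p["num_sectors"]):
            warnings.append(f"partition {p['index']}: empty type but non-zero geometry")
        if p["type"] and p["start_lba"] + p["num_sectors"] > disk_sectors:
            warnings.append(f"partition {p['index']}: extends past end of disk")
    if sum(p["active"] for p in parts) > 1:
        warnings.append("more than one active partition")
    used = sorted((p["start_lba"], p["num_sectors"], p["index"]) for p in parts if p["type"])
    for (s1, n1, i1), (s2, _, i2) in zip(used, used[1:]):
        if s1 + n1 > s2:
            warnings.append(f"partitions {i1} and {i2} overlap")
    return warnings

def build_mbr(disk_signature: int, entries: list) -> bytes:
    """Assemble a 512-byte MBR from (status, type, start_lba, num_sectors) tuples."""
    mbr = bytearray(MBR_SIZE)
    struct.pack_into("<I", mbr, DISK_SIG_OFFSET, disk_signature)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i, status, ptype, start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

# Constructed to match the log above: Dell utility partition, active NTFS system
# partition, NTFS data partition, empty fourth slot, on a 750156374016-byte disk.
DISK_SIZE_BYTES = 750156374016
DISK_SECTORS = DISK_SIZE_BYTES // 512
SAMPLE_MBR = build_mbr(0x07F2837E, [
    (0x00, 0xDE, 63, 208782),
    (0x80, 0x07, 212992, 40960000),
    (0x00, 0x07, 41172992, 1423974128),
    (0x00, 0x00, 0, 0),
])

if __name__ == "__main__":
    table = parse_mbr(SAMPLE_MBR)
    print(f"Disk Signature: {table['disk_signature']:X}")
    for p in table["partitions"]:
        print(f"Partition {p['index']}: {p['type_name']} (0x{p['type']:x}), "
              f"{'ACTIVE' if p['active'] else 'NOT ACTIVE'}, LBA {p['start_lba']} Numsec {p['num_sectors']}")
    print("Unpartitioned:", unpartitioned_ranges(table, DISK_SECTORS))
    print("Warnings:", check_mbr(table, DISK_SECTORS) or "none")
```

The gap list this computes for the sample (sectors 1 to 62, a small gap between the Dell and system partitions, and the slack at the end of the disk) is the space to dump and compare against a clean copy when a bootkit is suspected; the scan tool's own sweep range in the log is reported in its own format, so do not expect the two lists to match byte for byte.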

Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Alright, here is the log:

ComboFix 12-11-29.02 - Andrew 11/29/2012 17:47:13.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8086.5449 [GMT -5:00]

Running from: c:\users\Andrew\Downloads\ComboFix.exe

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

c:\programdata\Roaming

c:\users\Andrew\Documents\~WRL0003.tmp

c:\users\Andrew\Documents\~WRL1233.tmp

.

.

((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-29 )))))))))))))))))))))))))))))))

.

.

2012-11-29 23:06 . 2012-11-29 23:06 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-11-28 21:39 . 2012-11-28 21:39 -------- d-----w- C:\found.001

2012-11-26 17:21 . 2012-11-26 17:21 -------- d-----w- c:\program files (x86)\Common Files\Skype

2012-11-24 05:53 . 2012-11-24 05:53 95392 ----a-w- c:\windows\system32\drivers\SMR311.SYS

2012-11-24 05:49 . 2012-11-24 05:49 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared

2012-11-24 05:33 . 2012-11-24 05:33 177312 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS

2012-11-24 05:33 . 2012-11-24 05:33 -------- d-----w- c:\program files\Common Files\Symantec Shared

2012-11-24 05:24 . 2012-11-24 05:24 -------- d-----w- c:\program files (x86)\Norton Internet Security

2012-11-24 05:23 . 2012-11-24 05:24 -------- d-----w- c:\program files (x86)\NortonInstaller

2012-11-24 05:18 . 2012-11-24 05:18 -------- d-----w- c:\programdata\PCSettings

2012-11-24 05:12 . 2012-11-24 05:33 -------- d-----w- c:\program files\Symantec

2012-11-24 05:11 . 2012-11-24 05:11 -------- d-----w- c:\windows\system32\drivers\NISx64

2012-11-22 05:08 . 2012-11-22 05:08 -------- d-----w- c:\windows\Microsoft Antimalware

2012-11-20 05:44 . 2012-11-20 05:44 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes

2012-11-20 05:44 . 2012-11-20 05:44 -------- d-----w- c:\programdata\Malwarebytes

2012-11-20 05:44 . 2012-11-20 05:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-11-20 05:44 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-20 04:51 . 2012-11-20 04:51 -------- d-----w- c:\users\Andrew\AppData\Local\Western_Digital

2012-11-20 04:10 . 2012-11-20 04:10 -------- d-----w- c:\programdata\WD_SmartWareCommon

2012-11-20 04:08 . 2012-11-20 04:08 -------- d-----w- c:\users\Andrew\AppData\Roaming\Western Digital

2012-11-20 04:07 . 2012-11-20 04:07 -------- d-----w- c:\programdata\Western Digital

2012-11-20 04:07 . 2012-11-20 04:07 -------- d-----w- c:\program files\Western Digital

2012-11-20 04:07 . 2012-11-20 04:07 -------- d-----w- c:\program files (x86)\Western Digital

2012-11-20 04:07 . 2012-11-20 04:07 -------- d-----w- c:\users\Andrew\AppData\Local\Western Digital

2012-11-15 00:01 . 2007-03-22 01:39 1060864 ----a-w- c:\windows\SysWow64\MFC71.DLL

2012-11-15 00:01 . 2007-03-22 01:33 503808 ----a-w- c:\windows\SysWow64\MSVCP71.DLL

2012-11-15 00:01 . 2007-03-22 01:33 348160 ----a-w- c:\windows\SysWow64\MSVCR71.DLL

2012-11-14 22:25 . 2012-11-16 03:55 -------- d-----w- c:\users\Andrew\AppData\Roaming\Audacity

2012-11-14 03:24 . 2012-11-14 03:24 -------- d-----w- c:\program files (x86)\Common Files\Cisco

2012-11-14 02:26 . 2012-11-15 02:36 -------- d-----w- c:\program files (x86)\Symantec

2012-11-14 01:03 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-11-14 01:03 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-11-14 01:03 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2012-11-14 01:03 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-11-14 00:56 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2012-11-14 00:56 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-11-14 00:56 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2012-11-14 00:56 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-11-14 00:56 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-11-14 00:56 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-11-14 00:56 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-11-13 23:45 . 2012-11-13 23:45 -------- d-----w- c:\windows\system32\drivers\SEP

2012-11-09 23:47 . 2012-02-23 04:12 8525240 ----a-w- c:\program files (x86)\Mozilla Firefox\updated\BLR Installerv3\Blacklight Retribution.exe

2012-11-09 23:47 . 2012-08-25 02:00 18912 ----a-w- c:\program files (x86)\Mozilla Firefox\updated\AccessibleMarshal.dll

2012-11-09 03:50 . 2012-11-14 00:06 -------- d-----w- c:\windows\system32\drivers\N360x64

2012-11-06 02:05 . 2012-11-06 02:05 -------- d-----w- c:\programdata\Battle.net

2012-11-03 20:09 . 2012-11-15 02:16 -------- d-----w- c:\users\Andrew\AppData\Local\ElevatedDiagnostics

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-20 21:43 . 2012-10-23 23:08 58288 ----a-w- c:\windows\system32\snacnp.dll

2012-11-20 07:35 . 2012-09-06 03:04 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-11-20 07:35 . 2012-09-06 03:04 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-11-14 00:57 . 2011-08-27 19:40 66395536 ----a-w- c:\windows\system32\MRT.exe

2012-10-16 08:38 . 2012-11-27 22:21 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-11-27 22:21 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-11-27 22:21 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-09-22 18:24 . 2012-04-09 16:16 283032 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr

2012-09-22 18:24 . 2012-04-09 05:41 283032 ----a-w- c:\windows\SysWow64\PnkBstrB.exe

2012-09-22 18:08 . 2012-04-09 05:41 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0

2012-09-14 19:19 . 2012-10-11 00:22 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-14 18:28 . 2012-10-09 21:02 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-09-03 02:12 . 2012-09-03 02:12 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-09-03 02:12 . 2012-05-29 21:15 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-09-03 02:12 . 2011-08-16 10:49 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2012-05-04 20:43 1519272 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-10-24 1353080]

"Facebook Update"="c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-11-09 17877168]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"NeroLauncher"="c:\program files (x86)\Nero\SyncUP\NeroLauncher.exe" [2012-02-06 66872]

"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]

"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]

"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2011-05-30 885760]

"Garmin Lifetime Updater"="c:\program files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-06-04 1466760]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]

"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2012-09-29 12105344]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2011-08-12 520330]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]

"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-05-04 1561768]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]

"NACAgentUI"="c:\program files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2012-04-16 593848]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2119488]

WDSmartWare.lnk - c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 EraserSvc11210;Symantec Eraser Service;c:\program files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe [x]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-27 158976]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-12-17 340240]

R3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;c:\windows\system32\drivers\nvstusb.sys [2010-12-12 121960]

R3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0;PCDSRVC{1E208CE0-FB7451FF-06020200}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2012-08-17 25584]

R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-21 1255736]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2012-05-15 28992]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]

S0 SMR311;Symantec SMR Utility Service 3.1.1;c:\windows\System32\drivers\SMR311.SYS [2012-11-24 95392]

S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 21616]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1402000.013\SYMDS64.SYS [2012-10-04 493216]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1402000.013\SYMEFA64.SYS [2012-10-04 1133216]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\BASHDefs\20121106.001\BHDrvx64.sys [2012-10-23 1384608]

S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1402000.013\ccSetx64.sys [2012-10-04 168096]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\IPSDefs\20121128.001\IDSvia64.sys [2012-11-23 513184]

S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys [2012-05-15 249152]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1402000.013\Ironx64.SYS [2012-09-07 224416]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NISx64\1402000.013\SYMNETS.SYS [2012-09-07 432800]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]

S2 NACAgent;Cisco NAC Agent;c:\program files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [2012-04-16 1257400]

S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]

S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe [2012-10-11 143928]

S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-20 2656280]

S2 WDDMService;WD SmartWare Drive Manager Service;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-01-21 130048]

S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-12-13 27760]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2011-06-16 176000]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-11-23 138912]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-02-10 82432]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-02-10 181760]

S3 qicflt;upper Device Filter Driver;c:\windows\system32\DRIVERS\qicflt.sys [2010-07-13 29288]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-02-17 428136]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]

S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [2010-12-01 42392]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-29 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-06 07:35]

.

2012-11-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1329499073-3600295967-3592974642-1001Core.job

- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-06 22:42]

.

2012-11-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1329499073-3600295967-3592974642-1001UA.job

- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-06 22:42]

.

2012-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-20 18:08]

.

2012-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-20 18:08]

.

2012-08-19 c:\windows\Tasks\PCDoctorBackgroundMonitorTask-Delay.job

- c:\program files\Dell Support Center\uaclauncher.exe [2012-08-23 05:36]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-02-18 6611048]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-30 167960]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-30 391704]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-30 418840]

"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-17 686704]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-12-17 1933584]

"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-05-30 2055816]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=c:\windows\System32\nvinitx.dll

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.dell.com

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 137.45.26.80 137.45.24.111

FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\

FF - prefs.js: browser.search.selectedEngine - Ask.com

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_uid=049BA6E7-1EB7-4B46-8BBB-067676C7B4EC&apn_ptnrs=&apn_sauid=CA49E17A-0877-4B2A-BF91-CE8227C1F601&apn_dtid=OSJ000&&q=

FF - ExtSQL: 2012-11-04 13:54; jid1-xUfzOsOFlzSOXg@jetpack; c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi

FF - ExtSQL: 2012-11-24 00:34; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\coFFPlgn

FF - ExtSQL: 2012-11-24 00:34; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\IPSFFPlgn

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]

"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020200}_0]

"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,

89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,

7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}"=hex:51,66,7a,6c,4c,1d,38,12,ce,98,c3,

35,c7,5c,a0,09,c1,9c,6a,63,e2,38,41,ce

"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,

64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c

"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,

69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18

"{6EBF7485-159F-4BFF-A14F-B9E3AAC4465B}"=hex:51,66,7a,6c,4c,1d,38,12,eb,77,ac,

6a,ad,5b,91,0e,de,59,fa,a3,af,9a,02,4f

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,

76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,

9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d

"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,

aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83

"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,

d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,

2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:df,a8,b7,28,6a,70,cd,01

.

[HKEY_USERS\S-1-5-21-1329499073-3600295967-3592974642-1001\Software\SecuROM\License information*]

"datasecu"=hex:45,91,ae,ae,ca,88,94,51,66,81,c2,dd,14,58,c9,cf,3a,8e,45,8e,77,

f1,89,ed,d2,f8,e9,24,fe,3f,ea,8f,9f,75,62,d4,3d,7c,fd,2e,96,44,cb,89,94,e3,\

"rkeysecu"=hex:08,8e,78,35,c1,46,ee,3f,a0,f2,4b,45,78,ed,11,12

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\SysWOW64\PnkBstrA.exe

c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE

c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

c:\program files (x86)\Nero\SyncUP\SyncUP.exe

c:\program files (x86)\Nero\SyncUP\Nero.AndroidServer.exe

.

**************************************************************************

.

Completion time: 2012-11-29 18:35:33 - machine was rebooted

ComboFix-quarantined-files.txt 2012-11-29 23:35

.

Pre-Run: 420,106,235,904 bytes free

Post-Run: 427,165,061,120 bytes free

.

- - End Of File - - 32595F7301FA88A56FCBD33A0CEC839B


Looks good, let's check the system for adware..............

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

MrC


Here's the adware log:

# AdwCleaner v2.010 - Logfile created 11/29/2012 at 19:47:57

# Updated 29/11/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Andrew - ANDREW-PC

# Boot Mode : Normal

# Running from : C:\Users\Andrew\Downloads\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

File Found : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\searchplugins\Askcom.xml

Folder Found : C:\Program Files (x86)\Ask.com

Folder Found : C:\ProgramData\Ask

Folder Found : C:\Users\Andrew\AppData\LocalLow\AskToolbar

Folder Found : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\extensions\staged

Folder Found : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\extensions\toolbar@ask.com

Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Found : HKCU\Software\APN

Key Found : HKCU\Software\AppDataLow\Software\AskToolbar

Key Found : HKCU\Software\Ask.com

Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Found : HKLM\Software\APN

Key Found : HKLM\Software\AskToolbar

Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd

Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1

Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Found : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default

File : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\prefs.js

Found : user_pref("browser.search.defaultengine", "Ask.com");

Found : user_pref("browser.search.defaultenginename", "Ask.com");

Found : user_pref("browser.search.order.1", "Ask.com");

Found : user_pref("browser.search.selectedEngine", "Ask.com");

Found : user_pref("extensions.asktb.ff-original-keyword-url", "");

Found : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_u[...]

-\\ Google Chrome v [unable to get version]

File : C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4750 octets] - [29/11/2012 19:47:57]

########## EOF - C:\AdwCleaner[R1].txt - [4810 octets] ##########

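The Firefox entries in the AdwCleaner log above (default search engine, search order and keyword.URL all rewritten, plus an extension pref that stores the "original" keyword URL) are the usual fingerprint of a search-hijacking toolbar. The script below is an added example, not code from this thread or from AdwCleaner: it parses a prefs.js file and reports those indicators. The allow-list of search providers, the helper names and the sample prefs.js content (with a defanged placeholder redirect URL) are assumptions constructed for the example.

```python
"""Flag search-hijack indicators in a Firefox prefs.js (added example, not
AdwCleaner's code).  The allow-list and the sample file are assumptions."""
import json
import re

# Search prefs that toolbar adware typically rewrites.  Any value outside
# ALLOWED_ENGINES is reported; the allow-list is an assumption for this example.
SEARCH_PREFS = {
    "browser.search.defaultengine",
    "browser.search.defaultenginename",
    "browser.search.order.1",
    "browser.search.selectedEngine",
}
ALLOWED_ENGINES = {"Google", "Bing", "DuckDuckGo", "Yahoo"}

# user_pref("name", <JS literal>);  -- name may contain escaped quotes
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Constructed sample mirroring the entries AdwCleaner reported in the thread;
# the redirect URL is a defanged placeholder, not the real one.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1353977000);
user_pref("browser.search.defaultengine", "Ask.com");
user_pref("browser.search.defaultenginename", "Ask.com");
user_pref("browser.search.order.1", "Ask.com");
user_pref("browser.search.selectedEngine", "Ask.com");
user_pref("extensions.asktb.ff-original-keyword-url", "");
user_pref("keyword.URL", "hxxp://websearch.example.invalid/redirect?client=ff&src=kw");
user_pref("network.cookie.prefsMigrated", true);
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref() line.  Values are decoded
    from their JavaScript literal (string, true/false, integer); anything
    json cannot decode is kept verbatim rather than dropped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue                      # comments, blank lines, other code
        name, raw = m.group(1), m.group(2).strip()
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw
    return prefs


def find_hijack_indicators(prefs):
    """Return (pref, value, reason) tuples for entries matching known
    search-hijack patterns; an empty list means nothing suspicious."""
    findings = []
    # 1. Default/selected engine pointed at a provider that is not allowed.
    for name in sorted(SEARCH_PREFS.intersection(prefs)):
        if prefs[name] not in ALLOWED_ENGINES:
            findings.append((name, prefs[name], "search engine set to non-allowed provider"))
    # 2. keyword.URL routes address-bar keyword searches to an arbitrary URL;
    #    Firefox leaves it empty by default, so any value is worth a look.
    if prefs.get("keyword.URL"):
        findings.append(("keyword.URL", prefs["keyword.URL"], "address-bar keyword search redirected"))
    # 3. A toolbar that stores the "original" keyword URL is a fingerprint of
    #    a search-redirecting extension even when the stored value is empty.
    for name in sorted(prefs):
        if name.startswith("extensions.") and "original-keyword-url" in name:
            findings.append((name, prefs[name], "search-toolbar extension pref present"))
    return findings


def scan_prefs_text(text):
    """Convenience wrapper: parse then assess one prefs.js file's content."""
    return find_hijack_indicators(parse_prefs(text))


if __name__ == "__main__":
    for pref, value, reason in scan_prefs_text(SAMPLE_PREFS_JS):
        print(f"{pref} = {value!r}: {reason}")
```

Run it against a real profile by reading `prefs.js` from the profile folder (the path pattern appears in the log above) and passing the text to `scan_prefs_text`; a clean profile returns an empty list. Decoding values with `json.loads` keeps booleans and integers typed, so a check such as `prefs.get("keyword.URL")` is not fooled by an empty string.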

Some adware found....let's clear it out.....

  1. Please re-run AdwCleaner
  2. Click on the Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

~~~~~~~~~~~~~~~~~~~~~

Then............

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


Alright, here is the adware log:

# AdwCleaner v2.010 - Logfile created 11/29/2012 at 20:43:29

# Updated 29/11/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Andrew - ANDREW-PC

# Boot Mode : Normal

# Running from : C:\Users\Andrew\Downloads\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\searchplugins\Askcom.xml

Folder Deleted : C:\Program Files (x86)\Ask.com

Folder Deleted : C:\ProgramData\Ask

Folder Deleted : C:\Users\Andrew\AppData\LocalLow\AskToolbar

Folder Deleted : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\extensions\staged

Folder Deleted : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\extensions\toolbar@ask.com

Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\APN

Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar

Key Deleted : HKCU\Software\Ask.com

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Deleted : HKLM\Software\APN

Key Deleted : HKLM\Software\AskToolbar

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd

Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1

Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Deleted : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default

File : C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3rvss9so.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Ask.com");

Deleted : user_pref("browser.search.defaultenginename", "Ask.com");

Deleted : user_pref("browser.search.order.1", "Ask.com");

Deleted : user_pref("browser.search.selectedEngine", "Ask.com");

Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");

Deleted : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_u[...]

-\\ Google Chrome v [unable to get version]

File : C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4871 octets] - [29/11/2012 19:47:57]

AdwCleaner[R2].txt - [4931 octets] - [29/11/2012 20:43:20]

AdwCleaner[s1].txt - [4962 octets] - [29/11/2012 20:43:29]

########## EOF - C:\AdwCleaner[s1].txt - [5022 octets] ##########

And the Security check log:

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Norton Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

JavaFX 2.1.1

Java 6 Update 29

Java 7 Update 7

Java version out of Date!

Adobe Flash Player 11.5.502.110

Adobe Reader 10.1.4 Adobe Reader out of Date!

Mozilla Firefox (15.0)

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 9%

````````````````````End of Log``````````````````````


JavaFX 2.1.1

Java™ 6 Update 29 <----please uninstall from add/remove programs

Java 7 Update 7 <---please update - should be Update 9

Java version out of Date!

Adobe Reader 10.1.4 Adobe Reader out of Date! <-----please check for an update

You have outdated programs on the system which are vulnerable to malware.

Please update or uninstall them.

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

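MrC's reply above turns the Security Check output into actions: an older Java left side by side with a newer one, a Java release below the current update level, and an Adobe Reader build that needs patching. As an added example (not code from this thread or from Security Check), the script below parses that report format into product/version pairs, compares them numerically against a minimum-version baseline, and flags products listed more than once. Version strings like "7 Update 7" are turned into integer tuples so that "Update 10" sorts after "Update 9", which a plain string comparison gets wrong. The baseline values are placeholders assumed for the example (the Java entry mirrors what MrC asked for above); the sample report is a constructed excerpt of the log posted earlier.

```python
"""Parse a screen317 Security Check report and compare product versions with a
baseline (added example; the baseline and sample report are assumptions)."""
import re

# ASSUMED minimum versions for this example only; not an authoritative patch
# level for any date.  Java is expressed as (major, update number).
MIN_VERSIONS = {
    "Java": (7, 9),
    "Adobe Reader": (10, 1, 5),
}

# Products the report lists as "<name> <version>", optionally in parentheses
# ("Mozilla Firefox (15.0)"), optionally followed by trailing text.
_PRODUCT_RE = re.compile(
    r"^(?P<name>Java|Adobe Reader|Adobe Flash Player|Mozilla Firefox|Google Chrome)\s+"
    r"\(?(?P<ver>\d+(?:\.\d+)*(?:\s+Update\s+\d+)?)\)?"
)

# Constructed excerpt of the Security Check log posted in the thread.
SAMPLE_REPORT = """\
Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 9
Malwarebytes Anti-Malware version 1.65.1.1000
JavaFX 2.1.1
Java 6 Update 29
Java 7 Update 7
Java version out of Date!
Adobe Flash Player 11.5.502.110
Adobe Reader 10.1.4 Adobe Reader out of Date!
Mozilla Firefox (15.0)
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.91
"""


def parse_version(text):
    """'7 Update 7' -> (7, 7); '10.1.4' -> (10, 1, 4).  Tuples of ints compare
    numerically, so (7, 10) > (7, 9) even though '7 Update 10' < '7 Update 9'
    as strings."""
    m = re.match(r"(\d+)\s+Update\s+(\d+)$", text)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    return tuple(int(part) for part in text.split("."))


def parse_report(text):
    """Return [(product, version_tuple, raw_line)] for every product line.
    'JavaFX 2.1.1' and 'Java version out of Date!' do not match because the
    pattern requires whitespace and then digits right after the product name."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _PRODUCT_RE.match(line)
        if m:
            entries.append((m.group("name"), parse_version(m.group("ver")), line))
    return entries


def assess(entries):
    """Return {'outdated': [(product, version)], 'duplicates': {product: [versions]}}.
    'duplicates' lists products reported with more than one version installed;
    the older copies are the ones the thread says to uninstall."""
    by_product = {}
    for name, ver, _ in entries:
        by_product.setdefault(name, []).append(ver)
    outdated = [(name, ver) for name, ver, _ in entries
                if name in MIN_VERSIONS and ver < MIN_VERSIONS[name]]
    duplicates = {name: sorted(vers) for name, vers in by_product.items() if len(vers) > 1}
    return {"outdated": outdated, "duplicates": duplicates}


def uac_disabled(text):
    """Security Check prints this marker on the OS line when UAC is off."""
    return "UAC is disabled!" in text


if __name__ == "__main__":
    result = assess(parse_report(SAMPLE_REPORT))
    for name, ver in result["outdated"]:
        print(f"outdated: {name} {'.'.join(map(str, ver))}")
    for name, vers in result["duplicates"]:
        print(f"multiple versions of {name}: {vers}")
    print("UAC disabled:", uac_disabled(SAMPLE_REPORT))
```

The `duplicates` check is the generalization of MrC's "uninstall Java 6" note: whenever a product appears with several versions, the older ones are leftovers that still carry their old vulnerabilities even after the newest copy is patched. Adjust `MIN_VERSIONS` to the patch levels you actually require before relying on the `outdated` list.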

Hi,

Thank you so much for all your help, you have been great! I just have a couple more questions.

Before I started this thread, I backed up my computer things to an external hard drive. I'm not going to use that backup and I'll just make a new one, but I was wondering if there is a risk of the trojan having somehow infected the external hard drive. If so, is there anything I can do to properly clean it?


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.